Wednesday, July 18, 2007

Legal Spyware

Federal agents obtained a court order to send spyware called CIPAV to a MySpace account suspected of being used by a bomb threat hoaxster who was later sentenced to 90 days for hoaxing, according to the CNet News Blog.

While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant key loggers.

Wired looks at how CIPAV might have worked:

It's possible that the FBI used social engineering to trick Glazebrook into downloading and executing the malicious code by hand -- but given the teen's hacker proclivities, it seems unlikely he'd fall for a ruse like that. More likely the FBI used a software vulnerability, either a published one that Glazebrook hadn't patched against, or one that only the FBI knows.

MySpace has an internal instant messaging system, and a web-based stored messaging system. (Contrary to one report, MySpace doesn't offer e-mail, so we can rule out an executable attachment.) Since there's no evidence the CIPAV was crafted specifically to target MySpace, my money is on a browser or plug-in hole, activated through the web-based stored messaging system, which allows one MySpace user to send a message to another's inbox. The message can include HTML and embedded image tags.

There are several such holes to choose from. There's an old hole -- patched early last year -- in the way Windows renders WMF (Windows Metafile) images. Cyber crooks are still using it to install keyloggers, adware and spyware on vulnerable machines. Last year it even popped up in an attack on MySpace users delivered through an ad banner.

The importance of the Internet and telecomms in general to networked insurgency means that "wizard wars" are going to swirl around platforms the way kinetic battles focused on terrain features like Little Round Top. If the US private sector can be mobilized in the information warfare field it can dominate the playing field. But don't count all those offshore programmers out ... like the Russians ... or ideological locals either.

You've heard of vaporware and malware. But what about ransomware? "Imagine opening up the personal documents file on your computer and finding a ransom note warning you that all of your precious files will be deleted unless you wire money to cyber crooks. That's exactly what happened over the past several days to more than a thousand victims, many of them employees at U.S.-based companies and government contractors," according to Security Fix.

According to this Reuters story, this extortion attack played out at some of the nation's biggest corporations, including Booz Allen Hamilton, computer services company Unisys Corp., defense contractor L-3 Communications, computer maker Hewlett-Packard Co. and satellite network provider Hughes Network Systems. These were just the victims that rose to the top of the hit list. There are hundreds more.

Strangely enough, the story makes hardly any mention of the extortion attack itself, saying the malicious code was designed to steal data from infected machines. Russian anti-virus company Kaspersky Lab has a more detailed look at this intruder, including a copy of the ransom note, which demands $300 for a special key supposedly designed to let victims unscramble documents encrypted by the virus.

David Perry, global director of education for anti-virus maker Trend Micro, said he's curious why the attackers in this case asked for such a small amount. ... My theory is that perhaps in the virus writers' hometown, $300 may be a great deal of money. Moreover, it's a decent price point: They're probably far more likely to convince people to cough up $300 than they are $3,000. Besides, $300 is slightly less than it costs just to buy a brand new computer these days.

Yep. Three hundred bucks can buy life or death in certain parts of the world where only the normal curve of intelligence distribution prevails, but where little else is normal.

2 Comments:

Blogger SDAI said...

The good thing about cyber-terror is that the perpetrators are often as vulnerable as the victims. Recently Fox News revealed that cell phones can be turned on and used as listening devices, without the owner's knowledge. However, the government simply doesn't have the resources to process much of the data that passes through wires and the air, whereas corporations, terror groups and private citizens are more likely to spy on portions of the global data flow with a particular goal in mind. Most corporations' secure data is stored and uploaded to computers without any internet access or possibility of being corrupted by anyone outside the company itself. Anyone with data worth protecting must keep a separate isolated computer system which merely acts as a secure repository for files.

And on this same note, brick & mortar stores and websites are collecting and reselling your personal data faster than ever. Kids are often targeted to harvest e-mail addresses, birthdays and other personal information that can be used to exploit their parents. Sites such as Facebook ask enough questions and collect enough data to provide the site-owner with a global database that the CIA would envy. As someone who deals in knowledge, the questions asked reveal that the site, or some party intends to use this data to create a database and exploit people.

As more people spend time on the web, the more we will see mass-market exploitation and data collecting techniques disguised as sites like Myspace, Youtube, Facebook, Neopets, etcetera.

Abundans cautela non nocet

7/18/2007 09:18:00 PM
Blogger Rick said...

At some point, the perpetrators of Ruby Ridge and Waco will need to be brought to heel; they grow more Gestapo-like all the time. Their use of spyware is certainly illegal. I hope they get nailed for it.

7/19/2007 06:30:00 AM