Wednesday, July 18, 2007
FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats
by Kevin Poulsen
FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.
The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.
The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.
In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.
Posted by Ayu Chan at 9:50 PM
Labels: spyware cases
Warning: Police spyware detected!
In a recent case that was decided earlier this month, federal agents used a keystroke logger to record the typing of a suspected ecstasy manufacturer who had been using encryption to thwart the police.
In the wake of that, CNET's News.com surveyed 13 leading anti-spyware vendors and found that none acknowledged cooperating unofficially with government agencies. Still, some indicated that if a court ordered them to keep quiet, they would obey and not alert customers to the presence of government-planted spyware.
The question of whether police spyware should be allowed is becoming more urgent because keyloggers in particular are becoming increasingly necessary to investigators, and are therefore used more often. This is due in large part to the prevalence of encryption of both hard disks and network communications; Microsoft's Windows Vista and Apple's OS X, for example, both include built-in encryption features.
According to the article Will security firms detect police spyware:
Because there have only been two known criminal prosecutions in the United States involving police use of key loggers, important legal rules remain unsettled. But key logger makers say that police and investigative agencies are frequent customers…
Unfortunately, it remains unclear if police have the legal authority to do so under current law.
Kevin Bankston, an attorney with the Electronic Frontier Foundation who has litigated wiretapping cases, says:
The government would be pushing the boundaries of the law if it attempted to obtain such an order. There's simply no precedent for this sort of thing.
You can read more at CNET News.com: Security firms on police spyware, in their own words
What is your opinion on this matter? What measures do you take to ensure that your security and privacy are not compromised?
by blogs.techrepublic.com.com
Posted by Ayu Chan at 9:47 PM
Labels: spyware cases
FBI installs spyware to gather evidence
A former Washington high school student received 90 days in juvenile detention this week after pleading guilty to charges stemming from a rash of bomb threats; he was tracked down by the Federal Bureau of Investigation through the use of a Trojan horse that identified his computer.

The student used a false name and other pseudonyms in e-mail addresses registered with Google's Gmail to send bomb threats to Timberline High School in Lacey, Washington, FBI Special Agent Norman Sanders Jr. stated in an affidavit. The threats caused daily evacuations of the school the week of June 4, 2007. An earlier bomb threat, which evacuated the school on May 30, was found in a handwritten note.

The sender of the threats had claimed to be using a computer in Italy and taunted police and the FBI for their apparent lack of success in locating him, according to the affidavit. "Seriously, you are not going to catch me. So just give up," the student wrote, according to the court filing. "Maybe you should hire Bill Gates to tell you that it is coming from Italy."

More than thirty students at the school received a request from the suspect to link to a MySpace page, "Timberlinebombinfo." The suspect had used another student's name to send the invitations using America Online's Instant Messenger. Internet addresses used to register the Gmail and MySpace accounts resolved to an Internet service provider in Italy, while the address used to post bomb threats on the bulletin board of The Olympian came from a computer at the National Institute of Nuclear Physics in Italy, the affidavit stated.

Because of the likelihood that the suspect was using compromised systems to hide his identity, the FBI decided to use a program dubbed the Computer and Internet Protocol Address Verifier (CIPAV) to locate the miscreant, according to the affidavit filed by Sanders requesting the use of the program. The FBI sent the Trojan horse to the administrator of the MySpace account "Timberlinebombinfo".

The program is designed to record the IP address, dates, and times when data is sent, but not the content of the messages. Both Wired News and CNET News.com have additional coverage of the use of the CIPAV Trojan horse. The student whose identity was stolen was ostracized at school and has since enrolled in a different district, the Olympian reported. The 90-day sentence is the maximum allowed under the standard sentencing guidelines for juveniles.
by www.securityfocus.com
Posted by Ayu Chan at 9:03 PM
FBI remotely installs spyware to trace bomb threat
The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.
Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.
[Screen snapshot of 'timberlinebombinfo' MySpace account]
The suspect, former Timberline High School student Josh Glazebrook, was sentenced this week to 90 days in juvenile detention after pleading guilty to making bomb threats and other charges.
While there's been plenty of speculation about how the FBI might deliver spyware electronically, this case appears to be the first to reveal how the technique is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but hasn't said much about it since. The two other cases in which federal investigators were known to have used spyware--the Scarfo and Forrester cases--involved agents actually sneaking into offices to implant key loggers.
An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.
"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique," Sanders wrote. A reference to the operating system's registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was "previously connected to."
News.com has posted Sanders' affidavit and a summary of the CIPAV results that the FBI submitted to U.S. Magistrate Judge James Donohue.
There have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an "Internet Protocol Address Verifier" that was sent to a suspect via e-mail.
But bloggers at the time dismissed it--in hindsight, perhaps erroneously--as the FBI merely using an embedded image in an HTML-formatted e-mail message, also known as a Web bug.
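To make the Web-bug hypothesis concrete, here is an added example (not code from the original article, from CNET, or from the FBI) that scans an HTML e-mail body for remote image references: the mechanism by which merely opening such a message reveals the reader's public IP address and the time of reading. The sample message body, the hostnames and the scoring heuristics (tiny or hidden images, per-recipient tokens in the URL) are constructed for illustration and are not drawn from the court documents.

```python
"""Flag remote-image "web bugs" in an HTML e-mail body (added example).

A remote <img> makes the mail client fetch a URL when the message is
rendered, which hands the sender the reader's public IP address and a
timestamp.  Inline cid:/data: images cannot phone home, so only http(s)
references are reported.  The message below is constructed for the
example; the hostnames and scoring heuristics are illustrative
assumptions, not material from the affidavit or the CNET article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https"}
# Long hex blobs in a path usually identify the recipient or message.
TOKEN_PATH = re.compile(r"/[0-9a-f]{16,}", re.I)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)


def _dimension(value):
    """Return the leading integer of an HTML width/height value, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class WebBugScanner(HTMLParser):
    """Collect every remote image reference and the reasons it looks like a beacon."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        style = a.get("style") or ""
        url = None
        if tag == "img":
            url = a.get("src")
        elif a.get("background"):           # <body>/<table>/<td background=...>
            url = a.get("background")
        else:
            m = CSS_URL.search(style)        # style="background-image:url(...)"
            url = m.group(1) if m else None
        if not url:
            return
        parsed = urlparse(url.strip())
        if parsed.scheme.lower() not in REMOTE_SCHEMES:
            return

        reasons = []
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny")          # classic 1x1 tracking pixel
        compact = style.lower().replace(" ", "")
        if "display:none" in compact or "visibility:hidden" in compact:
            reasons.append("hidden")
        if parsed.query or TOKEN_PATH.search(parsed.path):
            reasons.append("unique-token")  # URL individualised per recipient
        self.findings.append(
            {"tag": tag, "url": url, "host": parsed.hostname, "reasons": reasons}
        )


def scan_html_email(body):
    """Return all remote image references found in an HTML body, in document order."""
    scanner = WebBugScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def suspicious(findings):
    """Keep only references with at least one beacon-like trait."""
    return [f for f in findings if f["reasons"]]


# Constructed sample message (hostnames are placeholders); the taunt line
# is the one quoted from the affidavit elsewhere on this page.
SAMPLE_BODY = """<html><body>
<p>Seriously, you are not going to catch me. So just give up.</p>
<img src="cid:logo@local" width="120" height="40">
<img src="https://tracker.example/pixel/3f9a1c4d2e7b8a6f5c0d9e1b.gif"
     width="1" height="1" style="display:none">
<table background="http://cdn.example/bg.png"><tr><td>hello</td></tr></table>
<img src="https://images.example/banner.png?uid=42" alt="banner">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html_email(SAMPLE_BODY):
        flag = "SUSPICIOUS" if f["reasons"] else "remote"
        print(f"{flag:10} {f['tag']:5} {f['host']:18} {','.join(f['reasons'])}")
```

Run against the sample, the scanner reports three remote references and marks two as suspicious: the hidden 1x1 pixel with a long hex token in its path, and the banner whose query string carries a per-recipient identifier. The plain table background is remote but carries no beacon-like trait, which is the point of keeping the raw findings separate from the scored ones: a mail gateway that blocks all remote images stops the leak outright, while one that only strips the scored ones accepts some residual risk. Note that this check catches the passive Web-bug variant only; it says nothing about the executable payload the affidavit describes.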
Finding out who's behind a MySpace account
An interesting twist in the current case is that the county sheriff's office learned about the MySpace profile--timberlinebombinfo--when the creator tried to persuade other students to link to it and at least one of their parents called the police. The sheriff's office reported that 33 students received a request to post the link to "timberlinebombinfo" on their own MySpace pages.
In addition, the bomb hoaxster was sending a series of taunting messages from Google Gmail accounts (including dougbrigs@gmail.com) the week of June 4. A representative excerpt: "There are 4 bombs planted throughout Timberline High School. One in the math hall, library hall, and one portable. The bombs will go off in 5 minute intervals at 9:15 am."
The FBI replied by obtaining account logs from Google and MySpace. Both pointed to the Internet Protocol address of 80.76.80.103, which turned out to be a compromised computer in Italy.
That's when the FBI decided to roll out the heavy artillery: CIPAV. "I have concluded that using a CIPAV on the target MySpace 'Timberlinebombinfo' account may assist the FBI to determine the identities of the individual(s) using the activating computer," Sanders' affidavit says.
CIPAV was going to be installed "through an electronic messaging program from an account controlled by the FBI," which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)
After CIPAV is installed, the FBI said, it will immediately report back to the government the computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.
Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself as malicious software? (There's no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)
One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.
Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI's perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV. Earlier this week, News.com surveyed 13 security vendors and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order. The verbatim results of our survey are here.
by news.zdnet.com
Posted by Ayu Chan at 8:50 PM
Labels: spyware cases
Computer virus turns 25
By John Leyden
The computer virus turns 25 this month. Long-suffering computer users would be forgiven for thinking that the first computer virus appeared in the mid-1980s, but the first virus actually predates the arrival of the first IBM-compatible PC.
Elk Cloner, which spread between Apple II computers via infected floppy disks, has the dubious distinction of being the first computer virus to spread in the wild. The malware is thought to be the work of Rich Skrenta, a 15-year-old high school student from Pittsburgh, who released it in July 1982.
The payload of Elk Cloner was largely benign, harking back to an earlier, more innocent age before today's generation of Trojans that turn compromised PCs into clients on zombie networks controlled by profit-motivated cybercrooks. Elk Cloner's payload was merely a verse or two of poetry. Mostly harmless. It did, however, set the theme for a stream of annoying pieces of malware that popped up on the screens of Apple II, BBC Micro and, later, early PC users.
"Back then it was just a prank. A bit of fun. Today's malware is frequently malevolent and coded by criminals and/or hackers who are intent on extracting money from - as well as destroying the data of - innocent computer users and the organisations they work for," said Phil Higgins, a senior partner with security integrator Brookcourt Solutions. "An example of this is the MPack tool kit which is being used by criminals to infect legitimate websites and then deliver a crimeware payload to unsuspecting visitors."
Posted by Ayu Chan at 8:44 PM
Labels: Virus
25th anniversary of the computer virus? Not so fast
by Don Reisinger
The Internet has been abuzz lately claiming we are in the 25th year of the computer virus. And while many people believe a 15-year-old created the first virus in 1982, I'm not so quick to agree.
After digging through some Web sites offering insight into the history of the computer virus, only one thing is constant: Elk Cloner was not the first. Although some publications are claiming the poetic Elk Cloner virus was first, a host of viruses were ravaging computers in the 1970s.
The world's first generally accepted computer was created by Charles Babbage and while many things are uncertain about its design, one thing is not: no viruses infected it.
But if we fast-forward to the 1970s, the world's first computer virus actually sprang up. Called the Creeper virus, it was first detected on ARPAnet--a U.S. military computer network that was the forerunner of the modern Internet. According to Viruslist, the virus was written for the Tenex operating system and was capable of independently gaining access through a modem and copying itself to a remote system. Once infected, the system would display the following message: "I'M THE CREEPER: CATCH ME IF YOU CAN."
To disable the Creeper virus, a new program called Reaper was created. Like Creeper, Reaper spread to networked machines, but it did so looking for Creeper; if it found a copy, it immediately deleted it. Regardless of its beneficial purpose, who can argue that a program replicating itself to networked computers to delete files isn't a virus? Not me.
If you still don't believe me, a new virus called Rabbit infected computers in 1974. Although it was originally harmless, it replicated copies of itself so quickly that once it hit critical mass, system performance would slow to a crawl and eventually the system would crash. Hmm, sounds like a virus to me.
As if you needed more evidence that this isn't the 25th anniversary of the computer virus, 1975 ushered in one of the most legendary viruses ever: Pervading Animal. Written for the Univac 1108 by John Walker, it grew out of a new way of distributing game files. The game, called Animal, was a self-learning variation of 20 questions that required you simply to "think of an animal." Tired of mailing the game out, Walker wrote a routine called Pervade which, when called from a program such as Animal, copied that program into every directory the user had access to, without the user's knowledge.
Pervading Animal is one of the most debated viruses today. Some analysts argue that it was an unintentional byproduct of a man trying to make his life a little easier, while others claim intent has nothing to do with deciding whether a program is a virus. I judge a virus on what it does. In this case, the program replicated itself quietly behind the scenes and worked its way into every inch of the system. Pervading Animal was a virus.
While Elk Cloner was truly a virus, it was not the first. And although people like to attach labels to this or that, recognizing the first virus as having occurred 25 years ago is simply incorrect. The sad fact is we are embarking upon more than 30 years of viruses, not 25. And while the early versions may have been a bit rudimentary, each was a virus nonetheless.
Move over Elk Cloner, you're too late.
Posted by Ayu Chan at 8:38 PM
Labels: Virus
Anti-virus computer lab reaches out to troubled boy
Young man, now in jail, had been helping them crack cases online
AhnLab, Korea's foremost anti-virus software developer, is worried not over a new virus, but because of the plight of a young computer expert with whom the firm had made acquaintance.
The young boy with a shaved head first became known to AhnLab when he visited a lecture program they sponsored on January 25. He told participants he was an 18-year-old high school student from Suncheon, South Jeolla Province, and AhnLab workers running the seminar were impressed by his excellent computer knowledge.
Upon returning to his hometown after the lecture, he began to offer advice online for AhnLab under the ID "scaniacool." Soon, he became well-known in the Internet community for his expert knowledge of how to avoid and clean computer viruses. As a result, scaniacool was selected by AhnLab as "security master of the month" for four consecutive months from January to April.
But "Scaniacool" disappeared from the Internet around the middle of April, and was not heard from for several weeks. One day in mid-May, AhnLab received a letter from him.
"Have you worried about me? I am in a Suncheon jail. Please send me some books; computer security-related books will be better for me." At the end of the four-page letter, he wrote, "Those who were so close with me in the society are turning their back on me, as I am behind bars. Please help me."
As it turns out, scaniacool, who used his skills to prevent thieves and virus-makers from harming Internet users, had turned to crime outside of the cyber world. He was arrested and indicted last month for stealing four motorcycles. This was his second time in prison after committing robbery three years ago.
Na Jong-hwa, the policeman at Gwangyang Police Station in South Jeolla Province who caught him, said, "I didn't know he had skills in computer security. It seemed that he couldn't display his talents because of his family circumstances. He didn't receive a proper education."
Scaniacool's family is within Korea's lowest income bracket; his father is a handyman and his mother suffers from a chronic illness. Before his arrest, his five-year-old computer had broken and he could not afford another one, even used. He only could continue to study computer security by working in a PC room.
After reading his letter, some at AhnLab suggested the company keep its distance from scaniacool; as the nation's leading company in computer security, advocating morality and service for the public interest, it would be burdensome to maintain a relationship with him, they said.
AhnLab, however, has decided to place its hope in the young man, as it used to trust him. The company sent a few books to him in May, and Lee Byeong-cheol, an AhnLab official, is going to visit him in prison. Lee said, "As far as we remember, he is a boy who used to say that he would become a second Ahn Chul-soo," referring to the founder of AhnLab, a pioneer in the field of computer security in Korea. "I believe he will finally return to the scaniacool he used to be before turning to a life of crime."
by english.hani.co.kr
Posted by Ayu Chan at 8:34 PM
Labels: Virus
