The tricky issue of 'policeware'

The tricky issue of spyware with a badge: meet 'policeware'

http://arstechnica.com/news.ars/pos...firms-avoid-detecting-government-spyware.html

 

http://news.zdnet.com/2100-1009_22-6197020.html

"A recent federal court decision raises the question of whether antivirus companies may intentionally overlook spyware that is secretly placed on computers by police.

In the case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger--call it fedware--to record the typing of a suspected Ecstasy manufacturer who used encryption to thwart the police.

A CNET News.com survey of 13 leading antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies. Some, however, indicated that they would not alert customers to the presence of fedware if they were ordered by a court to remain quiet.

Most of the companies surveyed, which covered the range from tiny firms to Symantec and IBM, said they never had received such a court order. The full list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point, eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec, Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer that question. (Click here for the verbatim responses to the survey: http://news.zdnet.com/2100-1009_22-6196990.html?tag=nl )"

See also: http://news.com.com/8301-10784_3-9746451-7.html

"FBI remotely installs spyware to trace bomb threat

The FBI used a novel type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Wash.

Federal agents obtained a court order on June 12 to send spyware called CIPAV to a MySpace account suspected of being used by the bomb threat hoaxster. Once implanted, the software was designed to report back to the FBI with the Internet Protocol address of the suspect's computer, other information found on the PC and, notably, an ongoing log of the user's outbound connections.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month and obtained by CNET News.com claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

"The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique," Sanders wrote. A reference to the operating system's registry indicates that CIPAV can target, as you might expect given its market share, Microsoft Windows. Other data sent back to the FBI include the operating system type and serial number, the logged-in user name, and the Web URL that the computer was "previously connected to."

CIPAV was going to be installed "through an electronic messaging program from an account controlled by the FBI," which probably means e-mail. (Either e-mail or instant messaging could be used to deliver an infected file with CIPAV hidden in it, but the wording of that portion of the affidavit makes e-mail more likely.)

After CIPAV is installed, the FBI said, it will immediately report back to the government the computer's Internet Protocol address, Ethernet MAC address, "other variables, and certain registry-type information." And then, for the next 60 days, it will record Internet Protocol addresses visited but not the contents of the communications.

Putting the legal issues aside for the moment, one key question remains a mystery: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the the program bypass antispyware defenses and install itself as malicious software? (There's no mention of antivirus defenses in the court documents, true, but the bomb-hoaxster also performed a denial of service attack against the school district computers -- which, coupled with compromising the server in Italy, points to some modicum of technical knowledge.)

One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence.

Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. From the FBI's perspective, this would be the most desirable: for one thing, it would also obviate the need to strong-arm dozens of different security vendors, some with headquarters in other countries, into whitelisting CIPAV."

=========================================


As an aside, real old-timers here at Wilders may remember that someone once known as M3gaW0lf posted about this stuff years ago, on the original Wilders forum. Pete

 

This is/may be an inconceivably powerful tool.

Magnus has made some interesting comments here
http://www.dslreports.com/forum/r18712037-FBI-planted-spyware-on-teens-computer

 

Hello,
Microsoft and McAfee declined to answer ... hm hm ...
Mrk

 

Yep, I remember M3gaW0lf from almost 6 years ago

=====

Users of SpyCop can read this message in SpyCop:

 

From the article.

Relying on any signature based security app to detect official snoopware would be futile. If someone is truly concerned about this type of privacy invasion, they're already using Open Source apps and/or systems, running a tightly controlled default-deny security policy, and can account for every file on their system.

I've long suspected that to be true. It would be no suprise if some of these "known exploits" were deliberately put in just for such a purpose. Since the NSA helped Microsoft make Vista secure, they won't need such trojans in the future unless the person uses an alternate or older operating system. Microsoft's refusal to answer their questions only adds to that suspicion.

I don't have a problem with legitimate surveillance, done with the proper oversight, with legitimate probable cause, and within the boundaries of the law. When government thinks they're above the law and treats everyone like a suspect, it undermines the principles we claim to stand for. Without them, we're just another police state.
Rick

 

I don't really understand the "Relying on any signature based security app to detect official snoopware would be futile." remark (although I totally agree with the rest of your post).

CIPAV - and it's variations - (assuming one could get ahold of the code, of course) - could all have definitions written for them which would enable detection.

Even though a browser exploit is involved to allow code-injection, the code itself still has to be delivered afterward, correct?

Given the fact that a lot of the A/T companies are based overseas or internationally (and thus not subject to U.S. edicts on detection), I just don't really get that remark. Pete

 

Malware writers have demonstrated that they can evade signature based detection almost at will with many different techniques. Malware has had the ability to defend itself for quite some time. Look at HackerDefenders anti-detection. It wouldn't be difficult with such a method to create a thousand trojans that are functionally identical but with unique signatures. Assuming that these trojans aren't nearly as widespread as most trojans (I hope not), capturing one is the first problem. We already have malware that can alter or destroy itself if it detects it's in a virtual environment. It's reasonable to assume that the official snoopware also has the ability to delete itself if detected or after a certain period of time. When keeping the snoopware's existence secret is a priority, I'm sure they've taken those steps and more. I doubt that an AV or antispyware vendor would recognize it. Even if they did, there'd be no way to prove it's official snoopware and not just another malware keylogger. For all we know, AVs have detected some of them but have no way of knowing who controls it.

It's also quite reasonable to assume that they know something of the abilities of their intended target by the time they intend to infect them, whether they're an average user or a skilled paranoid. With most users, it wouldn't be necessary to use a super secret trojan when conventional malware would do the job, and put the blame on cyber crooks if it's discovered.

A browser exploit is one way, but there's many others, some of which most people wouldn't consider.
Windows services, especially those related to remote access.
Windows update, with cooperation from M$, anything could be installed with it.
Other unpatched and undisclosed windows vulnerabilities.

At present, I'd expect that the official snoopware is undetected because its usage is comparatively rare and that they're careful where they use it. The more they use it, the better the chance it'll be detected and identified. Then there's Vista with it's "patch guard" and the legal nightmare for vendors regarding detecting what might be running at a kernel level. I'd like to hear your thoughts on this, the potential to hide official snoopware with it, and the possible legal implications for all parties, especially security-ware vendors and those who maintain rootkit detectors.
Rick

 

Thank you, Rick, I see what you're saying now.

It's possible I just don't think of stuff like that considering the amount of alterations to my XPPro set-up here, services-wise; the fact that I don't IM on MySpace (or the like); that I run ProcessGuard here, use all the "safe hex" that I can, etc.

As far as how the vendors are going to be affected by the Vista "features" ( ) you've mentioned, it looks like it may be pretty grim. I have a feeling that M$ did a lot of that stuff simply to knock third-party vendors out of business and further lock down their stranglehold on what software (theirs) that can be run on their OS.

It's not going to take but a few instances of third-party security-ware being un-able to protect peoples' machines anymore (due to M$ "features" that they can't work around, or through) before a lot of them are going to be seriously hurting for business, IMO.

That's why I'll probably be running XP until the computer dies and then I'll simply hang it up.

On the upside, I seriously doubt that civilization will outlive my computer. , so it's all probably moot. Pete