Friday, April 17, 2009

Thoughts on the FBI spyware documents

Kevin Poulsen of Wired has now posted the documents he received from the FBI in response to his FOIA request.

In short, the FBI has been using its own homebrewed spyware to collect information on suspects who use proxy servers (such as Tor) to hide their real IP addresses.

The EFF, CNET and Wired all submitted similar FOIA requests, and likely received the same documents in response. I do hope that either Wired or the EFF appeals the heavy redaction by the FBI's FOIA office. As Professor Paul Ohm writes, "The 152 pages don't take long to read, because they have been so heavily redacted. The vast majority of the pages have no substantive content at all."

While the FBI's spyware tool raises lots of issues, I want to focus on one particular issue here: the FBI's method of infection.

As Wired's Kevin Poulsen notes:
The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link. That's what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on"

Remember that the CIPAV spyware tool has been designed to locate suspects savvy enough to use proxies to hide their IP addresses.

Is the FBI's spyware tool spread by leaving suggestive messages, such as this hypothetical example, on a suspect's MySpace page?
"Hi, I am a sexy 18 year old cheerleader, and I'd like to meet you. Please click here to find out how to contact me"
Such a message would contain a link to a page on an FBI-controlled web server, which then uses an unpatched browser vulnerability to force a drive-by spyware infection.

While that might work for a few stupid teenagers, it is unlikely to work on genuinely tech-savvy hackers.

What is far more likely is that the FBI has asked MySpace, Google or Yahoo to insert the drive-by infection code directly into their own websites, so that the next time the suspect signed into their account, their browser would be infected automatically, without any need to trick them into visiting an FBI-controlled website.

Such cooperation by Web 2.0 companies (if it indeed occurred) would be fascinating and troubling, and would likely do significant damage to their reputations -- which would also explain the heavy redaction of the FOIA documents.

If there is a lesson to be learned from this document release, it is that if you want to protect yourself from the FBI's CIPAV spyware tool, you should make sure you're running the latest version of your Web browser (and should probably avoid IE). Those people stupid enough to transmit anonymous bomb threats using Internet Explorer 6.0 are likely to end up in jail very quickly.


Kev said...

Your theory is a lot more plausible than the idea that tech-savvy crooks are being tripped up by the thought of some hot chick flashing her boobs.

Anonymous said...

I don't think what browser you use has much relevance - they are much, much more likely to use cross-browser exploits such as Java, Flash, PDF etc.

Not only are these cross-browser and in some cases cross-OS vulnerabilities, but since they don't update with the OS, they often don't get updated at all.