April 17, 2009 12:15 PM PDT

FBI spyware used to nab hackers, extortionists

by Declan McCullagh

The FBI has used a secret form of spyware in a series of investigations designed to nab extortionists, database-deleting hackers, child molesters, and hitmen, according to documents obtained by CNET News.

One suspect used Microsoft's Hotmail to send bomb and anthrax threats to an undercover government investigator; another demanded a payment of $10,000 a month to stop cutting cables; a third was an alleged European hitman who was soliciting for business from a Hushmail.com account.

CNET News obtained the documents -- totaling hundreds of pages, although nearly all of them were heavily redacted -- this week through a Freedom of Information Act request to the FBI.

The FBI spyware, called CIPAV, came to light in July 2007 through court documents that showed how the bureau used it to nab a teenager who was e-mailing bomb threats to a high school near Olympia, Wash. (CIPAV stands for Computer and Internet Protocol Address Verifier.)

A June 2007 memo says that the FBI's Deployment Operations Personnel were instructed to "deploy a CIPAV to geophysically locate the subject issuing bomb threats to the Timberline High School, Lacy, Washington. The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."

An affidavit written by FBI Special Agent Norman Sanders at the time said that CIPAV is able to send "network-level messages" containing the target computer's IP address, Ethernet MAC address, environment variables, the last-visited Web site, and other registry-type information including the name of the registered owner of the computer and the operating system's serial number.

The FOIA documents indicate that the FBI turns to CIPAV when a suspect is communicating with police or a crime victim through e-mail and is using an anonymizing service to conceal his computer's Internet protocol address. If an anonymizing service had not been used, then a subpoena to the e-mail provider would normally be sufficient.

CIPAV lets the FBI trick a suspect's computer into identifying itself to police, much as an exploding dye packet might identify a bank robber.

One document from March 2007 indicates that the FBI originally used a simple technique known as a "Web bug." Written by the Justice Department's Computer Crime and Intellectual Property Section, it says "some investigators have begun to use an investigative technique referred to as an 'Internet Protocol Address Verifier' (IPAV), a/k/a a 'Web bug.'"
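The "Web bug" IPAV technique that the March 2007 memo describes is the ordinary tracking-pixel trick: the target is induced to fetch a URL, and the server that serves it records who connected. The following is an added illustration of that server side, written for this page; it is not the Justice Department's or the FBI's code, and the URL layout (/bug/<token>.gif) and the field names are this example's own choices. It also shows why the FOIA documents say a Web bug stops being useful once the suspect routes through an anonymizing service: the address the server sees is then the proxy's, and any X-Forwarded-For header is attacker-controlled and cannot be trusted.

```python
"""Minimal 'Web bug' style IP address verifier (IPAV).

Serves a 1x1 GIF at /bug/<token>.gif and records, for every fetch, the
connecting IP, any X-Forwarded-For header, the User-Agent and the token
that ties the hit to one recipient. Illustrative code only; it is not the
FBI's IPAV or CIPAV.
"""
import base64
import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# 1x1 transparent GIF: the classic tracking-pixel payload.
PIXEL = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)

HITS = []  # in-memory log of recorded fetches


def record_hit(remote_addr, path, headers, now=None):
    """Extract the identifying fields from one fetch of the bug.

    Returns None if `path` is not a bug URL, otherwise a dict describing
    the hit (and appends it to HITS). `remote_addr` is the TCP peer address
    the server actually saw. If the target fetched the pixel through an
    anonymizing proxy, that is the proxy's address, which is exactly the
    situation in which a Web bug is no longer enough.
    """
    parts = urlparse(path).path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "bug" or not parts[1].endswith(".gif"):
        return None
    token = parts[1][: -len(".gif")]
    xff = headers.get("X-Forwarded-For")
    hit = {
        "time": (now or datetime.datetime.now(datetime.timezone.utc)).isoformat(),
        "token": token,
        "remote_addr": remote_addr,           # trustworthy: it is the TCP peer
        "x_forwarded_for": xff,               # client-supplied, not trustworthy
        "user_agent": headers.get("User-Agent"),
        # Presence of XFF only hints that some proxy was in the path.
        "via_proxy_hint": xff is not None,
    }
    HITS.append(hit)
    return hit


class BugHandler(BaseHTTPRequestHandler):
    """Serve the pixel and log the hit; any other path gets a 404."""

    def do_GET(self):
        hit = record_hit(self.client_address[0], self.path, self.headers)
        if hit is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")  # force a fresh fetch each time
        self.end_headers()
        self.wfile.write(PIXEL)
        print(hit)

    def log_message(self, *args):
        pass  # keep the default access log quiet; HITS is the record


if __name__ == "__main__":
    # Example: python ipav.py, then fetch http://127.0.0.1:8080/bug/abc123.gif
    HTTPServer(("127.0.0.1", 8080), BugHandler).serve_forever()
```

Embedding a distinct token per recipient is what turns a generic pixel into a "verifier": the hit can be attributed to the one message that carried that URL. The defensive reading is the mirror image: a client that never auto-loads remote images, or that fetches everything through a proxy or Tor, gives the server only the exit's address, which is why the documents describe moving from a Web bug to software that runs on the target's machine.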

The bureau then appears to have shifted to actual software: first a program once known as Magic Lantern (possibly a Trojan horse), and then CIPAV.

One example of CIPAV's use came in a March 2006 request to the FBI's Cryptologic and Electronic Analysis Unit. It said a victim's Hotmail account is controlled by a suspect who "is extorting the victim because the account had personal info in it. Subject wants victim to set up an e-gold.com account and transfer $10,000 there and then email the userid/pwd to the subject."

Another was an August 2005 request saying a hacker deleted a company's database and "is extorting the victim company for payment to restore it."

If antivirus software could detect CIPAV before it was installed, a criminal suspect might be able to avoid having his Internet address divulged to the police. A 2007 CNET News survey of the major antispyware vendors found that not one company acknowledged cooperating unofficially with government agencies.

Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan.
by Michichael April 17, 2009 12:50 PM PDT
The FBI hacking people's computers? Isn't that technically a violation of the computer trespassing la... oh wait. They are the law. Thank god crap like that only works against skiddies and your average non tech-savvy user. Everyone else sandboxes, uses encryption, can recognize something like that, etc. By Everyone else I mean real InfoSec people.
Reply to this comment
by n3td3v April 17, 2009 1:00 PM PDT
"One suspect used Microsoft's Hotmail to send bomb and anthrax threats to an undercover government investigator."

Something doesn't sound right here.
Reply to this comment
by Lerianis3 April 18, 2009 9:30 AM PDT
Yeah, the problem is: 1. How did he get the undercover (key word there) officer's e-mail address? and 2. Big deal. Hotmail is used a LOT by people who want to be partially anonymous.
by Pete Bardo April 17, 2009 1:29 PM PDT
Sounds like a phishing scam to me. They send a link in an IM to the suspect and hope he (she) clicks on it.

Let that be a lesson for us all. Don't ever click on links in your email or IM. There's no telling where they've been.
Reply to this comment
by shootthecops April 17, 2009 1:34 PM PDT
the title of this article should have read "FBI spyware used to nab hackers, extortionists and spy on everyone else they infect"

the fact is the majority of people the FBI spied on WON'T be the bad guys

1984, police state, etc
Reply to this comment
by Lerianis3 April 18, 2009 9:38 AM PDT
Frankly, child molesters don't qualify in my idea of a 'bad guy' considering that, from my own experiences as a child and talking with children who were 'molested'....... most of the 'molesters' who would better be called pedosexuals ask for the child's permission to touch them in a sexual manner and stop when they ask them to stop.
People e-mailing bomb threats? Yeah, they need to be caught.
Hitmen? Same thing, no matter who their target is (though their business would disappear if we made drug 'dealing' legal).
Extortionists? Hell yes!
by shootfirst April 17, 2009 1:39 PM PDT
So let me get this straight, even the government uses spyware. That's funny stuff. No wonder we can't get rid of the crap. Yet another reason not to use Windows and go open source so you can see exactly what you are using. I guess this is another reason to bot out computers so you can protect yourself from the prying eyes of the law. Guess those of us that are smart enough will start spoofing MAC addresses and using other means to conduct our business.
Reply to this comment
by monkeyfun14 April 17, 2009 1:52 PM PDT
Who says it doesn't affect Macs?

Macs are protected from VIRUSES not spyware.

And something just verifying IP addresses doesn't need really any permissions and can slip on a Mac unnoticed.

And I'm sure with a little conference with Apple and a hundred or so million dollars Apple would be more than willing to make sure this type of program is not detected ;)
by Dalkorian April 17, 2009 4:49 PM PDT
ROFL!

Should anyone bother to try to teach the monkey the difference between a Mac and a MAC?

ROFLMAO!!
by monkeyfun14 April 17, 2009 7:15 PM PDT
Macs are not inherently immune to viruses; if a virus is written for Mac it can be run. Nothing is immune..
by unknown unknown April 18, 2009 9:41 AM PDT
@ monkeyfun14 MAC stands for Media Access Control. It's a quasi-unique identifier assigned to most network hardware (network interface cards and routers etc).
by monkeyfun14 April 18, 2009 10:00 AM PDT
@unknown

I said Mac not MAC
by d4nowar April 18, 2009 11:33 AM PDT
@monkey

So why'd you bring up Macs? The OP didn't mention them.
by TimOT77 April 17, 2009 1:59 PM PDT
I am not sure I really needed to know this? Does CNET really feel the public is better served by disseminating this? I don't think our country is any safer by discussing what our FBI does in order to ensure that we can go about our daily routine and then take it for granted that we are safer because of them.

I realize by reading some of the diatribe from those who are cynical about anything from our government, and this seems to be the majority of those here, but the 'right to know' comes with a price to pay. I just hope people are not so naive that they are not aware of this.

CNET, thanks but no thanks. Not the kind of news worthy article I wish to read.

Tim
Reply to this comment
by biffhenerson April 17, 2009 2:21 PM PDT
Typically the government makes public only what is already obsolete. My guess is that they have moved on and are using some other technique, thus they are able to disclose the old technique. On the other hand, I agree that the media exposes, teaches, and demonstrates a lot of "perfect crime" techniques that the dumb ass criminals would have never thought of without seeing it in the media.
by jemiller0 April 17, 2009 3:47 PM PDT
One should assume that the government has access to everything on their hard drive. Does anyone remember the NSAKey that someone found in Windows? Microsoft came up with some other excuse and said that it had nothing to do with the NSA. Yeah, sure, we believe you. I don't believe any of the browser vendors are serious about creating a secure product. If they were, they would implement it in a language that doesn't allow buffer overflows. I'm betting the government found an exploit, but, instead of reporting it and having it fixed, they let it sit there and exploit it themselves. Another thing they can do is turn on the mic on your cell phone and use it as a bug. And evidently they can do it without a warrant these days.
by Lerianis3 April 18, 2009 9:32 AM PDT
What computer language DOESN'T allow buffer overflows? Answer: NONE! So shut up, please! You are making yourself look stupid there.

Every single programming language I can think of allows buffer overflows, and has methods to 'catch' those so that they do not run arbitrary code anymore. Now, back in the 1998 era.... yeah, buffer overflows were a real danger. Now? Not really.
by Altotus May 8, 2009 3:08 PM PDT
Then go away Timot77 you don't have to be a citizen and take responsibility for your government you can be a drone.
by Viio April 17, 2009 2:16 PM PDT
I do not think people are naive to think this does not occur, but because it does occur does not mean the public should be accepting of it. Basically what this piece points out is that the FBI uses the very things they are supposed to protect against to catch criminals - trojan horses, spyware, phishing scams, viruses. I am all for the FBI having the tools to do their job, but I am against them putting spyware or a virus on my computer. Not because I have anything to hide, but because it is MY computer and I should not suffer performance issues because of a legal virus.

We all know the government is listening, they at least can respect me enough to lie about it.
Reply to this comment
by BtmnHatesRbn April 17, 2009 2:37 PM PDT
Use a Mac or Linux. FBI can't get into those OSs, nor can hackers. If you say otherwise, you're an idiot who drinks Micro$oft Kool-Aid.
Reply to this comment
by monkeyfun14 April 17, 2009 2:44 PM PDT
I think you're drinking too much Kool-Aid if you honestly believe those OSs can't be hacked.

Wait, how long did it take for that Mac to get hacked into? Was it 10 seconds?
by Dalkorian April 17, 2009 4:55 PM PDT
Mac and Linux are SAFER, not impenetrable. NOTHING made by mankind will ever be perfect by definition, ignoring that reality is either crazy or stupid.

I'd remind the monkey here that Mr. Miller worked on and kept secret that vulnerability for nearly a year before the contest and it was the browser that was exploited, but I don't want to wear the feces he's flinging around. That stuff stinks big time.
by pithenumber April 17, 2009 5:22 PM PDT
the FBI and hackers can get into Mac OS and Linux easily
nothing is impenetrable
by monkeyfun14 April 17, 2009 7:16 PM PDT
@dalkorian

You really think the US is not capable of taking out a Mac?
by monkeyfun14 April 17, 2009 7:20 PM PDT
@dalkorian

You really think the US is not capable of taking out a Mac?

And it doesn't matter how long the person knew of the exploit it still existed.
by oldmanangry April 17, 2009 2:49 PM PDT
I find this story to lack any actual useful reporting. OK, you got the FOIA docs. But where does this story serve the greater good?

Where are the ethics experts to talk about the risk of the government doing these things? What about the experts who defend what the government has to do? Do they need a court order? Can this just be done at a drop of the hat?

This is not a story. This is not reporting.

This is a web blurb saying: "Look we got our FOIA documents back!"

If this story had actually some reason to exist, some hint of abuse by the government, I would buy it. Otherwise, all it is does is tip "the bad guys" on how the Bureau is getting people.

I used to count on News.com for news and analysis. I really don't know what it is anymore. If I wanted to get raw information without a filter or something to make me think, I'd just go read through the millions of documents generated yearly by the government.
Reply to this comment
by Lerianis3 April 18, 2009 9:34 AM PDT
Actually, this does serve a 'greater good' by allowing us to know what the hell the government is up to. The fact is that our government has to be HONEST about what it is doing, and really those 'national security concerns'... only apply when you are talking about foreign terrorists or foreign countries!

Anything else, even if it is applying to a current criminal investigation..... should be made public, so that we know what our 'law enforcement' are doing and can make sure that they are not spying on people illegitimately.
by desertcities April 17, 2009 4:20 PM PDT
On one hand it's good to know our country knows how to find and apprehend the bad guys. But does anyone else have concern over how easy it really is to slip a spyware program into a system or client machine?

Just imagine you're an ISP and the government asks, "Hey, we want you to send to one of your customers this phony looking Windows XP security update, or else." Comply, comply, comply.

Regardless how many anti-virus and anti-spyware companies you asked if they have 'unofficially' been involved in helping the government, who in their right-mind would say "Yeah, I helped them!" It's similar when a company's network has been breached and data compromised. Nobody is going to shout out it happened to them.

The stories should work upon all of us in two ways. We need to stop and catch the real bad guys and at the same time we need to all become more 'protection-savvy' and have a good physical firewall; a good software firewall, a good anti-virus and anti-spyware program and be informed on how to be safe out there on the internet highway.

Time to start using my Linux system.
Reply to this comment
by pithenumber April 17, 2009 5:26 PM PDT
hate to break it to you Linux is prolly susceptible
the govt might decide to spend more time making Linux spy ware since Linux is quite popular with hackers
by fletchb April 18, 2009 12:34 AM PDT
Out of the box yes, but firewalled and with many unnecessary services disabled, not so sure.

But reading the article, these folks were nasty and needed to be caught. I am glad to see they are finally starting to take out some of these slimeballs
by pithenumber April 17, 2009 5:24 PM PDT
nineteen eighty four
Reply to this comment
by anhtney April 17, 2009 6:02 PM PDT
you never know... the FBI could use these against all people doing illegal things on the internet.... *eg. pirate*
Reply to this comment
by weeblnbob April 17, 2009 7:57 PM PDT
Be very careful what you put on the internet, especially IM and email. It will all be backed up somewhere by someone for some reason or no reason. IOW, it's going to be around a lot longer than you will. The Man will only need to search through the digital trash in data centers to find anything on anyone. Behave yourself dear reader, EVERYONE is watching.
Reply to this comment
by bobwatts April 18, 2009 1:19 AM PDT
I completely agree with TimOT77 (April 17, 2009 1:59 PM PDT) and partially with desertcities (April 17, 2009 4:20 PM PDT). What purpose does this type of story serve except to try and generate more advertising dollars (greed) for CNET.

For every freedom that we enjoy there is a price to be paid. Weigh it out in your own mind - protecting the 99% of the computer user population that are not as computer savvy as you or letting the 1% (thieves and malcontents) rape everyone else because of some fear that someone is looking over your shoulder.

I pay a price to be financially protected from the drunken uninsured motorist who crashes into my vehicle. I will do the same to be protected from the 1% mentioned above.

This type of story has no place in real journalism and is without any redeeming quality. The value of usefulness in CNET stories just hit a new low and I hope the editors of these articles will raise their journalistic standards significantly.
Reply to this comment
by Altotus May 8, 2009 3:14 PM PDT
The only redeeming quality of journalism is its duty as a free press to host a discussion of the citizens about the government. It is the responsibility of a citizen to be informed, not stupid and unable to comment on issues due to ignorance of the issues. Your un-American attitude sounds like ignorance. Did you graduate from high school? Ever take a civics class?
by Altotus May 8, 2009 3:39 PM PDT
As far as this goes, Linux SE is distributed by the NSA so that a level of security is possible; it's basically a Linux system that is tweaked. Do you think the NSA would distribute a system it could not hack itself? Is there no true security? I would say safe is a relative term; there is no substitute for vigilance. If the feds can, anyone can, and this is relevant. As far as tipping off cyber-criminals goes, there is no true place to hide if the stakes are high enough. The sad truth is just that no one cares about your ID, your bank account, your anything, but you and the jokers who are taking you for a ride. You are not Mr Murdock and it's not your X-Men movie that got released; $100,000,000 are not at stake. This is exactly the type of article that makes journalism relevant in a citizens' discussion. The citizens of this country have a duty to perform.
Reply to this comment