Version: 2008
Comments on: FBI remotely installs spyware to trace bomb threat

In what appears to be the first case of its kind, federal agents sent spyware called "CIPAV" to the owner of a MySpace account tied to e-mail bomb threats against a high school.

Maybe just image request tracking instead
by hammc July 18, 2007 6:05 AM PDT
Is it possible that the FBI used an image to be implanted as a 1x1 pixel with a clear background? Just waited for the person to open it, and once it reported back a request for said GIF they had the person's computer identified. Maybe sending multiple emails or messages, possibly sending from friends or family to a known address...
Pretty clever but easily discovered.

It is going to get harder and harder to really use a traditional EXE virus program like once known. Not to mention a person can track all their programs and checksum their drive if they are clever enough. This is in addition to their virus protection. This guy was using a proxy of some type possibly, so this isn't your average criminal. He had done other crimes (according to the story) and just got too brazen.

I wonder what liability Myspace or other providers have if whatever method is used causes issues???
Exactly what I was thinking...
by SeizeCTRL July 18, 2007 6:47 AM PDT
I had a so-so friend who had fled the area while on probation, and knew he was going to go back to jail for lack of payment on child support. I got along pretty well with his wife, so she asked me if there was any way to find out where he might be... so all I did was upload a specific image to my FTP, then send him a MySpace email with that image link in it, and when he opened the email, his IP popped up in my access logs. After that it was simple to narrow down where he was hiding.

You would think the FBI with all their resources could do this same thing without the need for spyware. How hard can it be?
not image tracking
by declan00 July 18, 2007 9:50 AM PDT
You might want to actually RTFA before posting.

A 1x1 pixel GIF isn't going to be able to report back to the FBI the IP address, MAC address, open communications ports, list of running programs, OS type and serial number, Internet browser and version, language encoding, registered computer name, registered company name, current logged-in user name, URL connected to, and a list of IP addresses subsequently visited.

It's on page 6 of the first PDF as well.
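The defender's side of the image-request tracking hammc and SeizeCTRL describe, added here as an example and not code from the article or from any commenter: it scans an HTML message for <img> tags that would fetch from a host the reader does not trust and flags 1x1 images as probable beacons. The sample message, the host `example-social.test` and the address 203.0.113.10 are constructed; only <img> tags are inspected, not CSS or other remote references.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one inline data: image, one image served by the
# site itself, and one 1x1 remote image whose fetch would leak the reader's IP.
SAMPLE_HTML = """
<p>Hey, check this out</p>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
<img src="https://example-social.test/logo.png" width="120" height="40">
<img src="http://203.0.113.10/pic.gif" width="1" height="1">
"""

class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src would be fetched from a host we do not trust."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        url = urlparse(src)
        # data: URIs and relative paths cause no request to a third party
        if url.scheme not in ("http", "https") or not url.hostname:
            return
        host = url.hostname.lower()
        if host in self.trusted:
            return
        # A 1x1 (or 0x0) image carries no content; its only purpose is the request
        tiny = (a.get("width", "").strip() in ("0", "1")
                and a.get("height", "").strip() in ("0", "1"))
        self.hits.append({"src": src, "host": host, "beacon": tiny})

def find_remote_images(html, trusted_hosts=()):
    """Return untrusted remote images in an HTML message, flagging 1x1 beacons."""
    finder = RemoteImageFinder(trusted_hosts)
    finder.feed(html)
    return finder.hits

if __name__ == "__main__":
    for hit in find_remote_images(SAMPLE_HTML, trusted_hosts=["example-social.test"]):
        kind = "probable beacon" if hit["beacon"] else "remote image"
        print(f"{kind}: {hit['src']} -> loading it shows your IP and browser to {hit['host']}")
```

A mail or web client that blocks such remote fetches until the reader opts in defeats this kind of tracking entirely, which is why a bare image request reveals only the requester's IP and browser details and none of the machine-level data declan00 lists below.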
Image Requests would point to the proxy
by real_bgiel July 18, 2007 10:33 AM PDT
This guy was going through a compromised computer. The actual IP of the requesting agent would still be hidden... no? Maybe it would show up on the compromised machine. But that would probably be inaccessible to local law enforcement.
Bet it doesn't work on Windows Vista
by richto July 18, 2007 7:52 AM PDT
I bet the FEDS have a real headache now that Windows Vista is rolling out. Users no longer run with the Administrator rights necessary to install software without a very clear warning message being displayed. Must make it much harder for the FEDS to compromise such systems.
I bet it does
by qwerty75 July 18, 2007 10:26 AM PDT
If you think Vista is secure then I guess you will believe anything.

The "are you sure you want to do this" message (they need to have this popup during install) is quite often shut off because people get sick of it.

It is still possible to install software with a user account.

If you think you are any safer in Vista than in XP, well, there isn't much to say about such stupidity.
What if he was using a Mac? Or Linux?
by NCNSolutions July 18, 2007 8:35 AM PDT
Wouldn't that block CIPAV as well? If they were able to track down the compromised computer, then I'm sure the FBI could load CIPAV onto that machine, and then track all the IP addresses accessing that box. Then it's just a matter of weeding through the logs. Once they have the IPs they'll know the regions, and it sounds like this kid was in the same town as the school, so zero in on the region, zero in on the ISP, and use that court order to force the ISP to turn over his account info.
Was the computer running MS-Windows?
by The_Nirvana July 18, 2007 11:29 AM PDT
Or could CIPAV be something written in assembly-level code, thus making it OS-independent? Just a thought....
Assembly would not make it OS independent.
by ralfthedog July 18, 2007 12:16 PM PDT
Linux uses different handles to access hardware. It allocates memory differently. If you wanted to make it OS-independent you would have better luck with Java (I don't know if Java would work, but it would be closer).

My guess is that you would use an image to get the IP address of the target, then have an application running server side punch a hole through the router. If I had my guess, Magic Lantern is a server side application. Think of something on the lines of Steve Gibson's "Shields up".

Before anyone asks, yes, you could do this if the person was running a proxy server, but it would be a bit harder. The tricky part would be getting past the firewalls that the ISP uses.
Re: Was the computer running MS-Windows?
by imacpwr July 18, 2007 12:17 PM PDT
Quote from article: "Another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed."

I've never heard of an OS called Linux-Windows, Unix-Windows or Mac-Windows, so I'm going to go out on a limb and say I believe YES.. the article refers to MS-Windows..

(next time READ the article)
If I were a security tech...
by mattumanu July 18, 2007 4:33 PM PDT
I'd demand to know how they did it. There's a possibility that the CIPAV uses some unknown vulnerabilities in current operating systems, and if so these vulnerabilities need to be addressed and patched immediately. If the FBI refused to do so, I would attempt to get a court order to force them to reveal the process.

If, to solve one case, the security of millions of internet users is put at risk, then this is unconscionable. There is no difference between this and the actions of a hacker breaking into any given computer system, and in fact, should a hacker gain access to the information deemed "classified" by the FBI, they could exploit it to do any amount of damage they wanted to. A reverse-engineered CIPAV in the hands of hackers or terrorists could be lethal.
If I were a security tech...
by The_Nirvana July 18, 2007 4:50 PM PDT
I wouldn't care how they did it. They have just exploited another (unknown) Windows vulnerability. There are at least half a dozen of them discovered every week.
How about the face recognition program?
by nielling July 21, 2007 7:50 AM PDT
Multiply.com has recently announced that a new upgrade to their sites will be a face recognition program...in case you see photos of people and think you might know them and want to have information on them. Fear! Now why would I put an alias and codes and all kinds of security on logging into a site and then want someone to know who I am or my child is and where we live and so on? Once the person's identity is released, one can go Google and there it is. What if I did not want aunt soso to know that I had been at her divorced husband's party? Do I paranoid the FBI in this type of activity? What if I thought I saw one of the suspects online at an unusual angle...I report it and force an investigation of someone who was just enjoying a web site?
The predators have one advantage, avatar icons...
Another question...if someone ads that a site is for families...should they be required to make it safe for children...or are children no longer a part of family?