November 21, 2001 12:40 PM PST
FBI snoop tool old hat for hackers
On Tuesday, MSNBC reported that the FBI was working on a computer "virus" to install key-logging programs and other surveillance software onto a suspect's computer.
Yet if the details of the report are correct, the technique doesn't use a virus, but a Trojan horse, a program that acts without the person's knowledge.
"The technology has been around a bit," said Vincent Gullotto, director of Network Associates' antivirus emergency response team. "It seems like the FBI is just trying to see if they can come up with different options and ways that electronic surveillance can be done."
Calling the technology "Magic Lantern," the report stated that the intent of such software would be to remotely install a system that logs all keystrokes sent to a PC to obtain data and passwords.
The idea is old hat, said Fred Cohen, a security practitioner in residence for the University of New Haven. "It's not a very clever or novel thing," he said.
FBI representatives could not be reached for comment.
Cohen has taught law enforcement and industry security professionals many ways of collecting digital evidence. When such evidence is encrypted, the officer needs to work around the crypto system, not try to break the keys with computational muscle, he said.
"You want to go after the keystrokes," he said. By capturing the keys typed by a person, then law enforcement can learn the password used to unlock encrypted documents. If they tried to use computational firepower instead, cracking the code could theoretically take years, if not centuries.
For that reason, Cohen suggests that hacking tools be used. "In my class, I teach how they could use a Trojan horse to go after the keystrokes," he said.
Several hacking tools, the two most popular being Back Orifice and SubSeven, allow full control over a remote PC infected by the program, including keystroke logging and even recording a conversation if a microphone is connected to the PC. Both programs have been incorporated into Trojan horses and are several years old.
In fact, the FBI has already used similar, if more limited, surveillance software in at least one high-profile case to obtain a secret code to unlock encrypted files on the computer of Nicodemo S. Scarfo, a suspected mobster in the Gambino crime family.
In details unveiled by an affidavit in the case, the FBI installed a key-logging system on Scarfo's computer during a search of his office.
U.S. Rep. Richard Armey, a Texas Republican, sees such techniques--and their remote installation--as a better deal for citizens than Carnivore, the FBI's controversial e-mail surveillance system.
"The way we look at it, this may be better than other available tools," said Armey spokesman Richard Diamond. Where the Carnivore system--renamed the DCS 1000--has access to an entire data stream and could potentially spy any traffic on that network, the so-called "Magic Lantern" technology would only be installed on a single PC.
"If Magic Lantern is as described, then it is a rifle-shot attack on a suspect," Diamond said, compared with Carnivore's shotgun blast.
One danger is that evidence-gathering tools such as Magic Lantern are not well defined in law. The technique could lead to unsupervised surveillance by law enforcement, because it's unclear whether any laws requiring oversight apply to the situation, said David Sobel, general counsel for the Electronic Privacy Information Center, a Washington D.C., policy think tank.
"This is more problematic than a traditional wiretap, because suddenly you are removing the communications provider from the equation," Sobel said. A wiretap order has to be presented to the phone company to connect to their network and snoop an individual's line. Even the Carnivore system requires the help of the Internet service provider to install it.
While Armey successfully added an amendment to the USA Patriot Act--a far-reaching package of surveillance laws passed last month--to provide oversight of the use of Carnivore by the FBI, it would not apply to Magic Lantern, Sobel warned.
"We don't know what this is capable of and whether it is being used properly," he said. "There may be no way to stop this from being installed on a computer."
1 commentJoin the conversation! Add your comment