FBI's Secret Spyware Tracks Down Your Movements; But how?

Posted: Wed Jul 18, 2007 3:46 pm
by *jr
Source: Wired

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

http://www.wired.com/politics/law/news/ ... bi_spyw...

--------------------------------------------------

FBI Spyware: How Does the CIPAV Work? -- UPDATE

Following up on my story on the FBI's computer-monitoring malware, the most interesting question unanswered in the FBI affidavit is how the bureau gets its "Computer and Internet Protocol Address Verifier" onto a target PC.

In the Josh Glazebrook case, the FBI sent its program specifically to Glazebrook's then-anonymous MySpace profile, Timberlinebombinfo. The attack is described this way:

The CIPAV will be deployed through an electronic messaging program from an account controlled by the FBI. The computers sending and receiving the CIPAV data will be machines controlled by the FBI. The electronic message deploying the CIPAV will only be directed to the administrator(s) of the "Timberinebombinfo" account.

It's possible that the FBI used social engineering to trick Glazebrook into downloading and executing the malicious code by hand -- but given the teen's hacker proclivities, it seems unlikely he'd fall for a ruse like that. More likely the FBI used a software vulnerability, either a published one that Glazebrook hadn't patched against, or one that only the FBI knows.

MySpace has an internal instant messaging system, and a web-based stored messaging system. (Contrary to one report, MySpace doesn't offer e-mail, so we can rule out an executable attachment.) Since there's no evidence the CIPAV was crafted specifically to target MySpace, my money is on a browser or plug-in hole, activated through the web-based stored messaging system, which allows one MySpace user to send a message to another's inbox. The message can include HTML and embedded image tags.

http://blog.wired.com/27bstroke6/2007/0 ... ware-ho...
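The delivery vector the Wired post speculates about is a stored web message that carries HTML and embedded image tags, so that merely opening the inbox hands a browser or plug-in something to render. The defensive counterpart on the messaging system's side is an allow-list sanitizer: keep plain formatting, drop every element that fetches remote content or executes code, and keep an audit record of what was removed so abuse can be spotted. The code below is an added example written for this page; it is not from Wired, the FBI affidavit, or MySpace, and the tag lists and the message text are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Plain formatting a user-to-user messaging system still wants to allow (assumed policy).
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "br", "a", "ul", "ol", "li", "blockquote"}
# Elements whose inner content is discarded along with the element itself.
DROP_BODY = {"script", "style", "object", "iframe", "applet"}
# Attributes that carry URLs; only these schemes may survive in them.
URL_ATTRS = {"href", "src", "action"}
SAFE_SCHEMES = {"http", "https", ""}


class MessageSanitizer(HTMLParser):
    """Allow-list HTML filter for stored messages (hypothetical helper, not a MySpace API)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.stripped = []   # (what, detail) audit records for logging or alerting
        self._drop = 0       # > 0 while inside a DROP_BODY element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            # Record it, then swallow everything until the matching end tag.
            self.stripped.append((tag, dict(attrs)))
            self._drop += 1
            return
        if self._drop:
            return
        if tag not in ALLOWED_TAGS:
            # img, embed, link, meta, form, etc. all land here: not allow-listed, so gone.
            self.stripped.append((tag, dict(attrs)))
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                # Inline event handlers (onclick, onerror, ...) are never allowed.
                self.stripped.append((f"{tag}@{name}", value))
            elif name in URL_ATTRS and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                # javascript:, data:, vbscript: and similar schemes are removed.
                self.stripped.append((f"{tag}@{name}", value))
            else:
                kept.append((name, value))
        rendered = "".join(f' {n}="{html.escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_BODY:
            self._drop = max(0, self._drop - 1)
            return
        if self._drop or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop:
            # Re-escape text so nothing smuggled through character references is re-parsed as markup.
            self.out.append(html.escape(data))


def sanitize_message(raw_html):
    """Return (sanitized_html, audit_records) for one stored message body."""
    parser = MessageSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.stripped


if __name__ == "__main__":
    # Constructed sample message: formatting, a remote image, a script and a hostile link.
    sample = ('<p>Hi</p><img src="http://example.invalid/t.gif"><script>track()</script>'
              '<a href="javascript:alert(1)" onclick="go()">link</a>')
    clean, audit = sanitize_message(sample)
    print(clean)
    for record in audit:
        print("stripped:", record)
```

The `stripped` list is the part a security team cares about: a sender whose messages keep losing `img` elements pointing at a single external host, or `script` bodies, is exactly the pattern worth alerting on, regardless of whether the payload is a browser exploit or ordinary tracking. Note that this sanitizer handles the HTML layer only; it says nothing about whether the rendering browser or its plug-ins are patched, which the post identifies as the other half of the problem.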