Yet another note on our loss of privacy

[roc]

U.S. Data Mining Goes Beyond Terrorist Hunt
The FBI identifies possible fraud through techniques approved for terrorist investigations, the DOJ reports.
Jaikumar Vijayan, Computerworld
Saturday, July 14, 2007 05:00 PM PDT

The FBI is using data mining programs to track everyone from potential terrorists to individuals who file fraudulent automobile insurance claims, according to a U.S. Department of Justice report filed with Congress this week.

The DOJ report, which is required under the Patriot Improvement and Reauthorization Act of 2005, details six pattern-based data mining initiatives currently under way or planned by the department and its components. "Each of these initiatives is extremely valuable for investigators, allowing them to analyze and process lawfully acquired information more effectively in order to detect potential criminal activity and focus resources appropriately," a DOJ spokesman said in an e-mailed statement.

In a statement, Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, said the report was four months late and raised more questions than it answered. The report "demonstrates just how dramatically the Bush administration has expanded the use of [data mining] technology, often in secret, to collect and sift through Americans' most sensitive personal information," he said.

At the same time, the report provides an "important and all-too-rare ray of sunshine on the department's data mining activities," Leahy said. It would give Congress a way to conduct "meaningful oversight" he said. "I look forward to thoroughly examining the findings in this report with the attorney general and the FBI director in the coming weeks."

Among the six FBI pattern-based data mining initiatives listed in the DOJ report are:

-- A soon-to-be-launched program called the System to Assess Risk initiative designed to help FBI analysts focus in on individuals who may merit further scrutiny from a terrorist standpoint. According to the DOJ, the initiative will not "label anyone a terrorist." Rather, it is designed to help the FBI save time by focusing on those who have already been identified as persons of interest.

-- An identity theft intelligence project that examines customer complaints relating to identity theft to look for patterns suggesting major ID theft rings in a given area. The data mining effort has been used to identify trends and generate leads for the FBI since 2003.

-- An initiative dating back to 1999 under which the FBI has been examining public records on real estate transactions to identify potentially fraudulent housing transactions.

Of the three other data mining programs, one is aimed at identifying Internet pharmacy fraud, another at fraud involving automobile insurance and the third at health-care-related fraud.

In all instances, adequate care has been taken to ensure that the right privacy and civil liberties protections are in place, the DOJ statement said.

"Each initiative is designed to supplement, not replace, traditional investigative methods. No action is taken based solely on the analytic products produced by these data mining initiatives," the DOJ said. As such, they are governed by a slew of laws such as the Privacy Act of 1974 and the Federal Information Security Management Act of 2007.

The results generated by such data mining programs are used only as "pointers" or "leads" that are evaluated by investigators to determine if there's a need for further action. "More-intrusive law enforcement techniques are still subject to independent legal requirements," the DOJ spokesman said.

[CoyoteMesc]

So do you need to be convicted or suspected of fraud before the Gov. can use this software on you? Or do they just use it at random on anyone?

[Nabby]

Sounds like they can use it on anyone they please to find out who to look for, but it's not enough to give them the legal right to do anything to that person until they gather more evidence in conventional ways.

[bb4]

it's kind of like when the feds get you on conspiracy, but don't disclose with whom or what about...

[roc]

I think this sucks the big one... if I wanted the government to control me I'd move to somewhere like North Korea.

[oibchip]

Quote:

Originally Posted by CoyoteMesc

So do you need to be convicted or suspected of fraud before the Gov. can use this software on you? Or do they just use it at random on anyone?

I think it is "everyone" not just anyone. Thats the scary part to me.

[crazy1]

What we all believe to be Freedom, is a faint and receasing dream our forefathers had here. This is a world gone astray.
We all do what we do and whats wrong with that?

[apokalypse]

You read slashdot too eh roc?

[PsychoDrogue]

Quote:

Originally Posted by CoyoteMesc

So do you need to be convicted or suspected of fraud before the Gov. can use this software on you? Or do they just use it at random on anyone?

id imagine the software scans a database for irregularities, and if your one out of the limits it flags you. with the numbers involved nowadays it would be a huge strike of luck for them to pick a random person and expect to find anything.

[roc]

Sucks doesn't it?

[roc]

FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threat
Kevin Poulsen Email 07.18.07 | 2:00 AM

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

FBI Spyware in a Nutshell

The full capabilities of the FBI's "computer and internet protocol address verifier" are closely guarded secrets, but here's some of the data the malware collects from a computer immediately after infiltrating it, according to a bureau affidavit acquired by Wired News.

• IP address
• MAC address of ethernet cards
• A list of open TCP and UDP ports
• A list of running programs
• The operating system type, version and serial number
• The default internet browser and version
• The registered user of the operating system, and registered company name, if any
• The current logged-in user name
• The last visited URL

Once that data is gathered, the CIPAV begins secretly monitoring the computer's internet use, logging every IP address to which the machine connects.

All that information is sent over the internet to an FBI computer in Virginia, likely located at the FBI's technical laboratory in Quantico.

Sanders wrote that the spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

The CIPAV then settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet.

According to the affidavit, the CIPAV sends all the data it collects to a central FBI server located somewhere in eastern Virginia. The server's precise location wasn't specified, but previous FBI internet surveillance technology -- notably its Carnivore packet-sniffing hardware -- was developed and run out of the bureau's technology laboratory at the FBI Academy in Quantico, Virginia.

The FBI's national office referred an inquiry about the CIPAV to a spokeswoman for the FBI Laboratory in Quantico, who declined to comment on the technology.

The FBI has been known to use PC-spying technology since at least 1999, when a court ruled the bureau could break into reputed mobster Nicodemo Scarfo's office to plant a covert keystroke logger on his computer. But it wasn't until 2001 that the FBI's plans to use hacker-style computer-intrusion techniques emerged in a report by MSNBC.com. The report described an FBI program called "Magic Lantern" that uses deceptive e-mail attachments and operating-system vulnerabilities to infiltrate a target system. The FBI later confirmed the program, and called it a "workbench project" that had not been deployed.

No cases have been publicly linked to such a capability until now, says David Sobel, a Washington, D.C., attorney with the Electronic Frontier Foundation. "It might just be that the defense lawyers are not sufficiently sophisticated to have their ears perk up when this methodology is revealed in a prosecution," says Sobel. "I think it's safe to say the use of such a technique raises novel and unresolved legal issues."

The June affidavit doesn't reveal whether the CIPAV can be configured to monitor keystrokes, or to allow the FBI real-time access to the computer's hard drive, like typical Trojan malware used by computer criminals. It notes that the "commands, processes, capabilities and ... configuration" of the CIPAV is "classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique."

The document is also silent as to how the spyware infiltrates the target's computer. In the Washington case, the FBI delivered the program through MySpace's messaging system, which allows HTML and embedded images. The FBI might have simply tricked the suspect into downloading and opening an executable file, says Roger Thompson, CTO of security vendor Exploit Prevention Labs. But the bureau could also have exploited one of the legion of web browser vulnerabilities discovered by computer-security researchers and cybercrooks -- or even used one of its own.

"It's quite possible the FBI knows about vulnerabilities that have not been disclosed to the rest of the world," says Thompson. "If they had discovered one, they would not have disclosed it, and that would be a great way to get stuff on people's computer. Then I guess they can bug whoever they want."

The FBI's 2008 budget request hints at the bureau's efforts in the hacking arena, including $220,000 sought to "purchase highly specialized equipment and technical tools used for covert (and) overt search and seizure forensic operations.… This funding will allow the technology challenges (sic) including bypass, defeat or compromise of computer systems."

With the FBI in the business of hacking, security companies are in a tight place. Thompson's LinkScanner product, for example, scans web pages for security exploits, and warns the customer if one is found. How would his company respond if the FBI asked him to turn a blind eye to CIPAV? He says he's never fielded such a request. "That would put us in a very difficult position," Thompson says. "I don't know what I'd say."

The Washington case unfolded May 30, when a handwritten bomb threat prompted the evacuation of Timberline High School in Lacey, Washington. No bomb was found.

On June 4, a second bomb threat was e-mailed to the school from a Gmail account that had been newly created under the name of an innocent student. "I will be blowing up your school Monday, June 4, 2007," the message read. "There are 4 bombs planted throughout Timberline high school. One in the math hall, library hall, main office and one portable. The bombs will go off in 5 minute intervals at 9:15 AM."

In addition, the message promised, "The e-mail server of your district will be offline starting at 8:45 am."

The author made good on the latter threat, and a denial-of-service attack smacked the North Thurston Public Schools computer network, generating a relatively modest 1 million packets an hour. Responding to the bomb threat, school administrators ordered an evacuation of the high school, but, once again, no explosives were found.

That began a bizarre cat-and-mouse game between law enforcement and school officials and the ersatz cyberterrorist, who e-mailed a new hoax bomb threat every day for several days, each triggering a new evacuation. Each threat used the same pseudonym, but was sent from a different, newly created Gmail account to complicate tracing efforts.

On June 7, the hoaxer started issuing threats through other online mediums. In his most brazen move, he set up a MySpace profile called Timberlinebombinfo and sent friend requests to 33 classmates.

The whole time he was daring law enforcement officials to trace him. "The e-mail was sent over a newly made Gmail account, from overseas in a foreign country," he wrote in one message. "Seeing as you're too stupid to trace the e-mail back lets (sic) get serious," he taunted in another. "Maybe you should hire Bill Gates to tell you that it is coming from Italy. HAHAHA. Oh wait. I already told you that it's coming from Italy."

As promised, attempts to trace the hoaxer dead-ended at a hacked server in Grumello del Monte, Italy. The FBI's Seattle Division contacted the FBI legal attaché in Rome, who provided an official request to the Italian national police for assistance. But on June 12, perhaps fed up with the mocking, the FBI applied for and obtained a search warrant authorizing the bureau to send the CIPAV to the Timberlinebombinfo MySpace profile.

Court documents reveal the search warrant was "executed" June 13 at 5:49 p.m. Though the CIPAV provided a wealth of information, Glazebrook's IP address would have been enough to guide the FBI to the teen's front door.

John Sinclair, Glazebrook's attorney, says his client never intended to blow anything up -- "it was a prank from the get-go" -- but admits he hacked into computers in Italy to launder his activities, and that he launched the denial-of-service attack against the school district's network.

Glazebrook was sentenced Monday to 90 days in custody, and given credit for 32 days he's spent behind bars since his arrest. When he's released he'll be on two years' probation with internet and computer restrictions, and he's been expelled from high school. The teen is being held at the Thurston County Juvenile Detention Center, where he will serve out his sentence, says Sinclair.

Sinclair says he was told that the FBI had tracked down his client in response to a request from local police -- but that he didn't know exactly how the bureau did it. "The prosecutor made it clear that they wouldn't indicate how this device works or how they do it," says Sinclair. "For obvious reasons."

Larry Carr, a spokesman with the FBI's Seattle field office, couldn't confirm that the CIPAV is the same software previously known as Magic Lantern, but emphasized that the bureau's technological capabilities have grown since the 2001 report. The case shows that FBI scientists are equipped to handle internet threats, says Carr.

"It sends a message that, if you're going to try and do stuff like this online, that we have the ability to track individuals' movements online and bring the case to resolution."

[roc]

This really sucks!

[roc]

Quote:

Originally Posted by apokalypse

You read slashdot too eh roc?

Yea and Wired News as well...