Showing posts with label Malware. Show all posts

Monday, April 6, 2015

FBI Selling the Old/New Brand of Malware to the Public for the Sake of 'Security' as Policy Change

""The FBI’s bespoke surveillance malware—called Computer and IP Address Verifier (CIPAV)—is designed to track criminal suspects by logging their IP address, MAC address, computer programs running, operating system details, browser details, and other identifying computer information.

As far as spyware goes, it’s unusually circumscribed—unlike consumer keylogging and social media snooping surveillance tools, CIPAV isn’t able to spy on the entire computer at will, just a narrow list of identifiers. That means it’s a weirdly weak invader, but that’s a deliberate, built-in privacy protection, a way to keep the FBI’s spyware ostensibly legal.

Despite limitations, the FBI’s spyware capabilities are hugely powerful. As the Washington Post pointed out:

The most powerful FBI surveillance software can covertly download files, photographs and stored e-mails, or even gather real-time images by activating cameras connected to computers, say court documents and people familiar with this technology.
Yet there’s been zilch in the news about this government malware since 2013.

The FBI’s basement baby

The FBI keeps its malware deployment on the down low. The few official documents available that provide spyware details take care to reveal as little as possible.

“The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other ongoing investigations and/or future use of the technique,” an FBI agent’s affidavit reads.

So the FBI says it can’t explain exactly how CIPAV works because then the bad guys will figure it out and get away. If this argument sounds stale, it’s because it’s the same wobbly rationale the FBI uses to keep its heavy-handed cell phone tracking practices secret.

What we do know about CIPAV largely stems from court documents from one 2007 case. The FBI installed its malware on a teenaged bomb-threat suspect’s computer by tricking him into clicking on a phishing message on MySpace by impersonating Associated Press journalists. The FBI created a fake news article that contained malware about the bomb threats and sent it to the suspect in hopes that he’d click on it.
And the first and only semi-confirmed CIPAV attack discovered “in the wild,” before it was documented in a court case, happened in 2013, when researchers fingered the FBI as the source of a malware attack on Freedom Hosting, the anonymous hidden service notorious for hosting child porn. (The FBI later confirmed this.)

Another FBI spyware was used in 2013 to inject surveillance malware into a Colorado bomb threat suspect’s Yahoo email account. We know that the spyware allowed the FBI to see the webpages the suspect was visiting, which means it had a wider range of capabilities than CIPAV.

You may be wondering, who cares about the privacy of bomb threat suspects and pedophiles? It’s not exactly a sympathetic clan. The issue here isn’t that known pedophiles shouldn’t be tracked or that there’s a general problem with the FBI using warrants to narrowly track suspects of terrible crimes—that’s what it’s supposed to do! The issue is that the FBI’s current setup leaves too much room to violate the privacy of people who aren’t suspects, and too many unanswered questions about its powerful spy tools.

Take the Freedom Hosting case for instance. All of the sites that used the anonymous server, including many that had absolutely nothing to do with child porn, were hit with the FBI’s spyware. In the case of the Colorado bomb threat, the FBI screwed up and originally received a warrant to spy on the wrong email address thanks to a typo, meaning some random person whose only crime was accidentally choosing an email address similar to a wanted criminal had their computer vulnerable to intensive FBI spying. The FBI saw no reason to fess up to spying on innocent people in those cases.

And since the FBI can use spyware to go after “zombified” computers infected with botnets, it could end up putting spyware on peoples’ computers just because someone else had already infected them with malware. This is like the FBI searching your house without telling you because a criminal had already broken in earlier.

We want to know more

What little we know about the FBI’s history with spyware raises questions. For instance, there was internal confusion about how to deploy spyware that suggests that the FBI hasn’t been sure how much it intruded on privacy. While the agency now requires a warrant and a Pen/Trap order to use CIPAV, documents obtained by the Electronic Frontier Foundation show several FBI agents discussed deploying the spyware without warrants before finally asking for clarification in 2007.

Since we know the FBI has been using spyware since 2001, that’s six years before the FBI cemented its policy. How many other lingering privacy questions are still being debated about legal spyware use internally? And shouldn’t Congress and the general public be able to participate in these privacy debates? Shouldn’t people have the right to know if their computer has been accidentally snooped on, or if they’ve acquired government-issued spyware as collateral damage?""

Friday, March 13, 2015

Kaspersky Proofs Continue Pointing to NSA as Creators of 'Equation Group' Master Hacks

""Kaspersky has carried out an involved study of the Equation Group and made it look like it is probably the work of the US government.
Before it was an NSA 'style' threat, now it looks much more likely to be an NSA sourced threat, thanks to some commonality with other online security menaces.
The term, and others like it, appear in Snowden leaked documents that have been sourced from the NSA.
There are other clues that it is a US entity that is involved. For example, time stamps associated with attacks suggest that it is nine to five, Monday to Friday staffers who operate in US timezones who are responsible.
It would seem unreasonable to suppose that an average malicious actor who is not on a government salary would be inclined to work at the weekend. So this is another clue. The code is said to be of good quality, but we can't say that that provides any clue about its creator.
We have asked Kaspersky if it wants to actually finger the NSA as the Equation Group and it did not. It said that it did not want to pin it on the agency, but did concede that there does appear to be a strong link between Stuxnet and Equation.
"We are not able to confirm the conclusions that journalists came up with. Kaspersky Lab experts worked on the technical analysis of the group's malware, and we don't have hard proof to attribute the Equation Group or speak of its origin," it said in a statement.
"With threat actor groups as skilled as the Equation team, mistakes are rare, and making attribution is extremely difficult. However we do see a close connection between the Equation, Stuxnet and Flame groups."
In February Kaspersky researchers claimed to have uncovered one of the biggest, if not the biggest, threat actor that it has seen in two decades.
The security firm dubbed this outfit the Equation Group, and its toolbox 'the Death Star of the Malware Galaxy', and explained that the tools of its trade have hallmarks and themes similar to those of Stuxnet.
Words were not minced. Kaspersky described the group as a "powerful threat actor" that is "unique almost in every aspect of their activities".
The group is sophisticated and well-resourced, and uses complex tools to hide itself in "an outstandingly professional way".

In one incident the group infected targets by switching out legitimate CD Roms with spiked ones at a conference. This makes it sound like a very organised, and perhaps connected outfit.
The tools, a range of trojans, have been named EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish. Of these, Fanny, is described as the standout.
Two of these trojans, or modules, can be found deeply inserted in as many as a dozen different makes of hard drive that are sold and shipped to international waters.
The malware is so deeply inserted into the firmware that it can survive wipes, and "resurrect" itself indefinitely. Additional 'implants' add to the mix and can grab and store encrypted passwords, for example.
Costin Raiu, director of the global research and analysis team at Kaspersky Lab, said: "Another dangerous thing is that, once the hard drive gets infected with this malicious payload, it is impossible to scan its firmware.
"To put it simply: for most hard drives there are functions to write into the hardware firmware area, but there are no functions to read it back. It means that we are practically blind, and cannot detect hard drives that have been infected by this malware."
The Fanny trojan is used to fill in the spaces in systems, and launch attacks in unconnected and hard to reach places. Kaspersky said that the 'air-gap filler' is USB-based, and can let attackers move between otherwise unconnected networks.
Thousands of victims lie at the feet of the group, according to Kaspersky, and they include state targets, governments, security developers, telecoms, aerospace and energy industries, along with the military, Islamic activists and the media.
Kaspersky didn't name a likely source then, but found a lot of links to Stuxnet, which is often linked to the NSA.
"There are solid links indicating that the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators, generally from a position of superiority," adds Kaspersky.
A Reuters report makes the NSA link, and we asked the agency if it wanted to make comment in response. It did. 
"We are aware of the recently released report. We are not going to comment publicly on any allegations that the report raises, or discuss any details," an NSA spokesperson told The INQUIRER.
"The U.S. Government calls on our intelligence agencies to protect the United States, its citizens, and its allies from a wide array of serious threats - including terrorist plots from al-Qaeda, ISIL, and others; the proliferation of weapons of mass destruction; foreign aggression against ourselves and our allies; and international criminal organisations."
We asked some of the hard drive firms that Kaspersky said have been infiltrated by the Equation Group for their take on the news, and at least one told us that it has not heard specific allegations about any backdoor action.""

Kaspersky traces the Equation Group and its activities back to 2001:
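The "nine to five, Monday to Friday, US timezones" argument quoted above is a standard analyst technique: shift a set of build timestamps through candidate UTC offsets and see which offset packs the most of them into a working week. The script below is an added example, not Kaspersky's code or data; the timestamps it scores are constructed to mimic a team at UTC-5 and are not real Equation Group artefacts.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real Equation Group artefacts): UTC compile
# timestamps of the kind parsed from PE headers. Generated to mimic a team
# working 09:00-17:00 local time at UTC-5, plus one weekend outlier.
def _constructed_sample():
    stamps = []
    monday = datetime(2013, 1, 14, tzinfo=timezone.utc)  # 2013-01-14 is a Monday
    for day in range(5):                                  # Mon..Fri
        for local_h, local_m in ((9, 30), (11, 0), (14, 15), (16, 45)):
            local = monday + timedelta(days=day, hours=local_h, minutes=local_m)
            stamps.append(local + timedelta(hours=5))     # local UTC-5 -> UTC
    stamps.append(datetime(2013, 1, 19, 3, 0, tzinfo=timezone.utc))  # a Saturday
    return stamps

SAMPLE_TIMESTAMPS = _constructed_sample()

def working_hours_fit(stamps_utc, offset_hours, start=9, end=17):
    """Fraction of timestamps that land on Mon-Fri within [start, end) local
    time once the clock is shifted to UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in stamps_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(stamps_utc)

def rank_offsets(stamps_utc, offsets=range(-12, 15)):
    """Score every candidate UTC offset; best working-week fit first."""
    scored = [(off, working_hours_fit(stamps_utc, off)) for off in offsets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def best_offset(stamps_utc):
    """The UTC offset under which the most builds fall in a 9-to-5 week."""
    return rank_offsets(stamps_utc)[0][0]

if __name__ == "__main__":
    for off, fit in rank_offsets(SAMPLE_TIMESTAMPS)[:5]:
        print(f"UTC{off:+d}: {fit:.0%} of builds inside Mon-Fri 09:00-17:00")
```

A sharp peak at one offset (here UTC-5) is a clue, not proof: compile timestamps can be forged, so this only ever corroborates other evidence.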

Friday, October 7, 2011

Computer Virus Hits U.S. Drone Fleet Cockpits of America’s Predator and Reaper

""A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.


“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”


Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.""


http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
