More on LEA software US style

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Tue, 4 Dec 2001 08:40:34 -0000


FWIW I offer the following, which was passed to me by an academic
colleague interested in these matters. The "Badtrans" virus piece is of
operational interest to large e-mail sites such as ourselves. We seem
to be detecting and rejecting infected messages OK.

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."


------------- cut here
>>Sent: Friday, November 30, 2001 2:51 PM
>>Subject: [osint] CyberWar Update #2
>>
>>
>>The Virus Invasion portion is new material that I've been working on
>>for a couple of days; it first became relevant news about Tuesday of
>>this week. The FBI vs. CIA is material I went over with John and Paul
>>on their radio show on WABC last night (hear them on 770AM 10-1 EST) --
>>included is a list of other tools that the FBI and CIA are currently
>>employing in their effort to come in line with the online world.
>>Included is a description of how you can completely, legally and safely
>>circumvent all the known ways of online federal monitoring. There are
>>other ways to make it more safe, but these include tactics which are
>>not allowed within the confines of the law, and I cannot suggest their
>>usage for everyday purposes.
>>
>>Rizzn's Wartime Factbook: http://factbook.diaryland.com/
>>The Best UAV: http://www.unmannedaircraft.com
>>
>>CyberWar Update #2
>>The update as of November 30th, 2001
>>Report assembled by Mark Hopkins
>><markhopkins@mindless.com>
>>of Parallad Studios OSIS Project
>>
>>There are two major fronts opening up in the Cyber War front, largely
>>being ignored by the major media. Computer security groups are noting
>>the vast influx of email-propelled viruses. The other front largely
>>ignored is the clash in the surveillance policies and programs between
>>the FBI and the CIA, reported only by Charles R. Smith of Newsmax.com
>>news service.
>>
>>Virus Invasion
>>
>>Badtrans is the name of the virus that is making the rounds currently
>>and grinding email servers to a halt worldwide. There is much
>>speculation by respectable theorists that this may be the much-talked
>>about keylogging virus the FBI is threatening to release on the public,
>>known by the name Magic Lantern. Operationally, it fits the profile,
>>logging keystrokes to a temp-file and, when the temp-file reaches a
>>certain size, mailing the log file to a pre-specified recipient. The
>>Badtrans virus has had a couple of modifications made to it over the
>>last couple of weeks, making its transmission and operations smoother,
>>and therefore more infectious and effective; however, it is reported
>>that most commercially available anti-virus software still picks it up
>>prior to infection.
>>
>>The new version of the Badtrans virus activates embedded HTML in the
>>email and automatically informs Microsoft email programs to activate
>>the attached virus program. The virus also appears to activate the MP3
>>player.
>>
>>There are three scenarios within possibility which would explain the
>>origin of the Badtrans virus. The first, most obvious, and most widely
>>accepted is that it is a simple keylogging virus put out by a random
>>hacker to get users' usernames and passwords. The second theory is
>>more of an addendum to the first, in that it's a virus put out by a
>>random hacker at this time to try to create a buzz and make it look as
>>if the FBI is targeting certain groups or demographics (this theory
>>has been posited by many members of the OSINT group RMNews). The third
>>theory is that this is in fact the second iteration of the Magic
>>Lantern keylogger.
>>
>>The first theory is supported by the simple fact that this sort of
>>thing comes out on a fairly regular basis, and to assume that this
>>virus is any different than the last 15 that have come out is pure
>>conjecture -- at least at first glance. The third theory is supported
>>by the plethora of news releases that has accompanied the virus's
>>release that tell of the FBI's Magic Lantern keylogger's inner
>>workings. The operations are very similar in description, and a mass
>>release through worm form is an effective means of distribution, even
>>though the preferred method of delivery is reportedly the newly
>>allowed ''sneak and peek'' method -- however, distribution through an
>>email virus does seem to be a bit unconventional, a bit of a
>>kludge-type attack. Granted, the FBI's technology teams have proven
>>somewhat clueless as to implementation of internet technologies in the
>>past, but this tends to lack the type of precision the FBI needs, and
>>seems like it could lead to the type of legal trouble the FBI could
>>ill-afford.
>>
>>All of this lends the most credence to the second theory, that it is
>>most likely being used as an Infowar tool, to make individuals feel as
>>if they are being singled out by the FBI or other government agencies,
>>since most virus detection systems alert the user of it and mention
>>its purpose. It may have originally started out as the tool mentioned
>>in theory one, but it has quickly become the tool mentioned in theory
>>two.
>>
>>FBI vs. CIA in Cyberspace
>>
>>Most people who are in the intelligence community and those who follow
>>it recognize that there was a vast intelligence failure that led up to
>>the Sept 11 attacks.
>>
>>The FBI and CIA, the two agencies charged with law enforcement and
>>intelligence operations, have taken the most heat for the failure.
>>Both agencies had few areas of cooperation prior to Sept. 11. As it
>>turns out, the FBI and CIA have suddenly found themselves in
>>diametrically opposed roles inside cyberspace.
>>
>>Below is a list of tools that would aid US Federal law
>>
>>FBI tools:
>>Carnivore (http://www.fbi.gov/hq/lab/carnivore/carnlrgmap.htm)
>>The way Carnivore works, according to the diagrams and explanations on
>>the FBI website, is to trap all data going through a certain point,
>>make a copy and send it back to a centralized point. The FBI is then
>>able to sift through it using keyword searches.
>>
>>
>>Some time last year the FBI was forced by privacy advocates such as
>>the ACLU and the EFF to reveal that it had a new software program
>>called Carnivore designed to monitor Internet e-mail. The way the
>>Carnivore system operates is not on home personal computers, or the
>>client side, but on Internet Service Provider computers, or the server
>>side. This allows the agency to siphon off data from suspected
>>customers.
>>
>>It is used only for looking through email, according to its
>>description;
>>*however* from its description, it is also capable of sifting through
>>web traffic. (remember that)
>>
>>Magic Lantern
>>There is no official documentation on Magic Lantern on FBI's website,
>>but open source intelligence resources describe its operation and
>>implementation as such:
>>
>>It is to be spread either through an agent manually infecting the
>>machine by inserting an infected disk or downloading the infection, or
>>through targeted email virus infections. (i.e., opening an email, and
>>a hidden virus is installed on the victim's machine without his
>>knowledge by way of many security holes in email software).
>>
>>It is a key-logging program, designed to intercept passwords and
>>outgoing emails from the user's machine. It cannot log mouse clicks,
>>however, which is its only weakness. (i.e., if a user has encryption
>>software installed, and has the password stored locally, it can be
>>activated by mouse clicks instead of a password being typed in, thus
>>defeating the keylogging method).
>>
>>dTective
>>Developed jointly by Ocean Systems Co. of Burtonsville Md. (did the
>>software side) and Avid Technology Inc. (hardware side). Its purpose
>>is to trace the financial transactions linked to Sept's terrorist
>>attacks against New York and Washington by enhancing ATM video
>>surveillance images that were previously unusable due to bad lighting
>>and such.
>>
>>Encase
>>Deleted file recovery tool. Used in cases where the suspect has clean
>>sweep deleted the hard drive of data.
>>
>>CIA tools:
>>Triangle Boy/SafeWeb
>>Its original intent was to allow Asian Surfers (primarily Chinese) to
>>surf the web without government interference. It allowed them to
>>bypass governmental blockage of websites and to do so anonymously
>>(at least to governments other than the United States).
>>
>>Technically, this tool sponsored by the CIA could be used as an aid to
>>hackers, as well as those hiding from governments and companies who
>>filter what their users are able to see.
>>
>>It could also be used as a device to in some way circumvent the FBI
>>from positively tracking down the author of a message. Imagine if a
>>terrorist sets up an account on Hotmail, but uses Triangle Boy to
>>access it. The FBI would be able to determine what the content was,
>>but would be unable to find the user by way of IP tracking. Nor would
>>the FBI know what computer to put Magic Lantern on in case the user
>>was employing a method of encryption, which would prevent the FBI from
>>even seeing the content of the messages as well.
>>
>>Fluent
>>Custom-written software scours foreign Web sites and displays
>>information in English back to analysts. The program already
>>understands at least nine languages, including Russian, French and
>>Japanese. Not a remarkable piece of software; the same results that
>>this software produces can be accomplished by combining the power of
>>Digital's babelfish project with Google's search engine software.
>>
>>Echelon
>>Essentially a European Carnivore, not officially acknowledged by the
>>US government.
>>
>>Oasis
>>Technology that listens to worldwide television and radio broadcasts
>>and transcribes detailed reports for analysts. Oasis currently
>>misinterprets about one in every five words and has difficulty
>>recognizing colloquial Arabic, but the system is improving, said Larry
>>Fairchild, head of the CIA's year-old Office of Advanced Information
>>Technology.
>>
>>Conflicting tools:
>>
>>The tool conflict that comes up between the CIA and the FBI is between
>>the CIA's Triangle Boy utility and the FBI's Magic Lantern and
>>Carnivore snooping utilities. Essentially, by using the Triangle Boy
>>web proxy utility or any other commercially available approximation
>>thereof while simultaneously running any number of publicly available
>>different 128-bit encryption routines, you can effectively and
>>completely block yourself off from any FBI monitoring.
>>
>>What Triangle Boy allows you to do is anonymously surf the web. There
>>are a couple of public projects on the internet that approximate what
>>Triangle Boy does, such as its predecessor Anonymizer.com, probably
>>the web's first public anonymous proxy server. By using this or a
>>similar service to log on to a public, free email server, you have
>>prevented the email server from logging your IP address, or in other
>>words, a number that can be linked to your person.
>>
>>To completely make your message unintelligible and unbreakable to the
>>US Federal government, use 128-bit or better encryption methods,
>>preferably the RC5 standard. Distributed.net has been working with a
>>brute force hack of the RC5 encryption routine (64-bit encryption)
>>since 1998 using thousands of computers simultaneously on the project
>>and estimates they have a year left until they break the code. From
>>this one can safely assume that by the time the government is able to
>>break your message at 128-bits, the usefulness of the contents of the
>>message will long past be viable, not to mention most statutes of
>>limitation will have expired in the process.
>>
>>Vulnerabilities in the Magic Lantern Keylogger
>>
>>The Magic Lantern keylogger not only is ineffective in accomplishing
>>its purpose by virtue of the CIA's and the private sector's privacy
>>tools, it also could backfire on the federal government. Any
>>technically savvy hacker could quite easily reverse engineer the
>>product to either hack into the repository for the keylogged files or
>>re-distribute the virus as an agent to gather his own data, especially
>>if the government strikes deals with anti-virus makers to make the
>>utility unnoticed by their detection software.
>>
>>
>>[Non-text portions of this message have been removed]
>>
>>
>>--------------------------
>>Brooks Isoldi, editor
>>bisoldi@intellnet.org
>>
>>http://www.intellnet.org
>>
>>   Post message: osint@yahoogroups.com
>>   Subscribe:    osint-subscribe@yahoogroups.com
>>   Unsubscribe:  osint-unsubscribe@yahoogroups.com
>>
>>
>>"When you come to the fork in the road, take it" - L.P. Berra
>>"Be precise in the use of words and expect precision from others" -
>>Pierre Abelard
>>"Always make new mistakes" - Esther Dyson
>>
>>John F. McMullen
>>johnmac@acm.org johnmac@computer.org johnmac@johnmac.net
>>ICQ: 4368412 Fax: (603) 288-8440 http://www.westnet.com/~observer
>>http://www.johnmac.net
>
>For archives see:
>http://www.interesting-people.org/archives/interesting-people/
------------- cut here
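The newsletter's description of the new Badtrans variant (an HTML body that gets a Microsoft mail program to launch the attached program) is exactly the delivery pattern a mail gateway such as the one Quentin mentions would want to reject at the door. What follows is an added example, not part of Quentin's message or Mark Hopkins's newsletter and not a Badtrans signature: a small Python check, using only the standard library's email package, that parses an RFC 822 message, rejects it when a text/html part references an executable attachment by Content-ID or filename, quarantines messages that merely carry an executable attachment, and accepts the rest. The three sample messages, the extension list, and the function names are all constructed for this example.

```python
"""Gateway check for the Badtrans-style delivery pattern described in the
newsletter: an HTML body that references an executable attachment so a
vulnerable mail client runs it on preview. Added example; the sample
messages and extension list below are constructed, not a virus signature."""
import email
from email import policy
from email.message import EmailMessage

# Extensions a gateway would normally refuse in unsolicited mail
# (illustrative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}


def parse(raw: str) -> EmailMessage:
    """Parse a raw RFC 822 message into an EmailMessage (modern policy)."""
    return email.message_from_string(raw, policy=policy.default)


def executable_attachments(msg: EmailMessage) -> list[str]:
    """Filenames of parts whose extension marks them as executable."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or "." not in name:
            continue
        if name[name.rfind("."):].lower() in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def html_references_attachment(msg: EmailMessage) -> bool:
    """True if a text/html part references any attachment by Content-ID
    (cid:) or by filename; that link is what lets an HTML body hand the
    attached program to a vulnerable client before the user opens it."""
    refs = set()
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            refs.add(str(cid).strip().strip("<>").lower())
        name = part.get_filename()
        if name:
            refs.add(name.lower())
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_content().lower()
            if any(ref in body for ref in refs):
                return True
    return False


def classify(raw: str) -> str:
    """'reject' for HTML referencing an executable attachment, 'quarantine'
    for a bare executable attachment, 'accept' otherwise."""
    msg = parse(raw)
    execs = executable_attachments(msg)
    if execs and html_references_attachment(msg):
        return "reject"
    if execs:
        return "quarantine"
    return "accept"


# Constructed sample: HTML body referencing an executable part by cid.
SUSPICIOUS = """\
From: sender@example.com
To: user@example.org
Subject: greeting card
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body>Hi!<img src="cid:part1"></body></html>
--b1
Content-Type: application/octet-stream; name="card.scr"
Content-ID: <part1>
Content-Disposition: attachment; filename="card.scr"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""

# Constructed sample: plain-text body with an executable attachment.
PLAIN_EXEC = """\
From: sender@example.com
To: user@example.org
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/octet-stream; name="notes.exe"
Content-Disposition: attachment; filename="notes.exe"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b2--
"""

# Constructed sample: plain text with a harmless text attachment.
BENIGN = """\
From: sender@example.com
To: user@example.org
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

Minutes attached.
--b3
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

Nothing to report.
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("bare exe", PLAIN_EXEC),
                       ("benign", BENIGN)):
        print(f"{label}: {classify(raw)}")
```

The check is deliberately structural rather than signature-based: it does not need to know which virus is in the attachment, only that an HTML part points at something the client would execute, which is why a gateway running it keeps rejecting the next variant after the anti-virus vendors' pattern files fall behind.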