Fw: [ISN] FBI "hack" raises global security concerns

Nexus nexus at patrol.i-way.co.uk
Wed, 2 May 2001 10:15:14 +0100


[Moderator - I know that this may seem a bit off-topic as it's not directly
related to the UK, so lob at the bit bucket if so, but IMHO this could open
a global can of worms, dependent on the legal rulings made in this, which I
believe, is a case precedent? (or whatever the proper name is...) ]

----- Original Message -----
From: "InfoSec News" <isn@C4I.ORG>
To: <ISN@SECURITYFOCUS.COM>
Sent: Wednesday, May 02, 2001 12:37 AM
Subject: [ISN] FBI "hack" raises global security concerns


> http://news.cnet.com/news/0-1003-200-5785729.html?tag=tp_pr
>
> By Robert Lemos
> Special to CNET News.com
> May 1, 2001, 12:05 p.m. PT
>
> A sting operation in which FBI agents downloaded data from two
> Russian-based computers has some high-tech lawyers concerned that the
> precedent may be used to justify indiscriminate, cross-border hacking.
>
> The incident came to light last week after the indictment of two
> Russians on charges of breaking into the networks of banks, Internet
> service providers and other companies. While the charges were somewhat
> routine, the methods the FBI used to nab the pair were novel and
> potentially worrisome, said security experts.
>
> According to court documents filed in the case, the FBI and Department
> of Justice lured two suspected Russian hackers to Seattle with job
> offers at a fictitious security company. After monitoring the duo's
> connection to two servers in Russia, the FBI used the suspects'
> passwords to download incriminating data from those servers.
>
> The tactic is likely to be challenged in court; if it is deemed
> lawful, the precedent could allow law enforcement and intelligence
> communities free rein to hack foreign computers. In addition, such a
> ruling could provide a legal loophole for other countries to break
> into U.S.-based computers in search of data that could aid their own
> investigations.
>
> "It's extremely dangerous just to throw the door open--it will be a
> free-for-all," said Jennifer Granick, clinical director for the
> Stanford University Center for Internet and Society. "It won't just be
> individuals (hacking each other). It will be corporate espionage."
>
> Although U.S. officials downplay the incident, some legal experts fear
> that this first publicly acknowledged government "hack" could spark a
> rash of indiscriminate, international hacking by individuals, foreign
> governments and corporations.
>
> In this case, the FBI was determined to obtain the Russian-based
> information before it could be deleted.
>
> On Nov. 10, FBI agents and officials from the Department of Justice
> nabbed two suspected Russian hackers after luring the duo to the
> United States with employment offers for a mythical security company,
> Invita.
>
> Details of the case became public after the suspects were indicted
> early in April.
>
> Welcome to Invita!
>
> According to court filings, this is how the sting went down:
>
> FBI agents requested that the two suspects--20-year-old Alexey Ivanov
> and 25-year-old Vasiliy Gorshkov--crack the security on "Invita's own
> computers."
>
> During the hack, the FBI agents monitored the duo's activities with a
> "sniffer"--a program designed to trap all keystrokes made on a
> computer. When the suspects allegedly downloaded hacking tools from
> two servers in Russia using their usernames and passwords, the sniffer
> collected the tools needed to access the accounts.
>
> Typically, U.S. law enforcement would wait on their counterparts in
> Russia to search the servers. Yet, while the United States has more
> than 25 mutual legal assistance treaties to aid law enforcement in
> capturing data in other countries, Russia has signed an agreement to
> help the U.S. in investigating only some crimes--and computer crimes
> are not among them.
>
> Nevertheless, the Department of Justice did request assistance from
> Russian authorities, but without answer. After several unsuccessful
> attempts to get Russian authorities to cooperate, the FBI--with the
> help of a security expert--used the usernames and passwords to access
> the two servers.
>
> Once in, investigators browsed through the directories on both servers
> and selected, then compressed, a large number of files. The agents
> then downloaded the 1.3GB file to their own computers.
>
> Before they began to sift for evidence, the FBI did obtain a search
> warrant to look at the files.
>
> Thought to be the first public acknowledgement of U.S.
> hacking-for-access, the tactics have set off alarm bells among
> cyber-savvy lawyers.
>
> If a judge rules in favor of the FBI, the precedent will be clear,
> said Matthew Yarbrough, head of the Cyberlaw Section for Dallas-based
> law firm Fish & Richardson: The United States can pursue
> investigations of data in other countries, widening the boundaries of
> the investigation to cyberspace.
>
> Yet, while the United States can hack servers in other countries,
> those countries could also return the favor, he said.
>
> "Whenever you deal with international criminal problems, you have to
> be careful, because the rule is: Whatever we do to them, they can do
> to us," said Yarbrough, a former Department of Justice cybercrime
> prosecutor. "I don't think we want KGB agents--or whatever
> organization handles law enforcement now--to be hacking our servers to
> get evidence for their cases."
>
> A hack attack?
>
> A federal prosecutor involved in the case defended the FBI's actions.
>
> "I wouldn't call it hacking," said Stephen Schroeder, assistant U.S.
> attorney for the Western District of Washington in Seattle and the
> lead prosecutor in the case against Gorshkov. "The implications of
> hacking go far beyond what we did."
>
> However, the law enforcement community commonly uses "hacking" to
> describe the illegal activity of breaking into a computer, usually
> with some degree of skill. While little skill is needed to type in
> usernames and passwords, the Computer Fraud and Abuse Act of 1986
> treats the unauthorized access of computers as the same crime as
> breaking into a computer without using passwords.
>
> In most cases, law enforcement officers are exempted from any sort of
> prosecution under the act if the questionable activity has been
> authorized as part of their investigation. Furthermore, the FBI can
> violate the law--similar to their ability to break the speed
> limit--and still have any resulting evidence be admissible in court.
>
> Yet, the key question among attorneys is whether such a waiver exists
> for so-called remote cross-border searches of computer data. One thing
> is certain: Not having to gain permission from the country in which a
> server resides speeds the process, said Schroeder.
>
> "Normally, to get evidence we go through diplomatic channels, in
> writing, with pretty seals, and then it percolates down to law
> enforcement," he said. "Six months later we get our evidence."
>
> In this case, he said, six months would have been too late. Indeed,
> six days after Ivanov and Gorshkov were arrested, someone changed one
> of Ivanov's passwords, according to the court papers.
>
> War on hacking
>
> "I don't think the basic thing--that they broke in--is debatable,"
> said Stanford's Granick. "The ramifications? Now, they are debatable."
>
> Currently, Gorshkov's lawyer, Kenneth Kanev, is attempting to block
> any use of the data from the Russian servers based on privacy and
> Fourth Amendment violations. However, because Ivanov and Gorshkov are
> not United States citizens and the data was kept in another country,
> some legal experts say it's likely the data will be admissible in
> court.
>
> When reached at his office, Kanev refused to comment on the case.
>
> In fact, a case from the United States' War on Drugs seems to support
> the search of a server in a foreign country. In 1986, Mexican police
> picked up the suspected leader of a narcotics ring and delivered him
> to the Mexico-United States border, where he was arrested by U.S.
> officials. Agents of the Drug Enforcement Agency and Mexican officials
> later searched the suspect's homes in Mexico without a warrant.
>
> The U.S. Supreme Court ruled four years later that a search of a
> non-U.S. citizen's foreign residence is legal, and no search warrant
> is necessary.
>
> That decision could influence a ruling in this case, but that may not
> be the only fallout. By deeming such actions legal, the United States
> could kick off a spate of similar cross-border hacking, said Patricia
> Bellia, assistant professor of law at Notre Dame University and a
> former Justice Department attorney.
>
> "I do think that (countries) are going to continue to have an urge to
> get evidence like this," she said. "They are getting frustrated with
> their inability to get evidence."
>
> And while U.S. law may deem the agents' actions legal, international
> law--the expectations of treatment that exist between countries--will,
> without a doubt, condemn them, she added.
>
> "If Russia did this to us, we would object diplomatically," she said.
> The Embassy of Russia in Washington, D.C., would not comment on the
> case, nor on whether the country intended to lodge an international
> complaint against the United States for a violation of its
> sovereignty.
>
> In a paper studying the legal ramifications of remote cross-border
> searches, Bellia concludes that current mutual legal assistance
> treaties and the Cybercrime Convention being drafted by the Council of
> Europe won't add much clarity to the issue. Both require that
> countries promise to aid foreign law enforcement in searching for
> evidence that may reside on servers in their territory.
>
> However, arranging for such searches takes weeks or, more often,
> months. Neither allows law enforcement to react fast enough to prevent
> data from being deleted.
>
> Still, without an immediate solution, constraint should be the rule,
> said Bellia.
>
> "If we can do it, then everybody else can do it to us--that's a very
> disturbing notion," she said. "The United States is the repository of
> so much data; it is very dangerous to go down that road."
>
> ISN is hosted by SecurityFocus.com