A first: FBI installs policeware remotely to trace bomb threat

Published 19 July 2007

FBI electronically installs spyware — or, rather, policeware — to MySpace account of a suspect in e-mailing bomb threats to school; suspect nabbed

Now, here is a novel use for the much-maligned spyware: The FBI used a new type of remotely installed spyware last month to investigate who was e-mailing bomb threats to a high school near Olympia, Washington. Federal agents obtained a court order on 12 June to send spyware called CIPAV to a MySpace account suspected of being used by the bomb-threat hoaxster. Once implanted, the spyware reported back to the FBI with the Internet Protocol address of the suspect’s computer, other information found on the PC and, notably, an ongoing log of the user’s outbound connections. The suspect, a former Timberline High School student, was sentenced this week to ninety days in juvenile detention after pleading guilty to making bomb threats and other charges.

C|Net News’s Declan McCullagh writes that, as far as we can tell, this is the first case to reveal how the technique of implanting law-enforcement spyware is used in practice. The FBI did confirm in 2001 that it was working on a virus called Magic Lantern but has not said much about it since. The two other cases in which federal investigators were known to have used spyware — the Scarfo and Forrester cases — involved agents sneaking into offices to implant key loggers.

An 18-page affidavit filed in federal court by FBI Agent Norm Sanders last month claims details about the governmental spyware are confidential. The FBI calls its spyware a Computer and Internet Protocol Address Verifier, or CIPAV.

McCullagh writes that there have been hints in the past that the FBI has employed this technique. In 2004, an article in the Minneapolis Star Tribune reported that the bureau had used an “Internet Protocol Address Verifier” that was sent to a suspect via e-mail.

Technology mavens are intrigued by this question: Assuming the FBI delivered the CIPAV spyware via e-mail, how did the program bypass antispyware defenses and install itself the way malicious software does? One possibility is that the FBI has persuaded security software makers to overlook CIPAV and not alert their users to its presence; another is that the FBI has found (or paid someone to uncover) unknown vulnerabilities in Windows or Windows-based security software that would permit CIPAV to be installed. C|Net News surveyed thirteen security vendors, and all said it was their general policy to detect police spyware. Some, however, indicated they would obey a court order to ignore policeware, and neither McAfee nor Microsoft would say whether they had received such a court order.