Bugs, Keyloggers, and Honey Pots: Who's Watching Your Ass on the Internet?
by RW
Bugs, Keyloggers, and Honey Pots, Or...Who's Watching Your Ass on the Internet?
Revolutionary Worker #1117
September 2, 2001
rwor.org
"Security is a matter of degree. The best that you can do is make it harder to get access to your information. But there is simply no way to keep everyone out all of the time. I do not transmit private information wirelessly, ever. I keep my private records on a computer that is not connected to the Internet. I assume all email and instant messages that I send are about as private as a postcard. Everyone really needs to develop a whole lot of healthy paranoia."
Tepes, self-described cracker, wired.com Feb. 6, 2001
"You have zero privacy anyway-get over it."
Scott McNealy, CEO, Sun Microsystems
Whenever you get information on the internet, you may also be giving it away.
People now use the internet for many important kinds of communication. People visit websites for news and information (and increasingly to buy things). They exchange email. And various forms of discussion on the internet (including email lists, web-based threads, and newsgroups) are increasingly an important way of sharing views and debating issues.
It is important to understand how you may be giving away your privacy when you do this: revealing your identity, location, and interests to potentially hostile forces, and even exposing private data stored on your hard drive to them.
The world of internet spying is changing rapidly. Not only are technical capabilities for surveillance developing, but many of them are being kept secret from the public so that people cannot take effective countermeasures.
At the same time, the legal right of commercial interests and government agents to gather information is not yet clear; many legal issues about internet spying are still being decided within the government and contested in the courts.
In this article we focus on recent events connected to internet spying that give a sense of what is publicly reported about spying activities and capabilities.
Federal Honey Pot
"More than merely another successfully prosecuted case, Operation Avalanche stands as a model of federal, state, and local cooperation in the investigation....There are no free rides on the Information Highway."
U.S. Attorney General John Ashcroft, August 8, 2001
On August 8, the federal authorities revealed a two-year internet sting operation called Operation Avalanche, involving a joint team of the FBI, Dallas police and the U.S. Postal Inspection Service. In September 1999, the authorities arrested key figures of an alleged illegal pornography ring. The joint task force then continued operating the website of this ring (as if nothing had happened), by their own account gathering information on 250,000 people around the world who subscribed to the service. This web-based investigation was used to target 144 homes in 37 different states for raids and searches. Over 100 people have been arrested so far.
Providing an illegal service to attract people for investigation is a police technique called "a honey pot." The website attracted people interested in its goods, and once they were there, the police convinced them to provide personal information that could be used for search warrants and arrests. It is a technique that has been widely used by police against radical and revolutionary forces around the world, long before there was an internet.
Historically, political police have circulated petitions at political gatherings to gather names and addresses of participants. Now such practices are being transported to the internet.
In "Operation Avalanche," the authorities asked for personal information (like a credit card number, a personal email address, mailing address) when visitors bought "membership" access to private pages of the website and when they paid for materials to be delivered through the mail.
This highly publicized "Operation Avalanche" case targeted alleged merchants of child pornography and the FBI posed as the defender of children. This continues the federal attempt to use child pornography and online solicitation by child molesters as their justification for widespread police spying on the internet. Under the Internet Crimes Against Children Task Force Program, federal authorities are training and funding nearly 60 city, county and state law enforcement agencies to spy on the internet.
Visits Leaving Traces
Anyone visiting a website is making some information available in the website's records. Webmasters can tell what "domains" or Internet Service Providers (ISPs) visitors have come from (was it AOL, or Earthlink, or MCI or AT&T, etc.). They can tell when a session started, and what pages a specific visitor saw. That information does not necessarily reveal the specific identity of a visitor, or even the specific computer or internet account they used to surf to the website.
But over the last few years, more and more sophisticated techniques have been developed to help businesses and government agents identify exactly who was traveling to websites and what they were doing there.
It is possible for hostile forces to embed little programs in websites (and in email) that get deposited on a visitor's computer. These programs (Java, ActiveX, or "web bugs") can potentially do a wide range of things, from erasing data to reporting back information about your hard drive and activities.
When people connect to the internet, they are connecting their computer to an Internet Service Provider (ISP) computer, and from there to a distant computer containing the website they want.
Though situations vary, it is generally possible for every site you visit to record the unique internet protocol number (IP address) from which you are currently connecting to the internet.
If you connect through a DSL or cable modem, this can lead directly back to your personal machine.
If you are dialing up with a modem, your ISP may record information about this IP address that leads back to your personal account.
Once authorities identify that an ISP is providing internet access to someone they are interested in, the police can demand that the ISP turn over information about that account. The information an ISP has about internet users varies, but it often includes the credit card number that is used to pay for the account.
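The traces described above are ordinary web server access-log entries. The following is an added example (not from the article) that parses lines in the Apache/NCSA "combined" log format, an assumed format since the article names none, and groups them into per-address sessions to show exactly what a webmaster, and anyone who later obtains the log, can read off: the connecting IP address, the network block it belongs to, when the visit started, which pages were fetched, and what the browser volunteered. The log lines and the address-to-ISP table are constructed for illustration, using the documentation address ranges 198.51.100.0/24 and 203.0.113.0/24.

```python
"""What a web server's own access log records about each visitor.

Added example, not from the article. Parses the Apache/NCSA "combined" log
format (an assumption; the article names no format) and sessionizes it by
client address. Log lines and the ISP table are constructed samples.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log: three requests from one address, one from another.
CONSTRUCTED_LOG = """\
203.0.113.45 - - [17/Oct/2000:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.7 [en] (Win98; I)"
203.0.113.45 - - [17/Oct/2000:12:00:09 +0000] "GET /archive/1117.html HTTP/1.0" 200 18230 "http://www.example.net/index.html" "Mozilla/4.7 [en] (Win98; I)"
198.51.100.7 - - [17/Oct/2000:12:03:44 +0000] "GET /index.html HTTP/1.0" 200 5120 "http://search.example/?q=privacy" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
203.0.113.45 - - [17/Oct/2000:12:04:30 +0000] "GET /contact.html HTTP/1.0" 404 312 "http://www.example.net/archive/1117.html" "Mozilla/4.7 [en] (Win98; I)"
"""

# Constructed stand-in for what reverse DNS or a WHOIS lookup would tell the
# webmaster: the network block identifies the ISP, not the person.
CONSTRUCTED_ISP_BLOCKS = {
    "203.0.113.0/24": "Dial-up ISP A (constructed)",
    "198.51.100.0/24": "Cable ISP B (constructed)",
}

# One combined-format line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line: str) -> dict:
    """Split one log line into its fields; raises on lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def isp_for(ip: str) -> str:
    """Map an address to the (constructed) network block that owns it."""
    addr = ipaddress.ip_address(ip)
    for block, name in CONSTRUCTED_ISP_BLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return name
    return "unknown network"


def sessions(log_text: str) -> dict:
    """Group requests by client address: ISP, first/last seen, pages, referrers, browser."""
    out = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = out.setdefault(rec["ip"], {
            "isp": isp_for(rec["ip"]),
            "first_seen": rec["time"], "last_seen": rec["time"],
            "pages": [], "referers": [], "agent": rec["agent"],
        })
        s["first_seen"] = min(s["first_seen"], rec["time"])
        s["last_seen"] = max(s["last_seen"], rec["time"])
        s["pages"].append((rec["path"], rec["status"]))
        if rec["referer"] != "-":  # the Referer header says where the visitor came from
            s["referers"].append(rec["referer"])
    return out


if __name__ == "__main__":
    for ip, s in sessions(CONSTRUCTED_LOG).items():
        print(f"{ip} ({s['isp']}) {s['first_seen']:%H:%M:%S}-{s['last_seen']:%H:%M:%S}")
        print("   pages:", [p for p, _ in s["pages"]])
        print("   came from:", s["referers"] or "(direct)")
        print("   browser:", s["agent"])
```

Note what the log does and does not hold: a session and the ISP's block can be reconstructed from the site's side alone, but tying the address to a person requires the ISP's own records, which is the step the article describes the police taking next. The same parsing is also what a site operator should run against their own retention policy: whatever is in this file is what a court order can take.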
In at least one case, it was revealed that an ISP kept caller ID logs of people dialing up with their modems, and they were able to provide the police with the specific phone numbers used to connect to that internet account.
One Dutch ISP recently announced they would not cooperate with such requests, but unfortunately, it appears that such non-cooperation is quite rare. Recently, the New York Law Journal reported that federal authorities succeeded in getting the first court order to have a cable ISP turn over log records and account information without informing the people being spied on. Other kinds of ISPs have been routinely complying with such court orders for some time.
Workplace Spying
"On an individual user, we can see what you're emailing, where you are surfing, if you send anything to be printed, collaborate with anyone on a Word document, access or change the database-basically everything you're doing on the network."
Kris Haworth, manager at the consulting firm of Deloitte & Touche
"I tell employees that if they want to have truly private communications, don't have them from work."
Shanti Atkins, consultant with Employment Law Learning Technologies
It is not widely known yet what information ISPs record, and what information authorities are able to get from them. But one place where there has been documentation of the technical possibilities of ISP spying is the workplace. For millions of people, their employer is their ISP while they are at work. In several cases, courts have ruled that if employers own the computers and the computer networks and provide internet connections for work, they have the legal right to spy on whatever their employees are doing.
There are widely different estimates of how many workers are being routinely spied on. One estimate is that 15 percent of U.S. workers with internet access have their email monitored systematically and 19 percent have their web surfing continuously tracked. A 2001 study by the American Management Association found that 78 percent of U.S. firms monitor employee communications in some way, and 47 percent of them peek at their workers' email, up nearly 10 percent over the year before. International Data Corporation (IDC) estimates that in 1999 corporations worldwide spent $62 million on internet filtering and monitoring software like Websense and Surfcontrol. IDC predicts that figure will rise to $561 million by 2005.
One example of a new level of corporate capabilities is SilentRunner, developed by military giant Raytheon Corporation. SilentRunner secretly gathers and organizes comprehensive information on all activities on a computer network, including detailed profiles of what each individual worker is doing on the Internet. It tracks the transfer of web pages, email, digital video and sound files, spreadsheets, Word documents, FTP, instant messages, passwords, you name it, all at high speed. It uses programs that go far beyond traditional "keyword sniffers," and its developers claim that SilentRunner can identify the writing style of any individual in any language and then track unsigned email and documents written by that person across the network. "An email could be fed to the system as a template, and then it would cluster others like it," said Christopher Scott, a chief architect of the software. "It's like a DNA sample of someone's writing."
SilentRunner has been reportedly purchased by government agencies. The security consultant firm TruSecure used the $65,000 software widely for its 400 clients. But no employer has publicly admitted to using SilentRunner to monitor its own employees. Only Connecticut currently requires employers to notify their workers of monitoring.
The Case of the Spied-Upon Judges
Early this summer, several dozen employees of the federal courts were disciplined for "inappropriate web surfing" from their office computers. As a result, it became common knowledge that everyone in the system was being spied upon by the Administrative Office of the Courts, a small agency in Washington, D.C., that runs the operations side of the federal court system: about 10,000 court employees, including 700 judges.
The judges of the federal Ninth Circuit, which covers nine western states, were furious to find out they were monitored. And the judges had the Circuit's tech crew pull the plug, dismantling the spy system for about a week in May. The incident brought amused headlines, like the New York Times banner that read (August 8, 2001): "Rebels in Black Robes Recoil at Surveillance of Computers."
The rebellion didn't last long. On August 13, the Administrative Office distributed recommendations by a panel of 14 federal judges headed by Edwin L. Nelson, a district judge in Birmingham, Alabama, which essentially upheld the right of court administrators in Washington to monitor all court computers. It pointed out that this was the same policy that is already in effect throughout much of the executive branch. It requires that all employees be given notice before they use an office computer that they forfeit a right to privacy while doing so.
The issue may be finally resolved after the Judicial Conference of the United States meets on September 11.
The Case of the Outed Anonymous Service
In order to protect themselves from snooping, millions of people have used anonymous surfing services, like Anonymizer.com. Basically these services put a protective computer between your ISP and your destination website, and your personal information is stripped out. Your ISP (including employers) cannot easily see your end destination; they just see that you visited the anonymous site. And the destination website cannot easily record your personal information; it just sees that you came from the anonymous server.
These services are believed to be effective in hiding some information. But they are only as reliable as the anonymous service itself, which leads us to the story of "Safeweb."
One of the well-known anonymity dot-coms, Safeweb, was recently "outed" for its ties to the CIA. The Oakland firm, Safeweb, received about $1 million (out of a capital investment of $8 million) from In-Q-Tel, a Northern Virginia company created by the CIA in 1999 to "encourage development of internet technologies."
The CIA expects to use Safeweb's anonymity software "Triangle Boy" to allow its agents to email and visit sites to submit reports without alerting the governments of targeted countries.
Officials of Safeweb admitted the relationship with the CIA to the Washington Post, but claimed that this association does not affect the credibility of Safeweb and does not compromise the privacy of people using its services. Widespread outrage in internet discussions revealed that many web users do not feel safe trusting the CIA with their "anonymity."
The Case of the Sloppy CIA Chief
"Microsoft released an urgent security warning on Friday, detailing a hole in Internet Explorer that allows attackers to remotely access and control any computer running any version of the Windows operating system and Internet Explorer Versions 5 and 5.5."
wired.com, April 2, 2001
Warnings like this appear constantly in the press. And they reveal that the software most people use is riddled with "holes" that allow attackers to enter your computer system.
There are many ways a hostile force can take over your computer and use it to launch attacks on other computers, and to read whatever is on your hard drive. In addition to holes in existing software (including internet browsers, FrontPage, operating systems like Windows and MacOS, etc.), there are many ways hostile forces can download small programs onto your computer. These include Java files and ActiveX that are routinely downloaded from web files without your knowledge, and small programs called "viruses" that can arrive in emails as "exe" files or attachments (like macros in Word documents).
While it is hard to comprehensively report on all the capabilities and developments of such "Trojan horse" programs, the short story is that when you are connected to the internet, a skillful opponent can read sensitive documents on your hard drive, and plant programs there for later mischief and identification.
To understand what this means, it is worth examining the public humiliation of Clinton's CIA chief John M. Deutch. Deutch was censured and stripped of security clearance by his agency for taking top secret memos home in 1995 and 1996, working on them using a computer that had an internet connection.
The assumption of the CIA is that internet connections allow hostile forces to view the contents of hard drives, and there are no absolutely reliable countermeasures except simply never exposing secret documents to the network.
There is danger even if the document is viewed from a floppy and then removed before connecting to the internet. Documents viewed (or edited or printed, etc.) using programs like Word or WordPerfect leave traces in temporary files and other automatic backups, even if the file has been removed. Hostile forces who steal the hard drive, or even copy it secretly over the internet, can potentially reconstruct the secret document from these files.
Holes in Encryption Dreams
"Law enforcement is...concerned about the significant and growing threat to public safety and effective law enforcement that would be caused by the proliferation and use within the United States of a communications infrastructure that supports strong encryption products but cannot support timely law enforcement decryption."
FBI Director Louis Freeh to Senate Judiciary Committee, July 1997
"Today, P.G.P. is used by every human rights organization in the world."
Phil Zimmermann, father of free PGP encryption software
Phil Zimmermann had a dream. He wanted to develop a world class "strong" encryption program for encoding email and documents, and he would make it available free. He was himself an anti-nuke activist, and saw this as his contribution to resisters and government opponents around the world.
Ten years ago, in 1991, he released the first MS-DOS version of his invention called PGP (Pretty Good Privacy) on the "Peacenet." The U.S. government freaked out, and started a criminal investigation. They have long tried to prevent widespread use of encryption software by declaring that military grade encryption was a form of "munition" and making it a felony to send overseas (even though the principles of such encryption are, in fact, widely known around the world).
After the Justice Department announced on January 11, 1996 that they were abandoning the prosecution of Zimmermann and his collaborator Kelly Goen, Zimmermann created an aboveground company to produce new versions of PGP.
PGP has been a world-class hit, used by thousands of people to encode their correspondence. Government efforts have been unable to contain it. And, because it was released in "open source" format, many people could study how it was made, and versions were quickly developed for Macintosh and Unix computers.
How good is PGP? High quality encryption is extremely difficult to break by "brute force"; only major governments have the resources to tackle it, and it is believed that even they have great difficulty breaking more than a few high priority coded messages.
However, the code is still only as good as its private key, a long string of characters that the user applies to decode the messages. If the private key (which is never stored on a hard drive, for reasons explained above) falls into hostile hands, the code is broken.
One worrisome note: The Clinton administration proposed allowing encryption if programming companies agreed to allow the government to hold onto master keys. The new commercial PGP company (which is no longer associated with Zimmermann) publicly flirted with this concept, and now refuses to publish the source code to the latest versions of PGP so outside experts can verify that no backdoors are present.
Even if government agents don't secretly have master keys, they have now developed ways to get the private keys directly. Which brings us to the story of Nicodemo S. Scarfo Jr.
The Case of Keylogging the Geeky Mobster
"When criminals like drug dealers and terrorists use encryption to conceal their communications, law enforcement must be able to respond in a manner that will not thwart an investigation or tip off a suspect."
Attorney General Janet Reno and Deputy Defense Secretary John Hamre, January 00
"If we're now talking about expanding black bag jobs to every case in which the government has an interest where the subject is using a computer and encryption, the number of break-ins is going to skyrocket. Break-ins are going to become commonplace.... What the government is arguing is that it should have the right to surreptitiously install monitoring devices on computers without any obligation to explain what that device does."
David Sobel, general counsel, Electronic Privacy Information Center (EPIC)
Police raided the office of Nicodemo S. Scarfo Jr. in January 1999 and came away pissed. Scarfo, son of the jailed mobster "Little Nicky" Scarfo, is known as a "computer geek" in his circles. He had used PGP to encrypt his computer files. When the agents copied the contents of his hard drive, there was one key file they simply could not read. And they did not have the evidence they wanted about an alleged loan-sharking operation.
So they decided to break his codes.
On May 10, 1999, FBI agents obtained a general search warrant from a local magistrate.
The seven-page court order authorized the FBI and cooperating local police to break into Scarfo's first-floor "Merchant Services of Essex County" office as many times as necessary to deploy, maintain, and then remove "recovery methods which will capture the necessary key-related information and encrypted files."
Armed with this court order, police agents secretly returned to Scarfo's office in Belleville, New Jersey. In a black bag operation they installed what authorities call "a keylogger system," which would record his keystrokes and so capture his password when he typed it in.
Ultimately, the logger captured a password. But Scarfo had changed his password, and it didn't decrypt the original file they had seized in the first raid. But investigators captured a new version of the file from floppy disks in Scarfo's home, and the password worked on that new version, supposedly revealing financial records of illegal operations.
James Atkinson of Granite Island Group, a private electronic surveillance firm, told the press that there are at least three types of keystroke-logging devices currently available:
There is software that can be loaded onto a computer.
There is an attachment that can be linked to the port where the keyboard line enters the computer.
Finally, there is a sugar-cube-sized bug that can be put inside the keyboard. It draws power from the computer and can store up to 32 million keystrokes.
Typically, information from the bugged computers can be downloaded from a remote location.
The Scarfo case is being decided this summer and involves the issue of whether computer spying needs to conform to federal wiretapping laws.
In applying for their warrant, the agents claimed that "there will be no wire, oral or electronic communications captured," and were therefore arguing that federal restrictions on wiretapping did not apply to their keylogger. However, as attorney Donald Manno pointed out to the press, "Anything he typed on that keyboard (a letter to his lawyer, personal or medical records, legitimate business records), they got it all."
The F.B.I. and prosecutors have firmly refused to say anything about their keylogger, including whether it is hardware or purely software. Justice Department attorneys told a federal judge that public disclosure of the details of this keylogger would undermine other cases where it is being used. Complete secrecy about this keylogger was needed, they say, to prevent targeted people from using "counter-surveillance tactics to thwart law enforcement."
Their secrecy is also an attempt to save their flimsy legal claim that keylogging is not wiretapping, and so can be done casually and secretly as part of any general search warrant.
The Case of the Tell-Tale Email
In the last year, there has been widespread publicity about the FBI's Carnivore program: This is a box that federal agents install on the internet to sniff out email associated with targeted users. Because of the nature of the Internet, the Carnivore must go over all email passing through, and the federal authorities insist that the public should trust them only to read those emails that are "spit out" with a particular email address on them.
Most email passes through the internet as unscrambled, easy-to-read, easy to intercept packets of text. Paul Syverson, researcher at U.S. Naval Research Laboratory's Center for High Assurance Computer Systems, told the press: "Public networks are vulnerable to traffic analysis. Packet headers identify recipients, and packet routes can be tracked. Even encrypted data exposes the identity of the communicating parties."
Faced with news about Carnivore and the knowledge that their employers might be reading workplace-related email accounts, millions of people are seeking privacy through free email accounts at sites like yahoo.com, hotmail.com, and excite.com.
Because these web-based services are free, there are no credit card payments associated with them. And, as a result, there is no reason for the service providers to insist on accurate personal information from people using their services. So, these free email accounts are far more anonymous than the email accounts associated with paying ISP internet access.
However, one recent case reveals some little known dangers that await the unaware.
In the 2000 Minnesota Senate race, a series of malicious emails started appearing that targeted the liberal candidate Mike Ciresi. They claimed to be from a former supporter who called herself "Katie Stevens," and who said she was now disgusted to learn that Ciresi represented corporate polluters and anti-union companies.
The Ciresi campaign suspected this was campaign dirty tricks by their opponent, Republican Senator Grams. They obtained copies of the hostile email, and the true story started to unravel. (The following details are from a June 16 article by Declan McCullagh in wired.com.)
The email had been sent from a free email account at Microsoft's Hotmail service. This much was obvious, since the email address, [email protected], came at the top of each email.
What "Katie Stevens" didn't know is that Hotmail also includes an X-Originating-IP header that shows the IP address of the sender. This IP address reveals where you are connected to the internet as you send and receive information-during that internet session.
The IP addresses revealed that "Katie Stevens" had started by sending the email from a rented computer in a Kinko's store.
But, over time, "Katie Stevens" got sloppy. Prosecutors, investigating election violations, traced some of the later emails to an IP address associated with a commercial ISP, AT&T WorldNet.
It turns out that AT&T WorldNet kept Caller ID logs of people phoning in by modem-and their records could connect the IP address to a specific phone call, and from there to specific phones.
The trail led back to the phone number of Christine Gunhus, who was about to marry Senator Grams.
In addition, the emails had Microsoft Word attachments. MS Word has a feature that embeds any "user information" given at installation into documents. And the author recorded in the attached documents led to, you guessed it, Christine Gunhus.
Finally, investigators also found Globally Unique Identifiers (GUIDs) in the Word documents. The GUID includes the Ethernet MAC address. Prosecutors obtained a search warrant to seize Gunhus' computer, from which they could extract the MAC address from the machine's Ethernet card.
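The two traces that undid "Katie Stevens" can both be pulled out of the artifacts with a few lines of code. The block below is an added example, not from the article or from the investigators: it reads the X-Originating-IP header out of a raw message and decodes a document GUID, showing that a version-1 GUID carries both a creation timestamp and, in its last field, the Ethernet MAC address of the machine that generated it (the RFC 4122 layout). The email, the document blob, the GUID and the MAC value are all constructed; the address uses the documentation range 203.0.113.0/24. Run against your own outgoing mail and attachments, it is the check that tells you whether you are leaking these fields.

```python
"""Tell-tale metadata: the two traces in the "Katie Stevens" story.

Added example, not from the article. The email and document blob are
constructed for illustration; the GUID, MAC and IP values are made up.
"""
import ipaddress
import re
import uuid
from datetime import datetime, timedelta, timezone
from email import message_from_string

# --- Trace 1: the X-Originating-IP header web-mail services added --------------

CONSTRUCTED_EMAIL = """\
Received: from mail.example.invalid (mail.example.invalid [198.51.100.7])
X-Originating-IP: [203.0.113.45]
From: "Katie Stevens" <katie.stevens@example.invalid>
To: reporter@example.invalid
Subject: Why I no longer support the candidate
Date: Tue, 17 Oct 2000 12:00:00 -0000

(body omitted; constructed sample)
"""


def originating_ip(raw_message: str):
    """Return the sender's connection address as a string, or None if absent.

    Hotmail wrote the value in square brackets ("[1.2.3.4]"), so brackets and
    whitespace are stripped before the address is validated.
    """
    value = message_from_string(raw_message).get("X-Originating-IP")
    if value is None:
        return None
    candidate = value.strip().strip("[]")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


# --- Trace 2: version-1 GUIDs carry a timestamp and the NIC's MAC address -----

GUID_RE = re.compile(
    rb"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?"
)

# Constructed stand-in for the property stream of an old Word file, where the
# _PID_GUID property stores the document GUID as text.
CONSTRUCTED_DOCUMENT = (
    b"\x00\x00_PID_GUID\x00\x00"
    b"{04B06000-A425-11D4-AABC-00112233AABB}"
    b"\x00\x00Author\x00Constructed Author\x00"
)

GREGORIAN_TO_UNIX_100NS = 0x01B21DD213814000  # ticks from 1582-10-15 to 1970-01-01


def decode_v1_guid(text: str) -> dict:
    """Unpack a GUID; for version 1, recover its timestamp and node (MAC) field."""
    u = uuid.UUID(text)
    info = {"uuid": str(u), "version": u.version}
    if u.version != 1:
        return info
    # u.time is a 60-bit count of 100-ns ticks since the Gregorian epoch
    unix_ticks = u.time - GREGORIAN_TO_UNIX_100NS
    info["timestamp"] = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=unix_ticks // 10
    )
    # RFC 4122: a set multicast bit means the node was randomly generated;
    # otherwise it is the IEEE 802 (Ethernet) address of the generating host.
    info["node_is_mac"] = not ((u.node >> 40) & 1)
    info["node"] = ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    return info


def guids_in_document(blob: bytes) -> list:
    """Find every GUID-shaped string in a document and decode it."""
    return [decode_v1_guid(m.group(1).decode("ascii")) for m in GUID_RE.finditer(blob)]


if __name__ == "__main__":
    print("sender connected from:", originating_ip(CONSTRUCTED_EMAIL))
    for g in guids_in_document(CONSTRUCTED_DOCUMENT):
        print(g)
```

The "11d4" in the third field of the constructed GUID is the version nibble followed by the high bits of a year-2000 timestamp, which is why so many Word documents of that era carry GUIDs of that shape; the last field is the adapter address, which a search warrant for the machine can confirm exactly as the article describes.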
Christine Gunhus pleaded no contest in June 2001 to charges of using a pseudonym to unlawfully send email messages that disparaged her husband's Democratic rival.
The Privacy Conflict Continues
Press reports at the end of July said that the budget bill emerging from the Appropriations Committee includes $7 million more to the FBI for technology to thwart encryption. The appropriations committee intends for it to be spent on: "(1) analysis/exploitation of systems to allow access to data pre-encryption, (2) recognition/decryption of data hidden in plain sight, and (3) decryption of encrypted data." In addition, another $7 million goes to a plan to improve "intercept capabilities," including for "developing broadband capabilities and procuring prototypes capable of intercepting transmissions outside of the FBI's technical reach." Translation: Create better ways to eavesdrop on cable modems and DSL connections.
These government moves are being met by many different kinds of actions, including by programmers and privacy activists. There are court suits, energetic campaigns of exposure and a wide range of creative software intended to improve privacy. The web is full of "how to" sites-offering advice on firewalls, cleaning out hard drives, preventing Trojan horses and improving anonymity. For the reasons described in this article, it is extremely hard to evaluate which of these technical methods actually work.
Only one method offers reasonably solid protection, and that is surfing and emailing from a machine that is not associated with the user in any way. If "Katie Stevens" had stayed at Kinko's, her identity might not have been uncovered.
And, perhaps ironically, the message of the CIA during the Deutch affair is that once a person and an account are known to hostile forces, even the CIA doesn't believe it has a reliable set of technical countermeasures. The CIA's publicly explained policy is quite clear and simple: a machine used to view or edit sensitive documents must be a separate "dedicated machine" for its lifetime, and never allowed to connect to the internet.