Friday, April 17, 2009

FBI Hackers & CIPAV

In his slight paranoia blog, Christopher Soghoian shares some of his thoughts on the FBI spyware documents that were released in response to a Freedom of Information Act request by Wired.

For those of you who aren't familiar with CIPAV, check out the Wikipedia entry or my earlier posting entitled When Is Hacking OK?

In addition to being highly redacted, the documents were interesting not so much for what they said, but rather for what a security professional can see when reading between the blacked-out lines.

Wired's Kevin Poulsen:

The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link. That's what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."

So the FBI wants us to believe that tech-savvy crooks who use elaborate means to obfuscate their location and identity are going to be tricked into clicking on a link to be redirected to a website hosting malcode to exploit their browser vulns? That's a pretty big stretch for me to accept.

Chris has a much more probable theory:

What is far more likely is that the FBI has asked MySpace, Google or Yahoo to insert the drive-by malware infection code directly into their own websites, so that the next time the suspect signed into their account, their browser would automatically be infected without the need to trick them into visiting a FBI-controlled Web site.

Such cooperation by Web 2.0 companies (if it indeed occurred) would be fascinating, troubling and would likely do significant damage to their reputations -- which would also explain the significant redaction in the FOIA documents.

Very interesting indeed.

