Interesting People mailing list archives
IP: CyberWar Update #2
From: David Farber <dave () farber net>
Date: Sun, 02 Dec 2001 19:14:33 -0500
From: "John F. McMullen" <johnmac () acm org>

From osint:

----- Original Message -----
From: mark hopkins
Sent: Friday, November 30, 2001 2:51 PM
Subject: [osint] CyberWar Update #2

The Virus Invasion portion is new material that I've been working on for a couple of days; it first became relevant news about Tuesday of this week. The FBI vs. CIA is material I went over with John and Paul on their radio show on WABC last night (hear them on 770AM 10-1 EST) -- included is a list of other tools that the FBI and CIA are currently employing in their effort to come in line with the online world. Included is a description of how you can completely, legally and safely circumvent all the known ways of online federal monitoring. There are other ways to make it more safe, but these include tactics which are not allowed within the confines of the law, and I cannot suggest their usage for everyday purposes.

Rizzn's Wartime Factbook: http://factbook.diaryland.com/
The Best UAV: http://www.unmannedaircraft.com

CyberWar Update #2
The update as of November 30th, 2001
Report assembled by Mark Hopkins <markhopkins () mindless com> of Parallad Studios OSIS Project

There are two major fronts opening up in the Cyber War front, largely being ignored by the major media. Computer security groups are noting the vast influx of email-propelled virii. The other front largely ignored is the clash in the surveillance policies and programs between the FBI and the CIA, reported only by Charles R. Smith of Newsmax.com news service.

Virus Invasion

Badtrans is the name of the virus that is making the rounds currently and grinding email servers to a halt worldwide. There is much speculation by respectable theorists that this may be the much-talked-about keylogging virus the FBI is threatening to release on the public, known by the name Magic Lantern. Operationally, it fits the profile, logging keystrokes to a temp-file and, when the temp-file reaches a certain size, mailing the log file to a pre-specified recipient. The Badtrans virus has had a couple of modifications made to it over the last couple of weeks, making its transmission and operations more smooth, and therefore more infectious and effective; however, it is reported that most commercially available anti-virus software still picks it up prior to infection. The new version of the Badtrans virus activates embedded HTML in the email and automatically informs Microsoft email programs to activate the attached virus program. The virus also appears to activate the MP3 player.

There are three scenarios within possibility which would explain the origin of the Badtrans virus. The first, most obvious, and most widely accepted is that it is a simple keylogging virus put out by a random hacker to get users' usernames and passwords. The second theory is more of an addendum to the first, in that it's a virus put out by a random hacker at this time to try to create a buzz and make it look as if the FBI is targeting certain groups or demographics (this theory has been posited by many members of the OSINT group RMNews). The third theory is that this is in fact the second iteration of the Magic Lantern keylogger.

The first theory is supported by the simple fact that this sort of thing comes out on a fairly regular basis, and to assume that this virus is any different than the last 15 that have come out is pure conjecture -- at least at first glance. The third theory is supported by the plethora of news releases that has accompanied the virus's release that tell of the FBI's Magic Lantern keylogger's inner workings. The operations are very similar in description, and a mass release through worm form is an effective means of distribution, even though the preferred method of delivery is reportedly the newly allowed ''sneak and peek'' method -- however, distribution through an email virus does seem to be a bit unconventional, a bit of a kludge-type attack. Granted, the FBI's technology teams have proven somewhat clueless as to implementation of internet technologies in the past, but this tends to lack the type of precision the FBI needs, and seems like it could lead to the type of legal trouble the FBI could ill afford.

All of this lends the most credence to the second theory, that it is most likely being used as an Infowar tool, to make individuals feel as if they are being singled out by the FBI or other government agencies, since most virus detection systems alert the user of it and mention its purpose. It may have originally started out as the tool mentioned in theory one, but it has quickly become the tool mentioned in theory two.

FBI vs. CIA in Cyberspace

Most people who are in the intelligence community and those who follow it recognize that there was a vast intelligence failure that led up to the Sept 11 attacks. The FBI and CIA, the two agencies charged with law enforcement and intelligence operations, have taken the most heat for the failure. Both agencies had few areas of cooperation prior to Sept. 11. As it turns out, the FBI and CIA have suddenly found themselves in diametrically opposed roles inside cyberspace. Below is a list of tools that would aid US Federal law

FBI tools:

Carnivore (http://www.fbi.gov/hq/lab/carnivore/carnlrgmap.htm)
The way Carnivore works, according to the diagrams and explanations on the FBI website, is to trap all data going through a certain point, make a copy and send it back to a centralized point. The FBI is then able to sift through it using keyword searches. Some time last year the FBI was forced by privacy advocates such as the ACLU and the EFF to reveal that it had a new software program called Carnivore designed to monitor Internet e-mail. The way the Carnivore system operates is not on home personal computers, or the client side, but on Internet Service Provider computers, or the server side. This allows the agency to siphon off data from suspected customers. It is used only for looking through email, according to its description; *however*, from its description, it is also capable of sifting through web traffic. (remember that)

Magic Lantern
There is no official documentation on Magic Lantern on the FBI's website, but open source intelligence resources describe its operation and implementation as such: It is to be spread either through an agent manually infecting the machine by inserting an infected disk or downloading the infection, or through targeted email virus infections (i.e., opening an email, and a hidden virus is installed on the victim's machine without his knowledge by way of many security holes in email software). It is a key-logging program, designed to intercept passwords and outgoing emails from the user's machine. It cannot log mouse clicks, however, which is its only weakness (i.e., if a user has encryption software installed, and has the password stored locally, it can be activated by mouse clicks instead of a password being typed in, thus defeating the keylogging method).

dTective
Developed jointly by Ocean Systems Co. of Burtonsville, Md. (did the software side) and Avid Technology Inc. (hardware side). Its purpose is to trace the financial transactions linked to September's terrorist attacks against New York and Washington by enhancing ATM video surveillance images that were previously unusable due to bad lighting and such.

Encase
Deleted file recovery tool. Used in cases where the suspect has clean-sweep deleted the hard drive of data.

CIA tools:

Triangle Boy/SafeWeb
Its original intent was to allow Asian surfers (primarily Chinese) to surf the web without government interference. It allowed them to bypass governmental blockage of websites and to do so anonymously (at least to governments other than the United States). Technically, this tool sponsored by the CIA could be used as an aid to hackers, as well as those hiding from governments and companies who filter what their users are able to see. It could also be used as a device to in some way prevent the FBI from positively tracking down the author of a message. Imagine if a terrorist sets up an account on Hotmail, but uses Triangle Boy to access it. The FBI would be able to determine what the content was, but would be unable to find the user by way of IP tracking. Nor would the FBI know what computer to put Magic Lantern on in case the user was employing a method of encryption, which would prevent the FBI from even seeing the content of the messages as well.

Fluent
Custom-written software scours foreign Web sites and displays information in English back to analysts. The program already understands at least nine languages, including Russian, French and Japanese. Not a remarkable piece of software; the same results that this software produces can be accomplished by combining the power of Digital's babelfish project with Google's search engine software.

Echelon
Essentially a European Carnivore, not officially acknowledged by the US government.

Oasis
Technology that listens to worldwide television and radio broadcasts and transcribes detailed reports for analysts. Oasis currently misinterprets about one in every five words and has difficulty recognizing colloquial Arabic, but the system is improving, said Larry Fairchild, head of the CIA's year-old Office of Advanced Information Technology.

Conflicting tools:

The tools in conflict between the CIA and the FBI are the CIA's Triangle Boy utility and the FBI's Magic Lantern and Carnivore snooping utilities. Essentially, by using the Triangle Boy web proxy utility or any other commercially available approximation thereof while simultaneously running any number of publicly available different 128-bit encryption routines, you can effectively and completely block yourself off from any FBI monitoring. What Triangle Boy allows you to do is anonymously surf the web. There are a couple of public projects on the internet that approximate what Triangle Boy does, such as its predecessor Anonymizer.com, probably the web's first public anonymous proxy server. By using this or a similar service to log on to a public, free email server, you have prevented the email server from logging your IP address, or in other words, a number that can be linked to your person. To completely make your message unintelligible and unbreakable to the US Federal government, use 128-bit or better encryption methods, preferably the RC5 standard. Distributed.net has been working with a brute force hack of the RC5 encryption routine (64-bit encryption) since 1998 using thousands of computers simultaneously on the project and estimates they have a year left until they break the code. From this one can safely assume that by the time the government is able to break your message at 128 bits, the usefulness of the contents of the message will long since have passed, not to mention most statutes of limitation will have expired in the process.

Vulnerabilities in the Magic Lantern Keylogger

The Magic Lantern keylogger not only is ineffective in accomplishing its purpose by virtue of the CIA's and the private sector's privacy tools, it also could backfire on the federal government. Any technically savvy hacker could quite easily reverse engineer the product to either hack into the repository for the keylogged files or re-distribute the virus as an agent to gather his own data, especially if the government strikes deals with anti-virus makers to make the utility unnoticed by their detection software.

--------------------------
Brooks Isoldi, editor
bisoldi () intellnet org
http://www.intellnet.org

"When you come to the fork in the road, take it" - L.P. Berra
"Be precise in the use of words and expect precision from others" - Pierre Abelard
"Always make new mistakes" - Esther Dyson

John F. McMullen
johnmac () acm org
johnmac () computer org
johnmac () johnmac net
ICQ: 4368412
Fax: (603) 288-8440
http://www.westnet.com/~observer
http://www.johnmac.net
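The delivery pattern the update describes for Badtrans, an HTML body that gets the mail client to run the attached program, is something a mail gateway can screen for before a user ever sees the message. The check below is an added example, not code from the post or from any tool it names; the two messages it scans are constructed, and treating a media content type (audio, image, video, text) that carries an executable file name as a mismatch is an assumption about what a gateway should consider suspicious.

```python
# Added example: gateway check for HTML mail carrying an executable attachment,
# or an attachment whose declared MIME type disagrees with its file name.
import email
import os
from email.message import Message

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}
# Assumption: these major types should never deliver an executable payload.
PASSIVE_TYPES = {"audio", "image", "video", "text"}


def _ext(part: Message) -> str:
    """Lower-cased file extension of a MIME part, '' if it has no file name."""
    return os.path.splitext(part.get_filename() or "")[1].lower()


def scan_message(raw: str) -> list:
    """Return finding tags for one RFC 822 message (empty list means clean)."""
    msg = email.message_from_string(raw)
    findings, has_html, has_exec = [], False, False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_type() == "text/html":
            has_html = True
        if _ext(part) in EXEC_EXTS:
            has_exec = True
            # Executable file name declared under a passive media type
            if part.get_content_maintype() in PASSIVE_TYPES:
                findings.append("mime-type-mismatch:" + part.get_filename())
    if has_html and has_exec:
        findings.append("html-with-executable-attachment")
    return findings


# Constructed sample: HTML body plus a .pif attachment declared as audio.
SUSPECT = """From: sender@example.invalid
To: victim@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>see attached</body></html>
--b1
Content-Type: audio/x-wav; name="Card.DOC.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Card.DOC.pif"

QUFBQQ==
--b1--
"""

# Constructed sample: plain-text mail with a harmless text attachment.
CLEAN = """From: sender@example.invalid
To: victim@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

notes attached
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

hello
--b2--
"""

if __name__ == "__main__":
    print(scan_message(SUSPECT))  # both findings
    print(scan_message(CLEAN))    # []
```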
For archives see: http://www.interesting-people.org/archives/interesting-people/