IP: CyberWar Update #2

[David Farber <dave () farber net>]

> From: "John F. McMullen" <johnmac () acm org>
>
> >From osint
>
> ----- Original Message -----
> From: mark hopkins
>
> Sent: Friday, November 30, 2001 2:51 PM
> Subject: [osint] CyberWar Update #2
>
>
> The Virus Invasion portion is new material that I've been working on for
> a couple days, it first became relevant news about Tuesday of this week.
> The FBI vs. CIA is material I went over with John and Paul on their
> radio show on WABC last night (hear them on 770AM 10-1 EST) -- included
> is a list of other tools that the FBI and CIA are currently employing in
> their effort to come in line with the online world. Included is a
> description how you can completely, legally and safely circumvent all
> the known ways of online federal monitoring.  There are other ways to
> make it more safe, but these include tactics which are not allowed
> within the confines of the law, and I cannot suggest their usage for
> everyday purposes.
>
> Rizzn's Wartime Factbook: http://factbook.diaryland.com/
> The Best UAV: http://www.unmannedaircraft.com
>
> CyberWar Update #2
> The update as of November 30th, 2001
> Report assembled by Mark Hopkins
> <markhopkins () mindless com>
> of Parallad Studios OSIS Project
>
> There are two major fronts opening up in the Cyber War front, largely
> being ignored by the major media. Computer security groups are noting
> the vast influx of email-propelled virii. The other front largely
> ignored is the clash in the surveillance policies and programs between
> the FBI and the CIA, reported only by Charles R. Smith of Newsmax.com
> news service.
>
> Virus Invasion
>
> Badtrans is the name of the virus that is making the rounds currently
> and grinding email servers to a halt worldwide. There is much
> speculation by respectable theorists that this may be the much-talked
> about keylogging virus the FBI is threatening to release on the public
> known by the name Magic Lantern. Operationally, it fits the profile,
> logging keystrokes to a temp-file and when the temp-file reaches a
> certain size, mailing the log file to a pre-specified recipient. The
> Badtrans virus has had a couple modifications made to it over the last
> couple weeks, making it's transmission and operations more smooth, and
> therefore more infections and effective, however it is reported that
> most commercially available anti-virus software still picks it up prior
> to infection.
>
> The new version of the Badtrans virus activates embedded HTML in the
> email and automatically informs Microsoft email programs to activate the
> attached virus program. The virus also appears to activate the MP3
> player.
>
> There are three scenarios within possibility which would explain the
> origin of the Badtrans virus. The first, most obvious, and most widely
> accepted is that it is a simple keylogging virus put out by a random
> hacker to get user's usernames and passwords. The second theory is more
> of an addendum to the first, in that it's a virus put out by a random
> hacker at this time to try to create a buzz and make it look as if the
> FBI is targetting certain groups or demographics (this theory has been
> posited by many members of the OSINT group RMNews). The third theory is
> that this is in fact the second iteration of the Magic Lantern
> keylogger.
>
> The first theory is supported by the simple fact that this sort of thing
> comes out on a fairly regular basis, and to assume that this virus is
> any different than the last 15 that have come out is pure conjecture --
> at least at first glance. The third theory is supported by the plethora
> of news releases that has accompanied the virus's release that tell of
> the FBI's Magic Lantern keylogger's inner workings. The operations are
> very similar in description, and a mass release through worm form is an
> effective means of distribution, despite the preferred method of
> delivery is reportedly the newly allowed ''sneak and peek'' method --
> however, distribution through an email virus does seem to be a bit
> unconventional, a bit of a kludge-type attack. Granted, the FBI's
> technology teams have proven somewhat clueless as to implementation of
> internet technologies in the past, but this tends to lack the type of
> precision the FBI needs, and seems like it could lead to the type of
> legal troubl! e the FBI could ill-afford.
>
> All of this lends the most credence to the second theory, that it is
> most likely being used as an Infowar tool, to make individuals feel as
> if they are being singled out by the FBI or other government agencies
> since most virus detection systems alert the user of it and mention it's
> purpose. It may have originally started out as the tool mentioned in
> theory one, but it has quickly become the tool mentioned in theory two.
>
> FBI vs. CIA in Cyberspace
>
> Most people who are in the intelligence community and those who follow
> it recognize that there was a vast intelligence failure that led up to
> the Sept 11 attacks.
>
> The FBI and CIA are two agencies charged with law enforcement and
> intelligence operations, have taken the most heat for the failure. Both
> agencies had few areas of cooperation prior to Sept. 11. As it turns out
> the FBI and CIA have suddenly found themselves in diametrecially opposed
> roles inside cyberspace.
>
> Below is a list of tools that would aid US Federal law
>
> FBI tools:
> Carnivore (http://www.fbi.gov/hq/lab/carnivore/carnlrgmap.htm)
> The way carnivore works, according to the diagrams and explanations on
> the FBI website, is to trap all data going through a certain point, make
> a copy and send it back to a centralized point. The FBI is then able to
> sift through it using keyword searches.
>
>
> Some time last year the FBI was forced by privacy advocates such as the
> ACLU and the EFF to reveal that it had a new software program called
> Carnivore designed to monitor Internet e-mail. The way the Carnivore
> system operates is not on home personal computers, or the client side,
> but on Internet Service Provider computers, or the server side. This
> allows the agency to siphon off data from suspected customers.
>
> It is used only for looking through email, according to its description,
> *however* from it's description, it is also capable of sifting through
> web traffick. (remember that)
>
> Magic Lantern
> There is no official documentation on Magic Lantern on FBI's website,
> but open source intelligence resources describe it's operation and
> implementation as such:
>
> It is to be spread either through an agent manually infecting the
> machine by inserting an infected disk or downloading the infection, or
> through targeted email virus infections. (i.e., opening an email, and a
> hidden virus is installed on the victim's machine without his knowlege
> by way of many security holes in email software).
>
> It is a key-logging program, designed to intercept passwords and
> outgoing emails from the user's machine. It cannot log mouse clicks,
> however, which is it's only weakness. (i.e., if a user has an encryption
> software installed, and has the password stored locally, it can be
> activated by mouse clicks instead of a password being typed in, thus
> defeating the keylogging method).
>
> dTective
> Developed jointly by Ocean Systems Co. of Burtonsville Md. (did the
> software side) and Avid Technology Inc. (hardware side). Its purpose is
> to trace the financial transactions linked to Sept's terrorist attacks
> against New York and Washington by enhancing ATM video surveillance
> images that were previously unusable due to bad lighting and such.
>
> Encase
> Deleted file recovery tool. Used in cases where the suspect has clean
> sweep deleted the hard drive of data.
>
> CIA tools:
> Triangle Boy/SafeWeb
> It's original intent was to allow Asian Surfers (primarily Chinese) to
> surf the web without government interference. It allowed them to bypass
> governmentally blockage of websites and to do so anonymously (at least
> to governments other than the United States).
>
> Technically, this tool sponsored by the CIA could be used as an aid to
> hackers, as well as those hiding from governments and companies who
> filter what their users are able to see.
>
> It could also be used as a device to in some way circumvent the FBI from
> positively tracking down the author of a message. Imagine if a terrorist
> sets up an account on Hotmail, but uses Triangle Boy to access it. The
> FBI would be able to determine what the content was, but would be unable
> to find the user by way of IP tracking. Nor would the FBI know what
> computer to put Magic Lantern on in case the user was employing a method
> of encryption, which would prevent the FBI from even seeing the content
> of the messages as well.
>
> Fluent
> Custom-written software scours foreign Web sites and displays
> information in English back to
> analysts. The program already understands at least nine languages,
> including Russian, French and Japanese. Not a remarkable piece of
> software, same results that this software produce can be accomplished by
> combining the power of Digital's babelfish project with Google's search
> engine software.
>
> Echelon
> Essentially a European Carnivore, not officially acknowleged by the US
> government.
>
> Oasis
> Technology that listens to worldwide television and radio broadcasts and
> transcribes detailed reports for analysts. Oasis currently misinterprets
> about one in every five words and has difficulty recognizing colloquial
> Arabic, but the system is improving, said Larry Fairchild, head of the
> CIA's year-old Office of Advanced Information Technology.
>
> Conflicting tools:
>
> The tool conflict comes up between the CIA and the FBI are the CIA's
> Triangle Boy utility and the FBI's Magic Lantern and Carnivore snooping
> utilities. Essentially, by using the Triangle Boy web proxy utility or
> any other commercially available approximation thereof while
> simultaneously running any number of publicly available different
> 128-bit encryption routines, you can effectively and completely block
> yourself off from any FBI monitoring.
>
> What Triangle Boy allows you to do is anonymously surf the web. There
> are a couple public projects on the internet that approximate what
> Triangle Boy does, such as it's predecessor Anonymizer.com, probably the
> web's first public anonymous proxy server. By using this or a similar
> service to log on to a public, free email server, you have prevented the
> email server from logging your IP address, or in other words, a number
> that can be linked to your person.
>
> To completely make your message unintelligable and unbreakable to the US
> Federal government, use 128-bit or better encryption methods,
> preferrably the RC5 standard. Distributed.net has been working with a
> brute force hack of the RC5 encryption routine (64-bit encryption) since
> 1998 using thousands of computers simultaneously on the project and
> estimates they have a year left until they break the code. From this one
> can safely assume that by the time the government is able to break your
> message at 128-bits, the usefulness of the contents of the message will
> long past be viable, not to mention most statute of limitation laws will
> have expired in the process.
>
> Vulnerabilities in the Magic Lantern Keylogger
>
> The Magic Lantern keylogger not only is ineffective in accomplishing
> it's purpose by virtue of the CIA's and the private sector's privacy
> tools, it also could backfire on the federal government. Any technically
> savvy hacker, could quite easily reverse engineer the product to either
> hack into the repository for the keylogged files or re-distribute the
> virus as an agent to gather his own data, especially if the government
> strikes deals with anti-virus makers to make the utility unnoticed by
> their detection software.
>
>
> [Non-text portions of this message have been removed]
>
>
> --------------------------
> Brooks Isoldi, editor
> bisoldi () intellnet org
>
> http://www.intellnet.org
>
>   Post message: osint () yahoogroups com
>   Subscribe:    osint-subscribe () yahoogroups com
>   Unsubscribe:  osint-unsubscribe () yahoogroups com
>
>
> "When you come to the fork in the road, take it" - L.P. Berra
> "Be precise in the use of words and expect precision from others" -
> Pierre Abelard
> "Always make new mistakes" - Esther Dyson
>
> John F. McMullen
> johnmac () acm org johnmac () computer org johnmac () johnmac net
> ICQ: 4368412 Fax: (603) 288-8440
> http://www.westnet.com/~observer
> http://www.johnmac.net

For archives see:
http://www.interesting-people.org/archives/interesting-people/