Judge OKs FBI hack of Russian computers

[InfoSec News <isn () c4i org>]

http://www.zdnet.com/zdnn/stories/news/0,4586,2767013,00.html

By Mike Brunker 
MSNBC
May 31, 2001 

Upholding the rights of law enforcement to cross national borders in
pursuit of cyberspace criminals, a federal judge has ruled that FBI
agents did not act improperly when they tricked a pair of suspected
hackers out of passwords and account numbers and then downloaded
evidence from their computers in Russia.

U.S. District Judge John C. Coughenour of Seattle rejected several
motions filed on behalf of Vasily Gorshkov, 25, seeking to suppress
the evidence obtained from the computers.

Gorshkov's lawyer, Kenneth Kanev of Seattle, argued that the FBI
agents had violated Gorshkov's Fourth Amendment right against
unreasonable search and seizure by secretly obtaining the passwords
and account numbers using a "sniffer" program that recorded his
keystrokes when he accessed the computers in Chelyabinsk, Russia.

But Coughenour, in a ruling dated May 23 that was made public this
week, ruled that Gorshkov and his alleged co-conspirator, Alexey
Ivanov, 20, had no expectation of privacy when they sat down at
computers in the offices of Invita--actually an FBI front set up to
lure the suspects to the United States with offers of work in the
computer security field.

"When (the) defendant sat down at the networked computer ... he knew
that the systems administrator could and likely would monitor his
activities," Coughenour wrote. "Indeed, the undercover agents told
(Gorshkov) that they wanted to watch in order to see what he was
capable of doing."

He also found that the Fourth Amendment applied neither to the
computers "because they are the property of a non-resident and located
outside the United States" nor the data--at least until it was
transmitted to the United States.

The judge noted that investigators then obtained a search warrant
before viewing the vast store of data--nearly 250 gigabytes, according
to court records. He rejected the argument that the warrant should
have been obtained before the data was downloaded, noting that "the
agents had good reason to fear that if they did not copy the data,
(the) defendant's co-conspirators would destroy the evidence or make
it unavailable."

Finally, Coughenour rejected defense arguments that the FBI's actions
"were unreasonable and illegal because they failed to comply with
Russian law," saying that Russian law does not apply to the agents'
actions.

The judge did grant one defense motion, agreeing to delay Gorshkov's
trial until Sept. 17.

Tantalizing clues

Prosecutors have dropped tantalizing clues in court papers and in
testimony suggesting that Gorshkov and Ivanov were kingpins of Russian
computer crime prior to their arrests.

Court papers indicate that the pair, who were arrested in Seattle on
Nov. 10, are believed to have broken into and obtained financial
information from the computer networks of two banks--the Nara Bank of
Los Angeles and Central National Bank-Waco (Texas). They also charge
that the duo broke into the computers of at least 38 other U.S.
companies, often following the intrusion with an extortion demand.

Prosecutors have indicated they believe the two are linked to a pair
of high-profile cases: the theft of data on 300,000 credit cards from
the CD Universe Web site and the heist of data on 15,700 credit cards
from a Western Union Web site. The suspects' alleged connection to
those cases has not been explained.

Both men have been indicted by a federal grand jury in Seattle. Ivanov
also has been indicted in New Jersey and Connecticut, where he
currently is in custody.

NT vulnerability exploited

Ivanov, Gorshkov and other unnamed associates used the Internet to
gain illegal access to the U.S. companies' computers, often by
exploiting a known security vulnerability in Windows NT, prosecutors
say. A "patch" for the vulnerability has been posted on the Microsoft
Web site for almost two years, but the companies hit by the
cyberbandits hadn't updated their software. (MSNBC is a Microsoft-NBC
joint venture.)

At least one company, Lightrealm Communications of Kirkland, Wash.,
acceded to a demand that it hire Ivanov as a security consultant after
he broke into the Internet service provider's computers. Prosecutors
say Ivanov then used a Lightrealm account to break into other
companies' computers.

The break that eventually led to the arrests came when Ivanov
identified himself in an e-mail while attempting to extort money from
a victimized company, Stephen Schroeder, an assistant U.S. attorney in
Seattle, told MSNBC.com. FBI agents then found his resum online and,
posing as representatives of a fictitious network security company
called Invita, contacted him to offer him a job.

"He felt pretty safe because he was in Russia," Schroeder said of
Ivanov's alleged blunder.

After Ivanov arrived in Seattle, accompanied by Gorshkov, agents
posing as Invita officials asked the men to demonstrate their prowess
on a computer outfitted with "sniffer" software to record every
keystroke. After arresting the duo, they used account numbers and
passwords obtained by the program to gain access to data stored in the
computers in Russia, Schroeder said.

Second major bust

The arrest of Ivanov and Gorshkov was the second major computer crime
bust aimed at former Soviet Union nations in the past year.

In August 2000, federal agents arrested two Kazakh men in London after
they allegedly broke into the computer systems of financial
information provider Bloomberg L.P. and attempted to extort $200,000
from company founder Michael Bloomberg.

U.S. authorities are seeking to extradite Oleg Zezov and Igor Yarimaka
for trial on the charges. If convicted, Zezov and Yarimaka could
receive prison sentences of up to 20 years and fines of $250,000 each.

Eastern Europe and nations of the former Soviet Union have become a
hotbed in recent years for computer crime aimed at businesses in the
United States and other Western nations.

When MSNBC.com first reported on the problem of overseas computer
crime in 1999, Mark Batts, the special agent in charge of the FBI's
Financial Institution Fraud Unit, said he was not aware of any
prosecutions of credit card thieves operating from Eastern Europe and
the nations of the former Soviet Union.
 



ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.