
FBI infected 15-year-old bomb threat twit with malware, by impersonating newspaper


The Seattle Times is furious, after discovering that the FBI stole its identity.


Documents obtained by the Electronic Frontier Foundation (EFF) show that, while attempting to identify who had made a series of high school bomb threats, the FBI created a fake Seattle Times webpage containing a bogus Associated Press news story, with the intention of infecting a suspect’s computer with malware.

What was previously known was that in late May 2007, a series of bomb threats began to arrive at Timberline High School in Washington state. Some of the messages, which appeared to be from a Myspace user called “Timberlinebombinfo”, taunted the authorities that they were “too stupid to trace the email.”

Now that the school is scared from yesturdays fake bomb threat it’s now time to get serious. One in a gym locker, the girls. It’s in a locker hidden under a pile of clothes. The other four I will only say the general location. One in the Language Hall, One in the math hall, One underneath a portable taped with strong ducktape. This bomb will go off if any vibrations are felt. And the last one, Is in a locker. It is enclosed in a soundproof package, and litteraly undetectable. I have used a variety of chemicals to make the bombs. They are all different kinds.

They will all go off at 10:15AM. Through remote detonation. Good Luck. And if that fails, a failsafe of 5 minutes later.

Oh and for the police officers and technology idiots at the district office trying to track this email and yesturdays email’s location. I can give you a hint. The email was sent over a newly made gmail account, from overseas in a foreign country. The gmail account was created there, and this email and yesturdays was sent from there. So good luck talking with Italy about getting the identify of the person who owns the 100Mbit dedicated server.

The authorities attempted to identify Timberlinebombinfo by subpoenaing MySpace and webmail services, but the person making the threats had covered their tracks, apparently by routing the messages through Italian computers.

That’s when the FBI came up with an idea. They would infect the suspect’s PC with some spyware called CIPAV (Computer & Internet Protocol Address Verifier) that could report back to them information about the computer (IP address, MAC address, a list of running programs, currently logged-in username and more) that could help identify who was responsible.

The FBI’s attempt to infect the suspect’s computer was successful, and as a consequence a 15-year-old student called Josh was arrested.

Now, what hasn’t been commonly known until this week is just *how* the FBI managed to infect Josh’s computer.

Christopher Soghoian, the American Civil Liberties Union’s principal technologist, revealed on Twitter that the FBI sent the malware via a link in an email deliberately disguised to appear as though it were from the Seattle Times.

This, of course, is precisely the same method that has been used time and time again by cybercriminals over the years – posing as breaking news stories likely to interest recipients, but in reality using social engineering to trick users into clicking on a link to a malware-poisoned webpage.

But just because it’s a trick that malicious hackers have proven works time and time again, does that make it right for law enforcement authorities to use it too?

Was it really necessary for the FBI to use the name of a genuine media organisation, without its permission, rather than invent a media outlet for their purposes which wouldn’t bring a real legitimate firm into potential disrepute?

The Seattle Times was less than impressed to find, belatedly, that the FBI had exploited its name in this way:

“We are outraged that the FBI, with the apparent assistance of the U.S. Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect,” said Seattle Times Editor Kathy Best.

“Not only does that cross a line, it erases it,” she said.

“Our reputation and our ability to do our job as a government watchdog are based on trust. Nothing is more fundamental to that trust than our independence — from law enforcement, from government, from corporations and from all other special interests,” Best said. “The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.”

Paul Colford, a spokesperson for the Associated Press, was similarly aggrieved by the FBI’s actions:

“We are extremely concerned and find it unacceptable that the FBI misappropriated the name of The Associated Press and published a false story attributed to AP. This ploy violated AP’s name and undermined AP’s credibility.”

However, in the opinion of Frank Montoya Jr, who heads up the FBI in Seattle, the public interest was served by the agency’s actions:

“Every effort we made in this investigation had the goal of preventing a tragic event like what happened at Marysville and Seattle Pacific University. We identified a specific subject of an investigation and used a technique that we deemed would be effective in preventing a possible act of violence in a school setting. Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat. We were fortunate that information provided by the public gave us the opportunity to step in to a potentially dangerous situation before it was too late.”

What do you think? Was the FBI right to do what it did? Are the news agencies wrong to complain that their name was used in this way? Or are the authorities overstepping the mark in the belief that the end justifies the means? Have your say by leaving a comment below.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments


  • All I can offer is this:

    Slander. Libel. Fraud. Similar things. Essentially they were claiming to be Seattle Times but they are NOT. Not only that, at the same time (which makes it much worse, as if it needs to be worse) they were doing something that, if a citizen did it, would be illegal. It also makes some OTHER corporation look bad. But of course they don’t have to follow the laws, do they? Of course not – how else would they manage? Ironically the FBI boss was concerned about mobile phone encryption and the things he said were (this from the BBC):

    “What concerns me about this is companies marketing something expressly to allow people to place themselves beyond the law,” he said.

    “I am a huge believer in the rule of law, but I am also a believer that no-one in this country is beyond the law,” he added.

    Not that I ever believed him or any one else there about such things, but… Hypocrisy much? And no shame from them, either, clearly as they defended their actions. I also find it bad that some times they take things like this too far and then other times they don’t do what they should do (if they do anything at all).

    This bit: “Use of that type of technique happens in very rare circumstances and only when there is sufficient reason to believe it could be successful in resolving a threat.”

    Okay, the FBI doesn’t do this often, I get it. Of course you don’t need to – you just let other US agencies do the work for you (as if you’re not sharing information)… so you’re all right, your behaviour is ethical and no harm was done. Surely the NSA could have found this joker, right? I mean their actions are nothing new, not at all. Clearly their spying is so good that they keep their revelations so secret even eluding themselves… Oh, wait… (even before 9/11 they were concerned about strong encryption but certainly they aren’t that great at keeping secrets as Snowden has demonstrated). /sarcasm

    Worst of all? Depending on the malware and depending on who else uses the computer, they could risk others. Shame on them. That the US government (or any government!) uses malware and essentially allows creation and growth of a black market of these types of things is a righteous pain to administrators and regular users, too…

  • If the guy had planted the bombs which then killed/maimed students, would the authorities have been blamed for not doing anything?

    Or perhaps let the guy kill/maim students so the authorities would have an excuse in the future to do something.

    A double-edged sword perhaps?

  • The imbeciles barely catch a 15-year-old, yet someone hacks the White House and they are clueless... guess clueless is a job requirement at the largest parasitic organism in the universe.