Tag Archives: FBI

ShutterstockNearly eight years passed from the time FBI agents raided corporate recruiter David Nosal‘s office in 2005 to the start of his criminal trial in San Francisco federal court.

After deliberating for just over two days, the jury found Nosal, 55, guilty of conspiracy, stealing trade secrets and violating the Computer Fraud and Abuse Act — handing the U.S. attorney’s office a complete trial victory in a high-profile and challenging white-collar prosecution.

The verdict in the case before U.S. District Judge Edward Chen comes a year after the U.S. Court of Appeals for the Ninth Circuit sided with Nosal’s defense lawyers in a pivotal en banc decision that junked six additional computer hacking charges against the former Korn/Ferry International executive.

Prosecution of White-collar Hacking Successful | DFI News.

CNetReddit General Manager Erik Martin used the company’s blog to publiclyapologize for the site’s role in fueling an “online witch hunt” for Sunil Tripathi, a missing Brown Univ. student falsely identified as a possible suspect in the Boston Marathon bombing.

Last week, prior to the FBI naming Dzhokhar and Tamerlan Tsarnaev as the primary suspects in the bombing, members of the link-sharing site set out tocrowdsource the identities of the people behind the attack. Their vigilante efforts turned counterproductive when Tripathi’s name was picked up by those monitoring police scanners. The site helped spread the misinformation, and became “one of the more ugly and disgusting places that had a lot of traffic,” Tripathi’s sister told ABC News.

Reddit Apologizes for ‘Online Witch Hunt’ | DFI News.

Courtesy of Aurich Lawson/Thinkstock
                                      Courtesy of Aurich Lawson/Thinkstock

It’s a good thing for the rest of us that so few criminals are truly “masterminds”—and thus end up so easy to find. Case in point: the FBI‘s arrest, of an alleged sextortionist named Karen “Gary” Kazaryan in California.

First, let’s be clear on the charges. According to the FBI, the 27-year-old spent huge amounts of time breaking in to email and social networking accounts — usually Facebook — and then scouring them for sexually provocative photos. If found, the photos were then used to approach the account holders and blackmail them into making further displays, usually over Skype, to the watching hacker. If they didn’t comply, the original photos might be posted to their Facebook page.

So how did the FBI find Kazaryan? Well — pretty easily. They simply asked Facebook.

Internet Criminals: Dumb at Hiding Their Tracks | DFI News.

Does your child know what to do if he is being bullied online? Does your daughter know how to play online games safely? Can your child limit access to information posted online?

Your child can learn the answers to these questions and many others through the FBI-SOS (Safe Online Surfing) Internet Challenge. As part of its longstanding crime prevention and public outreach efforts, the FBI announced this free, web-based initiative designed to help educate 3rd- through 8th-grade students about cyber safety.

Since the launch of its current version in late 2012, educators in Mississippi have recognized the effectiveness and convenience of the FBI-SOS program in meeting cyber safety instruction goals. “All aspects of Internet safety are covered in one place. Facebook issues, viruses, texting — the lessons are already there, ready for us to teach,” said one Mississippi teacher.

Daniel McMullen, Special Agent in Charge (SAC) of the FBI in Mississippi, is notifying parents and teachers that all public, private, and home schools are eligible to participate in this entertaining and educational program, which can be accessed at any time during the year, in the classroom, or at home.

The FBI-SOS Internet Challenge was developed with the assistance of the National Center for Missing and Exploited Children, with input from teachers and schools. FBI-SOS is available through its newly revampedwebsite. The site features six grade-specific “islands.” Through the website, students “travel” to their grade-specific island, which includes either seven or eight learning portals to visit. Using different types of media, such as games and videos, these areas address topics such as the protection of personal information, password strength, cell phone safety, social networking and online gaming safety. The videos include real-life stories of kids who have faced cyber bullies and online predators. After students have completed all activities on the island, they are given an exam. Top scoring schools within categories, which are based on the number of participating students, are awarded an FBI-SOS trophy and, when possible, receive a visit from a local FBI agent.

Kids of all ages — and even adults — can explore the site, play the games, watch the videos, and learn all about cyber safety. However, the exam can only be taken by 3rd- to 8th-grade students whose classes have been registered by their teachers.

“The FBI does not collect students’ names, ages, or other identifying information through this website,” stated SAC McMullen. “Our goal in creating this program is to provide virtually everything a parent or teacher may need to teach safe, responsible cyber citizenship to their children and students. “

For additional information, please visit https://sos.fbi.gov.

FBI Launches SOS Internet Challenge | DFI News.

Photo: dustball / Flickr

Just imagine if all the applications and services you saw or heard about at CES last week had to be designed to be “wiretap ready” before they could be offered on the market. Before regular people like you or me could use them.

Yet that’s a real possibility. For the last few years, the FBI’s been warning that its surveillance capabilities are “going dark,” because internet communications technologies — including devices that connect to the internet — are getting too difficult to intercept with current law enforcement tools. So the FBI wants a more wiretap-friendly internet, and legislation to mandate it will likely be proposed this year.

But a better way to protect privacy and security on the internet may be for the FBI to get better at breaking into computers.

Whoa, what? Let us explain.

Whether we like them or not, wiretaps — legally authorized ones only, of course — are an important law enforcement tool. But mandatory wiretap backdoors in internet services would invite at least as much new crime as it could help solve.

Especially because we’re knee deep in what can only be called a cybersecurity crisis. Criminals, rival nation states, and rogue hackers routinely seek out and exploit vulnerabilities in our computers and networks — much faster than we can fix them. In this cybersecurity landscape, wiretapping interfaces are particularly juicy targets.

Every connection, every interface increases our exposure and makes criminals’ jobs easier.

Matt Blaze directs the Distributed Systems Lab at the University of Pennsylvania, where he studies cryptography and secure systems. Prior to joining Penn, he was a distinguished member of technical staff at AT&T Bell Labs. He can be found on Twitter at mattblaze.

Susan Landau is currently a Guggenheim Scholar. She was a distinguished engineer at Sun Microsystems. Landau is the author of Surveillance or Security? The Risks Posed by New Wiretapping Technologies.  

We’ve Been Here Before

Two decades ago, the FBI complained it was having trouble tapping the then-latest cellphones and digital telephone switches. After extensive FBI lobbying, Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994, mandating that all telephone switches include FBI-approved wiretapping capabilities.

CALEA was justifiably controversial, not least because its requirement for “backdoors” across our communications infrastructure seemed like a security nightmare: How could we keep criminals and foreign spies from exploiting weaknesses in the new wiretapping features? Would we even be able to detect them when they did?

Those fears were soon borne out. In 2004, a mysterious someone — the case was never solved — hacked the wiretap backdoors of a Greek cellular switch to listen in on senior government officials … including the prime minister.

Think this could only happen abroad? Some years ago, the U.S. National Security Agency discovered that every telephone switch for sale to the Department of Defense had security vulnerabilities in their mandated wiretap implementations. Every. Single. One.

Given these risks, you might think now’s a good time to scale back CALEA and harden our communications infrastructure against attack.

But the FBI wants to do the opposite. They want to massively expand the wiretap mandate beyond phone services to internet-based services: instant messaging systems, video conferencing, e-mail, smartphone apps, and so on.

Yet on the internet, the threats — and consequences of compromise — are even more serious than with telephone switches. Not only would wiretap mandates put a damper on innovation, but the FBI is effectively choosing making it easier to solve some crimes by opening the door to other crimes.

Are these really the only options we have? No.

The FBI wants to massively expand the wiretap mandate beyond phone services to internet-based services.

Bugs Are Backdoors, Too

If it turns out that important surveillance sources really are going dark — and that’s a big if (it’s not only on TV that modern tech already makes it easier to surveil suspects) — there’s no need to mandate wiretap backdoors.

That’s because there’s already an alternative in place: buggy, vulnerable software.

The same vulnerabilities that enable crime in the first place also give law enforcement a way to wiretap — when they have a narrowly targeted warrant and can’t get what they’re after some other way. The very reasons why we have Patch Tuesday followed by Exploit Wednesday, why opening e-mail attachments feels like Russian roulette, and why anti-virus software and firewalls aren’t enough to keep us safe online provide the very backdoors the FBI wants.

Since the beginning of software time, every technology device — and especially ones that use the internet — has and continues to have vulnerabilities. The sad truth is that as hard as we may try, as often as we patch what we can patch, no one knows how to build secure software for the real world.

Instead of building special (and more vulnerable) new wiretapping interfaces, law enforcement can tap their targets’ devices and apps directly by exploiting existing vulnerabilities. Instead of changing the law, they can use specialized, narrowly targeted exploit tools to do the tapping.

In fact, targeted FBI computer exploits are nothing new. When the FBI placed a “keylogger” on suspected bookmaker Nicky Scarfo Jr.’s computer in 2000, it allowed the government to win a conviction from decrypting his files after gaining access to his PGP password. A few years later, the FBI developed “CIPAV,” a piece of software that enables investigators to download such spying tools electronically.

The sad truth is that no one knows how to build secure software for the real world.

Exploits aren’t a magic wiretapping bullet. There’s engineering effort involved in finding vulnerabilities and building exploit tools, and that costs money.

And when the FBI finds a vulnerability in a major piece of software, shouldn’t they let the manufacturer know so innocent users can patch? Should the government buy exploit tools on the underground market or build them themselves? These are difficult questions, but they’re not fundamentally different from those we grapple with for dealing with informants, weapons, and other potentially dangerous law enforcement tools.

But at least targeted exploit tools are harder to abuse on a large scale than globally mandated backdoors in every switch, every router, every application, every device.

While the thought of the FBI exploiting vulnerabilities to conduct authorized wiretaps makes us a bit queasy, at least that approach leaves the infrastructure, and everyone else’s devices, alone.

Ultimately, not much is gained — but too much is lost — by mandating special “lawful intercept” interfaces in internet systems. There’s no need to talk about adding deliberate backdoors until we figure out how to get rid of the unintentional ones … and that won’t be for a long, long time.

The FBI Needs Hackers, Not Backdoors | Wired Opinion | Wired.com.