FBI ADMITS EXISTENCE OF "MAGIC LANTERN" & LINUX EXPLOIT
*FBI ADMITS EXISTENCE OF "MAGIC LANTERN"
By Shawna McAlearney
The FBI last week admitted to developing "Magic
Lantern," a worm/Trojan combination capable of infecting a suspect's machine
to obtain encryption keys.
"We're talking about something that is in the
process of being developed and we're really not too pleased that it got out
to begin with," says FBI spokesman Paul Bresson. "We don't really want to talk
too much about the specifics. It is something we're developing, but it's never
been used before."
Though details of how the program will work
aren't available, AV experts speculate that it installs keylogging software
on a suspect's machine after infecting it with a worm. By capturing keystrokes,
critical encryption key information can be gathered and transmitted back to
the FBI.
The admission caused an uproar in the antivirus
industry when several companies said they wouldn't include detection capabilities
for Magic Lantern in their products.
"If it was under the control of the FBI, with
appropriate technical safeguards in place to prevent possible misuse, and nobody
else used it, we wouldn't detect it," Eric Chien, chief researcher at Symantec's
antivirus research lab, said in a published report. "However we would detect
modified versions that might be used by hackers."
An Associated Press report also indicated McAfee
Corp. had contacted the FBI to make sure that its software wouldn't detect the
Trojan. However, Network Associates, McAfee's parent company, contradicted the
report, saying that the discussion hadn't occurred.
Other vendors say it would depend upon safeguards.
"If the authorities would be able to closely contain and monitor the use of
their special tool--that it's not spreading like wildfire through the Internet
and if it's only available in a controlled fashion--it's much easier for antivirus
vendors to cooperate with the authorities and not detect the tool as a damaging
Trojan horse," says Ari Hypponen, CTO of F-Secure. "The key differentiator here
is whether the tool would affect real-world customers and their legitimate need
for network security."
The AV industry is walking a tightrope on such
covert government actions.
Companies that insist on detecting the Trojan
could be shielding terrorists and criminals while vendors that concede to the
FBI's wishes will be accused of violating their customers' civil liberties and
providing a flawed product.
"Looking at this situation from an industry
perspective, if an AV vendor was going to put this into their software, it would
be bad," said Rob Rosenberger, editor of VMyths.com, a computer virus myths Web site.
"There are a lot of companies out there that want to know that their antivirus
software detects all malicious stuff--even if we're talking about the FBI."
Some vendors reassured customers that they
wouldn't modify their products to allow the FBI Trojan to slip past undetected.
"Malicious code is malicious code," said Graham
Cluley, senior technology consultant, Sophos Anti-Virus. "There's no reason
why organizations targeted by Magic Lantern could not write a variant of the
e-bug for their own use. Before we know it, we'll all be spied on by every Tom,
Dick and Harry--the FBI could even become a victim of its own code!"
Allowing "back doors" for U.S. law enforcement
has additional implications for vendors that do business in other countries.
Customers outside the U.S. would expect protection against the Trojan, companies
based in other nations may add it to their signatures and other nations might
wish to develop similar tools.
"Is the FBI going to trust Eastern European
and Asian companies to do the honorable thing and not detect this Trojan," asks
Cluley. "What if the French intelligence service, or even the Greeks, created
a Trojan horse program for this purpose? Should we ignore those too?"
Some doubt that Magic Lantern could work as
a successful way of observing suspected criminal and terrorist activity.
"Maybe we already detect Magic Lantern, but
call it by a different name. The FBI hasn't provided us with a sample--it could
be one of the many keylogging Trojans we've been sent in the past," says Cluley.
"We have no way of knowing if it was written by the FBI and, even if we did,
we wouldn't know whether it was being used by the FBI or if it had been commandeered
by a third party wishing to spy on a customer--it's a totally unworkable situation."
The FBI recently acknowledged it used key-logging
software in the investigation of suspected mobster Nicodemo Scarfo; however,
in that case, the FBI physically installed the program on his machine.
======================================================================
more carnivore
======================================================================
http://www.cbsnews.com/now/story/0,1597,318869-412,00.shtml
The FBI is going to new lengths to eavesdrop,
building software to monitor computer use and urging phone companies to help
make wiretaps more reliable. The FBI's "Magic Lantern" technology would allow
investigators, via the Internet, to secretly install powerful software that
records every keystroke on a person's computer, according to people familiar
with the effort. The software is similar to "Trojan horse" programs already
used by some hackers and corporate spies. The FBI envisions using Magic Lantern,
part of a broad FBI project called "Cyber Knight," to record the secret key
a person might use to encrypt messages or computer files. The bureau has been
largely frustrated in efforts to break open such messages by trying random
combinations, and officials are increasingly concerned about their inability
to read encrypted messages in criminal or terrorist investigations. The FBI
said in a statement Wednesday that it cannot discuss details of its technical
surveillance efforts, though it noted that "encryption can pose potentially
insurmountable challenges to law enforcement when used in conjunction with communication
or plans for executing serious terrorist and criminal acts." The FBI added that
its research is "always mindful of constitutional, privacy and commercial
equities," and that its use of new technology can be challenged in court
and in Congress. The FBI's existing monitoring technology, called the "Key
Logger System," has required investigators to sneak into a target's home or
business and attach the device to a computer. Magic Lantern could be installed
over the Internet by tricking a person into opening an e-mail attachment or
by exploiting the same weaknesses in popular software that allow hackers to
break into computers. It's unclear whether Magic Lantern would transmit the
keystrokes it records back to the FBI over the Internet or store the information
to be seized later in a raid. The existence of Magic Lantern was first disclosed
by MSNBC television. "If they are using this kind of program, it would be a
highly effective way to bypass any encryption problems," said James E. Gordon,
who heads the information technology practice for Pinkerton Consulting and Investigations
Inc. "Once they have the keys to the kingdom, they have complete access to anything
that individual is doing." People familiar with the project, who spoke only
on condition of anonymity, said the package is being developed at the FBI's
electronic tools laboratory, the same outfit that built the bureau's "Carnivore"
Internet surveillance technology. The former head of the lab, Donald M. Kerr,
became head of the CIA's science and technology unit in August. Some experts
said Magic Lantern raises important legal questions, such as whether the FBI
would need a wiretap order from a judge to use it. The government has previously
argued that the FBI can capture a person's computer keystrokes under the authority
of a traditional search warrant, which involves less oversight by the courts.
"It's an open question whether the covert installation of something on a computer
without a physical entry requires a search warrant," said David Sobel, a lawyer
with the Washington-based Electronic Privacy Information Center, a civil liberties
group. Earlier this month the FBI urged some of the nation's largest telephone
companies to change their networks so that investigators can reliably eavesdrop
on conversations using new data technology. At a conference Nov. 6 in Tucson,
Arizona - and in a 32-page follow-up letter sent about two weeks ago - the FBI
told leading telecommunications officials that increasing use of Internet-style
data technology to transmit voice calls is frustrating FBI wiretap efforts.
Although Carnivore can be used to capture electronic
messages, it can't record voice messages sent over data networks for a variety
of technical reasons. The bureau's access to voice calls using traditional technology
is guaranteed under the 1994 Communications Assistance to Law Enforcement Act,
but it exempted "information services." The FBI said Wednesday it is not seeking
to broaden the 1994 law to cover modern data technology; industry officials
say the changes being sought by the FBI could take years to make. The FBI told
companies that it will need access to voice calls sent over data networks "within
a few hours" in some emergency situations, and that any interference caused
by a wiretap "should not be perceptible" to avoid tipping off a person that
his calls might be monitored.
----------------------------------------------------------------------
*MANY LINUX USERS FACE EXPLOIT WITH NO PATCH
By Shawna McAlearney
A widespread vulnerability affecting all versions
of wu-FTPD was worsened when one vendor mistakenly released information on the
flaw early, leaving other Linux companies scrambling to release a fix.
Core ST, the group that discovered the flaw,
was working with Linux vendors and the wu-FTP open-source group to release a
fix simultaneously. Unfortunately, a mistake by a Red Hat administrator caused
Red Hat's patch and advisory to be released early--nearly a week ahead of the
approved time.
"We were releasing some advisories on the same
day, and an overzealous administrator pushed this out as well," Mark Cox, senior
engineering director for Red Hat, said in a published report. "The company is
adding new safeguards to its publishing system to avoid similar problems in
the future. This will not happen again. It was a bad mistake."
According to security experts, the sudden release
provides savvy hackers with a roadmap to target unpatched products while vendors
continue to test their fixes. "The early release caught software makers in the
middle of the testing process," Ivan Arce, chief technology officer for Core
ST, said in published reports. "They had to scramble to get their fixes ready
and tested for all the vulnerable distributions. Some vendors have up to 25
different distributions that are vulnerable and as you can imagine regression
testing for all of them is not quick."
The wu-FTPD Globbing Heap Corruption Vulnerability
affects most major Linux distributions, including Red Hat, SuSE, Conectiva,
Caldera International, Turbolinux, Cobalt Networks, WireX and MandrakeSoft products.
The vulnerability allows remote access to all
files on a server, provided an attacker can access the FTP service. For a malicious
user to exploit this vulnerability, the wu-FTPD service must either allow anonymous
access or the attacker must gain valid credentials to use the service. Anonymous
access is enabled by default on some systems.
"It would not surprise me to see someone building
a worm around this hole," says Steve Bellovin, a researcher at AT&T Labs.
"But I don't think this is critical. The 'Net as a whole has survived flaws
in much more important software, such as IIS."
According to the SecurityFocus Web site, "We
are expecting to see an increase in the frequency of this new attack, as attackers
are successfully exploiting this vulnerability. The ARIS Incident Analyst team
is aware of an exploit for this vulnerability that is targeting Linux platforms.
This exploit is currently in limited distribution within the hacking community.
It is recommended that affected sites take immediate action to limit their exposure
to this vulnerability."
The National Infrastructure Protection Center
recommends users disable FTP, which normally runs on TCP port 21. Sites that
require FTP should restrict anonymous access.
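The precondition the article names (anonymous access enabled) and the NIPC mitigation (restrict anonymous access, or disable FTP on TCP port 21) can be audited on one's own servers with the following check. It is an added example, not code from the article, NIPC or the wu-FTPD project; it assumes a server that follows the RFC 959 reply codes, and the host names, banner text and ANON_PASSWORD value are constructed.

```python
import io
import socket

ANON_PASSWORD = "audit@example.com"  # constructed: conventional e-mail-form anonymous password

def read_reply(rfile) -> int:
    """Read one FTP control reply (single or multi-line) and return its 3-digit code."""
    line = rfile.readline().decode("ascii", "replace")
    if len(line) < 3 or not line[:3].isdigit():
        raise ValueError(f"malformed FTP reply: {line!r}")
    code = int(line[:3])
    if line[3:4] == "-":  # multi-line reply: continues until a "<code> " line
        while not line.startswith(f"{code} "):
            line = rfile.readline().decode("ascii", "replace")
            if not line:
                raise ValueError("connection closed inside multi-line reply")
    return code

def send(wfile, command: str) -> None:
    wfile.write(f"{command}\r\n".encode("ascii"))
    wfile.flush()  # socket makefile() objects are buffered

def anonymous_login_allowed(rfile, wfile) -> bool:
    """USER anonymous / PASS dialogue; True only when the server answers 230 (logged in)."""
    if read_reply(rfile) != 220:  # no service-ready banner: nothing to audit
        return False
    send(wfile, "USER anonymous")
    code = read_reply(rfile)
    if code == 331:  # password requested; anonymous servers accept an e-mail address
        send(wfile, f"PASS {ANON_PASSWORD}")
        code = read_reply(rfile)
    send(wfile, "QUIT")
    return code == 230

def check_host(host: str, port: int = 21, timeout: float = 5.0):
    """True/False for anonymous access on a live host; None when port 21 is closed or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with sock.makefile("rb") as rf, sock.makefile("wb") as wf:
                return anonymous_login_allowed(rf, wf)
    except OSError:
        return None

def simulate(replies):
    """Run the dialogue against canned (constructed) reply lines; returns (allowed, commands sent)."""
    rf, wf = io.BytesIO("".join(replies).encode("ascii")), io.BytesIO()
    return anonymous_login_allowed(rf, wf), wf.getvalue().decode("ascii")
```

A result of True from check_host means the server meets the exploit precondition the article describes and the NIPC recommendation has not been applied; None means the port is not reachable, which is the state NIPC recommends for sites that do not need FTP.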
http://www.nipc.gov/warnings/advisories/2001/01-027.htm
http://www.wu-ftpd.org
http://www.corest.com/pressroom/advisories_desplegado.php?dxsection=10&idx=17
http://www.cert.org/advisories/CA-2001-33.html
