[ISN] FBI "hack" raises global security concerns

From: InfoSec News (isnat_private)
Date: Tue May 01 2001 - 16:37:53 PDT

  • Next message: bacano: "Re: [ISN] Calendar of Significant Dates in May"

    http://news.cnet.com/news/0-1003-200-5785729.html?tag=tp_pr
    
    By Robert Lemos
    Special to CNET News.com
    May 1, 2001, 12:05 p.m. PT
    
    A sting operation in which FBI agents downloaded data from two
    Russian-based computers has some high-tech lawyers concerned that the
    precedent may be used to justify indiscriminate, cross-border hacking.
    
    The incident came to light last week after the indictment of two
    Russians on charges of breaking into the networks of banks, Internet
    service providers and other companies. While the charges were somewhat
    routine, the methods the FBI used to nab the pair were novel and
    potentially worrisome, said security experts.
    
    According to court documents filed in the case, the FBI and Department
    of Justice lured two suspected Russian hackers to Seattle with job
    offers at a fictitious security company. After monitoring the duo's
    connection to two servers in Russia, the FBI used the suspects'
    passwords to download incriminating data from those servers.
    
    The tactic is likely to be challenged in court; if it is deemed
    lawful, the precedent could allow law enforcement and intelligence
    communities free rein to hack foreign computers. In addition, such a
    ruling could provide a legal loophole for other countries to break
    into U.S.-based computers in search of data that could aid their own
    investigations.
    
    "It's extremely dangerous just to throw the door open--it will be a
    free-for-all," said Jennifer Granick, clinical director for the
    Stanford University Center for Internet and Society. "It won't just be
    individuals (hacking each other). It will be corporate espionage."
    
    Although U.S. officials downplay the incident, some legal experts fear
    that this first publicly acknowledged government "hack" could spark a
    rash of indiscriminate, international hacking by individuals, foreign
    governments and corporations.
    
    In this case, the FBI was determined to obtain the Russian-based
    information before it could be deleted.
    
    On Nov. 10, FBI agents and officials from the Department of Justice
    nabbed two suspected Russian hackers after luring the duo to the
    United States with employment offers for a mythical security company,
    Invita.
    
    Details of the case became public after the suspects were indicted
    early in April.
    
    Welcome to Invita!
    
    According to court filings, this is how the sting went down:
    
    FBI agents requested that the two suspects--20-year-old Alexey Ivanov
    and 25-year-old Vasiliy Gorshkov--crack the security on "Invita's own
    computers."
    
    During the hack, the FBI agents monitored the duo's activities with a
    "sniffer"--a program designed to trap all keystrokes made on a
    computer. When the suspects allegedly downloaded hacking tools from
    two servers in Russia using their usernames and passwords, the sniffer
    collected the tools needed to access the accounts.
    
    Typically, U.S. law enforcement would wait on their counterparts in
    Russia to search the servers. Yet, while the United States has more
    than 25 mutual legal assistance treaties to aid law enforcement in
    capturing data in other countries, Russia has signed an agreement to
    help the U.S. in investigating only some crimes--and computer crimes
    are not among them.
    
    Nevertheless, the Department of Justice did request assistance from
    Russian authorities, but without answer. After several unsuccessful
    attempts to get Russian authorities to cooperate, the FBI--with the
    help of a security expert--used the usernames and passwords to access
    the two servers.
    
    Once in, investigators browsed through the directories on both servers
    and selected, then compressed, a large number of files. The agents
    then downloaded the 1.3GB file to their own computers.
    
    Before they began to sift for evidence, the FBI did obtain a search
    warrant to look at the files.
    
    Thought to be the first public acknowledgement of U.S.
    hacking-for-access, the tactics have set off alarm bells among
    cyber-savvy lawyers.
    
    If a judge rules in favor of the FBI, the precedent will be clear,
    said Matthew Yarbrough, head of the Cyberlaw Section for Dallas-based
    law firm Fish & Richardson: The United States can pursue
    investigations of data in other countries, widening the boundaries of
    the investigation to cyberspace.
    
    Yet, while the United States can hack servers in other countries,
    those countries could also return the favor, he said.
    
    "Whenever you deal with international criminal problems, you have to
    be careful, because the rule is: Whatever we do to them, they can do
    to us," said Yarbrough, a former Department of Justice cybercrime
    prosecutor. "I don't think we want KGB agents--or whatever
    organization handles law enforcement now--to be hacking our servers to
    get evidence for their cases."
    
    A hack attack?
    
    A federal prosecutor involved in the case defended the FBI's actions.
    
    "I wouldn't call it hacking," said Stephen Schroeder, assistant U.S.
    attorney for the Western District of Washington in Seattle and the
    lead prosecutor in the case against Gorshkov. "The implications of
    hacking go far beyond what we did."
    
    However, the law enforcement community commonly uses "hacking" to
    describe the illegal activity of breaking into a computer, usually
    with some degree of skill. While little skill is needed to type in
    usernames and passwords, the Computer Fraud and Abuse Act of 1986
    treats the unauthorized access of computers as the same crime as
    breaking into a computer without using passwords.
    
    In most cases, law enforcement officers are exempted from any sort of
    prosecution under the act if the questionable activity has been
    authorized as part of their investigation. Furthermore, the FBI can
    violate the law--similar to their ability to break the speed
    limit--and still have any resulting evidence be admissible in court.
    
    Yet, the key question among attorneys is whether such a waiver exists
    for so-called remote cross-border searches of computer data. One thing
    is certain: Not having to gain permission from the country in which a
    server resides speeds the process, said Schroeder.
    
    "Normally, to get evidence we go through diplomatic channels, in
    writing, with pretty seals, and then it percolates down to law
    enforcement," he said. "Six months later we get our evidence."
    
    In this case, he said, six months would have been too late. Indeed,
    six days after Ivanov and Gorshkov were arrested, someone changed one
    of Ivanov's passwords, according to the court papers.
    
    War on hacking
    
    "I don't think the basic thing--that they broke in--is debatable,"
    said Stanford's Granick. "The ramifications? Now, they are debatable."
    
    Currently, Gorshkov's lawyer, Kenneth Kanev, is attempting to block
    any use of the data from the Russian servers based on privacy and
    Fourth Amendment violations. However, because Ivanov and Gorshkov are
    not United States citizens and the data was kept in another country,
    some legal experts say it's likely the data will be admissible in
    court.
    
    When reached at this office, Kanev refused to comment on the case.
    
    In fact, a case from the United States' War on Drugs seems to support
    the search of a server in a foreign country. In 1986, Mexican police
    picked up the suspected leader of a narcotics ring and delivered him
    to the Mexico-United States border, where he was arrested by U.S.
    officials. Agents of the Drug Enforcement Agency and Mexican officials
    later searched the suspect's homes in Mexico without a warrant.
    
    The U.S. Supreme Court ruled four years later that a search of a
    non-U.S. citizen's foreign residence is legal, and no search warrant
    is necessary.
    
    That decision could influence a ruling in this case, but that may not
    be the only fallout. By deeming such actions legal, the United States
    could kick off a spate of similar cross-border hacking, said Patricia
    Bellia, assistant professor of law at Notre Dame University and a
    former Justice Department attorney.
    
    "I do think that (countries) are going to continue to have an urge to
    get evidence like this," she said. "They are getting frustrated with
    their inability to get evidence."
    
    And while U.S. law may deem the agents' actions legal, international
    law--the expectations of treatment that exist between countries--will,
    without a doubt, condemn them, she added.
    
    "If Russia did this to us, we would object diplomatically," she said.
    The Embassy of Russia in Washington, D.C., would not comment on the
    case, nor on whether the country intended to lodge an international
    complaint against the United States for a violation of its
    sovereignty.
    
    In a paper studying the legal ramifications of remote cross-border
    searches, Bellia concludes that current mutual legal assistance
    treaties and the Cybercrime Convention being drafted by the Council of
    Europe won't add much clarity to the issue. Both require that
    countries promise to aid foreign law enforcement in searching for
    evidence that may reside on servers in their territory.
    
    However, arranging for such searches takes weeks or, more often,
    months. Neither allows law enforcement to react fast enough to prevent
    data from being deleted.
    
    Still, without an immediate solution, constraint should be the rule,
    said Bellia.
    
    "If we can do it, then everybody else can do it to us--that's a very
    disturbing notion," she said. "The United States is the repository of
    so much data; it is very dangerous to go down that road."
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 01:40:02 PDT