random notes

A sophisticated FBI-produced spyware program has played a crucial behind-the-scenes role in federal investigations into extortion plots, terrorist threats and hacker attacks in cases stretching back at least seven years, newly declassified documents show.



The documents, which are heavily redacted, do not detail the CIPAV’s capabilities, but an FBI affidavit in the 2007 case indicate it gathers and reports a computer’s IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer’s registered owner and registered company name; the current logged-in user name and the last-visited URL.

After sending the information to the FBI, the CIPAV settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every server to which the machine connects.

The documents shed some light on how the FBI sneaks the CIPAV onto a target’s machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link. That’s what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject’s private chat room on MySpace.com."

In a separate February 2007, Cincinnati-based investigation of hackers who’d successfully targeted an unnamed bank, the documents indicate the FBI’s efforts may have been detected. An FBI agent became alarmed when the hacker he was chasing didn’t get infected with the spyware after visiting the CIPAV-loaded website. Instead, the hacker "proceeded to visit the site 29 more times," according to a summary of the incident. "In these instances, the CIPAV did not deliver its payload because of system incompatibility."

The agent phoned the FBI’s Special Technologies Operations Unit for "urgent" help, expressing "the valid concern that the Unsub hackers would be ’spooked.’" But two days later the hacker, or a different one, visited the site again and "the system was able to deliver a CIPAV and the CIPAV returned data."

The software’s primary utility appears to be in tracking down suspects that use proxy servers or anonymizing websites to cover their tracks. That’s illustrated in several cases in the documents
...
The documents appear to settle one of the questions the FBI declined to answer in 2007: whether the bureau obtains search warrants before using the CIPAV, or if it sometimes relies on weaker "pen register" orders that don’t require a showing of probable cause that a crime has been committed. In all the criminal cases described in the documents, the FBI sought search warrants.

The records also indicate that the FBI obtained court orders from the Foreign Intelligence Surveillance Court, which covers foreign espionage and terrorism investigations, but the details are redacted.