Enhanced Carnivore To Crack Encryption Via Virus

suqur writes: "MSNBC has a story about a new Carnivore feature, dubbed 'Magic Lantern,' which arrives on a victim's computer in the form of a virus through email or well-known vulnerabilities. Magic Lantern uses keylogging to extract keys typed in, and sends them off to the FBI. This is similar to a story reported on previously, but taken one step further, allowing computers to be compromised remotely."

Re:Short Answer: Yes

[interiot]

Even easier: use an encryption program that their virus doesn't know how to sniff yet. Their virus doesn't sniff all keystrokes (yet), just for specific encyrption programs. You don't even necessary need to change encryption schemes, just use a different front-end for typing in your password.

Good luck...

[Chasing+Amy]

The FBI is evil, but not stupid. If they did it the best way possible, then their software probably replaces a key part of your operating system's networking code, so that even if you knew each and every process running and exactly what it does, you could still have their software installed and never have any way of knowing.

After all, it's doubtful that Microsoft would object to the FBI looking at their source code for such a project, it's doubtful that Apple would object--but even if they did, the lower levels of OS X are open-source Darwin--and of course Linux is open-source anyway. It doesn't seem too difficult for them to do.

It seems that if they were to do it the simpler way, it would be too easy to detect. If they installed it like a simple trojan, it would be trivial to detect, particularly by software such as ZoneAlarm and equivalents which monitor all attempts by programs to access the net. In fact, if it is what they used in the Scarfo case and they are using it now, if it were a simple trojan it would probably have been reported by now. People with something to hide know what software to use to protect them from such things.

For example, "Dr. Who's Encryption and Security FAQ" http://www.slack.net/~hermit/ebook/documents/secur ity.html is standard reading in newsgroups and on websites dedicated to privacy. It is also standard reading in newsgroups and message boards where child pornography is posted. It is probably also known to organized crime and other elements which engage in illicit activities and use computers. It explains in language most people can understand, the use of PGP, firewalls, various encryption and security software, and the threat of keyloggers and trojans and how to use software like ZoneAlarm to secure network access to only those programs you choose to authorize.

Call me crazy, but I think the FBI would take note of this readily available information and come up with a way to counteract it. Writing their trojan into your operating system itself seems like a damn good way to do this. Windows and Mac users and even Linux users expect certain processes to access the network, so why not exploit that to camouflage an "ultimate trojan"?

There would be only one way to counteract it, and this is mentioned in Dr. Who's FAQ: make detached PGP signatures for each important file in your OS that you'd expect not to change, and use a script to check them against the files each time you boot, or each time you choose to run it. If a file has changed, you know something is wrong.

Of course, this is very cumbersome--how many files exactly should you sign? Very tedious. I got to thinking on this some time back, and came to the conclusion that if you want the best possible security against unauthorized changes to your system, the best way might be to install your whole OS and all your apps, configure everything how you like, and immediately transfer the whole system to one file. Then, strip down your OS to the very minimal parts needed to boot and to check the signature on the "big file" and your stripped-down OS files, then decompress/mount then boot the whole OS in your "container" file. If you have lots of cheap RAM, you can decompress the file containing your OS into a RAMdisk to save some time and make the files less persistent. A lengthy process, depending on how big your OS/apps are, but if you want security there will be a price. This way, every file on your system is uncorruptable, untouchable by trojans and FBI spyware.

I experimented with just that using Windows 98SE, and though I don't know exactly how you'd do it with Linux or WinNT/2k/XP it is definitely doable with Win9x. First I installed Windows and all my apps, then made a Zip file (using no compression at all, for speed of unzipping at boot) of the whole system. Then I deleted the system except for minimal DOS command files and a RAM disk creation tool called xmsdsk.exe and a command-line unzip tool, altered Autoexec.bat to call xmsdsk with the parameters to make a 1GB RAM disk (there were 1.5gigs on the machine), called the unzip tool to unzip the file to the RAM disk, and had the config files boot Win98 from that drive. It took fiddling a bit, but finally I got it right and it worked. When my Win98 booted, in the startup folder was a shortcut to check the PGP signatures of all the startup files and the Big File that the system was stored in.

Not ideal. Quite slow to boot up. You can see why I don't actually still do this; it was more or less an experiment. But it did work. When the system was shut down, the RAM disk went away, and so any changes at all to the system would be undone. If the Big File the system came from, or any of the boot files, were modified it would show up the next time I booted when the signatures were checked. It was unweildy, but it did provide full protection of a sort I can't think how to have otherwise.

So, does anyone else have crazy ideas on how to provide security against such intrusions? Preferably ones that don't require a boot time long enough that you can go make breakfast in the intervening minutes.

Re:AV software.

[SomeoneYouDontKnow]

I doubt it would happen that way. Chances are, the "virus" wouldn't be self-replicating, at least the government's version wouldn't. If it were, there'd be no effective way to control it. So, if the only people who are sent this thing are people the feds want to bug, the AV companies most likely wouldn't see it.

However, all this goes out the window if someone gets hold of this thing somehow and modifies it. They could do several things. First, they could attempt to decompile it and then post the source for all to see. If they wanted to get more, um, creative, they could modify it so it becomes a truly self-replicating virus. Not only would this turn the thing loose on the Net at large, it'd also have the possible effect of taking out whatever computer the original virus was supposed to "phone home" to. How long could a machine set up to handle data from several thousand of these things last when it's getting bombarded with data from a few million? Finally, there's the possibility that it could be modified to seek out and attack computers owned by the government. Once it got in, it would sit there and spy on whoever was using that machine. Results could be sent anywhere. Protecting all those government computers would be a massive undertaking. Even if the feds had custom software to do it, distributing it in any meaningful way to locations around the country would almost guarantee that it'd leak out within a few days. But the truth is that federal computers are running the same software that everyone else is, and the people using them can be just as easily deceived as the average home user. All it'll take is for one programmer with talent, a chip on his shoulder, a good deal of free time, and access to the right tools to decide to fight code with code. If he gets hold of the feds' virus, he could use that. If not, well, he'd most likely roll his own.

This is a superbly stupid idea the feds are pursuing. If they write crappy code, only the truly moronic will allow this to get installed. If they write a really sophisticated piece of software, they could very well end up creating a monster that will turn around and bite them in the ass.

Re:Legal?

[trilucid]

I don't think it'll be illegal to use a secure system due to this, but I *do* think they're really asking for trouble if this thing "flies".

WARNING: The remainder of this post may in fact be advocating "terrorism" under the new definitions put forth by the U.S. gov with respect to "computer crimes". Why am I logged in? Because, quite simply, they can kiss my A$$.

Do you really think tens thousands of server admins would let this go without retribution? I for one sure as hell wouldn't. Invasion of my servers is, in my book, precisely the same as invading my home (maybe even worse). Okay, so how do we fix their little red wagon?

Go HoneyPot on their asses. Set up a bunch up of machines all over the place to get compromised, and have firewall software monitoring the destination of the nasty outgoing packets. From there, use a P2P model to distribute the destinations of such data, and D-E-N-Y the living hell out of their servers. For added flair, you could always include repetitious, highly profane strings in your denial actions (use your imagination).

I would especially advocate this concept for all technies living in various foreign nations whose citizens might get "bugged" by the our wonderful boys in blue. Yes, I am openly advocating retaliatory strikes against this sort of disgusting behavior.

And I think it's damned well warranted. :(

Web hosting by geeks, for geeks. Now starting at $4/month (USD)!
Yes, this is my protest to the sig char limit :).