Will Security Firms Detect Police Spyware?

cnet-declan writes "A recent appeals court case dealt with Drug Enforcement Administration agents using a key logger to investigate a suspect using PGP and Hushmail. That invites the obvious question: Will security companies ever intentionally overlook police spyware? There were somewhat-muddled reports in 2001 that Symantec and McAfee would do just that, so over at News.com we figured we'd do a survey of the top 13 security firms. We asked them if it is their policy to detect policeware. Notably, Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested. We've also posted the full results, with the companies' complete answers. Another question we asked is if they have ever received a court order requiring them to overlook police key loggers or spyware. Symantec, IBM, Kaspersky, and others said no. Only Microsoft and McAfee refused to answer."

note to self

[timmarhy]

"Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested"

never buy anything from check point.

TFA didn't ask about National Security Letters

[schwaang]

The question was "Have you ever received such a court order signed by a judge...".
But if what they had received instead was a NSL, they would be under a gag provision (with *jail* as the penalty) to not mention anything about it.

That's only in Amerika of course.

Re:TFA didn't ask about National Security Letters

[cyberstealth1024]

For the rest of you Googlers: National Security Letter

Re:TFA didn't ask about National Security Letters

[schwaang]

Totalitarian dictatorships absolutely would do this. But then, that's actually my point.

Re:TFA didn't ask about National Security Letters

[FailedTheTuringTest]

It's an amusing story, but of course it is not true. First, the Official Secrets Acts (1911 and 1989) are law, and is enforceable whether the person in question has signed anything or not, just like any other law. "Signing the Official Secrets Act" (or more properly, signing a statement acknowledging that they understand the provisions of the Act) is simply a way of impressing people and reminding them that loose lips sink ships. Second, the Act doesn't say anything about signing it, and of course nothing about not telling people whether you've signed it. (Official Secrets Acts 1911 and 1989)

The importance of open source...

[misleb]

This highlights the needs for more open source/public software. Whether it is voting machines or spyware scanners. Some things can't reliably be left to commercial vendors with closed source.

-matthew

Sony Rootkit....

[Tuoqui]

Sounds like the Government is planning to implant a rootkit in every single computer or atleast leave a vulnerability/flaw in code (very easy to do with Vista since its so new) which will allow them to do so.

Time for everyone to switch to Linux. The more eyeballs we can get on code the more likely someone isnt able to sneak shit like this in.

Well, this isn't exactly new...

[Penguinisto]

Seriously - there's even a good reason why MSFT doesn't really want to talk about it.

/P

Re:Police spyware used by the dark side?

[BUL2294]

I live in Chicago. Half the cops here are crooks, and the other half would never snitch on their crooked friends...

So, yes, such white-listed malware is bound to get into the hands of crooks--especially if it's in the hands of cops.

Re:Would you TRUST their answers if they said "no"

[HiThere]

Probably the government approved SELinux. If you set the permissions correctly, then no program who doesn't need to should be able to detect what another program is doing.

Of course, setting the permissions correctly is a PITA...and so is using a system so configured. But it's probably as secure as you can get, bar a disconnect from the internet.

Re:Security

[Jugalator]

Decoded because tinfoiling or making a point this way is just plain annoying... :-p

"Government agencies and backdoors in technology products have a long and frequently clandestine relationship. One 1995 expose by the Baltimore Sun described how the National Security Agency persuaded a Swiss firm, Crypto, to build backdoors into its encryption devices. In his 1982 book, The Puzzle Palace, author James Bamford described how the NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications to turn over telegraph traffic to the feds."

With Bush in office you can only expect more of the same.

McAfee and Symantec dropped the ball

[BillGatesLoveChild]

Consider what happened with the SONY rootkit? Bruce Schneier (Cryptography and Security Expert) reported that Symantec and McAfee who both knew about the SONY rootkit did not add it to their signatures file. Apparently if SONY hacks your computer, that's fine with them! They only updated their files once SONY themselves had retracted the rootkit. http://www.schneier.com/blog/archives/2005/11/sony s_drm_rootk.html

If Symantec and McAfee will let SONY hack your PC, they'll let the government hack your PC.

Can anyone recommend a virus scanner that looks after the customer rather than the virus companies one-day maybe potential business partners if they get lucky?

Re:Uhm no

[sricetx]

It would just need to be published in another jurisdiction. Contrary to the delusions of the Bush administration, the rest of the world is not a colony of the USA. The same applies to other countries. Thankfully we don't have a "world government" yet (although things are moving that way, unfortunately).

Re:Security

[NeverVotedBush]

This topic came up here recently in the case of a Rising Tech (Chinese) sueing Kaspersky Labs (Russian) when their software called Rising Tech's "malware". (http://it.slashdot.org/article.pl?sid=07/07/08/12 38230)

Anyone that trusts AV vendors - especially foreign ones - not to imbed backdoors and spyware, or to whitelist their government's "tools" is a bit too trusting IMHO.

Bullshit

Unlike traditional malware, "policeware" would only be present on the target machine(s), rather than spread to any and every computer, so it's extremely unlikely that AV vendors would ever receive a sample. No sample means it would continue to go undetected, provided it was designed to go undetected in the first place.

Call me stupid, but don't most virus/malware scanners use heuristics and other methods designed to detect methods of attack, rather than particular signatures attached to specific pieces of software? Scanners could work in two ways: find residue/signatures of specific pieces of problem software, then clean up/block that software. Or, in addition to signatures, detect methods problem software uses, such as scanning every port in order, using known methods to attempt to hide in memory, attempting to install without user confirmation, etc. If scanners use methods, not just signatures, then police designed software would be just as likely to be detected as any other new virus/malware.

I don't know a lot about this, but it seems to me that ever since viruses began to hide themselves in memory and polymorph on the harddrive, i.e. since 1994 or so, scanners have had to be more clever and have had to look for methods. They recognize types of behaviors and types of signatures which are known to correlate pretty well to virii and malware.

This possibility is confirmed by AVG's Fran Bosecker [TFA]:

Current AVG policy is to flag Trojans that exhibit these types of actions.

AVG detects methods not signatures. Therefore police malware would have to use novel methods to be undetectable.

And again, my assumption is confirmed, by Randy Drawas of Kaspersky Lab [TFA]:

While part of our product's technology relies on static signatures to detect known malware, signature detection is only one of several detection methodologies in Kaspersky products. Our products, as with many other commercial anti-malware software, implement proactive detection methodologies--statistical analysis, heuristics, emulation, and so on. These methodologies, unlike signature detection, do not "know" what they are detecting; they only know they've detected a form of malware. This is basically to say that detection of malware written specifically for purposes of law-enforcement is something that we cannot control. If our product detects a piece of malware, it detects it.

And again my view is confirmed, this time by Vlad Gorelik of Sana Security [TFA]:

Our product detects potentially malicious software based on its behaviors.

And, finally, my view is confirmed by Dan Hubbard of Websense [TFA]:

Websense detects malware irrespective of its source. Websense detects malware based on the behavior and perceived intent of the code.

If this is true, and police software is as likely to be picked up as any other malware, then the police require malware whitelisting to do their job. It is not moot.

The average policy agency, slowed down with bureaucratic molasses, will not be at the forefront of malware development. They will need whitelisting, OR methods that disable security software.

I'm shocked the parent got +5. Are there no technically competent /. readers?

Re:Generic test?

[Opportunist]

The short answer is no. The long answer is more complicated.

You can't determine jack by time consumption. First of all, the time a keylogger uses can be ignored. You can also not predict how the scheduling works, you might lose the focus just inside your checking routine and a heap of milliseconds is gone before your program gets its timeslice again. Not possible.

You could generate keystrokes, but unless the keylogger somehow manipulates them (which would kinda defeat the purpose of being undetectable), you'd get what you send. Copying information leaves the original information unchanged.

Keyloggers are rather "lightweight". Windows offers its own API routines to faciliate it. And makes heavy use of them itself (for keyboard layout drivers).

What you could do is overwrite the system call for the keyboard hooking routine, so you'd know every time some program accesses it, then compare the programs using it to a list of "known good" programs and yell if a program not matching that list makes use of the API call. That works as long as the malware uses the API. If it goes ahead and comes with its own keyboard drivers, you'd also have to monitor what kind of beast is responsible for the raw keyboard input.

And when you're done with that all, you'll realize that it's not even a keylogger but just a BHO that copies all information you type into your IE, which uses completely different ways of stealing your information.

In other words, if you want to be safe from Windows malware, use a different system.

AS LUCK WOULD HAVE IT...

[NeverVotedBush]

Wired is reporting on some FbI spyware used to catch people. Wonder if any of these companies would spot and report that...

http://www.wired.com/politics/law/news/2007/07/fbi _spyware

Irrelevant...

[naChoZ]

Since no one else has mentioned it...

CALEA.

When an isp gets a subpoena, they're required to be able to tap your internet traffic basically at a moment's notice. The law enforcement agency will then receive a full packet trace of literally every bit of your network traffic.

Granted, this is meaningless on a stand-alone pc that's not connected to the internet, but the instances where they'll want to install gov't spyware on this type of system has got to be far, far less often.