Will Security Firms Detect Police Spyware?
cnet-declan writes "A recent appeals court case dealt with Drug Enforcement Administration agents using a key logger to investigate a suspect using PGP and Hushmail. That invites the obvious question: Will security companies ever intentionally overlook police spyware? There were somewhat-muddled reports in 2001 that Symantec and McAfee would do just that, so over at News.com we figured we'd do a survey of the top 13 security firms. We asked them if it is their policy to detect policeware. Notably, Check Point said it would 'afford law enforcement' the courtesy of whitelisting if requested. We've also posted the full results, with the companies' complete answers. Another question we asked is if they have ever received a court order requiring them to overlook police key loggers or spyware. Symantec, IBM, Kaspersky, and others said no. Only Microsoft and McAfee refused to answer."
"Tbireazrag ntrapvrf naq onpxqbbef va grpuabybtl cebqhpgf unir n ybat naq serdhragyl pynaqrfgvar eryngvbafuvc. Bar 1995 rkcbfr ol gur Onygvzber Fha qrfpevorq ubj gur Angvbany Frphevgl Ntrapl crefhnqrq n Fjvff svez, Pelcgb, gb ohvyq onpxqbbef vagb vgf rapelcgvba qrivprf. Va uvf 1982 obbx, Gur Chmmyr Cnynpr, nhgube Wnzrf Onzsbeq qrfpevorq ubj gur AFN'f cerqrprffbe va 1945 pbreprq Jrfgrea Havba, EPN naq VGG Pbzzhavpngvbaf gb ghea bire gryrtencu genssvp gb gur srqf."
Jvgu Ohfu va bssvpr lbh pna bayl rkcrpg zber bs gur fnzr.
I don't trust any of them NOT to do whatever the cops/government want(s).
Open Source all the way.
I am going to send all my private messages by owl from now on.
never buy anything from check point.
If you mod me down, I will become more powerful than you can imagine....
They don't need to turn a blind eye to policeware. The commercially available remote administration tools aren't in the databases.
But it's not the source, it's the data.
And publishing data or distributing which compromises investigations is probably a felony.
So how would your open source system work? Would you openly publish how to recognize all of the government's spy software?
I'm not normally given to conspiracies, but this is ridiculous. The fact that we're having this conversation means that at least someone is concerned about the possibility of Government key loggers not being detected, and if it's taken someone outside of gov't this long to discuss it then I feel certain that the gov't itself has been thinking about this for some time.
These companies will cave to whatever law enforcement agency has jurisdiction for the investigation quicker than the last Harry Potter book hit the torrents. The only possible exception would be those AV companies that are immediately outside of the grasp of the agency involved. I don't even think that those companies are safe because their own governments would likely bear pressure to comply.
load "$",8,1
As far as I am concerned, no company that white-lists "entities" is in security.
White-listing processes/applications/files/data is not global, and is the only level for security. White-listing a company or organization is never an option. It is politics.
You'll notice that when asked about key loggers they started talking about methods of detection other than signature recognition. Kaspersky even mentioned that he wasn't talking about signature recognition which is the only reliable method.
You can take this as a hint that none of the companies is distributing signatures of the programs that the government uses.
The question was "Have you ever received such a court order signed by a judge...".
But if what they had received instead was an NSL, they would be under a gag provision (with *jail* as the penalty) to not mention anything about it.
That's only in Amerika of course.
If policeware gets a free pass to do things that, done by other parties, would be considered "malicious", then other malware will quickly begin to disguise itself as policeware to avoid detection.
This highlights the need for more open source/public software. Whether it is voting machines or spyware scanners. Some things can't reliably be left to commercial vendors with closed source.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
1. Whitelist police spyware
2. Crim gets hold of police spyware
3. Crim pwns your machine, steals your identity and makes your life a living hell for the next 3 years or more.
If you paid for a piece of anti-spyware and they leave a backdoor open like this, isn't that a case of negligence?
These posts express my own personal views, not those of my employer
Some technologies are simply too easily abused. You want to check my system for criminal activity? Fine. Get a warrant and confiscate it. I don't think this is anti 5-0. This is checks and balances. There are tons of great people involved in law enforcement, but adding tools and exceptions like this is just taking another needless step down a slippery slope.
We keep gleefully throwing away our rights in the name of what? Fear? That's bad rationale. Our founding fathers must be turning in their graves.
Quack, quack.
Sounds like the Government is planning to implant a rootkit in every single computer or at least leave a vulnerability/flaw in code (very easy to do with Vista since it's so new) which will allow them to do so.
Time for everyone to switch to Linux. The more eyeballs we can get on code the more likely someone isn't able to sneak shit like this in.
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
Quo usque tandem abutere, Nimbus, patientia nostra?
What I'd like to see is an actual accounting of "whitelisted" programs, ones that have attained the appropriate certificate.
Walk with Music;
Unlike traditional malware, "policeware" would only be present on the target machine(s), rather than spread to any and every computer, so it's extremely unlikely that AV vendors would ever receive a sample. No sample means it would continue to go undetected, provided it was designed to go undetected in the first place.
And how often do you look at the back of your computer? How often do you think the average user does, or would even notice anything out of the ordinary if they were staring right at one? Sure, this is more difficult on a laptop since it would have to be opened, but it would also be even more discreet. I'm not aware of any products on the market for laptops, but I'm sure LE could commission one to be made, if necessary.
The point is, it would be an incompetent department indeed which needed cooperation from AV suppliers to keep their surveillance methods discreet.
https://www.eff.org/https-everywhere
Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.
Probably the government approved SELinux. If you set the permissions correctly, then no program that doesn't need to should be able to detect what another program is doing.
Of course, setting the permissions correctly is a PITA...and so is using a system so configured. But it's probably as secure as you can get, bar a disconnect from the internet.
I think we've pushed this "anyone can grow up to be president" thing too far.
Consider what happened with the SONY rootkit? Bruce Schneier (Cryptography and Security Expert) reported that Symantec and McAfee who both knew about the SONY rootkit did not add it to their signatures file. Apparently if SONY hacks your computer, that's fine with them! They only updated their files once SONY themselves had retracted the rootkit. http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
If Symantec and McAfee will let SONY hack your PC, they'll let the government hack your PC.
Can anyone recommend a virus scanner that looks after the customer rather than the virus companies' one-day-maybe potential business partners if they get lucky?
1) AV companies whitelist trojan used by government agents.
2) government agents install said trojan on all the bad-guys computers.
So now all the known bad guys have copies of a trojan that is whitelisted by the AV software...
What could possibly go wrong?
That's exactly the level of intelligence I've come to expect from this government.
Oh wait, maybe they'll copyright the trojan so the bad guys can't copy it and use it on other computers...
Any AV company that co-operates with such a plan is incompetent.
Unless there's a world-wide conspiracy or a single supplier of "police spyware" in the world, Anti-Spyware products from other countries will not follow a "don't detect us" order (and, I bet, there would be one or two posts with "would you look at that?!" notes, listing exactly what the "please don't detect us" note says). ;) :)
Of course it also implies that gov-spyware is used in such mass quantities that at least one or more somewhat knowledgeable people find that something is wrong and involve anti-virus/spyware vendors.
So... those who believe in world-wide conspiracy -- there is nothing to protect you (otherwise it wouldn't be ww-c
Those who are paranoid -- use anti-virus/spyware kits from different countries. Kill everything suspicious (perhaps including one or two of those anti-virus programs that point at each other as a threat)
Everyone else... panic for a week, then move on to the new threat/panic/book/movie
Hyperom.com
A question. If a malware detector wants to avoid detecting government malware, would they need to explicitly whitelist it or merely fail to blacklist it?
If they do whitelist government malware, is it possible to read the whitelist and extract the signatures of the whitelisted malware - and then search your system using a modified scanner and the signature they so thoughtfully provided?
.evom ton seod gis eht
Is there such a thing as a generic test for keyloggers? Perhaps some way to profile a known-clean system and then spot the difference in some aspect of performance if a keylogger is subsequently inserted? If the keylogger is rootkit-like it may be hard to spot in the small space of memory it would require. But wouldn't it usually introduce some slight delay in the speed of keyboard input getting to the intended program? Is there any way to test for that without the test program itself getting the same slightly-delayed input, with no way to measure when the key actually made contact? Can keyboard input be simulated in a way that would send it through any installed keylogger, and so reveal it?
Alternately, the keylogger is most likely storing the logged keys either in clear or in isomorphic form to the input. So if you inserted your own keylogger into the system, what would it take to scan memory (and drives?) for matches on samples of what your own keylogger captures? Keyloggers aren't going to want to be burdened with heavy encryption to avoid this scanning, since that would add enough system load to make them more spottable by other means. Obviously you'd have to mask out the legitimate memory locations of, say, your word processor the input's going to - which would miss a keylogger patched into your word processor.
Is anyone working on a way to harden systems against this whole category? (Yeah, key-logging dongles are yet another thing. Software insertion is the question I'm addressing.)
"with their freedom lost all virtue lose" - Milton
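The "insert your own input and look for where it ends up" idea from the post above can be turned into a concrete check. The following is an added example written for this thread, not code from any poster or product: it generates a random canary string, assumes that string has just been fed through the keyboard path, and then looks for it (raw, as wide characters, hex-encoded or reversed) in a set of memory regions, masking out the one region that legitimately holds it. The regions here are constructed byte strings so the script runs offline; a real tool would read process memory or recently written files instead.

```python
import secrets
import string
from typing import Dict, List, Set, Tuple


def make_canary(length: int = 24) -> str:
    """A random, unguessable token to feed through the keyboard path."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def stored_forms(canary: str) -> Dict[str, bytes]:
    """Cheap transformations a logger might apply before buffering keystrokes.

    Heavy encryption is left out on purpose: as the post notes, it would
    cost the logger CPU time and make it visible by other means.
    """
    return {
        "utf-8": canary.encode("utf-8"),
        "utf-16-le": canary.encode("utf-16-le"),  # wide-char buffers
        "hex": canary.encode("utf-8").hex().encode("ascii"),
        "reversed": canary[::-1].encode("utf-8"),
    }


def sweep(regions: Dict[str, bytes], canary: str, allowed: Set[str]) -> List[Tuple[str, str]]:
    """Report (region, form) pairs where the canary shows up outside the
    regions that are allowed to hold it (the application it was typed into)."""
    hits: List[Tuple[str, str]] = []
    forms = stored_forms(canary)
    for name, data in regions.items():
        if name in allowed:
            continue
        for form, needle in forms.items():
            if needle in data:
                hits.append((name, form))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Run the sweep over constructed stand-ins for process memory."""
    canary = make_canary()
    # Constructed sample regions (hypothetical process names, not real data).
    regions = {
        "editor:text-buffer": b"Dear all,\n" + canary.encode("utf-8") + b"\n",
        "browser:heap": b"\x00" * 64 + b"GET / HTTP/1.1\r\n",
        # constructed: an unexpected wide-char copy of what was typed
        "helper:heap": b"\x00" * 16 + canary.encode("utf-16-le") + b"\x00" * 8,
        "updater:log": b"2007-07-18 update ok\n",
    }
    # The editor is where the text was typed, so its buffer is masked out.
    return sweep(regions, canary, allowed={"editor:text-buffer"})


if __name__ == "__main__":
    for region, form in demo():
        print(f"canary found in {region} stored as {form}")
```

The allowlist is the weak point the post already identifies: a logger living inside the masked-out application is invisible to this sweep, and a long enough delay between typing and scanning lets a logger that flushes and wipes its buffer escape too. The canary must be random and generated fresh per run, otherwise a stale copy from an earlier test produces a false positive.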
What are the chances of success of a company specifically advertising that they don't overlook any spyware (including intelligence services spyware) from any country including US and making their business model on it?
Everything I write is lies, read between the lines.
I just hope the politicians (who invariably are usually the ones with the least knowledge of computers) come to their minds before the big disaster strikes.
It's not so much an issue of security and anti-malware vendors. A "government trojan" has the potential to become a diplomatic disaster. I mean, ponder the consequences.
Aside from the political problem that could arise when such a trojan is detected (and I deliberately don't write "if". "When" is the word of choice, because it will be detected, no matter whether AV vendors ignore it, because they must or because they want to 'help their country'), which can quickly destroy the rest of support a government has from its subjects, the foreign politics are much more endangered.
Imagine the US writing a keylogging and content sniffing trojan. Said trojan is then issued to a potential suspect. Said suspect finds it and forwards it via spam mail to Chinese companies and government. There it's detected, dissected and analyzed, to find that it's a keylogger reporting to the NSA.
Can you imagine the international implications?
For European governments, the headaches get even worse. Kaspersky said they won't care (and I believe them. I mean, if I was in Russia and had the backing of the government there, I wouldn't care about "do not find" letters from some minor country in Europe either). European AV researchers will be in The Hague immediately when a "you must not find" letter hits their desk, and sue for unfair competition situations. And then, the cat IS out of the box. Dead or alive.
What governments around the world didn't get yet is that the success of trojans lies on their spreading. A trojan gets sent to a few thousand targets, a tenth of a percent of which actually click on it and infect themselves. The current very popular and successful form of infecting where you manipulate webpages to spread your malware is definitely out for targeted infections either, you'd have no control over who gets infected.
So if you send your "targeted" trojan to a thousand suspects, only ONE of them on average will actually be infected. Compare that to the dangers of having that trojan in the "wrong hands" (see above), using such a trojan would be political suicide for any remotely democratic government.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
No, not for the crooks, but for security altogether. Let's take a look.
Police come forward with a trojan that must not be detected. AV vendors heed the order and whitelist it.
Now, I dunno if you know how malware is developed. Malware is routinely tested against the current AV tools. Simply because you want to create malware that is at least not immediately detected. So what's the best malware? Exactly: One that MUST NOT be detected. So what's the best base for the ultimate trojan? The police trojan. You only have to create a trojan that matches the whitelist signature of the fed trojan to be safe from detection.
It's way easier than trying to match your malware against other software that's on a whitelist. That police trojan has to do essentially what you want to do: Infect a computer, install a keylogger, steal the user's passwords, sniff through his files. No "ordinary" software that could be whitelisted does that. Your chances to match your trojan against this piece of whitelisted shit are incredibly higher.
So if I was a malware writer, I'd be waiting with anticipation for the feds to release it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Wired is reporting on some FBI spyware used to catch people. Wonder if any of these companies would spot and report that...
http://www.wired.com/politics/law/news/2007/07/fbi_spyware
In any case, it's a good idea to not just know what those processes are but what source (yep, also more than one meaning) they come from.
If you consider remote exploits, it is also a good idea to look at netstat -p and know what those ports are, why they are open and what processes are using them.
There are many terrible, bad, good and excellent rootkit and virus scanners, firewalls and IDSes out there to help you with this.
The Hacker's Guide To The Kernel: Don't panic()!
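The "know what those ports are and what processes are using them" advice above is easiest to act on when you keep a baseline and diff against it. The following is an added example written for this thread, not code from any poster or tool: it parses the column layout of Linux net-tools `netstat -tunap` output, keeps only listening sockets, and compares each one against a baseline of (protocol, port) to expected program name. The sample output, the program names and the baseline are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: Optional[int]
    program: str


def parse_netstat(text: str) -> List[Listener]:
    """Extract listening sockets from `netstat -tunap`-style output
    (net-tools layout: Proto Recv-Q Send-Q Local Foreign [State] PID/Program)."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local = fields[0], fields[3]
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        if proto.startswith("tcp") and fields[5] != "LISTEN":
            continue  # connected sockets are not listeners
        owner = fields[-1]
        if owner == "-":
            # net-tools prints "-" when the caller lacks permission to see the owner
            pid, program = None, "?"
        else:
            pid_str, program = owner.split("/", 1)
            pid = int(pid_str)
        listeners.append(Listener(proto, addr, int(port), pid, program))
    return listeners


def audit(listeners: List[Listener], baseline: Dict[Tuple[str, int], str]) -> List[Tuple[Listener, str]]:
    """Flag listeners that are not in the baseline, whose owner is hidden,
    or whose owning program is not the one the baseline expects on that port."""
    findings: List[Tuple[Listener, str]] = []
    for l in listeners:
        expected = baseline.get((l.proto, l.port))
        if expected is None:
            findings.append((l, "not in baseline"))
        elif l.program == "?":
            findings.append((l, f"owner hidden; expected {expected}, rerun as root"))
        elif l.program != expected:
            findings.append((l, f"expected {expected}"))
    return sorted(findings, key=lambda f: f[0].port)


# Constructed sample output (hypothetical hosts, PIDs and program names).
SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1044/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2931/updatehelper
tcp        0      0 10.0.0.5:51324          93.184.216.34:443       ESTABLISHED 1420/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
"""

# Constructed baseline for this hypothetical host.
BASELINE: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "sshd",
    ("tcp", 25): "master",
    ("tcp", 631): "cupsd",
    ("udp", 68): "dhclient",
}


def audit_sample() -> List[Tuple[Listener, str]]:
    return audit(parse_netstat(SAMPLE), BASELINE)


if __name__ == "__main__":
    for listener, reason in audit_sample():
        print(f"{listener.proto}/{listener.port} {listener.program} ({listener.pid}): {reason}")
```

Two caveats the thread itself raises: a process name is only a name, so a finding should be followed by checking the binary's path and source, and a kernel-level rootkit can hide sockets from netstat altogether, which is why the thread's advice to cross-check with a rootkit scanner still applies.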
Since no one else has mentioned it...
CALEA.
When an ISP gets a subpoena, they're required to be able to tap your internet traffic basically at a moment's notice. The law enforcement agency will then receive a full packet trace of literally every bit of your network traffic.
Granted, this is meaningless on a stand-alone PC that's not connected to the internet, but the instances where they'll want to install gov't spyware on this type of system has got to be far, far less often.
"I can be self-referential if I want to," said Tom, swiftly.