FBI Investigating Mystery Laptops Sent To US Governors

itwbennett writes "The FBI is trying to find out who is sending laptops to state governors across the US, including the governors of Wyoming and West Virginia. The West Virginia laptops were delivered to the governor's office on August 5, according to the Charleston Gazette, which first reported the story. Kyle Schafer, West Virginia's chief technology officer, says he doesn't know what's on the laptops, but he handed them over to the authorities. 'Our expectation is that this is not a gesture of good will,' he said. 'People don't just send you five laptops for no good reason.'"

Me

[earthloop]

If the governors don't want them, I'll have them.

Re:Me

As a resident of West Virginia, I assure you it wasn't a trust issue. Rather, the laptops did not have 28.8 modems to connect to the local bbs rendering them useless in the Mountain State.

West Virginia - keeping Hughes Net in business since 2005.

Re:Me

[sotw81]

I don't know what part of West Virginia you live in, but we've had cable service for years. Heck, even the south has had broadband for 5+ years.

Re:Me

[CmdrPorno]

If the governors don't want them, I'll have them.

I'd like mine with an Argentinean girlfriend and some unexplained hiking trips, please.

Re:Me

[NotBornYesterday]

I just got off the phone with HP customers service, and boy, am I pissed. I ordered 5 new laptops a week ago, and no one can tell me where the hell they are.

If they don't want them

[snl2587]

I'll take them.

Seriously, they don't have one good tech guy who could wipe the drives/check the internals for rogue hardware?

Re:If they don't want them

[1s44c]

Seriously, they don't have one good tech guy who could wipe the drives/check the internals for rogue hardware?

Not at a cost less than the price of one new laptop. Smart hardware people with time to prepare could hide just about any device just about anywhere. Or hide nothing at all just so people waste time looking for what isn't there.

I get the impression this is just a prank by someone with a little too much free cash and a bad sense of humor. Either that or a marketing thing by a laptop manufacturer.

Re:If they don't want them

[jamesh]

Show me an IT monkey who could tell the difference between two standard network adapters, one of them fine and the other containing a counterfeit MAC/PHY IC that's been fucked with by Chinese intelligence services...

And for the time taken to vet the laptop for such things, you might as well throw it out.

On the other hand, if you actually did want to get government personnel using subverted hardware then I think just sending it to them anonymously is probably not a good way of going about it... so maybe the criminals aren't that smart. Or maybe that's what they want you to think?

Re:If they don't want them

[Jeremy+Erwin]

And if it's a hardware issue? I'd donate them to a educational organization (after wiping them down for malware)

Re:If they don't want them

[sopssa]

You wipe the OS and install a new one. You clean it up from the default bloatware and hook it to the network. You analyze the connection and if there is no communication the devices are safe.

You seem like a intelligent gentleman providing great solution for both the latest gov IT attacks AND the recession!

If this happens, I can see both China's computer espionage and Kim Jong's heads exploding from the sore happiness!

Re:If they don't want them

[Corporate+Troll]

That's a bit naive, isn't it? Perhaps there is a hardware trigger that will start sending out data when receiving a specific packet and when it doesn't, it stays silent? Or a timed device (6 months from first power-on)... There are many ways that those machines may be compromised without even being affected by the operating system that's on it.

Re:If they don't want them

[thue]

> And for the time taken to vet the laptop for such things, you might as well throw it out.

Except that if I were the CIA, I would pay a lot more than the price of 5 laptops to know who was spying on me, and how.

Re:If they don't want them

[Jeremy+Erwin]

Hidden, malicious hardware.

Re:If they don't want them

[Beezlebub33]

Which is why you forward them to the CIA and have _them_ figure the whole thing out.

Actually, you would have to be pretty stupid to send them to the CIA. You'd send them to the FBI (as TFA mentions), who would try to figure out if it was foreign or domestic, and then they would get the real experts (NSA) to do the technical work.

Re:If they don't want them

[Glonoinha]

Put it in the field and fly a Huey Gunship in the general vicinity.
If it runs, it's VC.
If it doesn't run, it's well disciplined VC.

I know what you're thinking ... "How do you shoot innocent laptops and desktops?"
It's easy - you just don't lead them as much!

Re:If they don't want them

[geekgirlandrea]

How would you know if it's listening? It doesn't have to be software tampering. All it would take is a counterfeit ethernet chip that recognizes some magic number in a packet, maybe sends out some really innocuous-looking packet once in a while as a location beacon (make some known DNS query or something), and then does DMA into the host's memory on command. Nothing unusual at all in the traffic except some ordinary-looking location signal, until its owner starts using it as a hardware rootkit.

Re:If they don't want them

[IchNiSan]

We really need to know, will it blend?

OLPG

[MichaelSmith]

Its obviously the one laptop per Governor project.

Re:OLPG

[zoomshorts]

Compaq 15.6" CQ60-410US Notebook PC, I got mine for $298.00. Not a real cost.
Let's guess, one drunk, $1600.00 laying around and surf the web for governor's
addresses.

The malware? IE 8.0 plus VISTA Home edition. Instant coup.

Are you kidding me?

[zach_the_lizard]

"People don't just send you five laptops for no good reason."

Are you kidding me? I've received hundreds of free laptops from total strangers. In fact, I trust them so much that I do all my banking on them. After all, this nice downtrodden Nigerian prince has personally guaranteed the security and stability of all these laptops. Now, let me go check my bank balance....OMGWTFBBQ^*#^$@))*#$!!!!!

NO CARRIER

Re:Are you kidding me?

[sopssa]

NO CARRIER

I understand breaking the monitor and keyboard in such situation, but you actually went out of the house, walked to your tool shack, picked up an axe and smashed your telephone line with it? That's a little bit aggressive, dont you think?

If the govenors do not want them...

[Skinkie]

...at least give every incoming laptop to a nearby school. I mean, spying on students happens already anyway.

Interesting angle on social engineering...

[damburger]

You get the laptops delivered to a big enough organisation, whoever signs for them assumes *somebody* ordered them for a reason, but can't find out who. So they stash them somewhere. Fast forwards to when someone new joins the organisation and needs a laptop, somebody mentions there are a couple lying around in boxes and bingo, you've got malware in through the front door without touching an Internet connection.

Makes me wonder, how often this has been done successfully to less vigilant offices, worked, and we haven't heard about it.

Re:Interesting angle on social engineering...

[jollyreaper]

That's an expensive hack! Especially when the typical methods are practically free. I wonder how effective it is.

You know, it might be cheaper to just "accidentally" drop usb drives near the office or, if you're not targeting a particular office specifically, leave the drives in coffee shops and local restaurants. Someone takes it home and tries looking at it, pwnage.

Re:Interesting angle on social engineering...

[scheuri]

That is what I thought first, too. Well, I still think it is a very interesting angle on social engineering as you put it.

However, if you do that with a large enough company to get "undetected" (assuming smaller companies would recognise something fishy is going on) there should be a large risk that this laptop goes to the IT-people first to get completely altered to companies standards.
That usually should mean complete format and using an image of whatever the company is using as client OS. So there goes your malware (at least most of it).

So I am very confident that this has to be taken into account.

Re:Interesting angle on social engineering...

[jlmale0]

The article notes that the seized laptops were part of an order that shipped to 10 offices; all have been tracked down. Still, you're right, we don't know about other orders. I think it's a brilliant idea, the free laptops. If it's a software only attack, they have to be wary of those departments that reimage PCs to standard images.

Re:Interesting angle on social engineering...

[91degrees]

Yes. I can't imagine it would be worth it for businesses. You're spending a lot of cash on something that may well go to fairly junior employees who have no access to any information of any importance. Even if the Governor himself gets one, you can't be sure that he'll use it for anything that will be of any value to a third party.

A foreign government might be willing to splash out this sort of cash but I wonder how interested they are in individual state politics.

Re:Interesting angle on social engineering...

[maxume]

But West Virginia?

Re:Interesting angle on social engineering...

[Skinkie]

So what if the laptops where HP's with onboard maybe even modified 3G cards. How are you going to prevent a KVM calling home?

Re:Interesting angle on social engineering...

[MiniMike]

Maybe they're trying to intercept communications to or from Senator Byrd who, despite being from West Virginia, is a very influential Senator.

Or they might just want the latest recipe for Varmint Pie.

Re:Interesting angle on social engineering...

[vertinox]

You get the laptops delivered to a big enough organisation, whoever signs for them assumes *somebody* ordered them for a reason, but can't find out who.

Hehe. I worked for a large company where on more than one occasion someone just sends their laptop in to the workshop only to be lost in the stack because they didn't put a ticket number on it. It wasn't stolen but rather just with all the other laptops in a pile and was basically unlocatable for a few months.

Secondly, the purchasing approval process sometimes takes a while so by the time someone gets their laptop purchase approved they might no longer be with the company.

Re:Interesting angle on social engineering...

[jamstar7]

Coal in West Virginia, oil shale in Wyoming. Not sure what energy related resource is in Vermont tho.

Reality is weirder than fiction

[Drakkenmensch]

Sounds like the opening chapter of a John Grisham novel. Encryption hits the newspaper stands before the library shelves, it seems!

Re:Reality is weirder than fiction

[Jeremy+Erwin]

When the NSA's invincible code-breaking machine encounters a mysterious code it cannot break, the agency calls in its head cryptographer, Susan Fletcher, a brilliant and beautiful mathematician. What she uncovers sends shock waves through the corridors of power. The NSA is being held hostage...not by guns or bombs, but by a code so ingeniously complex that if released it will cripple U.S. intelligence.

Egad. If I want cheap obnoxious thrillers, I'll read Greg Bear's lesser work...

That might not be safe enough

[acb]

What if whoever's sending them isn't just a small-time crook but a foreign intelligence agency with the resources to custom-make chips with built-in back doors. (Such back doors have been demonstrated to be plausible; someone has built a CPU with a circuit which switches off memory protection when it finds a specific sequence on a memory bus, which means that it doesn't matter how secure the software running on it is.)

Why would they target state governors' offices? Well, they'd presumably be easier to pwn than, say, the Department of Defence or the CIA, and a good starting point for setting up pieces.

Re:That might not be safe enough

[MichaelSmith]

But delivering them this way is attracting too much attention. Better to deliver the machines to their normal IT supplier, perhaps by getting one of your people on the payroll.

Re:That might not be safe enough

[1s44c]

But delivering them this way is attracting too much attention. Better to deliver the machines to their normal IT supplier, perhaps by getting one of your people on the payroll.

It would be far cheaper to put malware on a USB key with a logo of some government project on the side and mail that to them. They could use the same CD autorun thing that the U3 malware uses.

Re:That might not be safe enough

[BenEnglishAtHome]

...a USB key with a logo of some government project ...

Are you kidding?

If I wanted to guarantee that a found USB key would be plugged in somewhere, I'd label it "porn".

Re:That might not be safe enough

[Corporate+Troll]

They could use the same CD autorun thing that the U3 malware uses.

Offtopic, but does anyone know how to remove the U3 "feature" using Linux? I heard there are Win32 removal tools, but I don't trust removal tools from people who actually invented U3...

Re:That might not be safe enough

[LWATCDR]

Really? They why state governors? They really don't have a lot of access to secret stuff. My guess is a little more amusing. Someone has figured out how to hack into HPs GSA ordering system and is pranking them. They are basically ordering laptops on the states dime from HP just to see if anyone notices. Sort of like ordering Pizzicati to be set to buddy's house as a joke. The difference is this is going to be a federal offense.

Re:That might not be safe enough

[TheCarp]

Then again.... maybe this is just QA.

Put in your malbug, send the laptops out in a high profile way... see what happens. Do they investigate? Do they even find what you did? That, in and of itself, could be valuable information, and possibly worth 5 laptops.

Though I do enjoy the double standard. Someone breaks into your systems, with evidence. Think the FBI is going to care unless they can be shown to have done massive damage or stolen real money?

Here someone does something that is, on its face, perfectly legal and straight up, but the suspicion of potential wrongdoing and the FBI are all over it. I am pretty sure that if someone sent me a free laptop and I called the FBI, they would just laugh at me.

-Steve

Re:That might not be safe enough

[daivzhavue]

http://u3.com/support/default.aspx#CQ3

They finally came out with an uninstaller for it. Quick and easy, but back up all your data as it wipes the entire flash drive.

Re:That might not be safe enough

Because they want to be noticed. One laptop to the President gets disposed of. Five laptops to each governor gets them examined. Carefully.

It's a message. Wonder who it's from, don't you? Maybe God.

Re:That might not be safe enough

[Glonoinha]

Doesn't work in Linux, as the GP asserted. Have to stick it in a Windows box just to run the uninstaller.
As far as I'm concerned it's defective from the vendor and I personally don't buy any USB thumbdrives with U3 installed on them.
If I accidentally buy one with it on there and realize it after I get it home and open the package, I take it back. Sorry, but no.

Re:That might not be safe enough

I work in West Virginia state government and this came up at yesterdays staff meeting. According to the boss (not PHB) they've found that laptops had been purchased with stolen credit cards and came loaded with malware. Also some of the laptops received in other states had actually been used.

Re:That might not be safe enough

[Vintermann]

On small (4-5 person) LAN parties back in the nineties, I knew a guy who shared his floppy drive under the name "porn". When somebody got too horny, their expectation of anonymity were ruined by the characteristic noise those drives make when they try to read from a non-existent floppy.

Re:That might not be safe enough

[ColdWetDog]

It's a message. Wonder who it's from, don't you? Maybe God.

God would send an iPhone, not a laptop.

Get real.

Re:That might not be safe enough

I work in the WV state government as well. I'm a system/network administrator in an agency and we've been batting this around for a while trying to come up with ideas and motives. Personally, there is no way I would ever consider allowing these machines onto my network in any capacity. If for some reason we really thought we had to power them on, they go on a dedicated switch connected to our testing cable modem connection, with a spanned port going to a dedicated snort box. IMO either give them to the feds to work with, or destroy them without powering them on. There is no sense in introducing an unknown unmanaged machine into a government network.

I can see it now

[ChayesFSS]

Next week on CNN: Pen & Paper sent to US Governors in hopes that they'd do more work. FBI called in to investigate.

Hard-Trojans

[LaminatorX]

"A what? Whatever, put it in the yard next to the giant wooden horse."

Re:Hard-Trojans

[Culture20]

They don't sound too pleasant. Hopefully they're made with metal or plastic instead of wood. Bonuses: no breaking.

a delivered local wi-fi attack?

fedex sleeping laptop
wake at delivery time
run superduper wi-fi haxor proggy
phone home

Re:a delivered local wi-fi attack?

[lxs]

"a delivered local wi-fi attack" is the best poetry I've read all day. Your lack of punctuation and capitalzation reminds me of e.e.cummings, and the unexpected Spielberg reference at the end is a stroke of genius. You should do poetry slams. (imagine "run superduper wi-fi haxor proggy" to the sound of a bass slapping. )

Re:a delivered local wi-fi attack?

[zippthorne]

I'm imagining it, but it's really hard to get a good rhythm out of a dead fish.

Hacked hardware?

[tsvk]

Since the origin of the computers is unknown, the hardware cannot be trusted. The computers might be hacked and backdoored on the BIOS level. Modern BIOSes are quite sophisticated with a rich functionality, that can be misused invisibly from the OS' point of view.

Re:Hacked hardware?

[John+Hasler]

I think that they are more concerned about bombs than BIOS trojans.

Re:Hacked hardware?

[maxume]

The article says that they were HP laptops, not Sony.

</obvious>

2 democrats

[WindBourne]

I wonder if the others are dems? Perhaps it is time to check the keys themselves and see what is on them

Updated news report

[ciaran.mchale]

This just in... It seems the governor's office was right to be wary. The FBI have confirmed that all the laptops are infected with Windows Vista Basic. Truly nasty.

That's nothing...

Real bad guys would plant a Governor or a President, not some brainless laptops...

Stop being so paranoid

[charliebear]

A likely explanation is that somebody either stole a credit card or cards or somehow ordered them fraudulently and is using this as a smokescreen. Send 10 laptops to 10 governors. Send 10 to random people including yourself. Profit! Or else an employee at one of the offices is in on it and wanted to cover themselves by sending them out to other offices.

Don't assume Fraud is occuring on the delivery

[Cassini2]

Go for the obvious. Someone is trying to get revenge on corporation "x" by purchasing a bunch of computers and having them drop shipped. By the time accounting catches up with the paperwork, the computers will be in the hands of the FBI for a month. If the scam is done right, it is done by an ex-employee or someone with just enough access to know who the preferred suppliers are. You make a couple of phone calls, send the right paperwork, and next thing your computer vendor is drop shipping a bunch of computers somewhere.

Having worked for distributors, I'm surprised this doesn't happen more often. Having stuff go missing for weeks on end inside factories, fairly routine ... This wouldn't be hard to do. Just ship a bunch of computers somewhere else.

It is even difficult to get charged for doing something like this. FAXing the paperwork leaves no fingerprints. To the accounting department, the transaction looks like typical incompetence. The corporation won't request charges laid, because then they would have to admit they were incompetent too, and this stuff happens all the time. The police have a tough time charging you, because you didn't steal anything. If done right, you didn't even touch anything so there is no physical evidence. No evidence means no crime, and your revenge makes the national newspapers. Perfect revenge scheme.

OLPC

[tekrat]

One Laptop Per *CHILD*.

Re:send them back...

[mikael]

Nigeria actually has a bank called "Bank PHB" with the slogan "Be you, be free, be brilliant". I can't help but think of the PHB from Dilbert;

Re:Your problem being?

[HikingStick]

Not a bad idea unless the firmware is poisoned.

Have they turned it on?

[MickyTheIdiot]

All it probably just plays Rick Astley "Never Gonna Give You Up" in a loop.

Why assume it's some foreign entity?

[rnturn]

What do the states whose governors received these laptops have in common? The referenced article didn't mention the complete list but West Virginia and Wyoming might have something commercial in common. Mining or energy for example. Wouldn't a lobbyist with some powerful clients in the mining/energy industry just love to have access to some state computer systems where they could snoop through internal emails discussing potential legislation restricting mining activities? West Virginia's had problems with mountaintop removal for years. There's been talk of stopping that for some time. Wyoming has their share of mining companies abusing the environment as well.

On the other hand, perhaps a bunch of environmentalists shipped the laptops in the hope of getting access to state information so they could blow the whistle on state govt./industry shenanigans (bribes and the like).

Anyone know where there's a complete list of the states where these laptops were shipped?

Send 10 laptops or have bad luck for 7 years.

[neo]

> Send a laptop to 10 people or you will have bad luck for 7 years. If you do send laptops to 10 people you will get your greatest wish!!
>
> A woman in Canada didn't send the laptops and now she is in prison for cheating on her taxes.
>
> A man in Kansas sent the 10 laptops and now has a new laptop!
>
> This is not a hoax or scam!! YOu HVAE TO SEND THIS!! 10 Laptops or something horrible will happens. Send it to all your friends!!!
> >
> > It's TRUE!! I got cancer when I didn't send the laptops, but then I sent them and now I have a million dollars!!!11
> >
> > Don't think this is a trick!! Just do it !1 Wjhat do you have to lose??
> >
> > Jack in Fredricksburgton
> >
> >
> > > I can't count the number of times I've sent out these kinds of Laptops and gotton NOTHIONG. But this is the real deal.
> > > You can't go wrong with this one. Think about it, you already got the laptop. You already have it...
> > > but dont' just accept the gift and not pass it on or your in for big troubles.
> > > >
> > > > Here is a free laptop. Pass this on to 10 friends and enjoy!
> > > >
> > > > Richard R.

Re:China

[conspirator57]

Coal... China is now a net importer of fossil fuels, though mostly from Australia.

Hackers

[jjhall]

When they turn 'em on, does it show some distorted video of a guy telling them to play nice, and to enjoy the new laptop?

Re:Your problem being?

[CodeBuster]

Even with the original hard drive gone, I still wouldn't use these laptops if I were the governor. Where did they come from and who arranged the shipping? It could be that foreign intelligence agencies (the Chinese in particular) specially crafted these "gifts" and then attempted to ensure that they would fall into the hands of important people within our government. No, these laptops are best turned over to the FBI or the CIA and left unused by their recipients.