Are YOU infected with government sponsored 'spyware'?
Computer of alleged Sarah Palin hacker had spyware

The 21 year-old college student charged with hacking former Alaska Governor Sarah Palin's Yahoo e-mail account was using a compromised computer that was secretly logging and reporting information without his knowledge, his lawyers say.

In court filings attorneys for David Kernell say that the Acer notebooks that U.S. Federal Bureau of Investigation agents seized from Kernell's Knoxville, Tennessee, apartment last year apparently contained spyware. "The program, which was installed by an unknown method before the computer ever came into Mr. Kernell's possession, uses sophisticated technology to record and report personal information without the user's knowledge," his attorneys state, in a Nov. 30 motion.

Although the court documents do not identify the program, they indicate that the software was reverse-engineered and analyzed within the five forensic reports the U.S. Government produced for this case. Those reports have been filed under seal because they contain personal information.

Kernell is facing a possible five-year prison sentence on a one-count felony computer hacking charge. Prosecutors say that he accessed Palin's personal e-mail account in Sept. 2008, while she was running as a vice-presidential candidate, and used Yahoo's password reset feature to gain access to her mail. The e-mails were posted online and an anonymous member of the 4chan discussion board named Rubico claimed responsibility for the act. In her recent autobiography, Palin described the incident as the "most disruptive and discouraging" event of her losing 2008 campaign.

It's not uncommon for computers to be infected with malicious software that logs personal information, said Paul Ferguson, a security researcher with anti-virus vendor Trend Micro. In fact, he guesses that one in five PCs have some sort of malicious program on them, giving backdoor access to cyber-criminals.

David Kernell is the son of Democratic Tennessee state representative Mike Kernell. His trial is set to begin on April 20.

from CSO Security and Risk blog
And now for the follow-up info:
Security firms on police spyware, in their own words

But would that government spyware used in that investigation actually be detected by security software? Or would security companies intentionally fail to report it? To answer that question, CNET News.com performed the following survey.

We asked three questions of 13 security companies, ranging from tiny ones to corporations like Microsoft and IBM, and the results are below. When there is no answer listed for a specific question, the company chose not to answer it. In some cases we followed up with additional questions. We began the survey last Tuesday and asked the final questions on Monday.

AVG/Grisoft

Responses from Fran Bosecker, spokeswoman for Grisoft, which publishes the AVG Anti-Virus, AVG Anti-Spyware, and AVG Anti-Rootkit programs, many of which are free. Grisoft has offices in the United States, Czech Republic, and Cyprus.

Question: Has Grisoft/AVG ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: Not to the best of my knowledge in the U.S. or Europe.

Question: Is it Grisoft/AVG's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: So far this is the policy, also based on the valid legislature.

Question: Do these policies vary depending on the country (the U.S. vs. others, for instance)?

Answer: Yes. Current AVG policy is to flag Trojans that exhibit these types of actions. With that said, AVG will of course consider all laws, regulations and compliance rules set forth by the nations and/or local governments to the best of our abilities.

Question: We understand that you have to comply with applicable laws and regulations. But do any laws and regulations currently require security companies to ignore spyware/malware/key loggers placed on computers by governmental agencies?

Answer: None that we're aware of in the U.S. or Europe, or at least no law enforcement or agency has asked that we ignore any.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: No

Check Point

Responses from Allison Wagda, director of public relations at Check Point Software, which makes the ZoneAlarm security software, including a Vista version announced last month. Other Check Point products provide disk encryption, firewalls and intrusion detection.

Question: Has Check Point ever had any discussions with any government agency about not detecting spyware or keystroke loggers installed by a police or intelligence agency?

Answer: No, we've never been approached with such a request.

Question: Is it Check Point's policy to alert the user to the presence of any spyware or keystroke logger, even if it is installed by a police or intelligence agency?

Answer: Our goal is to detect malicious software. ZoneAlarm does so by detecting certain behaviors (such as keystroke logging) and alerting the user. We do have a policy whereby legal, legitimate software programs from any third-party vendor can be "whitelisted" from detection upon request. We would afford law enforcement the same courtesy.

Question: In a follow-up conversation, we asked Check Point under what circumstances they would afford that "courtesy."

Answer: We've never been in the situation, but if the request fell outside of our typical parameters for whitelisting (i.e. having a signed certificate, among other things), then we'd consider on a case-by-case basis.

Question: Have you ever received such a court order signed by a judge requiring you to cooperate with law enforcement authorities in terms of not detecting government-installed spyware or delivering government spyware to your users?

Answer: Not to our knowledge.

...

From Cnet News
The story continues for 6 pages, consulting the major security firms that provide end users with anti-virus, anti-spyware, and firewall support. Each one basically says no, but it's not like they're under any legal obligation to answer Cnet's questions with the truth. In fact, it would just be bad business for them to mention that they do cooperate with law enforcement, not that it would affect the end users, because no one actually knows any better. The most unclear of all the responses come from McAfee and, of course, everyone's favorite, Microsoft, with "It is company policy to not comment on our conversations with law enforcement". Yeah, sure, I believe you, not. Taking gag orders into consideration, it's very well possible that they are simply not allowed to tell you.

Big deal, right? This is casual news in a business world, but it affects you on a very personal level. Even still, if they really do this, should it be allowed? Is your personal privacy worth sacrificing to catch some script kiddies, or in this case the Palin hacker, who I feel honestly has done nothing wrong besides violate Yahoo's terms of service? Palin should have never had that account and violated her own state's privacy statutes; where is the recourse for that? Perhaps if Palin was smart enough to ensure her password reset question wasn't so easy, this would've never happened and Palin's e-mails probably would have never come to light (although they were seemingly innocuous anyhow), but is she not held to the same standards as the rest of Yahoo's users, whose obligation it is to secure their own info?

There is no differentiation here as to whether the spyware was indeed government issue, or whether people really are pwning themselves and government agencies are just letting themselves in, taking advantage of the lackluster work of trojan coders to usurp, for instance, bots from a botnet maliciously installed by your generic bad guys. Because those bad guys didn't bother ensuring the command and control center couldn't be compromised and taken over (no honor among thieves), the bots are now in the hands of good guys with questionable ethics. What is the precedent for that anyhow? It's illegal to install trojans on another's computer without their permission, but once it's already there, what's to stop someone else from taking advantage of that backdoor? If these companies really are 'whitelisting' government spyware, what's to stop the bad guys from figuring out how to make their programs seem legit and pass detection as well? I guess we're playing wait and see... fun!

Check Point's stance on the whole thing is just scary: "Our goal is to detect malicious software. ZoneAlarm does so by detecting certain behaviors (such as keystroke logging) and alerting the user. We do have a policy whereby legal, legitimate software programs from any third-party vendor can be 'whitelisted' from detection upon request. We would afford law enforcement the same courtesy." I doubt that many of the major firms differ from this view greatly. So who can you trust? Since we're getting all X-Files zany here... as Fox Mulder would say, trust no one.
