Free Republic

FBI software cracks encryption wall
MSNBC ^ | November 20, 2001 | Bob Sullivan

Posted on 11/20/2001 2:03:16 PM PST by testforecho

The FBI is developing software capable of inserting a computer virus onto a suspect’s machine and obtaining encryption keys, a source familiar with the project told MSNBC.com. The software, known as “Magic Lantern,” enables agents to read data that had been scrambled, a tactic often employed by criminals to hide information and evade law enforcement. The best snooping technology that the FBI currently uses, the controversial software called Carnivore, has been useless against suspects clever enough to encrypt their files.

MAGIC LANTERN installs so-called “keylogging” software on a suspect’s machine that is capable of capturing keystrokes typed on a computer. By tracking exactly what a suspect types, critical encryption key information can be gathered, and then transmitted back to the FBI, according to the source, who requested anonymity.

The virus can be sent to the suspect via e-mail — perhaps sent for the FBI by a trusted friend or relative. The FBI can also use common vulnerabilities to break into a suspect’s computer and insert Magic Lantern, the source said.

Magic Lantern is one of a series of enhancements currently being developed for the FBI’s Carnivore project, the source said, under the umbrella project name of Cyber Knight.

MENTIONED IN UNCLASSIFIED DOCUMENTS

The FBI released a series of unclassified documents relating to Carnivore last year in response to a Freedom of Information Act request filed by the Electronic Privacy Information Center. The documentation was heavily redacted — most information was blacked out. They included a document describing the “Enhanced Carnivore Project Plan,” which was almost completely redacted. According to the anonymous source, redacted portions of that memo mention Cyber Knight, which he described as a database that sorts and matches data gathered using various Carnivore-like methods from e-mail, chat rooms, instant messages and Internet phone calls. It also matches the files with the necessary encryption keys.

MSNBC.com repeatedly contacted the FBI to discuss this story. However, after three business days the FBI was still requesting more time before commenting. MSNBC.com has filed a Freedom of Information Act request with the bureau.

Word of the FBI’s new software comes on the heels of a major victory for the use of Carnivore. The USA Patriot Act, passed last month, made it a little easier for the bureau to deploy the software. Now agents can install it simply by obtaining an order from a U.S. or state attorney general — without going to a judge. After-the-fact judicial oversight is still required.

FBI HAS ALREADY STOLEN KEYS

If Magic Lantern is in fact used to steal encryption keys, it would not be the first time the FBI has employed such a tactic. Just last month, in an affidavit filed by Deputy Assistant Director Randall Murch in U.S. District Court, the bureau admitted using keylogging software to steal encryption keys in a recent high-profile mob case. Nicodemo Scarfo was arrested last year for loan sharking and running a gambling racket. During their investigation, Murch wrote in his affidavit, FBI agents broke into Scarfo’s New Jersey office and installed encryption-key-stealing software on the suspect’s machine. The key was later used to decrypt critical evidence in the case.

Magic Lantern would take the method used in Scarfo one step further, allowing agents to “break in” to a suspect’s office and install keylogging software remotely. But in both cases, the software works the same way.

It watches for a suspect to start a popular encryption program called Pretty Good Privacy. It then logs the passphrase used to start the program, essentially giving agents access to keys needed to decrypt files.

Encryption keys are unbreakable by brute force, but the keys themselves are only protected by the passphrase used to start the Pretty Good Privacy program, similar to a password used to log on to a network. If agents can obtain that passphrase while typed into a computer by its owner, they can obtain the suspect’s encryption key — similar to obtaining a key to a lock box which contains a piece of paper that includes the combination for a safe.

BREAKING NEW GROUND

David Sobel, attorney for the Electronic Privacy Information Center and outspoken critic of Carnivore, did not outright reject the notion of a Magic-Lantern-style project, but raised several cautions.

“This is breaking new ground for law enforcement, to be planting viruses on target computers,” Sobel said. “It raises a new set of issues that neither Congress nor the courts have ever dealt with.”

Stealing encryption keys could be touchy ground for federal investigators, who have always fretted openly about encryption’s ability to help criminals and terrorists hide their work. During the Clinton administration, the FBI found itself on the losing side of a lengthy public debate about the federal government’s ability to circumvent encryption tools. The most recently rejected proposal involved so-called key escrow — all encryption keys would have been stored by the government for emergency recall.

LEVELS PLAYING FIELD WITH CRIMINALS

A spokesperson for Rep. Dick Armey (R-Texas) said he thought Magic Lantern, as described to him by MSNBC.com, was considerably more palatable than key escrow.

“Citizens should have ability to keep their files and e-mails safe from bureaucratic prying eyes. But this would only be usable against a limited set of people. It’s not as troubling as saying the government should have all the keys,” said the Armey spokesperson. He also said Magic Lantern didn’t raise the same Fourth Amendment concerns regarding search and seizure as Carnivore, because Magic Lantern apparently targets one suspect at a time. Armey, an outspoken Carnivore critic, has complained about the potential for the FBI’s Internet sniffing software to capture too much data as packets fly by headed for a suspect — known in the legal world as an “overly broad” search.

Sobel was concerned that the keylogging software itself could result in overly broad searches, since it would be possible to observe every keystroke entered by a suspect, even if a court order specified a search only for encryption keys. Developers in the Scarfo case went to some trouble to limit the data stored by the keylogging software installed on Scarfo’s computer, shutting the system on and off in an attempt to comply with the court order, according to Murch’s affidavit. But given the confusion surrounding keylogging and encryption, and the mystery surrounding projects like Carnivore, Sobel said he’s worried about the bureau’s use of software that hasn’t been clearly explained to the public or the Congress.

“It is a matter of what protections are in place. At this point, the best documented case is Scarfo, and that raises concerns,” he said. “The federal magistrate who approved the technology in Scarfo had no understanding of what this thing was. I hope there can be meaningful oversight (for Magic Lantern).”


TOPICS: Crime/Corruption; Extended News; News/Current Events
KEYWORDS: microsoft; privacylist; techindex
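
The article's point that the key itself is "only protected by the passphrase" can be made concrete. The following is an added example, not code from the article, PGP or any poster: it wraps a secret key under a passphrase-derived key, using PBKDF2 and an HMAC-based keystream from the Python standard library as stand-ins for PGP's own key-file format, and the function names and iteration count are assumptions.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 200_000  # assumed KDF work factor; slows each passphrase guess

def _derive(passphrase: str, salt: bytes) -> bytes:
    # 64 bytes from the passphrase: 32 to encrypt, 32 to authenticate.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a real cipher.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap_key(secret_key: bytes, passphrase: str) -> bytes:
    """Return salt || ciphertext || tag: what sits in the key file on disk."""
    salt = os.urandom(16)
    k = _derive(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(secret_key, _keystream(k[:32], len(secret_key))))
    return salt + ct + hmac.new(k[32:], salt + ct, hashlib.sha256).digest()

def unwrap_key(blob: bytes, passphrase: str) -> bytes:
    """Recover the secret key; fails closed on a wrong passphrase."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k = _derive(passphrase, salt)
    expected = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted key file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k[:32], len(ct))))

def effective_bits(key_bits: int, passphrase_len: int, alphabet: int) -> float:
    # Anyone holding the key file needs only the passphrase, so the
    # weaker of the two search spaces sets the real strength.
    return min(key_bits, passphrase_len * math.log2(alphabet))

if __name__ == "__main__":
    secret = os.urandom(16)                      # constructed 128-bit key
    blob = wrap_key(secret, "t4@!dd_KqZ$h")      # passphrase quoted in the thread
    assert unwrap_key(blob, "t4@!dd_KqZ$h") == secret
    print(round(effective_bits(128, 8, 26), 1))  # 8 lowercase letters
```

The wrapped blob is safe to store only as long as the passphrase never leaves the owner's head and keyboard, which is why a passphrase captured at entry bypasses the key length entirely.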
To: Nita Nupress
Surely they have a solution to the "cut & paste," ya think?!

Cut and paste would get around the key logging software, but would require that you have the encryption keys stored in a file on the computer to cut and paste from. If they can find that file, they don't need the key logging software.

21 posted on 11/20/2001 2:57:57 PM PST by tacticalogic
[ Post Reply | Private Reply | To 11 | View Replies]

To: testforecho
All of this is easier said than done.

For every FBI hack out there, there are 1000 hackers who will spot the FBI code and come up with ways to foil it.

22 posted on 11/20/2001 2:58:35 PM PST by Brookhaven
[ Post Reply | Private Reply | To 1 | View Replies]

To: go star go
Actually, the best way to defeat this is to design PGP to crash the instant it's opened on a Magic Lantern-infected box.
23 posted on 11/20/2001 3:05:26 PM PST by Poohbah
[ Post Reply | Private Reply | To 17 | View Replies]

To: Poohbah
<< "Actually, they do--because they don't count actual keystrokes, they parse the value entered into the user ID and password fields, regardless of source--just like Windows does." >>

What's the definition of "parse the value?" Are you saying each character on a keyboard has a value that can be read even after being CNTL/V'd onto a screen?

24 posted on 11/20/2001 3:05:27 PM PST by Nita Nupress
[ Post Reply | Private Reply | To 18 | View Replies]

To: testforecho
Bwah hah hah ha........ahah!
25 posted on 11/20/2001 3:05:57 PM PST by Mat_Helm
[ Post Reply | Private Reply | To 1 | View Replies]

To: tacticalogic
Cut and paste would get around the key logging software, but would require that you have the encryption keys stored in a file on the computer to cut and paste from. If they can find that file, they don't need the key logging software.

This is possibly the only time in a woman's life where something being described as "floppy" would be a good thing. ;-)

26 posted on 11/20/2001 3:09:35 PM PST by Nita Nupress
[ Post Reply | Private Reply | To 21 | View Replies]

To: testforecho
Why not just have the virus "patch" PGP?

"Encryption keys are unbreakable by brute force,..."

The author lost all credibility with me at this point.

27 posted on 11/20/2001 3:11:40 PM PST by The Duke
[ Post Reply | Private Reply | To 1 | View Replies]

To: Nita Nupress
No, the entire password input box contains a value, such as "t4@!dd_KqZ$h" (if the user has a strong password) or "password" (if the user is an idiot). That value is passed into the PGP program through a standard Windows Foundation Class library function call. It sounds like the Magic Lantern software grabs that value and copies it to its own buffer. Keystroke logging takes entirely too much memory--suppose it was a guy composing an opus which would take ten pages to print out before hitting "ENCRYPT." Also, the cut-paste would be an easy dodge--so the FBI would look for a way around it before anyone else would think of it.
28 posted on 11/20/2001 3:12:13 PM PST by Poohbah
[ Post Reply | Private Reply | To 24 | View Replies]

To: tacticalogic
Laptop or second pc running Linux, and not connected to the internet, with the encryption software on it. Encrypt, then sneakernet to the internet connected computer for transmission. Duh.

Damn, you just defeated the FBI! :-)

29 posted on 11/20/2001 3:14:52 PM PST by oc-flyfish
[ Post Reply | Private Reply | To 4 | View Replies]

To: Poohbah
Thanks.
30 posted on 11/20/2001 3:17:55 PM PST by Nita Nupress
[ Post Reply | Private Reply | To 28 | View Replies]

To: Nita Nupress
This is possibly the only time in a woman's life where something being described as "floppy" would be a good thing. ;-)

There are rare occasions when floppy is better, as anyone who's had to roll up a garden hose in the winter will attest to.

31 posted on 11/20/2001 3:21:46 PM PST by tacticalogic
[ Post Reply | Private Reply | To 26 | View Replies]

To: Poohbah
Yes, you are probably right. Also, they can "hide" the program so it doesn't show up under task manager so you don't know that it is running.

As for AV software... if they were in bed with the FBI then they wouldn't make it part of their pattern files.

32 posted on 11/20/2001 3:23:12 PM PST by oc-flyfish
[ Post Reply | Private Reply | To 28 | View Replies]

To: Brookhaven
I agree. This reminds me of the file sharing/swapping software out today.

Once the genie has been let out of the bottle, there's no putting it back.

33 posted on 11/20/2001 3:23:17 PM PST by rdb3
[ Post Reply | Private Reply | To 22 | View Replies]

To: oc-flyfish
Might be able to hide it in the home versions of Windows...but would they be able to do that in the NT/2000 variants?
34 posted on 11/20/2001 3:24:22 PM PST by Poohbah
[ Post Reply | Private Reply | To 32 | View Replies]

To: Poohbah; Nita Nupress
What about the "hushmail" program, where the passphrase is generated by passing the mouse over a hidden grid? Is that a more difficult system to "break"?
35 posted on 11/20/2001 3:29:56 PM PST by logos
[ Post Reply | Private Reply | To 34 | View Replies]

To: logos
The grid can't be TOO hidden, and neither can the passphrase.
36 posted on 11/20/2001 3:31:24 PM PST by Poohbah
[ Post Reply | Private Reply | To 35 | View Replies]

To: testforecho
I don't know a whole lot about hacking but... isn't this old technology? Back when corporate America was into counting key strokes AutoCad had a lisp that would log your keystrokes. I used to disable it to conserve memory and increase the speed of the machine.
37 posted on 11/20/2001 3:31:37 PM PST by SSN558
[ Post Reply | Private Reply | To 1 | View Replies]

To: testforecho
A few security tips.
Use the Zonealarm firewall (free for personal use), or something similar.
Avoid Microsoft products.
Binary (non-text) files sent by email are a major security risk...
Avoid or minimize their use. Do not accept a non-text file from someone
you don't know, and then only with a reason to do so.
Be careful with email attachments.
Older, or text-only email readers, are more secure than new email readers.
IMO, every new feature is a security risk.
38 posted on 11/20/2001 3:35:31 PM PST by greasepaint
[ Post Reply | Private Reply | To 1 | View Replies]

To: testforecho
You don't need Windows for that...It could be done on any platform.
39 posted on 11/20/2001 3:38:24 PM PST by Psycho_Bunny
[ Post Reply | Private Reply | To 1 | View Replies]

To: Poohbah
Sorry. Sloppy choice of words on my part. Rather than being hidden, the grid from which the passphrase on "hushmail" is generated is a "blind" grid. Would this Magic Lantern software be able to pick that up - not even the user knows what his passphrase is in this system.

You're absolutely right that nothing can be "TOO hidden;" any security system that one person can devise, another person can break, given sufficient time and motivation.

40 posted on 11/20/2001 3:46:41 PM PST by logos
[ Post Reply | Private Reply | To 36 | View Replies]

