Incident of the Week: OIG Reports that the FBI Routinely Circumvented Electronic Communications Privacy Act

Posted on January 29, 2010 by Gabriel M. Helmer

A report entitled A Review of the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records (.pdf) from the Department of Justice Office of the Inspector General (OIG) indicates that between 2003 and 2005, FBI routinely "circumvented the requirements of the Electronic Communications Privacy Act (ECPA)" by using so-called "exigent letters" to obtain telephone call data from telecommunications companies.  The ECPA, 18 USC Sec. 2702, provides that service providers will not provide customer data to government authorities, absent a national security letter signed by the Director of the FBI or a subpoena. 

The 700+ "exigent letters" examined by the OIG became common after the terrorist attacks on September 11, 2001.  In reaction to the attacks, a telecommunications company (referenced as "Company A" in the report) provided a "fraud detection analyst" to the FBI's New York field office to access telephone records in response to subpoenas from the U.S. Attorney's Office.  Apparently, over time the Company A analysts began to provide the requested customer data in response to "placeholder" letters signed by FBI special agents while the grand jury subpoenas were in the process of being obtained.  These letters, which claimed "exigent circumstances" and requested the production of customer data before the submission of a subpoena, became known as "exigent letters."  When the FBI's investigation moved to Washington, D.C., three service providers moved analysts into the FBI's offices to respond to the requests for telephone data covered by the ECPA.  

Observations from the OIG report include:

  • The "concept of using exigent letter originated as a time-saving technique" in the wake of 2001 terror attack, but over the years the embedding of service provider analysts with the FBI "led to a culture in which exigent letters and other even less formal and equally inappropriate requests for information became the [FBI Communication Analysis Unit's] accepted and customer method of conducting business."
     
  • Some letters called for the production of thousands of telephone numbers and customer transaction data.
     
  • OIG concluded that exigent letters were issued and customer records were obtained even though the "circumstances . . . were not exigent," including "media leak investigations . . . and other investigations that did not include exigent or life-threatening circumstances."
     
  • The FBI special agent responsible for signing over 100 exigent letters told OIG investigators "that the communications service providers' employees often gave him exigent letters to sign after he had already been given the requested records -- and he simply signed the letters.  This SSA also said that while he realized the exigent letters inaccurately states that grand jury subpoenas had been submitted, he signed the letter because he 'thought it was all part of the program coming from the phone companies themselves[.]'"
     
  • Another FBI special agent responsible for a large number of the letters told the OIG that the telecommunications analyst from "Company A" informed him about the letters and told him that the letters had been approved by legal counsel.
     
  • When asked, the FBI unit chief described the exigent letters as "standard operating procedure."
     
  • Telecommunications company analysts interviewed by the OIG described pressure from the FBI to accept the "placeholder" exigent letters.  One noted: "personally, it wasn't my place to police the police."
     
  • FBI sought court orders under the Foreign Intelligence Surveillance Act (FISA) using customer data obtained through exigent letters in violation of the ECPA.  Howeveragents mischaracterized how the FBI had obtained the data -- suggesting that the data had been properly produced in response to a national security letter or subpoena.
     
  • OIG "found that numerous, repeated, and significant management failures led to the FBI's use of exigent letters and other informal requests for telephone transactional records over an extended period of time."
Tags: , , , , , ,

Incident of the Week: U.S. Law Firms and Public Relations Firms Hit By E-mail Attack

Posted on November 19, 2009 by Gabriel M. Helmer

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week.  On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using "spear phishing" attacks -- personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software.  "Hackers exploit the ability of end users to launch the malicious payloads from within the network by attaching a file to the message or including a link to the domain housing the file and enticing users to click the attachment or link." 

While the FBI indicates that it may not be possible to flag the emails attacks themselves, system administrators will be able to detect the malware infection once a computer has been compromised:

Once executed, the malicious payload will attempt to download and execute the file ‘srhost.exe’ from the domain ‘http://d.ueopen.com’; e.g. http://d.ueopen.com/srhost.exe. Any traffic associated with ‘ueopen.com’ should be considered as an indication of an existing network compromise and addressed appropriately.

The FBI has asked that firms that have detected a breach direct incident response notifications to the Department of Homeland Security and U.S. CERT.

FBI unit chief Bradford Bleier commented to the Associated Press: "Law firms have a tremendous concentration of really critical, private information," and infiltrating those computer systems "is a really optimal way to obtain economic, personal and personal security related information." 

Allen Paller, director of research at SANS Institute, told reporters that an attack on a major New York law firm in 2008 has been linked to a group of Chinese hackers.  Paller told the AP that the hackers going after law firms, "often target companies that are negotiating a major international deal -- anything from seeking a patent on a sensitive new technology to opening a plant in another country."  "The best documents to steal are in the law firm that represents that company."

As hackers become more organized and strategic, law firms may need to reassess the risks they face in light of the value of the information they manage for their clients. 

Links:

 

Tags: , , , , , , ,

Subject of FBI Investigation Reveals Government Concerns About Access to Federal Courts' Public PACER System

Posted on October 6, 2009 by Aaron Wright

Reddit co-founder Aaron Swartz was apparently the subject of an FBI investigation for “participating in a project to take the publicly owned US court records from the PACER database (where they were very expensive to access) and put them on the web.” 

Mr. Swartz has made this information public by releasing the contents of his FBI file, obtained through a Freedom of Information Act request. His file reveals that the FBI was treating his access of PACER as a crime which cost the victim, the Administrative Office of the US Courts, approximately $1.5 million. The file suggests, but does not explicitly sate, that the crime may have been a violation of the Computer Fraud and Abuse Act (18 U.S.C. §1030), as the FBI apparently asked the Administrative Office of the US Courts how Mr. Swartz would have know his access was unauthorized.

The FBI closed its investigation of Mr. Swartz without filing charges. The investigation of Swartz's activity, coupled with questions about what constitutes accessing a computer "without authorization" under anti-hacking statutes (as I previously discussed here), suggests that future efforts to open the PACER system (as well as existing efforts, like RECAP) may meet with some government resistance.

For more on efforts to make the PACER system more accessible to the public se our previous posts on the subject.

Links

Tags: , , , , , ,

Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Posted on September 24, 2009 by Gabriel M. Helmer

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans' personal and financial information.  According to WIRED, the FBI's National Security Branch Analysis Center (NSAC) has compiled a database of  "more than 1.5 billion government and private-sector records" and has been mining this database for use in criminal investigations. The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers. [Note, that this database dwarfs the largest know data breach to date, which involved a mere 130 million records. One hopes that they have policies in place to prevent abuse.]  The records include:

  • International travel records of citizens and foreigners
  • Financial forms filed with the Treasury by banks and casinos
  • 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
  • 730 records from rental-car company Avis
  • 165 credit card transaction histories from Sears
  • Nearly 200 million records transferred from private data brokers such Accurint, Acxiom and Choicepoint
  • 17,000 traveler itineraries from the Airlines Reporting Corporation

This program is picking up speed. Declassified documents obtained by WIRED apparently show that the FBI has 103 full-time employees and contractors devoted to the protect and has requested funding for 71 more.   Funding for the program has expanded from $47.5 million in 2007 to $78.7 million in 2008.  A U.S. Department of Justice document (.pdf) indicates that in 2009 alone, NSAC received 18 new employees and a more than $10 million increase in its budget.

This is not the first data mining project developed for the purposes of investigating terrorism and criminal activities.  In the wake of the September 11, 2001 attack, the U.S. government began development on a data mining project called "Total Information Awareness" or "TIA" which would analyze vast amounts of information regarding financial transactions, travel, health records and other types of customer data to detect terrorism and criminal activity.  The Defense Advanced Research Projects Agency (DARPA) and the Pentagon's short-lived Information Awareness Office was chiefly responsible for this project.  Based on concerns about the scope and privacy implications of the project, Congress pulled funding for the TIA program and shuttered the Information Awareness Office in September 2003. 

The current NSAC program makes it clear that the governments has not given up on efforts to use large-scale data mining in criminal investigations.  To many, however, the program implicate the same privacy concerns as TIA and should be subject to strict scrutiny and oversight.  In 2007, congressmen Brad Miller and James Sensenbrenner sent a letter (.pdf) to the Government Accountability Office asking them to look into the NSAC project. One year later, congressman Miller sent a second letter (.pdf) to the House Committee on Appropriations demanding that funding to NSAC be suspended until the FBI outlines the program's purpose and provides "a clear idea of how NSAC intends to ensure that the program complies" with privacy guidelines.  According to congressman Miller, the U.S. Department of Justice refused to provide any information on the FBI's plan for the program and what information they planned to obtain.  In addition, the FBI apparently told GAO officials that the NSAC program was "not yet 'operational'" in an April 3, 2008 meeting.  In contrast, documents obtained by WIRED apparently indicate that the NSAC data mining operations have been used in prosecuting a number of individuals.

Links:

Tags: , , , , , , , , , , ,

Incident of the Week: Indictments Issue Against The Individuals Behind RNS, Pirate Site for "Pre-Release" Music

Posted on September 10, 2009 by Gabriel M. Helmer

Yesterday, a federal indictment issued charging four individuals for their role in the "Rabid Neurosis" or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to their commercial release.  According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007, RNS obtained and distributed a number of notable albums before they were released, including "Blue Print 2" by Jay-Z, "Encore" by Eminem and "How to Dismantle an Atomic Bomb" by U2. 

The indictment claims that Adil R. Cassim, who used the handle "Kali," was the leader of RNS, while Matthew D. Chow ("RL"), Bennie L. Glover ("ADEG") and Edward L. Mohan, II ("MistaEd") all played high-level roles in the group.  According to federal investigators, these individuals set up and maintained a number of file transfer sites containing thousands of copies of copyrighted music, movies, video games and commercial software.  The Department of Justice press release states that, if convicted, the RNS Four face five years of jail time and a $250,000 fine.

Tags: , , , , , , , , , , , ,

Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Posted on August 13, 2009 by Gabriel M. Helmer

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft.  The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometime install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network. 

Especially when a household computer is shared between parents and children, the installation of peer-to-peer software may make tax returns, bank statements and other personal information saved on that computer available to everyone else on the peer-to-peer network.  During questioning by state and federal investigators, Wood explained that "kids put Limewire on the computer and the parents don't know."  As a result, Wood was able to obtain personal information from approximately 120 different individuals from Massachusetts, New York, Georgia, Florida, Ohio, Iowa, Louisiana, Oregon and California.  He then used this information to create counterfeit checks and driver's licenses and to open credit accounts in the victim's names.

Note that failing to limit the files shared by peer-to-peer software is not just a problem for household computers. In an earlier post, we discussed the problems caused when an employee installed LimeWire at work.  Also note that LimeWire's user guide and FAQ provide directions on how to make sure you are not sharing personal or sensitive information with the world.

Wood's scheme was discovered after he posted an ad on Craigslist.com purporting to sell a "brand new" Apple MacBook Pro for $1,500 and instead shipped a box containing a book and a glass vase instead of a computer.  Working with Seattle Police, the victim set up a meeting with Wood and he was arrested.  Upon investigation, Seattle Police discovered that Wood possessed a number of counterfeit driver's licenses and sought the assistance of the Social Security Administration's Office of Inspector General.  The Kings County Sherriff's Office, FBI, U.S. Postal Inspection Service and U.S. Secret Service's Electronic Crimes Unit also assisted in the investigation. 

Wood pled guilty to violations of federal laws governing identity theft (18 U.S.C. sec. 1038(A)), wire fraud (18 U.S.C. sec. 1343) and the Computer Fraud and Abuse Act (18 U.S.C. sec. 1030(a)(4)).  He is also required to pay over $25,000 in restitution to a number of parties, including Bank of America, American Express and other financial institutions (for the complete list, see the judgment filed in court earlier this week (.pdf)).

Tags: , , , , , , , , , , , ,