In a little-publicised case of bomb threats that had been going on for months against US public buildings such as universities, hotels and airports, an anonymous caller identifying himself as a friend of James Holmes repeatedly warned the FBI that if the Colorado cinema shooter was not released, a building full of people would be blown up using ammonium nitrate.
An Emergency Disclosure Request sent to Google revealed that the caller was using the Google Voice VoIP service to make the bomb threats while masking his computer's IP address with a free VPN service called HotSpotShield (from AnchorFree).
Subsequent bomb threats included numerous email exchanges, a chat between the suspect and an FBI agent over Yahoo Messenger, and photographs the suspect sent to the FBI of, supposedly, himself dressed in an Iranian camouflage military uniform.
The FBI trojan horse is referred to in the search warrant application as a Network Investigative Technique (NIT). It was sent to the suspect’s Yahoo email address “texan.slayer@yahoo.com” in the form of a link; it was meant to execute when the suspect logged into his email account, connect to FBI servers and download malware that would report the following to law enforcement:
– the computer’s IP address, the network card’s MAC address, a list of open ports, a list of running programs, the operating system and Windows serial number, the web browser brand and version, the computer’s language encoding and default language, the time zone, previously visited websites and any other identifying information that could be of assistance.
The document shows that the trojan horse failed to execute correctly, but not before revealing that the person making the bomb threats was doing so from Iran.
There is no specific information about how the FBI executed the malware, but since a download link is mentioned, I will make a guess, without backing evidence, as to how it could have been done: the trojan horse could have been embedded in an HTML-formatted email and executed with JavaScript as soon as the suspect opened the message.
A list of normally secretive companies and products used by over 150 governments around the world to spy on and hack into people’s computers has come to light thanks to the Wall Street Journal’s Surveillance Catalog project. These confidential brochures explain what products governments use for mass surveillance; some of the prospectuses have been partially blacked out, as specific technical information is only available to authorised law enforcement personnel.
The surveillance tools are sold to law enforcement agencies and some corporations, and their legality depends on the laws of the country where they are applied. The tools have often been found in the hands of repressive regimes such as China or Iran; since censoring the web and mass spying are allowed in those countries, their use there is perfectly legal.
Note: in addition to these private contractors’ products, well-resourced countries also develop their own custom hacking tools in-house.
Software for Internet surveillance
Mobile phone tracking: Septier Location Tracking provides mobile phone tracking, lawful interception and intelligence gathering by analysing and retaining location data from mobile phone networks. It uses triangulation to work out where a phone is, a technique that looks at the signal strength between a phone and the mobile phone towers around it to determine its location. The system can handle all modern mobile networks such as 3G, GSM, Wi-Fi, WiMax, etc.
Linguistic analysis: a company called Expert System Semantic Intelligence sells semantic software called Cogito that can search linguistic data using strict parameters, categorise data and extract entities such as people and organisations. After the data has been sifted, events are flagged, further parsed for early-warning indications, ranked, and then extracted and categorised.
Social network analysis: Intellego studies the relationships in social networks, representing emails, websites and targets as nodes and then linking them to other nodes to produce a graphic of all the connections. The diagram gives a clear picture of who communicates with whom. This kind of analysis does not necessarily involve public data on Facebook; it can involve analysis of private data, and it allows investigators to easily spot a target’s relationships.
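The signal-strength technique described above is easy to underestimate, so here is an added worked example (not Septier’s code or algorithm, and not from the original article) showing how a position can be recovered from three towers’ received signal strength readings. It assumes a log-distance path-loss model with made-up parameters (`P0`, `N`) and constructed tower coordinates; a real system would fit those parameters per network and combine many more measurements.

```python
import math

# Assumed path-loss parameters (illustration only, not values from any real network).
P0 = -40.0   # RSSI in dBm at a reference distance of 1 m
N = 2.7      # path-loss exponent, roughly an urban environment


def rssi_to_distance(rssi_dbm, p0=P0, n=N):
    """Invert the log-distance model RSSI = P0 - 10 * n * log10(d) to get d in metres."""
    return 10 ** ((p0 - rssi_dbm) / (10 * n))


def rssi_at(distance_m, p0=P0, n=N):
    """Constructed helper: the RSSI a tower would report for a phone at this range."""
    return p0 - 10 * n * math.log10(distance_m)


def trilaterate(circles):
    """circles: three (x, y, radius). Subtracting the first circle equation from the other
    two removes the quadratic terms and leaves a 2x2 linear system, solved by Cramer's rule."""
    (x1, y1, d1), (x2, y2, d2), (x3, y3, d3) = circles
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        # Collinear towers give two mirror-image solutions; a fourth tower is needed.
        raise ValueError("towers are collinear; position is not uniquely determined")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return x, y


def locate(readings):
    """readings: three (tower_x, tower_y, rssi_dbm) tuples. Returns the estimated (x, y)."""
    circles = [(tx, ty, rssi_to_distance(r)) for tx, ty, r in readings]
    return trilaterate(circles)


if __name__ == "__main__":
    # Constructed scenario: phone truly at (300, 400) m, towers at three corners of a 1 km square.
    truth = (300.0, 400.0)
    towers = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
    readings = [(tx, ty, rssi_at(math.dist(truth, (tx, ty)))) for tx, ty in towers]
    print("estimated position:", locate(readings))
```

With noise-free readings the estimate is exact; real RSSI values fluctuate by several dB, which the exponent in the path-loss model turns into tens of metres of error, so production systems use more towers and a least-squares fit rather than this three-circle solve.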
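To make the node-and-link idea concrete, here is an added example (not Intellego’s product or code, and not from the original article) that builds the kind of communication graph described above from message headers, ranks addresses by how many distinct contacts they have, and finds the shortest chain of intermediaries between two addresses. The addresses and messages are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample: sender and recipients from a handful of message headers.
MESSAGES = [
    {"from": "alice@example.org", "to": ["bob@example.org", "carol@example.org"]},
    {"from": "bob@example.org",   "to": ["alice@example.org"]},
    {"from": "carol@example.org", "to": ["dave@example.net"]},
    {"from": "dave@example.net",  "to": ["carol@example.org", "erin@example.net"]},
    {"from": "alice@example.org", "to": ["dave@example.net"]},
]


def build_graph(messages):
    """Each address is a node; each sender/recipient pair is an undirected edge whose
    weight counts how many messages passed between the two."""
    weights = defaultdict(int)
    for msg in messages:
        for rcpt in msg["to"]:
            if rcpt != msg["from"]:
                weights[tuple(sorted((msg["from"], rcpt)))] += 1
    adjacency = defaultdict(dict)
    for (a, b), w in weights.items():
        adjacency[a][b] = w
        adjacency[b][a] = w
    return adjacency


def degree_ranking(adjacency):
    """Addresses ordered by number of distinct contacts (ties broken alphabetically)."""
    return sorted(((node, len(nbrs)) for node, nbrs in adjacency.items()),
                  key=lambda item: (-item[1], item[0]))


def shortest_path(adjacency, src, dst):
    """Breadth-first search: the fewest hops linking two addresses, or None if unconnected."""
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nbr in adjacency[node]:
            if nbr not in parents:
                parents[nbr] = node
                queue.append(nbr)
    return None


if __name__ == "__main__":
    graph = build_graph(MESSAGES)
    for address, degree in degree_ranking(graph):
        print(f"{address}: {degree} contacts")
    print(shortest_path(graph, "bob@example.org", "erin@example.net"))
```

Even this toy graph shows why metadata is sensitive on its own: the most-connected nodes and the chains between people emerge without reading a single message body, which is the point the catalogue entry makes about private data.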
Social network analysis
Installing trojan horses: FinFly ISP can disguise a trojan horse as popular software such as updates for the Firefox browser, Adobe Flash or Java. Once the user agrees to the update, as people routinely do, a trojan horse that sends private data to a surveillance agency and is not detected by any antivirus is downloaded to his computer. This British company (Gamma Group) claims that it can work with an ISP to distribute a trojan horse to users. Its latest product, FinFly Web, can infect targets with a trojan on the fly when they simply visit a website.
Deep packet inspection: OnPath Technologies claims to provide “lawful interception” of Internet communications by taking all the traffic from the Internet backbone (i.e. the ISP) and funnelling it through hardware devices that inspect data packets, determine what is inside them and decide whether the data needs to be forwarded to a law enforcement agency for inspection.
Deep packet inspection device
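The same packet-inspection mechanism is what an intrusion detection system does on the defender’s side, so here is an added example (not OnPath’s product or code, and not from the original article) of the core step: parse an IPv4/TCP packet down to its payload and decide whether to forward it or flag it against a signature list. The packets are constructed in the block with `struct`; the signatures detect cleartext credentials leaving a network, a common defensive use of DPI.

```python
import socket
import struct

# Constructed signature list: byte patterns a defender would want to see flagged.
SIGNATURES = [
    ("cleartext-basic-auth", b"Authorization: Basic "),
    ("cleartext-ftp-password", b"PASS "),
]


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    """Constructed helper: assemble a minimal IPv4 + TCP packet (checksums left at zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return the 5-tuple and payload of an IPv4/TCP packet, or None for non-TCP traffic."""
    version_ihl = pkt[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4            # IP header length honours options
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:                           # protocol field: 6 is TCP
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4          # TCP header length honours options too
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": tcp[data_offset:]}


def inspect(pkt, signatures=SIGNATURES):
    """Decide per packet: ('forward', None) or ('flag', signature_name)."""
    info = parse_ipv4_tcp(pkt)
    if info is None:
        return ("forward", None)
    for name, pattern in signatures:
        if pattern in info["payload"]:
            return ("flag", name)
    return ("forward", None)


if __name__ == "__main__":
    # Constructed traffic: one HTTP request carrying a Basic-auth header, one without.
    http_auth = (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
                 b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
    http_plain = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    for payload in (http_auth, http_plain):
        pkt = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 51000, 80, payload)
        print(parse_ipv4_tcp(pkt)["dport"], inspect(pkt))
```

A real DPI or IDS engine reassembles TCP streams before matching, because a pattern that straddles two segments is invisible to per-packet matching like this; and once traffic is TLS-encrypted, the payload is opaque and the device sees only the 5-tuple and handshake metadata, which is why the interception products further down the list turn to man-in-the-middle techniques.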
Hide computer IP: a company called ION (Internet Operations Network) Solutions claims to provide randomly rotating IP addresses that look ordinary and are untraceable. Even law enforcement agencies need to hide their computers’ IP addresses: an agent posing as a bad guy online does not want his IP address to reveal that his computer sits inside FBI headquarters, and hiding an agency’s IP address also avoids tipping off a target that he is under investigation when investigators visit his potentially illegal website for research (servers log visitors’ IP addresses).
Trojan horse on a USB: when physical access to a computer is possible, a solution called FinFly USB can install remote monitoring software (i.e. a trojan) on a target machine simply by inserting a USB thumb drive; it does not require an IT-trained agent. The company claims it has been used by surveillance teams to install “remote monitoring” on target computers that were switched off (by booting the computer from the USB thumb drive).
Interception of encrypted traffic: using a man-in-the-middle approach, a company called Packet Forensics can intercept encrypted SSL and TLS connections and decrypt their contents; with this technique they can listen in on encrypted Voice over IP calls and read email messages sent through SSL tunnels. The company’s brochure literally claims that “users are lured into a false sense of security”, which allows staff to obtain the best evidence. Packet Forensics devices can easily be placed at an ISP or on a private network without causing any noticeable interruption to the service.