Monday, August 19, 2013

Must Read: Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

Steven M. Bellovin (Columbia), Matt Blaze (Penn), Sandy Clark (Penn), and Susan Landau (Harvard; Sun Microsystems) have posted an incredible paper that was presented at the Privacy Legal Scholars Conference in June 2013. The paper is entitled "Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet"; I have a general aversion to the term "must read," so my use of that term is indicative of the quality of the content.

The abstract:

For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, though, the changing structure of telecommunications — there was no longer just “Ma Bell” to talk to — and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which mandated a standardized lawful intercept interface on all local phone switches. Technology has continued to progress, and in the face of new forms of communication — Skype, voice chat during multi-player online games, many forms of instant messaging, etc. — law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, they want changes to the wiretap laws to require a CALEA-like interface in Internet software.
CALEA, though, has its own issues: it is complex software specifically intended to create a security hole — eavesdropping capability — in the already-complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts’ warnings of the danger posed by this mandated vulnerability, but time has proven the experts right. The so-called “Athens Affair”, where someone used the built-in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system.
In this paper, we explore the viability and implications of an alternative method for addressing law enforcement's need to access communications: legalized hacking of target devices through existing vulnerabilities in end-user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable.
Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are:
• Will it create disincentives to patching?
• Will there be a negative effect on innovation? (Lessons from the so-called “Crypto Wars” of the 1990s, and, in particular, the debate over export controls on cryptography, are instructive here.)
• Will law enforcement’s participation in vulnerabilities purchasing skew the market?
• Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role?
• Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals?
• What happens if these tools are captured and re-purposed by miscreants?
• Should we sanction otherwise-illegal network activity to aid law enforcement?
• Is the probability of success from such an approach too low for it to be useful?
As we will show, though, these issues are indeed challenging. We regard them, on balance, as preferable to adding more complexity and insecurity to online systems.

Thursday, March 7, 2013

A fantastic social engineering infographic

I thought this was particularly well done:

Hacking the Mind with Social Engineering
Infographic by Veracode Application Security

Monday, July 23, 2012

The End of DarkComet RAT - Part 3: Could the creators of RATs (or similar software analogues) be prosecuted (law)

And now, on to the finale - could DarkCoderSc be prosecuted for creating, supporting, and distributing the DarkComet RAT?

NO (in the United States)

First, DarkComet RAT can be easily distinguished from Mariposa and Blackshades, on the following grounds:

1. DarkCoderSc never sold what he made - there was no profit motive, and thus one could argue, no intent to defraud.

2. As far as I know, DarkCoderSc was never affiliated with any illicit group as the Blackshades RAT creator was - which would make that person liable for numerous charges, not the least of which would be conspiracy under the CFAA.

3. At least with respect to Mariposa, DarkComet RAT had legitimate uses. You could use it for remote administration, to monitor your kids, and for legitimate purposes not otherwise specified. On the other hand, it is hard to argue legitimate uses for a botnet such as Mariposa.

Second, as many readers have pointed out, there is the "what about Metasploit and Backtrack" argument. Namely, those two tools, combined, have probably pwned more computers than DarkComet RAT, yet the creators of those tools (who do have a profit motive) are not prosecuted for such activity. Circumventing these types of arguments would be a prosecutor's nightmare; I would love to hear anyone's possible argument around those, or a different way to distinguish DarkComet/DarkCoderSc.

As I mentioned in the previous post, an interesting argument could be made along the lines of MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005) - specifically, that a tool that had no legitimate legal uses could be a violation of XXX law. I say XXX law, because the Grokster case was based on the Lanham Act (and a judicially created standard of contributory infringement). However, as stated above, this sort of law might be used to prosecute other software creators - but because DarkComet has legitimate uses (see above), even this law would be ineffective. But is law XXX, making it illegal to create illicit hacking tools, off the table? I don't think it should be.

In fact, it is the law in other countries - Germany's "Anti-Hacking Law", Section 202c of the StGB, states "[w]hosoever prepares the commission of an offence under section 202a or section 202b by producing, acquiring for himself or another, selling, supplying to another, disseminating or making otherwise accessible… (2) software for the purpose of the commission of such an offence" is subject to prison time of up to a year. See this document describing the law a little further, with recommendations for security professionals. As the article states, the regular use of penetration testing tools does not fall within the ambit of the law, as long as the purpose is legal and everything is above board. The law is aimed at those tools that are developed for, or aimed at, perpetrating cybercrime.

Such a law for the United States, to return to a normative argument for a second, should be considered. It would immunize Metasploit, Backtrack, etc., but go after those who create the software solely for criminal intentions.

To see the earlier parts of this series follow the links below:

The End of DarkComet RAT - Part 1: The Introduction
The End of DarkComet RAT - Part 1: The Introduction - Update
The End of DarkComet RAT - Part 2: Should the creators of RATs (or similar software analogues) be prosecuted (ethics)
The End of DarkComet RAT - More Technical Details

Wednesday, July 11, 2012

The End of DarkComet RAT - Part 1: The Introduction - Update

I forgot to mention the story from last year about how DarkComet was ported to Mac computers - facts are important - if for no other reason than to bolster the argument that DarkComet's uses are likely more malicious than condoned.

Before you rail against me - let me note as an aside that I recognize the Metasploit, Backtrack, Core Impact, etc, etc, etc. argument against criminal enforcement. They are legal tools that do the same, and they generate more money (exponentially) than DarkCoderSc could have ever made with DarkComet. That's the beauty of a three-part series. At the end, rail away. Comments are not only allowed, but encouraged throughout the process. But please, vindicate or vilify me when appropriate.

~J

The End of DarkComet RAT - Part 1: The Introduction

If you are not aware, the author of the DarkComet RAT (Remote Administration Tool) has stopped offering the software, and stopped updating it - a move that has somehow been argued to be a victory for law enforcement, although they didn't actually do anything. Yes, I have heard of deterrence. However, I will leave for another day whether or not the creator of this software should or could actually be liable for the damage it has caused. Thus, in this three-part series, I will: (1) introduce the tool, (2) discuss whether there should be legal implications for creators of such tools, and (3) discuss whether there could be legal implications.

THE INTRODUCTION
From the beginning - a RAT is a Remote Administration Tool. Essentially, this type of tool allows a remote user to exercise control over your machine - it can take pictures of the user of the computer, make changes to the computer's configuration, read/write documents, and pretty much anything else you can think of - in hacker terms, you have been "pwned." It is a complete invasion of privacy for the individual, and a complete breach for a corporation. Hackers prepare to take advantage of a RAT by "packing" it - which means the guts of the program are rearranged (code-wise), or the tool is compressed using a novel method. A good packer will allow this program to scoot by an average (or high-security) user's anti-virus, and coupled with an exploit, allow the hacker to take full control as described above. There are a plethora of "packers" and new ones every day - so anti-virus companies (whose methods are typically signature based) cannot keep up with the evolution of newly packed malware that, in the end, is the same malicious piece of software. Hackers will often test their newly packed versions against VirusTotal - a site which runs a binary through a multitude of anti-virus products, and reports whether or not it is picked up. The holy grail is 0/40, aka undetectable - and this is even taking into account the heuristics and "learning" that AV vendors claim to have injected into their detection engines. Individuals might also use "crypters," which encrypt the code in various ways to defeat antivirus detection - see below.

What is novel about the DarkComet RAT is that it has always been free to whoever wanted to use it, for whatever purpose. Now, instead of being able to download it, users are greeted with a message from the creator, DarkCoderSc, noting his decision to stop allowing it to be downloaded and further updated. There has been speculation that this decision was tied to the discovery of Syria using this tool to spy on dissidents, as well as the software writer's fear that he could be prosecuted for the criminal acts of others - from his statement: "Like it was said above because of the missuse [sic] of the tool, and unlike so many of you seem to believe i can be held responsible of your actions [sic], and if there is something i will not tolerate is to have to pay the consequences for your mistakes and i will not cover for you."

If you doubt the prevalence or widespread use of this tool - allow me to demonstrate. The images below are from hacker forums (one underground, one a Russian clearnet site):


The first image is from an underground hack bulletin board, asking for information about how to use Tor and DarkComet. The second post is a person advertising a "crypter" - which is like a "packer" but, as the name states, it encrypts instead of packing. As I described above, using crypters or packers makes anti-virus unlikely to detect the trojan. The service this person is offering is to make it "100% FUD", which is hacker jargon for "(F)ully (U)n(D)etectable," updated every 24 hours to continue to evade antivirus.
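To make concrete why the packers and crypters described above (and in the introduction) defeat a signature-based scanner, and what a defender can still measure, here is an added illustration. It is not code from this post and has nothing to do with DarkComet itself: the "payload" is a constructed harmless byte string, the "crypter" layer is a plain seeded XOR keystream standing in for whatever transformation a real crypter applies, and the 7.0 bits/byte cut-off used to flag compressed or encrypted regions is an assumed rule of thumb, not a figure from the post. The same payload is scanned twice, once as written and once behind the crypter layer: the fixed byte signature matches only the first, while a per-window Shannon entropy heuristic flags the second.

```python
import math
import random
from collections import Counter

# --- Constructed inputs (harmless text, not a real binary or RAT) ------------
# Loader stub: 32-byte lines repeated to exactly 1024 bytes, so it fills the
# first analysis window on its own.
STUB = b"STUB: decode body then jump".ljust(32, b".") * 32
# Program body: a repeated marker string standing in for the unchanged payload.
BODY = (b"constructed stand-in for a program body; "
        b"SampleRATBuild v0.0 config=demo;") * 40
# The byte pattern a signature-based scanner might key on (constructed).
SIGNATURE = b"SampleRATBuild v0.0"


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte: 0.0 for constant data, 8.0 for a
    perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_keystream(data: bytes, seed: int) -> bytes:
    """Reversible XOR with a seeded pseudorandom keystream. This is the bare
    minimum of what the post calls a 'crypter': the payload is unchanged, only
    its on-disk bytes are, which is exactly what defeats a fixed signature."""
    key = random.Random(seed).randbytes(len(data))  # Python 3.9+
    return bytes(a ^ b for a, b in zip(data, key))


def signature_hit(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """The signature scanner's view: does the known byte pattern occur verbatim?"""
    return signature in sample


def high_entropy_windows(sample: bytes, window: int = 1024,
                         threshold: float = 7.0) -> list:
    """Offsets and entropies of fixed-size windows at or above the threshold.
    7.0 bits/byte is an assumed rule-of-thumb cut-off for compressed or
    encrypted data, not a figure taken from the post."""
    hits = []
    for off in range(0, len(sample) - window + 1, window):
        h = shannon_entropy(sample[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def build_samples() -> tuple:
    """The same payload twice: once as written, once behind a crypter layer."""
    plain = STUB + BODY
    crypted = STUB + xor_keystream(BODY, seed=2012)
    return plain, crypted


def analyse(sample: bytes) -> dict:
    """What a scanner sees from each angle."""
    windows = high_entropy_windows(sample)
    return {
        "signature_hit": signature_hit(sample),
        "entropy": round(shannon_entropy(sample), 2),
        "high_entropy_windows": len(windows),
        "first_suspicious_offset": windows[0][0] if windows else None,
    }


if __name__ == "__main__":
    plain, crypted = build_samples()
    print("plain   :", analyse(plain))
    print("crypted :", analyse(crypted))
```

Running it shows the asymmetry the post describes: the plain sample trips the signature and has no high-entropy windows, while the crypted sample has no signature hit at all but two consecutive 1024-byte windows above the threshold, starting right after the stub. Entropy alone is only a lead (legitimately compressed or encrypted data looks the same), which is why scanners pair it with unpacking and behavioural analysis rather than relying on byte patterns.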

There is no doubt that DarkComet is all over the place, and even as he has withdrawn it from the market by not allowing anyone to download it from his site anymore, there are plenty of versions floating around the interwebs - so it is not going away soon. As others have reported, the author's change of heart likely arises from the arrests of the Mariposa botnet creator and also, more recently, the arrest of the Blackshades RAT creator as part of the Carder Profit bust.

I think the creator of DarkComet can be separated from the cases above, though, because he has always offered his software for free, and thus does not make a profit on illicit use of it. A small distinction, but a legally significant one.


In the next part I will discuss whether or not DarkCoderSc (or other RAT creators) should be prosecuted or held legally liable for his RAT.