Wednesday, May 04, 2016 (08:59:42)

Arsenal Reveals Sophisticated Evidence Tampering Involving Turkish Journalists

Arsenal Consulting President Mark Spencer’s article in Digital Forensics Magazine (Issue 27, published May 1) describes how his firm uncovered evidence tampering which led to the wrongful imprisonment of Turkish investigative reporter Baris Pehlivan and his colleagues at Odatv. Odatv runs one of the most popular news websites in Turkey and has a reputation for being critical of the current government, controlled since 2002 by the Justice and Development Party. Mr. Pehlivan and his colleagues are currently on trial and accused of supporting the Ergenekon terrorist organization. Ergenekon is an alleged secularist “deep state” in Turkey with ties to the military, academia, NGOs, and the media whose supporters are charged with plotting to overthrow the government.

“Arsenal has a great deal of experience identifying evidence tampering, but even we were surprised by the volume and nature of the attacks against Mr. Pehlivan’s Odatv computer,” Mr. Spencer said. “Unfortunately for Mr. Pehlivan and his colleagues, these attacks were ultimately successful and resulted in their imprisonment.”

Arsenal used an analysis technique known as “Anchors in Relative Time” to reveal critical details about the attacks – details other digital forensics experts missed. This analysis technique allows digital forensics experts to determine when, in relative time, important events have occurred within electronic evidence, even when all the dates and times associated with those events cannot be trusted. Anchors in Relative Time has become one of Arsenal’s most powerful weapons when confronting sophisticated evidence tampering.

Mr. Spencer will be discussing the analysis of Mr. Pehlivan’s Odatv computer at the Internet Security Operations and Intelligence conference in San Francisco, CA on May 12 and the High Technology Crime Investigation Association’s Mid-Atlantic Chapter meeting in Manassas, VA on May 19.

About Arsenal Consulting

Arsenal provides digital forensics services to law firms, corporations, and government agencies by leveraging battle‐tested digital forensics tools and techniques refined through many years of research and development. Using the most powerful tools and techniques, Arsenal uncovers smoking guns that others simply cannot. Arsenal is headquartered in the Chelsea Naval Magazine, a historic military structure in which arms for the celebrated heavy frigate USS Constitution were stored, just outside Boston, Massachusetts.

Contact:

Mark Spencer
[email protected]

• Posted by: spencerforhire
• Topic: News

• Printer Friendly Page
• Send to a Friend

Three new changes in federal court rules have vastly expanded law enforcement’s ability to hack into computers around the world.

The changes, to a federal court procedure known as Rule 41, were announced last week by the Supreme Court. They would let magistrate judges routinely issue search warrants to hack into computers outside their jurisdiction. The changes would also let magistrates issue a single search warrant for numerous computers in multiple jurisdictions, saving law enforcement the burden of having to obtain a separate warrant for each computer. This means a judge in Virginia could issue a single warrant for computers in California, Florida, Illinois and even overseas.

The government says the changes are minor but necessary to keep pace with cross-border internet crime and anonymizing software like Tor that hides the real IP address and location of computers. But civil liberties groups say the amendments let authorities conduct expansive hacking operations with little oversight, potentially threatening the security and privacy of innocent parties. They’re also alarmed that the changes suggest the government aims to hack the computers of crime victims—not just perpetrators.

One senator, Ron Wyden (D—Oregon), has already promised to introduce legislation that would halt the changes to Rule 41, but he only has seven months to get it passed.

Here’s a breakdown of the three changes and why they’re so controversial.

What Are the Proposed Changes to Rule 41?

Rule 41 governs how search warrants are requested and executed in federal cases, including the authority magistrates have to issue them. The Justice Department can request changes to the rules, which the US Supreme Court can approve or reject.

There are effectively three changes(.pdf) the Justice Department has requested.

The first would let magistrate judges issue search warrants to remotely search—essentially hack—computers outside their jurisdiction if the location of the computer has been intentionally concealed through technical means. Currently magistrates can only issue warrants to search and seize property within their court’s jurisdiction, with exceptions (for example, property that might move out of the district before a search can be executed or property located in a US territory or embassy overseas). The proposed change would mean that when a hacker or child pornographer uses Tor or some other proxy to conceal their real IP address and location, law enforcement would not be required to determine the location of the computer to get permission to hack it.

That change is fairly straightforward. But the second amendment is more complicated.

One Warrant for Multiple Searches, Including Victims

The second amendment would let magistrates issue a warrant outside their jurisdiction when the computers to be searched are part of a cybercrime investigation, have been “damaged without authorization” and “are located in five or more districts.” The rules committee says the amendment “would eliminate the burden of attempting to secure multiple warrants in numerous districts” and allow a single judge to oversee an investigation. But the description of the computers to be searched has nothing to do with criminal suspects, critics point out, and instead refers to victims’ computers.

The government cited two sample cases to explain why it needed this amendment. The first involved an unidentified child porn case, which may be the Freedom Hosting case in 2013, which occurred a few months before the government requested the rule changes. In that case, investigators wanted a search warrant giving them authority to embed surveillance software on a child porn site that would infect and identify the real IP addresses of visitors to the site. They apparently got it, because the infections did occur.

The Justice Department may have worried, however, that once it took the child porn suspects to court, judges might object to them using a single search warrant to infect multiple machines. If they were concerned about this, they had good reason, as evidenced by a ruling in another child porn case last month. In this case, the FBI and law enforcement partners hacked some 4,000 computers belonging to members of the child porn site Playpen, whose IP addresses were obscured. A magistrate in Virginia issued a warrant allowing the FBI to infect the computers of anyone who visited Playpen. But last month, a Massachusetts judge ruled the warrant was invalid outside the Virginia court’s district, marking the first time a judge threw out evidence over Rule 41 jurisdictional issues.

In the child porn examples, the targets of the searches were all criminal suspects. But that’s not the case in the second sample case the Justice Department cited to support its request for Rule 41 changes.

This second scenario involves a botnet, which are networks of thousands or even millions of computers that attackers infect with malware and then control with remote commands to commit other crimes. A multi-computer search warrant in this case, the Justice Department says, would let law enforcement seize information to gather “evidence about the scope of the botnet and how the botnet might be dismantled.”

But critics like computer scientist Steve Bellovin say searching victims’ computers isn’t necessary. “[T]the computer security community has had great success studying botnets and locating their ‘command and control’ nodes without hacking into other victim computers,” Bellovin wrote in comments that he and two other computer scientists (.pdf) sent to the committee evaluating the changes. In the case of known botnet malware, they can consult computer security firms to get samples of the malware and learn how it works. These firms can even point the FBI to the command servers that control the botnet to help dismantle it.

Aside from the fact that letting the FBI search unlimited victim machines would violate the particularity rule—which requires search warrant applications identify the specific computers or devices to be searched—a wide swath of people would potentially be affected by such searches. Botnet victims, Amie Stepanovich, US policy manager at Access Now points out, can include journalists, dissidents, whistleblowers, military personnel, lawmakers, and corporate executives.

“[T]he proposed change would subject any number of these users to state access to their personal data on the ruling of any district magistrate,” she wrote to the rules committee.

The Center for Democracy and Technology also points in its comments to the rules committee that although the government used a botnet infection as an example of a case where it might seek to search the computers of victims, the actual amendment refers to any machine damaged in the commission of a crime as defined by the Computer Fraud and Abuse Act. This would conceivably apply to any computer infected with a virus or other malware.

“Approximately 30 percent of all computers worldwide, as well as in the United States, are estimated to be infected with some type of malware,” the group wrote. “The number of computers that may therefore be subject to multidistrict searches under the proposed Rule 41 amendment is massive.”

Notice of Search

The third Rule 41 change is even more tricky. Law enforcement has to find a way to tell people when a search of their property has occurred. With in-person searches, this is easy to do. They either hand notice “to the person from whom, or from whose premises, the property was taken” or leave a notice “at the place where the officer took the property.” But this is challenging with remote searches when the computer’s “place” and computer owner are unknown. Under the amendment, law enforcement “must make reasonable efforts” to serve a copy of the warrant on the person whose property was searched, which “may be accomplished by any means, including electronic means.”

This concerns civil liberties groups, since an email notification or pop-up message from law enforcement could easily look like a phishing attack to a botnet victim and be ignored. Enterprising hackers would also adopt this as a tactic to trick users into clicking on malicious links or attachments.

The wording of all of these changes is sufficiently vague that, as with most controversial issues, the devil is in the details and how law enforcement would interpret and implement these authorities in practice.

What Are the Big Concerns?

Critics of the proposed Rule 41 changes have essentially four concerns.

“Remote search” is too vague.
The government doesn’t say what it means by “remote search” in its proposed amendments, raising concern that it could encompass a wide variety of hacking techniques—from simply collecting an IP address to something more invasive like activating a computer’s microphone or webcam. In a 2013 case, the FBI sought a warrant to install surveillance software on an anonymous hacker’s computer that would not only identify his IP address but also activate his webcam to take pictures of whoever used the machine during the 30 days the warrant was active. The magistrate rejected the request (.pdf) based on Rule 41 jurisdictional issues—the location of the computer was unknown—and also pointed out that activating the webcam constituted video surveillance, which carried extra burdens of probable cause that the government hadn’t met.

Fewer judges and warrants mean less oversight.
Orin Kerr, a former federal cybercrimes prosecutor who is on the judicial rules committee that evaluated the proposed amendments, has expressed concern that letting a single magistrate issue one warrant for multiple searches would facilitate “forum shopping”—where prosecutors seek warrants only from magistrates known to be sympathetic to the government. When investigators are forced to obtain separate warrants for computers in different jurisdictions, this provides opportunity for better oversight, since different judges will have different concerns. The Justice Department has argued that there is a benefit to having a single judge familiar with an investigation oversee all warrants in a case.

Surveillance software can harm computers.
Surveillance software installed on computers carries potential consequences that are difficult to estimate and don’t really exist with traditional, physical searches.

“[I]n the physical world, agents of law enforcement can be reasonably confident that breaking and entering into premises won’t cause the entire building to fall down,” the Center for Democracy and Technology wrote in comments objecting to the amendments. “In cyberspace we cannot be so confident.”

Bellovin and his two colleagues noted that given the stealth characteristics that remote search software must have—it must run with the highest administrative privileges on a machine in order to hide itself and examine hidden parts of a machine—“it is more likely to cause unanticipated problems….[and] if it is used on enough machines, [for example] when doing a large-scale search of bots, there almost certainly will be problems on some of them.”

Magistrates don’t understand how the technology works well enough to provide proper oversight.
All of these other problems are exacerbated, critics say, by the fact that courts and magistrates don’t have the expertise needed to understand the capabilities of government hacking tools.

“We know nothing about how these things operate,” Joseph Lorenzo Hall, chief technologist for CDT, told WIRED. “Are [these things] engineered to be minimally risky to the targets and potential victims? We have no idea, and judges don’t know to ask that, and they don’t have the expertise to examine even if they did have.”

Due to all of these concerns, critics want Congress to weigh in on the rule changes, instead of leaving them up to the courts.

What Comes Next?

The proposed changes were submitted by the Justice Department to a judicial review committee in 2013 and, after a three-year review process, passed to the Supreme Court this year for approval, which the Court gave last week. Now lawmakers have 180 days to reject or amend them, as Wyden hopes to do, before the changes go into effect December 1.

By law, the federal courts are not allowed to make rule changes that are more than merely procedural—only Congress can do that. Critics hope that lawmakers agree that these amendments amount to substantive changes with clear Fourth Amendment implications. They’re calling on Congress to weigh in with a specific statute that would single out how government hacking technologies should be used, in the same way that similar statutes addressed wiretapping and other technologies as they emerged over the years.

“The accessing of thousands of computers by the government. . . should be the subject of a statute passed by Congress—not a short simple procedural rule, but a complex multi-provisioned statute that says who is allowed to do this, when they are allowed to do it, what justifies doing it, to whom it can be done and the procedures for doing it,” says Peter Goldberger with the National Association of Criminal Defense Lawyers.

There is one major distraction, however, that might prevent Congress from acting within the 180-day window it has to reject the amendments—the upcoming elections in November. Lawmakers seldom do anything substantial during lame-duck sessions.

Goldberger notes, however, that if they don’t have time to properly address the issue this year, they could also just pass a law suspending the 180-day deadline so they can take it up next year.

Go Back to Top. Skip To: Start of Article.