FBI must reveal the network investigative technique used to hack more than 1000 computers

Pierluigi Paganini February 22, 2016

The FBI must provide details on the network investigative technique used to hack more than 1000 computers in a case involving child pornography.

In a case involving child pornography, the FBI was ruled by a judge to provide all the code used to hack the PC of suspects and detailed information related to the procedure they have followed to de-anonymize Tor users.

Colin Fieman, a federal public defender working on the case was asked by motherborard.vice.com if the code would include exploits to bypass security features, Fieman’s reply was that the code would bypass “everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he told to MotherBoard.

Fieman is defending Jay Michaud, a Vancouver public schools administration worker arrested by the FBI right after the FBI closed a popular child pornography site called “Playpen” hosted in the dark web, and where a network investigative technique (NIT)—the agency’s term for a hacking tool.

The use of the NIT was also confirmed earlier this year when according to court documents reviewed by Motherboard, the FBI had used it to identify the suspects while surfing on the Tor network.

The network investigative technique (NIT) got the suspects’ real IP address, the MAC address and other pieces of information and sent them to the FBI machines.

In July, at least two individuals from New York have been charged with online child pornography crimes after visiting a hidden service on the Tor network.

According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.” The FBI was able to harvest around 1300 IPs, and until the moment 137 people have been charged. The network investigative technique used by the FBI included computers in the UK, Chile and Greece.

In January, a report published by the Washington Post confirmed that in the summer of 2013 Feds hacked the TorMail service by injecting the NIT code in the mail page in the attempt to track its users.

The problem is that the FBI used only one warrant to hack computers of unknown suspects all over the world. The defense also argues that the FBI left the child pornography site running in order to be able to do the network investigative technique.

Last month a judge rules that the FBI’s actions did not constitute “outrageous conduct.”, but now a new order got out and obligates the FBI to disclose all the code components used in the network investigative technique.

Michaud’s lawyers were trying to get access to the technique and code used by the FBI since September but it wasn’t until January that Vlad Tsyrklevitch (the defense’s consulted expert) received the discovery.

Tsyrklevitch now argues that the provided code was incomplete, missing several parts. Part of the missing code is the one that identifies Michaud PC. Tsyrklevitch  also claimed that part of the code missing is the exploit used to break into machines.

“This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud’s computer, beyond the one payload that the Government has provided,” Michaud’s lawyers wrote, 

Tormail Network investigative technique

It is not the first time that judges requested FBI to disclose the code used in hacking operations. In 2012, a case called Operation Torpedo the FBI disclosed the details a Metasploit module used for their investigation.

Wired revealed that the law enforcement relied on the popular Metasploit framework to first de-anonymize operators of child porn websites in the Tor network.

“Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of  suspects hiding behind the Tor anonymity network.” states the reportpublished by Wired.

The Operation Tornado was revealed when the FBI seized three child porn sites on Tor based in Nebraska. The FBI, authorized by a special search warrant crafted by Justice Department lawyers in Washington, DC, delivered the tracking Flash code do de-anonymous visitors.  The operation allowed the FBI to identify at least 25 users in the US and many others in foreign countries.

There is no doubt, cases like this one will be even more frequent and it’s possible that in the future more court order will obligate to disclose all the information about a “target”.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/
[adrotate banner=”9″] [adrotate banner=”12″]

Edited by Pierluigi Paganini

(Security Affairs – Network investigative technique, FBI)

[adrotate banner=”13″]



you might also like

leave a comment