Germany Sought Info About FBI Spy Tool in 2007

Two years before the Bavarian state in Germany began using a controversial spy tool to gather evidence from suspect computers, German authorities approached the Federal Bureau of Investigation to discuss a similar tool the U.S. law enforcement agency was using.

The information is interesting in light of recent questions raised about the legality and security of spyware that German authorities have been using to gather evidence from criminal suspects.

Bavarian authorities reportedly began using their spyware in 2009. It’s not known if that spyware is based on the FBI’s, but in July 2007, German authorities contacted the FBI seeking information about its tool.

The request came just days after Threat Level first reported that the FBI had used its so-called “computer and internet protocol address verifier,” or CIPAV, tool to track bomb threats that a 15-year-old student had e-mailed to a Washington state high school. It was the first time the FBI’s use of an internet spy tool was publicly disclosed in connection to a specific case.

The FBI’s assistant legal attache in Frankfurt, Germany, sent an email to Bureau colleagues (.pdf) on July 24, 2007, writing, “I am embarrassed to be approaching you again with a request from the Germans . . . but they now have asked us about CIPAV (Computer Internet Protocol Address Verifier) software, allegedly used by the Bu[reau].”

The email was among a trove of documents that the Electronic Frontier Foundation received this year in response to a 2007 Freedom of Information Act request the organization filed to obtain more information about CIPAV. There are no e-mails in the documents to indicate how the FBI responded to the German government’s request.

Under German law, authorities can use spyware to monitor criminals, but its use is supposed to be limited to the interception of internet telephony and to serious criminal cases.

Members of the Berlin-based Chaos Computer Club, however, examined the so-called R2D2 keylogging Trojan after getting hold of a copy of it, and discovered that it was doing much more than it was legally supposed to do. In addition to monitoring Skype calls and recording keystrokes to capture e-mail and instant messaging communications, the Trojan had the ability to take screenshots and activate a computer’s microphone and webcam to allow someone to remotely spy on activities in a room. Furthermore, the program includes a backdoor that would allow authorities to remotely update the program with additional functionality.

The backdoor, CCC found, also contains several security vulnerabilities that make any system on which the spyware is installed potentially vulnerable to takeover by other parties, who could commandeer the spyware for their own purposes. Commands sent to the Trojan are not encrypted, and the spyware requires no authentication between the Trojan and the system communicating with it, meaning that anyone could take remote control of the spyware to spy on a user, plant evidence on his machine, or even impersonate a law enforcement Trojan to communicate with law enforcement systems.

Bavaria Interior Minister Joachim Herrmann confirmed this week that officials began using the spyware in 2009, but insisted authorities acted within the law. Three other states — Baden-Württemberg, Brandenburg and Lower Saxony — have also confirmed using spyware, though it’s unclear if they used the same Trojan that CCC found.

A recent news report in Germany revealed details about some of the cases in which Bavarian authorities used the spyware. One case involved a group suspected of illegally selling pharmaceutical products and narcotics. In this case, the malware collected 60,000 screenshots, according to the German publication Süddeutsche Zeitung.

A second case involved a group of online scammers who successfully conned about 120,000 people out of 10 million Euros by selling them electrical appliances that never got delivered. A third case targeted a group of thieves who sold stolen clothes and other products overseas.

Germany’s Justice Minister Sabine Leutheusser-Schnarrenberger has called for an investigation to determine if authorities used the spyware properly.

The FBI’s use of its spyware has yet to be investigated. Documents obtained by Threat Level under the Freedom of Information Act showed that the FBI had deployed the CIPAV in a wide variety of cases — from major hacker investigations to a case involving someone who posed as an FBI agent online. The program at one point became so popular with federal law enforcement agents that Justice Department lawyers warned that overuse could result in electronic evidence being thrown out of court in some cases.

“While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit,” notes a formerly classified 2002 memo from the Justice Department’s Computer Crime and Intellectual Property Section.


Alleged Celeb Hacker Glad He Got Caught; Was Addicted to Hacking

A Florida man who was arrested on charges that he hacked the e-mail accounts of actress Scarlett Johansson and at least 49 other celebrities and their friends says he’s glad he got caught because he was addicted to the hacking and couldn’t stop.

Christopher Chaney, 35, of Jacksonville, Florida, told a local Florida news station that his hacking began simply as a “curiosity” but soon turned into an addiction for stealing celebrity secrets.

“It just happened and snowballed,” he said, adding that he was “almost relieved months ago” when law enforcement agents seized his computer during a search.

“I didn’t know how to stop doing it myself,” he said.

Last month, photos that Johansson took of herself in the nude appeared online and showed her looking seductively at a phone camera as she snapped images of her bare breasts while lying on a bed. Another image showed her bare backside, taken as she looked into a mirror.

The celebrity website TMZ announced around the time that it had also seen photos of actress Mila Kunis that someone had obtained, which showed her in a bathtub with only her head peeking above the edge of the tub. A separate photo of Justin Timberlake showed him lying shirtless in a bed with a pair of pink women’s underwear over his head, TMZ reported. The website did not publish the images.

A number of Chaney’s victims are identified only by their initials in the indictment (.pdf) (such as B.G., B.P., D.F., J.A., L.S. and L.B.) though Kunis, Johansson, Christina Aguilera and Renee Olstead are identified in full, as is Simone Harouche, a fashion stylist and handbag designer.

Chaney, who used the online nicknames “trainreqsuckswhat,” “anonygrrl,” and “jaxjaguars911,” has been indicted on nine counts of computer hacking, eight counts of aggravated identity theft, and nine counts of illegal wiretapping. His nickname “trainreqsuckswhat” is a reference to another alleged celebrity hacker named Josh Holly, who told Threat Level in 2008 that he had hacked Miley Cyrus’s email account and stolen suggestive photos of her that were later posted online.

According to CNN, Chaney was able to guess the passwords celebrities used for their email accounts by monitoring their social media accounts for possible clues — such as a pet’s name — that might point to a password.

Once he hacked into a celebrity’s e-mail account, he’d search the celebrity’s contact list for other celebrity e-mail accounts and then target those victims, authorities say. He’d then alter the account settings to automatically forward a copy of any e-mails the celebrity received to an e-mail account Chaney controlled.

Chaney said in the interview just after being released on bail that he didn’t begin the hacking with the intent of selling photos he found or otherwise exposing them on the internet.

Instead, he did it just to see how easy it would be. He says he never sold any celebrity pictures or information that he gleaned from reading emails; someone did contact him at one point wanting to obtain pictures from him to sell, he says, but he refused. Authorities, however, say he did distribute some information he received from celebrity accounts.

He now regrets his activity, saying he takes responsibility for what he did.

“I deeply apologize,” he told the WAWS news station in Florida. “I know what I did was probably one of the worst invasions of privacy someone could experience. And these people don’t have privacy to begin with. And I was in that little sliver of privacy they do have.”

Chaney has been released on a $10,000 unsecured bond and faces a possible maximum sentence of 121 years if convicted on all charges.


TA11-286A: Apple Updates for Multiple Vulnerabilities

Original release date: October 13, 2011
Last revised: --
Source: US-CERT

Systems Affected

  • Mac OS X 10.6.8
  • Mac OS X Server 10.6.8
  • Mac OS X 10.7, 10.7.1
  • Mac OS X Server 10.7, 10.7.1
There are multiple vulnerabilities in Mac OS X 10.6.8, 10.7, and 10.7.1 and Mac OS X Server 10.6.8, 10.7, and 10.7.1. Apple has released updates to address these vulnerabilities.

I. Description

The Apple Security Advisory for OS X Lion v10.7.2 and Security Update 2011-006 describes multiple vulnerabilities in Mac OS X and Mac OS X Server. Apple has released updates to address these vulnerabilities.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

III. Solution

Apple has provided updates for these vulnerabilities in the Apple Security Advisory for OS X Lion v10.7.2 and Security Update 2011-006. This advisory describes any known issues related to the updates and the specific impacts for each vulnerability. Administrators are encouraged to note these issues and impacts and test for any potentially adverse effects before wide-scale deployment.

IV. References

Feedback can be directed to US-CERT.

Produced 2011 by US-CERT, a government organization.

Revision History

October 13, 2011: Initial release