http://news.cnet.com/news/0-1003-200-5785729.html?tag=tp_pr
By Robert Lemos
Special to CNET News.com
May 1, 2001, 12:05 p.m. PT
A sting operation in which FBI agents downloaded data from two
Russian-based computers has some high-tech lawyers concerned that the
precedent may be used to justify indiscriminate, cross-border hacking.
The incident came to light last week after the indictment of two
Russians on charges of breaking into the networks of banks, Internet
service providers and other companies. While the charges were somewhat
routine, the methods the FBI used to nab the pair were novel and
potentially worrisome, said security experts.
According to court documents filed in the case, the FBI and Department
of Justice lured two suspected Russian hackers to Seattle with job
offers at a fictitious security company. After monitoring the duo's
connection to two servers in Russia, the FBI used the suspects'
passwords to download incriminating data from those servers.
The tactic is likely to be challenged in court; if it is deemed
lawful, the precedent could allow law enforcement and intelligence
communities free rein to hack foreign computers. In addition, such a
ruling could provide a legal loophole for other countries to break
into U.S.-based computers in search of data that could aid their own
investigations.
"It's extremely dangerous just to throw the door open--it will be a
free-for-all," said Jennifer Granick, clinical director for the
Stanford University Center for Internet and Society. "It won't just be
individuals (hacking each other). It will be corporate espionage."
Although U.S. officials downplay the incident, some legal experts fear
that this first publicly acknowledged government "hack" could spark a
rash of indiscriminate, international hacking by individuals, foreign
governments and corporations.
In this case, the FBI was determined to obtain the Russian-based
information before it could be deleted.
On Nov. 10, FBI agents and officials from the Department of Justice
nabbed two suspected Russian hackers after luring the duo to the
United States with employment offers for a mythical security company,
Invita.
Details of the case became public after the suspects were indicted
early in April.
Welcome to Invita!
According to court filings, this is how the sting went down:
FBI agents requested that the two suspects--20-year-old Alexey Ivanov
and 25-year-old Vasiliy Gorshkov--crack the security on "Invita's own
computers."
During the hack, the FBI agents monitored the duo's activities with a
"sniffer"--a program designed to trap all keystrokes made on a
computer. When the suspects allegedly downloaded hacking tools from
two servers in Russia using their usernames and passwords, the sniffer
collected the tools needed to access the accounts.
Typically, U.S. law enforcement would wait on their counterparts in
Russia to search the servers. Yet, while the United States has more
than 25 mutual legal assistance treaties to aid law enforcement in
capturing data in other countries, Russia has signed an agreement to
help the U.S. in investigating only some crimes--and computer crimes
are not among them.
Nevertheless, the Department of Justice did request assistance from
Russian authorities, but without answer. After several unsuccessful
attempts to get Russian authorities to cooperate, the FBI--with the
help of a security expert--used the usernames and passwords to access
the two servers.
Once in, investigators browsed through the directories on both servers
and selected, then compressed, a large number of files. The agents
then downloaded the 1.3GB file to their own computers.
Before they began to sift for evidence, the FBI did obtain a search
warrant to look at the files.
Thought to be the first public acknowledgement of U.S.
hacking-for-access, the tactics have set off alarm bells among
cyber-savvy lawyers.
If a judge rules in favor of the FBI, the precedent will be clear,
said Matthew Yarbrough, head of the Cyberlaw Section for Dallas-based
law firm Fish & Richardson: The United States can pursue
investigations of data in other countries, widening the boundaries of
the investigation to cyberspace.
Yet, while the United States can hack servers in other countries,
those countries could also return the favor, he said.
"Whenever you deal with international criminal problems, you have to
be careful, because the rule is: Whatever we do to them, they can do
to us," said Yarbrough, a former Department of Justice cybercrime
prosecutor. "I don't think we want KGB agents--or whatever
organization handles law enforcement now--to be hacking our servers to
get evidence for their cases."
A hack attack?
A federal prosecutor involved in the case defended the FBI's actions.
"I wouldn't call it hacking," said Stephen Schroeder, assistant U.S.
attorney for the Western District of Washington in Seattle and the
lead prosecutor in the case against Gorshkov. "The implications of
hacking go far beyond what we did."
However, the law enforcement community commonly uses "hacking" to
describe the illegal activity of breaking into a computer, usually
with some degree of skill. While little skill is needed to type in
usernames and passwords, the Computer Fraud and Abuse Act of 1986
treats the unauthorized access of computers as the same crime as
breaking into a computer without using passwords.
In most cases, law enforcement officers are exempted from any sort of
prosecution under the act if the questionable activity has been
authorized as part of their investigation. Furthermore, the FBI can
violate the law--similar to their ability to break the speed
limit--and still have any resulting evidence be admissible in court.
Yet, the key question among attorneys is whether such a waiver exists
for so-called remote cross-border searches of computer data. One thing
is certain: Not having to gain permission from the country in which a
server resides speeds the process, said Schroeder.
"Normally, to get evidence we go through diplomatic channels, in
writing, with pretty seals, and then it percolates down to law
enforcement," he said. "Six months later we get our evidence."
In this case, he said, six months would have been too late. Indeed,
six days after Ivanov and Gorshkov were arrested, someone changed one
of Ivanov's passwords, according to the court papers.
War on hacking
"I don't think the basic thing--that they broke in--is debatable,"
said Stanford's Granick. "The ramifications? Now, they are debatable."
Currently, Gorshkov's lawyer, Kenneth Kanev, is attempting to block
any use of the data from the Russian servers based on privacy and
Fourth Amendment violations. However, because Ivanov and Gorshkov are
not United States citizens and the data was kept in another country,
some legal experts say it's likely the data will be admissible in
court.
When reached at this office, Kanev refused to comment on the case.
In fact, a case from the United States' War on Drugs seems to support
the search of a server in a foreign country. In 1986, Mexican police
picked up the suspected leader of a narcotics ring and delivered him
to the Mexico-United States border, where he was arrested by U.S.
officials. Agents of the Drug Enforcement Agency and Mexican officials
later searched the suspect's homes in Mexico without a warrant.
The U.S. Supreme Court ruled four years later that a search of a
non-U.S. citizen's foreign residence is legal, and no search warrant
is necessary.
That decision could influence a ruling in this case, but that may not
be the only fallout. By deeming such actions legal, the United States
could kick off a spate of similar cross-border hacking, said Patricia
Bellia, assistant professor of law at Notre Dame University and a
former Justice Department attorney.
"I do think that (countries) are going to continue to have an urge to
get evidence like this," she said. "They are getting frustrated with
their inability to get evidence."
And while U.S. law may deem the agents' actions legal, international
law--the expectations of treatment that exist between countries--will,
without a doubt, condemn them, she added.
"If Russia did this to us, we would object diplomatically," she said.
The Embassy of Russia in Washington, D.C., would not comment on the
case, nor on whether the country intended to lodge an international
complaint against the United States for a violation of its
sovereignty.
In a paper studying the legal ramifications of remote cross-border
searches, Bellia concludes that current mutual legal assistance
treaties and the Cybercrime Convention being drafted by the Council of
Europe won't add much clarity to the issue. Both require that
countries promise to aid foreign law enforcement in searching for
evidence that may reside on servers in their territory.
However, arranging for such searches takes weeks or, more often,
months. Neither allows law enforcement to react fast enough to prevent
data from being deleted.
Still, without an immediate solution, constraint should be the rule,
said Bellia.
"If we can do it, then everybody else can do it to us--that's a very
disturbing notion," she said. "The United States is the repository of
so much data; it is very dangerous to go down that road."
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Wed May 2 03:47 CDT 2001