Utterly Outrageous

Now, this is whistleblowing:

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.

If the FBI is actually sending us malware, then someone has some 'splainin' to do, to say the least. Congressional hearings are in order, and the hearings ought to be public.

I Am Officially Smacked by Gob (Economic Development Administration Edition)

Your government at work:

The Economic Development Administration (EDA) is an agency in the Department of Commerce that promotes economic development in regions of the US suffering low growth, low employment, and other economic problems. In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a potential malware infection within the two agencies' systems.

The NOAA isolated and cleaned up the problem within a few weeks.

The EDA, however, responded by cutting its systems off from the rest of the world—disabling its enterprise e-mail system and leaving its regional offices no way of accessing centrally-held databases.

It then recruited in an outside security contractor to look for malware and provide assurances that not only were EDA's systems clean, but also that they were impregnable against malware. The contractor, after some initial false positives, declared the systems largely clean but was unable to provide this guarantee. Malware was found on six systems, but it was easily repaired by reimaging the affected machines.

EDA's CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice. The destruction only stopped—sparing $3 million of equipment—because the agency had run out of money to pay for destroying the hardware.

Oy. And also, vey.