In association with heise online

19 July 2007, 13:29

Secret online search warrant: FBI uses CIPAV for the first time


The FBI has, for the first time, used PC spyware to establish the identity of a suspect who had been sending bomb threats to a high school in Washington state. In a blog post, US journalist Declan McCullagh quotes the declaration (PDF) of the FBI agent who applied for the search warrant. The declaration describes the mode of operation of the spyware, which the FBI refers to as CIPAV (Computer and Internet Protocol Address Verifier).

CIPAV is apparently a Windows program which the FBI delivers by e-mail or instant messaging. It either installs itself directly on the target computer or is planted in a web account such as MySpace or Google Mail, from which it reaches the target computer when the suspect next logs in. Once installed, CIPAV searches the hard disk and sends the FBI a record of the names of all running programs, browser data, the operating system type and version (including its serial number) and the user information held in the registry. Thereafter it apparently operates as a pen register: it records the URLs and IP addresses the computer contacts, with timestamps, but not the contents of the communications, a point the FBI stresses several times in the declaration. The declaration does not say whether the current version of CIPAV is technically capable of capturing and forwarding the contents of communications, or of keylogging; the pen-register limitation therefore describes what the FBI collected under the warrant, not a verified technical limit of the tool.

Using CIPAV, the FBI was in this case able to recover an IP address that identified a former student of Timberline High School in Lacey, Washington, who had been terrorising the school with bomb threats for days. The juvenile had used five different Google Mail addresses to issue his threats, as well as a MySpace account under the name "timberlinebombinfo" through which other "fellow campaigners" were supposed to voice their animosity towards the school. He logged on to these accounts via three compromised computers in Italy, so the IP addresses which Google and MySpace supplied to the FBI pointed only at the Italian machines. To get behind the proxies, the FBI obtained a search warrant and then sent the CIPAV via Google Mail or MySpace, so that the spyware would install itself on the suspect's own computer when further threats were sent. The judge granted use of the CIPAV with the stipulation that the software was only to transmit its data between 6:00 and 22:00; logging of IP addresses, however, was permitted round the clock.
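The two constraints described above, pen-register mode (addressing data only, never contents) and the warrant's transmission window, as an added illustration in Python. This is not CIPAV's code and is not taken from the FBI declaration: the record layout, the constructed sample connections, and the reading of 06:00 to 22:00 as local time are assumptions made for the example.

```python
"""Added example (not FBI/CIPAV code): a pen-register style collector.

It logs who the machine contacted and when, around the clock, but keeps
payload bytes out of the record entirely, and it releases what it has
logged only inside an assumed transmission window of 06:00 to 22:00.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List

TX_START = time(6, 0)   # assumed warrant window: transmit from 06:00 ...
TX_END = time(22, 0)    # ... until 22:00, local time (assumption)


@dataclass(frozen=True)
class Connection:
    """One observed outbound connection as a capture hook might report it."""
    ts: datetime
    dst_ip: str
    dst_port: int
    payload: bytes  # contents: deliberately never copied into the register


@dataclass(frozen=True)
class PenRegisterEntry:
    """Addressing data only: when, which host, which port. No payload field."""
    ts: str
    dst_ip: str
    dst_port: int


def in_window(t: time) -> bool:
    """True if the clock time lies inside the permitted transmission window."""
    return TX_START <= t < TX_END


@dataclass
class PenRegister:
    queue: List[PenRegisterEntry] = field(default_factory=list)       # logged, not yet sent
    transmitted: List[PenRegisterEntry] = field(default_factory=list) # sent to the collector

    def log(self, conn: Connection) -> PenRegisterEntry:
        """Record routing data for a connection at any hour; drop the payload."""
        entry = PenRegisterEntry(conn.ts.isoformat(), conn.dst_ip, conn.dst_port)
        self.queue.append(entry)
        return entry

    def flush(self, now: datetime) -> List[PenRegisterEntry]:
        """Hand the backlog to the collector, but only inside the window."""
        if not in_window(now.time()):
            return []          # outside the window: keep buffering, send nothing
        sent, self.queue = self.queue, []
        self.transmitted.extend(sent)
        return sent


def run_demo() -> dict:
    """Drive the register with constructed traffic (not real capture data)."""
    reg = PenRegister()
    sample = [  # constructed sample connections; addresses are documentation ranges
        Connection(datetime(2007, 6, 13, 3, 15), "203.0.113.7", 443, b"GET /mail/ HTTP/1.1"),
        Connection(datetime(2007, 6, 13, 3, 16), "198.51.100.22", 80, b"POST /post.php HTTP/1.1"),
        Connection(datetime(2007, 6, 13, 6, 30), "203.0.113.7", 443, b"GET /mail/ HTTP/1.1"),
    ]
    reg.log(sample[0])
    reg.log(sample[1])
    night = reg.flush(datetime(2007, 6, 13, 3, 20))    # 03:20: nothing leaves
    reg.log(sample[2])
    morning = reg.flush(datetime(2007, 6, 13, 6, 31))  # 06:31: backlog plus new entry
    return {
        "night": night,
        "morning": morning,
        "queued_after": len(reg.queue),
        "edges": (in_window(time(21, 59)), in_window(time(22, 0)),
                  in_window(time(5, 59)), in_window(time(6, 0))),
    }


if __name__ == "__main__":
    for entry in run_demo()["morning"]:
        print(entry)
```

The point of the split between `Connection` and `PenRegisterEntry` is that the content restriction is enforced by the data type, not by a filter that could be switched off: the register simply has nowhere to put payload bytes.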

With the Timberline High School bomb threats, the FBI's use of spyware to unmask a suspect has been publicly documented for the first time. In previous investigations the FBI had only used keyloggers, which agents installed on target computers in person and in secret. The agency has, however, experimented with a variety of (often short-lived) surveillance tools for years, starting with Omnivore in 1997, which evolved into the now-famous Carnivore, a system for monitoring traffic at ISPs. Carnivore was renamed DCS1000 in 2001, around the time a project called Magic Lantern was announced, and was later dropped altogether. Nothing further has been heard of Magic Lantern, and some suspect that CIPAV, the first remotely deployed, targeted surveillance tool the agency is known to have used, is the outcome of that project.

(Detlef Borchers)

