The Spybots Among Us 

How the NSA tracks terrorists in the United States through the Internet

Wednesday, Dec 19 2001

Page 3 of 5

Intelligent software agents, such as Trojan horses, are self-contained miniprograms that act on their own initiative after being set free to hunt pre-parametered prey in the cyberjungle. Aggressive malware can take control of a computer, without the user being aware of its presence, by seizing on flaws in the computer's operating system, such as the widespread use of the practically insecurable ActiveX programming language used in many Microsoft applications.

Government malware is analogous to commercial applications, such as Symantec Corp.'s pcAnywhere, and powerful hacker tools, such as Back Orifice. These sophisticated bots can be quietly installed on the hard drives of computers that are connected to the Internet (or by real-life government burglars trained to break and enter the old-fashioned way). Once hidden inside the millions of lines of code that are the life force of a computer, a malicious bot can copy logs of the Web sites a suspect has visited, steal his credit card numbers, or purloin the embarrassing love poem he thought he had trashed and send it all back in a bundle to the bot's master by way of an untraceable route.

A nasty "warbot" can mine the suspect's data for information on the whereabouts of the other members of his terrorist cell -- and then wipe his hard drive clean. A "worm" or "logic bomb" can attach itself to his e-mails and the e-mails of the people he sends e-mail to, and their e-mail lists, ad infinitum. On a certain date, thousands of self-replicated copies of this badbot, nesting inside hundreds of innocent computers, can send cascades of 1,000-page e-mail files to the server hosting the Web site of the front group for the suspect's terrorist organization, crashing it. On the other hand, a low-profile snitchbot can just sit quietly inside a font file and rat him out to the NSA every time he goes online.

Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc. in Cupertino, has worked with the National Security Agency. "The NSA would be foolish not to make attacks using malware," says Schneier. "It would not be doing its job if it didn't." Indeed, the NSA's mandate to protect and defend the country's cyber-infrastructure necessitates that it engage in comprehensive surveillance and "defensive" hacking.

Federal law does not criminalize surveillance or hacking unless $5,000 worth of damage is done. Aside from that threshold, there is almost no case law to guide plaintiffs who object to being monitored by bots, be they taxpayer-financed bots or private-sector bots. While the Fourth Amendment to the Constitution generally forbids the government to search and seize private property without a court order, it does not define the boundaries in cyberspace at which a bot becomes an unauthorized intruder, by, for instance, crossing from sniffing around inside a public Web site to peeking into a private database. Schneier points out that in the United States people basically do not own their personal data, which can be sold by others for profit.

Christopher O'Ferrell is the director of ethical hacking for NETSEC, a computer security company founded by two ex-NSA officials. The Virginia-based company has several contracts with federal intelligence agencies to deepen the security of government computer networks and to surveil the Internet in real time.

O'Ferrell, who used to work for the FBI and the Secret Service, says, "Oh sure, definitely, without question government [intelligence] agencies use bots. The terrorists attack us with worms, so, of course, we use worms against them." O'Ferrell says the NSA conducts "black projects" -- covert operations -- in cyberspace.

"Of course they do that stuff [hacking]," he says. "They'd be crazy not to." O'Ferrell notes that the military establishment and the law enforcement and intelligence agencies need to "think outside the box."

"If we stay within legal bounds," O'Ferrell says, "we have lost the game."

Besides targeting suspect individuals or groups with bots that burrow and tools that hack, the NSA eavesdrops generally on cyberspace. The nationwide paranoia after the horror of September's terror attacks has lent popular approval to this practice. A bill to increase the NSA's budget by adding several billion dollars to the approximately $30 billion a year we spend on foreign intelligence-gathering is working its way through Congress. The bill specifically funds the NSA to change its current focus from intercepting messages transmitted by satellite and microwave dish to intercepting electronic traffic, particularly Internet traffic, that speeds through the land and sea networks of fiber-optic cables, which transmit voice and data communications.

A few years ago, Lt. Gen. Kenneth A. Minihan, then-director of the NSA, wrote an article revealing that the NSA defends the security of the Internet by spying on it. Stripped of bureaucratic jargon, what Minihan said was that the NSA attaches "sensors" on the Internet backbone and "in the underlying telecommunications infrastructure itself" to detect potential "threats" from nations, terrorists, and radical groups.

Contrary to popular conspiracy theories, the NSA can't monitor every man-made electron orbiting the Earth and pick out keywords, such as "anthrax" or "bribe," according to the European Parliament's ECHELON report. For one thing, trying to analyze huge volumes of phone calls by keywords is beyond the agency's capabilities because spoken language contains too many variables. The NSA can, however, analyze tremendous amounts of nonvoice data using keywords. Still, experts say that while it is theoretically possible for the NSA to monitor cyberspace in real time, the $4-billion-a-year spy agency, which is reported to employ more hackers and mathematicians than any other organization in the world, is not yet able to trap and analyze the unbelievably mammoth content of the Internet slipstream as it passes through the government's interception devices. Clearly, though, the NSA is working hard to do so.

There is no single physical point of connection through which all traffic passes, says security scientist Schneier. Instead, the NSA can connect "sniffers" -- Internet wiretap devices -- on overseas cables and at nine connection points in the U.S. (including in the Pacific Bell headquarters building in San Francisco). The problem with analyzing intercepted data, Schneier remarks, is knowing what information to ignore. It's a question of time. If it takes more than one second to analyze a second's worth of data, you fall behind in a fatal spiral, says Schneier, never catching up.

About The Author

Peter Byrne

    Sub Pop recording artists 'clipping.' brought their brand of noise-driven experimental hip hop to the closing night of 2016's San Francisco Electronic Music Fest this past Sunday. The packed Brava Theater hosted an initially seated crowd that ended the night jumping and dancing against the front of the stage. The trio performed a set focused on their recently released Sci-Fi Horror concept album, 'Splendor & Misery', then delved into their dancier and more aggressive back catalogue, and recent single 'Wriggle'. Opening performances included local experimental electronic duo 'Tujurikkuja' and computer music artist 'Madalyn Merkey.'"