Malicious Software and Hacking

AKA: "Malware," "Spyware," and "Keylogging"

Malicious software can be used to monitor use of personal computing devices. For example, keylogging tools record every keystroke you make on your computer.

What is it used for?: 

Presently, there are few documented cases of police departments using malicious software to collect and monitor your electronic activities. However, federal law enforcement and intelligence agencies such as the FBI, DEA, and NSA utilize such tools, and many suspect it is inevitable that they will end up in the hands of local law enforcement agencies. Even when major federal agencies struggle to gain access to carefully secured electronic communications, keystroke logging tools get around these constraints by collecting a record of every button you press on your computer. Using this information, a technician can find the passwords you use to protect your email, shopping history, financial records, or anything else you manage online. The FBI has used this technique to investigate suspected criminals since at least 1999.

CIVIL LIBERTIES CONCERNS

Keylogging and other forms of malware amount to an inherently overbroad search. After all, they generally give police access to all user files, not just the ones that may involve criminal activities. Reliance on such tools also makes everyone less secure, as these types of software rely on vulnerabilities and bugs that, unpatched, expose everyone to privacy invasions, whether by governments or criminals. Recently, federal agencies have come under fire for installing this software on the computers of whistleblowing employees. This is particularly problematic: if whistleblowers fear that their bosses will keep tabs on their communications with management, policy-makers, or journalists, they may not report the waste, fraud, or other abuses they observe.

How it Works: 

Malicious software has been used for decades to collect passwords and personal information to commit identity fraud and other crimes. Governments have used these tools to surveil people, for purposes including watching dissidents and monitoring suspected whistleblowers.

  • Government investigators have used both hardware and software keylogging tools. Police had to physically attach early keystroke loggers to a computer. Typically, government agents or informants would enter a suspect’s house and plug a small device into the cable that connected the keyboard to the computer. Later, they would collect that device and return it to a forensics lab for analysis.
  • Modern malicious software is much more subtle. In 2001, MSNBC discovered that the FBI had developed software called “Magic Lantern,” a program that we still know little about. Magic Lantern is a Trojan program, software that poses as something harmless. Researchers believe that agents arrange for someone to send a suspect an email with an attachment (a photo, video, etc.) that contains some malicious code. Once the attachment is accessed by the suspect, the program installs itself and runs secretly in the background. The program logs every keystroke made on the computer and transmits that data back to police. Other forms of spyware can be used to remotely trigger webcams and microphones in order to surveil people in proximity to the device. Many forms of malicious software may be deployed to personal devices remotely through vulnerabilities in device firmware and operating systems.
  • Government malware may be very difficult to detect unless you know how to look for it. This sort of program operates at the lowest levels of computer operations. In the case of keyloggers, the interface between your keyboard and your computer is so basic that few users ever think to check it.

How prevalent is it?: 

So far, only the FBI and DEA have used evidence from keystroke logging tools and malicious software in criminal trials. (Though the NSA and other intelligence agencies certainly have the technical ability to create and use these tools as well.) Additionally, federal government agencies probably use these tools to monitor at least some of their employees on government computers. Although similar programs are available to many local police departments, we have not found any instances of their use at the local level.

Identity thieves, however, use malicious software of varying sophistication to steal your information. In order to protect your data, never download anything unless you trust the source.

Examples of Use

  • Location: Silver Spring, MD
    FDA Uses Spyware to Clamp Down on Whistleblowers

    The Food and Drug Administration – the federal agency that regulates food, tobacco, pharmaceuticals, and medical devices – is not the most likely agency to use cutting-edge surveillance technology to illegally monitor its critics. Beginning in 2010, however, middle managers launched a two-year surveillance operation to secretly monitor researchers they suspected of “collaborating” with outside watchdogs to tarnish the agency’s image. These researchers had argued that flawed reviews had led to the approval of medical imaging devices that emitted dangerous levels of radiation. Frustrated by the lack of action from their supervisors, they took their concerns to the press, Congress, and the White House. In response, the agency installed spy software on five of its own scientists’ computers. “The software,” according to the New York Times, “tracked their keystrokes, intercepted their personal emails, copied the documents on their personal thumb drives, and even followed their messages line by line as they were being drafted.” Questioned by the House Government Oversight Committee, FDA managers insisted that the purpose of the software was to identify the employee who had compromised a trade secret months before. The committee’s report noted that if that were the case, it would have been pointless. The software served only to monitor the employees’ current activities, not to look for past leaks. The FDA’s snooping could have much broader implications than the harassment of five employees. In the future, concerned scientists may be reluctant to inform the public about health risks FDA managers have overlooked.

Recommendations: 

When government agencies consider acquiring and using surveillance systems, communities and their elected officials must both weigh the benefits against the costs to civil liberties and carefully craft policies and procedures that help to limit the negative effects that surveillance will have on fundamental rights. For a useful list of considerations, please visit the recommendations page.