Imagine this headline, “Your company was just legally hacked by the FBI.” If your one of hundreds of companies that had a security vulnerability this week, you may have been hacked by the FBI without your knowledge or consent. This week, courts approved the FBI legally hacking into your server to remove software from that server without your knowledge. The justice department released a statement containing the following:
“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Combined with the private sector’s and other government agencies’ efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. There’s no doubt that more work remains to be done, but let there also be no doubt that the Department is committed to playing its integral and necessary role in such efforts.”
The statement later goes on to say that the FBI tried to provide notice of the operation to any operators of the hacked exchange servers:
“The FBI is attempting to provide notice of the court-authorized operation to all owners or operators of the computers from which it removed the hacking group’s web shells.”
I’m not sure what attempting to provide notice means, but the statement makes it clear that the FBI went ahead and removed software without some companys’ consent.
This seems innocent on paper, but let’s face it, the government just legally hacked privately owned servers for the sake of the common good. The government’s fix doesn’t solve the problem. In fact, it may hide the problem from people that need to fix it. The server was hacked. It is Vulnerable. Even if the malicious scripts were removed. Think of it this way, a Peeping Tom has a key to your house. While you’re gone, he installs cameras to watch you inside your house. The FBI is informed a Peeping Tom is installing cameras in inside homes using a set of keys he stole from a maid service.
While you’re out, the FBI rings your door. No one is home, so the FBI comes in and removes the cameras without your knowledge. The next day, the Peeping Tom uses the key to your house to come back inside and install new cameras. Everything is back to where it was, and the problem is still there. The voyeur still has a key to your house. The FBI can legally reenter your house to keep removing the cameras, and you are unaware.
What if the FBI accidentally removes your baby camera to monitor your child’s crib without your knowledge? What if an agent takes a compromising picture out of your house without you knowing he was even there? Your privacy was breached, but did it need to be? Here are my concerns about the FBI tampering with servers that aren’t theirs.
1. The Justice Department pointed out that the FBI did not apply any fixes or patches to the servers in question outside of removing any malicious scripts. Regardless, the FBI illegally hacked into someone’s server. In our scenario above, this is like removing the cameras, but the peeping tom still has the keys. What prevents a hacker from returning to the compromised server and reinstalling the malicious scripts once the FBI leaves? Nothing. What does the homeowner know about the FBI attempting to fix the problem or the fact that someone is abusing keys to their house? Nothing. The problem is that the exploit that allowed the hacker to gain access is still there. Think of it this way. The FBI isn’t taking care of the larger problem, it’s just cleaning up the evidence of a crime.
2. The leads to my second point, if there was a breach, someone needs to know. The only way to fix a problem is to know a problem exists. Security teams handle risks like these in specific ways. The first step is identifying you have a problem. If you don’t know the problem exists, you can’t contain the threat, analyze it, apply prevention techniques, properly remediate the problem and recover. Maybe this server is leaking data for the owner. Maybe the server is an entry point into their sensitive data or the server exposed other servers to different hacks.
By removing the scripts, the security team may be unaware of the point of origin of an attack and remediate the problem inside their other servers while leaving the originally hacked server exposed to another hacking attempt. Maybe the FBI’s partial fix leaves the company’s data exposed because the security team is unaware of the external breach that is opening their internal network up for further hacking. The key problem is that the FBI is removing the evidence of a crime from the scene making it harder to identify the root of the problem.
3. After you identify a problem, the next step is to contain it. The FBI decided to contain the problem by legally hacking into a server through a court order, but the FBI never contained the problem. Proper containment includes port blocking, powering, removing the server from the network, or even powering down the server.
The FBI carried out a temporary fix, but it’s arguable whether their fix contains the problem because the original exploit allows the hacker to return. Did the FBI need to hack into these servers? In today’s internet-connected world the FBI didn’t need to gain access to any compromised systems in question. The FBI could have worked with AWS or Microsoft to block servers in the cloud or worked with internet providers to block ports or servers without touching the server itself.
AWS and Microsoft reserve the right to remove servers that are compromised. Even in a privately hosted solution, the FBI can work with internet providers to remove the server’s ability to connect to the internet raising its attention to the owners so they can identify the problem. This solves the problem of informing the owner since they will see there is a problem and contain it without tampering directly with the server.
4. My final point. The server is private property. The company may have sensitive corporate data or trade secrets on the server that the government has no right to view. Thinking back to the homeowner scenario, what if the government wants to check to see if you own a gun?
Can the FBI enter your house for the public good to make a gun check in your house? It’s a slippery slope. In a time when there is a level of mistrust of law enforcement, the tide can easily turn on the FBI’s good intentions.
What if a corporate email is leaked and traced back to a time the FBI was inside the company’s computer without their knowledge–even if a hacker was also on the target server at the same time? It leads to mistrust. As stated in my third point, the FBI didn’t need to log into the servers to contain the problem.
The road to hell is paved with good intentions. I think the Justice Department and the FBI had good intentions, but their intent creates a lot of problems for the owners of the hacked servers that the FBI remediated.
The security world is full of what-ifs, hunting, identifying, containing, and controlling. From a security perspective, the FBI isn’t fixing a problem. Instead, the FBI may make the problem worse. In removing these malicious scripts, they take away key evidence that something happened on these servers leaving them exposed to more attacks. From a privacy perspective, the FBI breached company privacy when there may have been other options, such as port blocking, IP blocking or even powering down the server if it was in the cloud.
Either way, the FBI’s good intention yields negative results for our future privacy.
Matt is a Director of Product Management for a leading mobile platform enablement company. He has traveled extensively in the United States and overseas for business and travel. His travels include India, Mexico, Europe, and Japan where he was an active blogger immediately following the Kaimashi quake. Matt enjoys spending time outdoors and capturing the world through the lens of his Nikon D90. Matt enjoys researching the political, economic, and historical influences of the places he visits in the world, and he commonly blogs about these experiences. Matt received a Bachelor in Computer Science at Mercer University, and is a noted speaker on innovation, holding over 150 patents. Matt’s remaining time is spent with his family going from soccer game to soccer game on the weekends.