[info] Do antivirus apps ignore US government spyware?
Eugen Leitl
<eugen at leitl.org> on
Wed Aug 1 15:49:06 UTC 2007
http://www.zdnet.com.au/news/security/soa/Do-antivirus-apps-ignore-US-government-spyware-/0,130061744,339280165,00.htm
Do antivirus apps ignore US government spyware?
Declan McCullagh, CNET News.com
18 July 2007 08:18 AM
Companies that produce security software may soon be ignoring certain
spyware, and potentially even infecting their customers through auto updates,
under orders from US government agencies.
In the case decided earlier this month by the 9th US Circuit Court of
Appeals, federal agents used spyware with a keystroke logger -- call it
fedware -- to record the typing of a suspected Ecstasy manufacturer who used
encryption to thwart the police.
A CNET News.com survey of 13 leading antispyware vendors found that not one
company acknowledged cooperating unofficially with government agencies. Some,
however, indicated that they would not alert customers to the presence of
fedware if they were ordered by a court to remain quiet.
Most of the companies surveyed, which covered the range from tiny firms to
Symantec and IBM, said they never had received such a court order. The full
list of companies surveyed: AVG/Grisoft, Computer Associates, Check Point,
eEye, IBM, Kaspersky Lab, McAfee, Microsoft, Sana Security, Sophos, Symantec,
Trend Micro and Websense. Only McAfee and Microsoft flatly declined to answer
that question.
Because only two known criminal prosecutions in the United States involve
police use of key loggers, important legal rules remain unsettled. But key
logger makers say that police and investigative agencies are frequent
customers, in part because recording keystrokes can bypass the increasingly
common use of encryption to scramble communications and hard drives.
Some companies that responded to the survey were vehemently pro-privacy. "Our
customers are paying us for a service, to protect them from all forms of
malicious code," said Marc Maiffret, eEye Digital Security's co-founder and
chief technology officer. "It is not up to us to do law enforcement's job for
them so we do not, and will not, make any exceptions for law enforcement
malware or other tools." eEye sells Blink Personal for US$25, which includes
antivirus and antispyware features.
Others were more conciliatory. Check Point, which makes the popular ZoneAlarm
utility, said it would offer federal police the "same courtesy" that it
extends to legitimate third-party vendors that request to be whitelisted. A
Check Point representative said, though, that the company had "never been" in
that situation.
This isn't exactly a new question. After the last high-profile case in which
federal agents turned to a key logger, some security companies allegedly
volunteered to ignore fedware. The Associated Press reported in 2001 that
"McAfee contacted the FBI... to ensure its software wouldn't inadvertently
detect the bureau's snooping software." McAfee subsequently said the report
was inaccurate.
Later that year, the FBI confirmed that it was creating spy software called
"Magic Lantern" that would allow agents to inject keystroke loggers remotely
through a virus without having physical access to the computer. (In both the
recent Ecstasy case and the earlier key logging case involving an alleged
mobster, federal agents obtained court orders authorising them to break into
buildings to install key loggers.)
Government agencies and backdoors in technology products have a long and
frequently clandestine relationship. One 1995 exposé by the Baltimore Sun
described how the National Security Agency persuaded a Swiss firm, Crypto, to
build backdoors into its encryption devices.
In his 1982 book, The Puzzle Palace, author James Bamford described how the
NSA's predecessor in 1945 coerced Western Union, RCA and ITT Communications
to turn over telegraph traffic to the feds.
More recently, after the BBC reported last year on supposed talks between the
British government and Microsoft, the software maker pledged not to build
backdoors into Windows Vista's encryption functions.
Even if the FBI, the Drug Enforcement Administration or other federal police
haven't tried to compel security companies to whitelist fedware, security
experts predict that such a court order is just a matter of time.
What remains unclear, however, is whether police have the legal authority to
do so under current law. "The government would be pushing the boundaries of
the law if it attempted to obtain such an order," said Kevin Bankston, an
attorney with the Electronic Frontier Foundation who has litigated
wiretapping cases. "There's simply no precedent for this sort of thing."
One possibility is a section of the Wiretap Act that says courts can "direct
that a provider of wire or electronic communication service, landlord,
custodian or other person" to help with electronic surveillance.
"There is some breadth in that language that is of concern and that the
Justice Department may attempt to exploit," Bankston said.
In theory, government agencies could even seek a court order requiring
security companies to deliver spyware to their customers as part of an
auto-update feature. Most modern security companies, including operating
system makers such as Microsoft and Apple, offer regular patches and bug
fixes. Although it would be technically tricky, it would be possible to send
an infected update to a customer if the vendor were ordered to do so.
When asked if it had ever received such a court order, Microsoft demurred.
"Microsoft frequently has confidential conversations with both customers and
government agencies and does not comment on those conversations," a company
representative said. Of the 13 companies surveyed, McAfee was the other
company that declined to answer. (Two others could not be reached as of
Tuesday morning.)
Some security companies refused to reply to the initial version of our
survey, which broadly asked about fedware whitelisting. In response, we
revised the question to ask if they would alert a customer to the presence of
keystroke loggers installed by a police or intelligence agency "in the
absence of a lawful court order signed by a judge."
Cris Paden, Symantec's manager of corporate public relations, initially
declined to reply. "There are legitimate reasons for not giving blanket
guarantees--one of those is a court order," he said at first. "There are
extenuating circumstances and grey issues."
But after we altered the question, Paden replied: "Barring a court order to
cooperate with law enforcement authorities, Symantec would definitely alert
our customers to the presence of any malicious code or programs that we
detect on their systems." He added that Symantec had "absolutely not"
received any such court order.
One danger with whitelisting fedware is that it creates a potentially serious
vulnerability in security software. If a malicious vendor of spyware were
clever enough to mimic the whitelisted government spyware, it would also go
undetected.
But if fedware becomes more common, savvy criminals could simply turn to
open-source software that's less likely to have backdoors for police. ClamAV
and OpenAntiVirus.org both offer open-source security software, and it's also
possible to boot off of a CD-ROM and inspect the hard drive for malicious
tampering.
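The offline inspection the article mentions (booting from read-only media and checking the installed disk rather than trusting the running system's own antivirus) comes down to comparing the files on disk against a baseline recorded when the system was known to be clean. The following is an added example, not code from the article or from any vendor named in it: it records SHA-256 digests of every regular file under a root, then reports what was added, removed or modified since the baseline. The directory tree and the "tampering" are constructed inside the script so it runs offline; in practice the baseline would be written to the boot medium and the root would be the mounted, unbooted system disk.

```python
"""Offline integrity check of a filesystem tree: record a baseline of
SHA-256 digests, then compare a later scan against it.
Added example for the forwarded article; not from the original text."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 digest of a file, read in fixed-size chunks
    so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its
    digest. Symlinks are skipped so a link cannot steer the scan off the
    volume being inspected or make one file masquerade as another."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root_path).as_posix()
            baseline[rel] = sha256_file(p)
    return baseline


def compare_baselines(trusted: dict, current: dict) -> dict:
    """Report files added, removed or changed relative to the trusted baseline.
    Keying on the digest rather than the file name is what makes a renamed
    or replaced-in-place binary show up as 'modified'."""
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    modified = sorted(
        p for p in set(trusted) & set(current) if trusted[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario (hypothetical paths and contents): baseline a
    small tree, then simulate tampering and diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        trusted = build_baseline(tmp)

        # Simulated tampering: one binary replaced in place, one unexpected
        # file dropped in, one configuration file deleted.
        (root / "bin" / "login").write_bytes(b"replaced login binary\n")
        (root / "bin" / "unexpected").write_bytes(b"new file not in baseline\n")
        (root / "etc" / "hosts").unlink()

        return compare_baselines(trusted, build_baseline(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The comparison only ever says that a file differs from the baseline, not what it now contains; reviewing the flagged files is a separate step. The baseline itself is only trustworthy if it was taken from a clean system and stored where the inspected system cannot rewrite it, which is why the article's suggestion of read-only boot media matters.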
At the moment, at least, there aren't any industry standards about detecting
fedware. "CSIA does not currently have a position on this issue nor has the
issue ever been addressed by its board of directors," said Tim Bennett,
president of the Cyber Security Industry Alliance.