CIPAV (Computer and Internet Protocol Address Verifier)
1984 is a tad later coming. Ah no nah it isn't. This was just a commentary in some random online news. I just want let you know what I know, about CIPAV. CIPAV stands for Computer and Internet Protocol Address Verifier, a software tool developed by the FBI. It has been described as "secret data-gathering tool that the FBI uses to track and gather location data on suspects under electronic surveillance". I want to cover CIPAV in my articles because I did some research about government investigation software. I want to explain what is known about CIPAV and how it most likely works. Enjoy reading!
- Peter Kleissner, Investigator
CIPAV (Computer and Internet Protocol Address Verifier) is a software program by the FBI to, getting it to a point, find out the IP address of a suspect using and faking electronic communication. This is necessary for the FBI to investigate electronical over U.S. frontiers and "useful" when someone uses proxies and tunneling to hide/anonymize its true origin in the internet.
As described in the affidavit (link below) CIPAV collects following data:
- IP address
- MAC address
- registry keys
- Environment Variables
- Open Ports
- Process List
- Operating System (Type, Version, Serial Number/Product ID)
- Internet Browser and Version
- Language identifier
- Computer Name, Company Name
- User Name
- visited sites history (of browser)
Half of the collected data can be used to identify a computer uniquely to a person - the other half is useful if you want to hack some target computer. IP, MAC, certain registry keys and computer name among others things can be used to assign a computer to a real person, but things like open ports, process list or internet browser are definitely used to find security flaws of the computers configuration.
In todays century you would use half of the information to find security flaws in the computers configuration and would use metasploit or other exploiting frameworks to gain access and control to the computer. The operating system product id has already been used multiple times to get the buyer of a computer - the whole process of selling a Windows OS will be logged via the product id (where it will be sold, shipped, to whom etc.). The history list of the web browser that is collected is clearly against privacy - and has nothing to do with configuration. It can be treated as content, not as meta-data/configuration and therefore its illegal to collect it without an explicit search warrant. The urls often contain sensitive information, like filled-out form contents, login information or session ids.
Before explaining how CIPAV works, I want to give some details about the actual case where CIPAV was used to identify a suspect. In summer 2007, a student at Thurston County School send some bomb threats via email to his school. He also has (still) an account at MySpace, www.myspace.com/timberlinebombinfo, where he has a picture of bombs. His last login was 22.06.2007 - the end of the month where he sent multiple bomb threats to his school.
Anyway he used a proxy server in italy to hide his true ip address. He registered email accounts on Google and sent bomb threats to his school. He used a compromised computer in italy to tunnel his communication (most likely a SOCKS5 server), not a difficult thing to do. A lot of script-kiddie tools like shark trojan have integrated such functionality - a victim will automatically act as proxy. All you have to do is spread your trojan (a simple executable) into the world.
By giving information to the FBI. See following data that was collected by Google via Google Mail service of the suspect (taken from the affidavit):
Status: Enabled (user deleted account) Services: Talk, Search History, Gmail Name: Doug Briggs Secondary Email: Lang: en IP: 126.96.36.199 LOGS: All Times are displayed in UTC/GMT email@example.com Date/Time IP 04-Jun-2007 05:47:29 am 188.8.131.52 04-Jun-2007 05:43:14 am 184.108.40.206 03-Jun-2007 06:19:44 am 220.127.116.11
This is what google saves about you, even you delete your Google Mail account. All IP addresses (the one which was used when registering and all others used for login) will be recorded.
MySpace stores following information:
User ID: 199219316 First Name: Doug Last Name: Briggs Gender: Male Date of Birth: 12/10/1992 Age: 14 Country: US City: Lacey Postal Code: 985003 Region: Western Australia Email Address: firstname.lastname@example.org User Name: timberlinebombinfo Sign up IP Address: 18.104.22.168 Sign up Date: June 7, 2007 7:49 PM Delete Date: N/A Login Date June 7, 2007 7:49:32:247 PM IP Address: 22.214.171.124
How CIPAV works
The idea is quite easy - code will be executed locally and the code comes within a website. This solves all problems with proxies for investigators - if you can see the website you have the malicious code. In the timberlinebombinfo case it was MySpace site and administrators who hosted CIPAV program on MySpace site to get above presented data. The final idea behind the concept is that the executed code will contact the (law enforcement) server and send the data like IP address and local configurations. The Browser Helper Object/Active X component can be installed automatically into the browser - so every time the suspect uses Internet Explorer the browser helper object will become active and can do its intelligence jobs.
So nope, there's no executable sent via email, this is simply not done, not true and not the case. (because many people speculated CIPAV could come via email or via security flaw in Windows)
- Affidavit for Search Warrant, United States District Court
- Search Warrant, United States District Court
- FBI remotely installs spyware to trace bomb threat
- FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats, Wired news