FBI Investigating Mystery Laptops Sent To US Governors 329
itwbennett writes "The FBI is trying to find out who is sending laptops to state governors across the US, including the governors of Wyoming and West Virginia. The West Virginia laptops were delivered to the governor's office on August 5, according to the Charleston Gazette, which first reported the story. Kyle Schafer, West Virginia's chief technology officer, says he doesn't know what's on the laptops, but he handed them over to the authorities. 'Our expectation is that this is not a gesture of good will,' he said. 'People don't just send you five laptops for no good reason.'"
That might not be safe enough (Score:5, Insightful)
What if whoever's sending them isn't just a small-time crook but a foreign intelligence agency with the resources to custom-make chips with built-in back doors. (Such back doors have been demonstrated to be plausible; someone has built a CPU with a circuit which switches off memory protection when it finds a specific sequence on a memory bus, which means that it doesn't matter how secure the software running on it is.)
Why would they target state governors' offices? Well, they'd presumably be easier to pwn than, say, the Department of Defence or the CIA, and a good starting point for setting up pieces.
Re:That might not be safe enough (Score:4, Insightful)
But delivering them this way is attracting too much attention. Better to deliver the machines to their normal IT supplier, perhaps by getting one of your people on the payroll.
Re:That might not be safe enough (Score:5, Insightful)
But delivering them this way is attracting too much attention. Better to deliver the machines to their normal IT supplier, perhaps by getting one of your people on the payroll.
It would be far cheaper to put malware on a USB key with a logo of some government project on the side and mail that to them. They could use the same CD autorun thing that the U3 malware uses.
Re:Hacked hardware? (Score:3, Insightful)
I think that they are more concerned about bombs than BIOS trojans.
Re:If they don't want them (Score:5, Insightful)
Show me an IT monkey who could tell the difference between two standard network adapters, one of them fine and the other containing a counterfeit MAC/PHY IC that's been fucked with by Chinese intelligence services...
And for the time taken to vet the laptop for such things, you might as well throw it out.
On the other hand, if you actually did want to get government personnel using subverted hardware then I think just sending it to them anonymously is probably not a good way of going about it... so maybe the criminals aren't that smart. Or maybe that's what they want you to think?
Re:Interesting angle on social engineering... (Score:2, Insightful)
A foreign government might be willing to splash out this sort of cash but I wonder how interested they are in individual state politics.
Re:Interesting angle on social engineering... (Score:2, Insightful)
But West Virginia?
Re:That might not be safe enough (Score:5, Insightful)
Are you kidding?
If I wanted to guarantee that a found USB key would be plugged in somewhere, I'd label it "porn".
Re:If they don't want them (Score:3, Insightful)
And if it's a hardware issue? I'd donate them to a educational organization (after wiping them down for malware)
Re:If they don't want them (Score:4, Insightful)
You wipe the OS and install a new one. You clean it up from the default bloatware and hook it to the network. You analyze the connection and if there is no communication the devices are safe.
You seem like a intelligent gentleman providing great solution for both the latest gov IT attacks AND the recession!
If this happens, I can see both China's computer espionage and Kim Jong's heads exploding from the sore happiness!
Re:If they don't want them (Score:3, Insightful)
Re:Interesting angle on social engineering... (Score:1, Insightful)
It's near DC (there are daily commuter trains), it's fairly cheap, and there's a congress critter with some clout. West Virginia actually has several federal computer centers, which are central hubs for the Coast Guard and the DHS. (At least.)
Not that the governor has anything to do with them but there are some high-profile targets.
Re:If they don't want them (Score:4, Insightful)
> And for the time taken to vet the laptop for such things, you might as well throw it out.
Except that if I were the CIA, I would pay a lot more than the price of 5 laptops to know who was spying on me, and how.
Re:Interesting angle on social engineering... (Score:4, Insightful)
Re:Interesting angle on social engineering... (Score:2, Insightful)
Or they might just want the latest recipe for Varmint Pie.
Your problem being? (Score:2, Insightful)
Rip out the hard drive, install a new one, perfectly good laptop for the price of a hard drive.
If you're cheap, wipe the hard drive and reinstall (preferably some Linux distri).
WTF is your problem, gubernator?
Re:That might not be safe enough (Score:1, Insightful)
Nah. "${name of boss's hot PA/secretary} nude photoshoot" surely.
Re:If they don't want them (Score:3, Insightful)
Actually, you would have to be pretty stupid to send them to the CIA. You'd send them to the FBI (as TFA mentions), who would try to figure out if it was foreign or domestic, and then they would get the real experts (NSA) to do the technical work.
Re:That might not be safe enough (Score:3, Insightful)
Then again.... maybe this is just QA.
Put in your malbug, send the laptops out in a high profile way... see what happens. Do they investigate? Do they even find what you did? That, in and of itself, could be valuable information, and possibly worth 5 laptops.
Though I do enjoy the double standard. Someone breaks into your systems, with evidence. Think the FBI is going to care unless they can be shown to have done massive damage or stolen real money?
Here someone does something that is, on its face, perfectly legal and straight up, but the suspicion of potential wrongdoing and the FBI are all over it. I am pretty sure that if someone sent me a free laptop and I called the FBI, they would just laugh at me.
-Steve
Re:Your problem being? (Score:3, Insightful)
Re:Hard-Trojans (Score:3, Insightful)
Re:That might not be safe enough (Score:2, Insightful)
Because they want to be noticed. One laptop to the President gets disposed of. Five laptops to each governor gets them examined. Carefully.
It's a message. Wonder who it's from, don't you? Maybe God.
Why assume it's some foreign entity? (Score:4, Insightful)
What do the states whose governors received these laptops have in common? The referenced article didn't mention the complete list but West Virginia and Wyoming might have something commercial in common. Mining or energy for example. Wouldn't a lobbyist with some powerful clients in the mining/energy industry just love to have access to some state computer systems where they could snoop through internal emails discussing potential legislation restricting mining activities? West Virginia's had problems with mountaintop removal for years. There's been talk of stopping that for some time. Wyoming has their share of mining companies abusing the environment as well.
On the other hand, perhaps a bunch of environmentalists shipped the laptops in the hope of getting access to state information so they could blow the whistle on state govt./industry shenanigans (bribes and the like).
Anyone know where there's a complete list of the states where these laptops were shipped?
Re:China (Score:2, Insightful)
Coal... China is now a net importer of fossil fuels, though mostly from Australia.
Re:Your problem being? (Score:3, Insightful)
Re:If they don't want them (Score:2, Insightful)