FBI Investigating Mystery Laptops Sent To US Governors 329
itwbennett writes "The FBI is trying to find out who is sending laptops to state governors across the US, including the governors of Wyoming and West Virginia. The West Virginia laptops were delivered to the governor's office on August 5, according to the Charleston Gazette, which first reported the story. Kyle Schafer, West Virginia's chief technology officer, says he doesn't know what's on the laptops, but he handed them over to the authorities. 'Our expectation is that this is not a gesture of good will,' he said. 'People don't just send you five laptops for no good reason.'"
Me (Score:5, Funny)
If the governors don't want them, I'll have them.
Re:Me (Score:5, Funny)
West Virginia - keeping Hughes Net in business since 2005.
Re: (Score:2, Troll)
From Israel, with love.
Re: (Score:3, Funny)
I'd like mine with an Argentinean girlfriend and some unexplained hiking trips, please.
Re:Me (Score:5, Funny)
If they don't want them (Score:2, Interesting)
I'll take them.
Seriously, they don't have one good tech guy who could wipe the drives/check the internals for rogue hardware?
That might not be safe enough (Score:5, Insightful)
What if whoever's sending them isn't just a small-time crook but a foreign intelligence agency with the resources to custom-make chips with built-in back doors. (Such back doors have been demonstrated to be plausible; someone has built a CPU with a circuit which switches off memory protection when it finds a specific sequence on a memory bus, which means that it doesn't matter how secure the software running on it is.)
Why would they target state governors' offices? Well, they'd presumably be easier to pwn than, say, the Department of Defence or the CIA, and a good starting point for setting up pieces.
Re:That might not be safe enough (Score:4, Insightful)
But delivering them this way is attracting too much attention. Better to deliver the machines to their normal IT supplier, perhaps by getting one of your people on the payroll.
Re:That might not be safe enough (Score:5, Insightful)
But delivering them this way is attracting too much attention. Better to deliver the machines to their normal IT supplier, perhaps by getting one of your people on the payroll.
It would be far cheaper to put malware on a USB key with a logo of some government project on the side and mail that to them. They could use the same CD autorun thing that the U3 malware uses.
Re:That might not be safe enough (Score:5, Insightful)
Are you kidding?
If I wanted to guarantee that a found USB key would be plugged in somewhere, I'd label it "porn".
Re:That might not be safe enough (Score:5, Funny)
On small (4-5 person) LAN parties back in the nineties, I knew a guy who shared his floppy drive under the name "porn". When somebody got too horny, their expectation of anonymity were ruined by the characteristic noise those drives make when they try to read from a non-existent floppy.
Re: (Score:2, Interesting)
Offtopic, but does anyone know how to remove the U3 "feature" using Linux? I heard there are Win32 removal tools, but I don't trust removal tools from people who actually invented U3...
Re: (Score:2)
Good old format (insert linux equivalent) doesn't work?
Re: (Score:2)
I'm quite puzzled now because I just formatted my sandisk stick which had u3 so the virtual cd and all other software just went away.
Re: (Score:2, Informative)
http://u3.com/support/default.aspx#CQ3 [u3.com]
They finally came out with an uninstaller for it. Quick and easy, but back up all your data as it wipes the entire flash drive.
Re: (Score:3, Informative)
Doesn't work in Linux, as the GP asserted. Have to stick it in a Windows box just to run the uninstaller.
As far as I'm concerned it's defective from the vendor and I personally don't buy any USB thumbdrives with U3 installed on them.
If I accidentally buy one with it on there and realize it after I get it home and open the package, I take it back. Sorry, but no.
Re: (Score:2)
a) As pointed out, somebody with the resources to do that would be a but more subtle about delivering them.
b) In this case, the smart thing to do would be to keep things quiet and send false info.
Re: (Score:3, Insightful)
Then again.... maybe this is just QA.
Put in your malbug, send the laptops out in a high profile way... see what happens. Do they investigate? Do they even find what you did? That, in and of itself, could be valuable information, and possibly worth 5 laptops.
Though I do enjoy the double standard. Someone breaks into your systems, with evidence. Think the FBI is going to care unless they can be shown to have done massive damage or stolen real money?
Here someone does something that is, on its face, perfectly
Re:That might not be safe enough (Score:5, Interesting)
Really? They why state governors? They really don't have a lot of access to secret stuff. My guess is a little more amusing. Someone has figured out how to hack into HPs GSA ordering system and is pranking them. They are basically ordering laptops on the states dime from HP just to see if anyone notices. Sort of like ordering Pizzicati to be set to buddy's house as a joke. The difference is this is going to be a federal offense.
Re:That might not be safe enough (Score:4, Funny)
God would send an iPhone, not a laptop.
Get real.
Why assume it's some foreign entity? (Score:4, Insightful)
What do the states whose governors received these laptops have in common? The referenced article didn't mention the complete list but West Virginia and Wyoming might have something commercial in common. Mining or energy for example. Wouldn't a lobbyist with some powerful clients in the mining/energy industry just love to have access to some state computer systems where they could snoop through internal emails discussing potential legislation restricting mining activities? West Virginia's had problems with mountaintop removal for years. There's been talk of stopping that for some time. Wyoming has their share of mining companies abusing the environment as well.
On the other hand, perhaps a bunch of environmentalists shipped the laptops in the hope of getting access to state information so they could blow the whistle on state govt./industry shenanigans (bribes and the like).
Anyone know where there's a complete list of the states where these laptops were shipped?
Re:That might not be safe enough (Score:5, Interesting)
Re:If they don't want them (Score:5, Interesting)
Seriously, they don't have one good tech guy who could wipe the drives/check the internals for rogue hardware?
Not at a cost less than the price of one new laptop. Smart hardware people with time to prepare could hide just about any device just about anywhere. Or hide nothing at all just so people waste time looking for what isn't there.
I get the impression this is just a prank by someone with a little too much free cash and a bad sense of humor. Either that or a marketing thing by a laptop manufacturer.
Re: (Score:2)
I get the impression this is just a prank by someone with a little too much free cash and a bad sense of humor.
You may have meant "someone with a little too much stolen cash". This is too blunt for anyone with the resources to seriously mod the HW in a meaningful way for intelligence gathering or DoS. My gut reaction is the laptops have a trojan/worm on them, and were intended for the dumber staff to go "cool! free loot!" for the LULZ [youtube.com].
Re: (Score:3, Insightful)
And if it's a hardware issue? I'd donate them to a educational organization (after wiping them down for malware)
Re: (Score:2)
Re: (Score:3, Informative)
Hidden, malicious hardware.
Re:If they don't want them (Score:4, Insightful)
You wipe the OS and install a new one. You clean it up from the default bloatware and hook it to the network. You analyze the connection and if there is no communication the devices are safe.
You seem like a intelligent gentleman providing great solution for both the latest gov IT attacks AND the recession!
If this happens, I can see both China's computer espionage and Kim Jong's heads exploding from the sore happiness!
Re: (Score:2)
Re: (Score:2)
My guess is, "return them to some company somewhere that screwed up an order".
Re: (Score:3, Funny)
Put it in the field and fly a Huey Gunship in the general vicinity.
If it runs, it's VC.
If it doesn't run, it's well disciplined VC.
I know what you're thinking ... "How do you shoot innocent laptops and desktops?"
It's easy - you just don't lead them as much!
Re: (Score:3, Insightful)
Re: (Score:2)
I'm not saying they should use them, because every major organization should use standardize equipment. Just discussing how they can be checked for malicious code.
Re: (Score:3, Interesting)
Re:If they don't want them (Score:5, Insightful)
Show me an IT monkey who could tell the difference between two standard network adapters, one of them fine and the other containing a counterfeit MAC/PHY IC that's been fucked with by Chinese intelligence services...
And for the time taken to vet the laptop for such things, you might as well throw it out.
On the other hand, if you actually did want to get government personnel using subverted hardware then I think just sending it to them anonymously is probably not a good way of going about it... so maybe the criminals aren't that smart. Or maybe that's what they want you to think?
Re:If they don't want them (Score:4, Insightful)
> And for the time taken to vet the laptop for such things, you might as well throw it out.
Except that if I were the CIA, I would pay a lot more than the price of 5 laptops to know who was spying on me, and how.
Re: (Score:3, Insightful)
Actually, you would have to be pretty stupid to send them to the CIA. You'd send them to the FBI (as TFA mentions), who would try to figure out if it was foreign or domestic, and then they would get the real experts (NSA) to do the technical work.
OLPG (Score:5, Funny)
Its obviously the one laptop per Governor project.
Re: (Score:2, Funny)
Compaq 15.6" CQ60-410US Notebook PC, I got mine for $298.00. Not a real cost.
Let's guess, one drunk, $1600.00 laying around and surf the web for governor's
addresses.
The malware? IE 8.0 plus VISTA Home edition. Instant coup.
Are you kidding me? (Score:4, Funny)
Are you kidding me? I've received hundreds of free laptops from total strangers. In fact, I trust them so much that I do all my banking on them. After all, this nice downtrodden Nigerian prince has personally guaranteed the security and stability of all these laptops. Now, let me go check my bank balance....OMGWTFBBQ^*#^$@))*#$!!!!!
NO CARRIER
Re:Are you kidding me? (Score:5, Funny)
NO CARRIER
I understand breaking the monitor and keyboard in such situation, but you actually went out of the house, walked to your tool shack, picked up an axe and smashed your telephone line with it? That's a little bit aggressive, dont you think?
Re: (Score:2)
"People don't just send you five laptops for no good reason."
They do if the senders are expecting a positive review!
At the same time, I don't think that the incoherent and vaguely grammatical comments of daft and corrupt US politicians will help sales much.
I could be wrong, though. I was one of the ones who believed Cmdr Taco was right about the iPod.
If the govenors do not want them... (Score:5, Interesting)
Re: (Score:2)
Replace and save the hard drive for legal analysis, with a good chain of ownership in case of lawsuits.
I'd also be concerned about electromechanical key loggers. Governors handle some very sensitive data, and should not have their keystrokes logged. But scrubbing the drives with a good Linux live CD makes them safe enough for casual use.
Interesting angle on social engineering... (Score:5, Interesting)
You get the laptops delivered to a big enough organisation, whoever signs for them assumes *somebody* ordered them for a reason, but can't find out who. So they stash them somewhere. Fast forwards to when someone new joins the organisation and needs a laptop, somebody mentions there are a couple lying around in boxes and bingo, you've got malware in through the front door without touching an Internet connection.
Makes me wonder, how often this has been done successfully to less vigilant offices, worked, and we haven't heard about it.
Re:Interesting angle on social engineering... (Score:5, Interesting)
That's an expensive hack! Especially when the typical methods are practically free. I wonder how effective it is.
You know, it might be cheaper to just "accidentally" drop usb drives near the office or, if you're not targeting a particular office specifically, leave the drives in coffee shops and local restaurants. Someone takes it home and tries looking at it, pwnage.
Re: (Score:2)
Expensive for whom, you? What about a large political party or the intelligence unit of a foreign country? Practically free for them.
Re: (Score:2, Insightful)
But West Virginia?
Re: (Score:2, Insightful)
Or they might just want the latest recipe for Varmint Pie.
Re: (Score:2)
It's them pesky East Virginians, I'll bet!
Re: (Score:2)
It's near DC...
Not to mention some of the "secret bunkers" and "undisclosed locations". Chances are that any plausible enemy knows about them but could always use more info on how they are supplied, etc.
The major connection I see between WV, VT, and Wyoming is mountains. Things get dug deep into mountains.
Re: (Score:3, Interesting)
Re: (Score:2, Insightful)
A foreign government might be willing to splash out this sort of cash but I wonder how interested they are in individual state politics.
Re: (Score:2)
Re:Interesting angle on social engineering... (Score:4, Insightful)
Re: (Score:2)
Just steal the laptops then.
Or -- I don't know -- just be the country that makes them (China) where you have virtually unlimited access to the stock, anyway.
Re: (Score:2)
Be sure to label the drives with stickers - "Your competitor's TOP SECRET data!!!" and the like.
God knows, I've worked with people who would fall for that.
Re: (Score:2, Interesting)
However, if you do that with a large enough company to get "undetected" (assuming smaller companies would recognise something fishy is going on) there should be a large risk that this laptop goes to the IT-people first to get completely altered to companies standards.
That usually should mean complete format and using an image of whatever the company is using as client OS. So there go
some company order systems with there image per lo (Score:2)
some company order systems with there image per loaded or some are so big that some think like can happen they are just sitting there ready to go (not knowing that IT did not even get to them) or they are in Small Branch Office with little to no on site IT.
Re: (Score:2)
Formatting the drive doesn't protect against malicious hardware/firmware built in (or installed before they were sent to the target). If we're talking foreign government it would be a piece of cake to get that done. The US government has done similar things to espionage targets. Organized crime would more than likely have the ability (or be able to develop the ability) to hide the face that a case had been opened and the guts altered from casual inspection.
I don't expect it would take too much ingenuity
Re: (Score:2)
Re: (Score:2, Interesting)
Don't assume Fraud is occuring on the delivery (Score:5, Interesting)
Go for the obvious. Someone is trying to get revenge on corporation "x" by purchasing a bunch of computers and having them drop shipped. By the time accounting catches up with the paperwork, the computers will be in the hands of the FBI for a month. If the scam is done right, it is done by an ex-employee or someone with just enough access to know who the preferred suppliers are. You make a couple of phone calls, send the right paperwork, and next thing your computer vendor is drop shipping a bunch of computers somewhere.
Having worked for distributors, I'm surprised this doesn't happen more often. Having stuff go missing for weeks on end inside factories, fairly routine ... This wouldn't be hard to do. Just ship a bunch of computers somewhere else.
It is even difficult to get charged for doing something like this. FAXing the paperwork leaves no fingerprints. To the accounting department, the transaction looks like typical incompetence. The corporation won't request charges laid, because then they would have to admit they were incompetent too, and this stuff happens all the time. The police have a tough time charging you, because you didn't steal anything. If done right, you didn't even touch anything so there is no physical evidence. No evidence means no crime, and your revenge makes the national newspapers. Perfect revenge scheme.
Re: (Score:2)
Re: (Score:3, Interesting)
You get the laptops delivered to a big enough organisation, whoever signs for them assumes *somebody* ordered them for a reason, but can't find out who.
Hehe. I worked for a large company where on more than one occasion someone just sends their laptop in to the workshop only to be lost in the stack because they didn't put a ticket number on it. It wasn't stolen but rather just with all the other laptops in a pile and was basically unlocatable for a few months.
Secondly, the purchasing approval process sometim
Reality is weirder than fiction (Score:4, Funny)
Re: (Score:2)
I think I read that book. It was by Dan Brown, not Grisham, and called Digital Fortress. Yes, it was terrible.
Re: (Score:3, Funny)
Egad. If I want cheap obnoxious thrillers, I'll read Greg Bear's lesser work...
I can see it now (Score:5, Funny)
Hard-Trojans (Score:5, Funny)
"A what? Whatever, put it in the yard next to the giant wooden horse."
Re: (Score:3, Insightful)
a delivered local wi-fi attack? (Score:3, Interesting)
fedex sleeping laptop
wake at delivery time
run superduper wi-fi haxor proggy
phone home
Re:a delivered local wi-fi attack? (Score:5, Funny)
"a delivered local wi-fi attack" is the best poetry I've read all day. Your lack of punctuation and capitalzation reminds me of e.e.cummings, and the unexpected Spielberg reference at the end is a stroke of genius. You should do poetry slams. (imagine "run superduper wi-fi haxor proggy" to the sound of a bass slapping. )
Re:a delivered local wi-fi attack? (Score:5, Funny)
I'm imagining it, but it's really hard to get a good rhythm out of a dead fish.
Hacked hardware? (Score:5, Interesting)
Re: (Score:3, Insightful)
I think that they are more concerned about bombs than BIOS trojans.
Re:Hacked hardware? (Score:5, Funny)
The article says that they were HP laptops, not Sony.
</obvious>
2 democrats (Score:4, Interesting)
Updated news report (Score:5, Funny)
China (Score:2)
Next question?
Re: (Score:2)
That's nothing... (Score:2, Funny)
Real bad guys would plant a Governor or a President, not some brainless laptops...
Re: (Score:2)
What if they aren't "brainless" laptops? After all, what would Skynet do?
(Note: Send Terminators only works for future Skynet)
Stop being so paranoid (Score:5, Interesting)
Re: (Score:2)
Send 10 laptops or have bad luck for 7 years. (Score:5, Funny)
> Send a laptop to 10 people or you will have bad luck for 7 years. If you do send laptops to 10 people you will get your greatest wish!!
>
> A woman in Canada didn't send the laptops and now she is in prison for cheating on her taxes.
>
> A man in Kansas sent the 10 laptops and now has a new laptop!
>
> This is not a hoax or scam!! YOu HVAE TO SEND THIS!! 10 Laptops or something horrible will happens. Send it to all your friends!!!
> >
> > It's TRUE!! I got cancer when I didn't send the laptops, but then I sent them and now I have a million dollars!!!11
> >
> > Don't think this is a trick!! Just do it !1 Wjhat do you have to lose??
> >
> > Jack in Fredricksburgton
> >
> >
> > > I can't count the number of times I've sent out these kinds of Laptops and gotton NOTHIONG. But this is the real deal.
> > > You can't go wrong with this one. Think about it, you already got the laptop. You already have it...
> > > but dont' just accept the gift and not pass it on or your in for big troubles.
> > > >
> > > > Here is a free laptop. Pass this on to 10 friends and enjoy!
> > > >
> > > > Richard R.
OLPC (Score:3, Funny)
One Laptop Per *CHILD*.
"you have won" (Score:2)
And they 'clicked here'
Figures that they would find the ONE legit free gift out of all the scam.. But then again, if you are scam to the core, you can see one a mile away.
For no good reason? (Score:2)
That's funny, corporations are constantly giving politicians much larger amounts of money for no good reason - since surely honest politicians would not let a few thousand dollars sway their administration of hundreds of millions of dollars away from the Common Good.
Re: (Score:2)
Yes, but normally when you bribe a politician you do it in such a way that they know who's paying.
Your problem being? (Score:2, Insightful)
Rip out the hard drive, install a new one, perfectly good laptop for the price of a hard drive.
If you're cheap, wipe the hard drive and reinstall (preferably some Linux distri).
WTF is your problem, gubernator?
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
It's a gift from their mistresses (Score:2)
The conversation we'll never hear about... (Score:2)
Tech: Mr Governor, sir, have you seen those HP laptops that you asked me to order? FedEx says your secretary signed for them.
Gov: Laptops, you say?
Re: (Score:2)
Have they turned it on? (Score:3, Funny)
All it probably just plays Rick Astley "Never Gonna Give You Up" in a loop.
Hackers (Score:5, Funny)
When they turn 'em on, does it show some distorted video of a guy telling them to play nice, and to enjoy the new laptop?
Re: (Score:2)
Re: (Score:3, Funny)
Nigeria actually has a bank called "Bank PHB" [promote-my-site.com] with the slogan "Be you, be free, be brilliant". I can't help but think of the PHB from Dilbert [promote-my-site.com];