As a Professor, attorney, and technologist, I deliver many academic lectures at John Jay College of Criminal Justice, lecture at conferences to professional organizations, and train law enforcement around the country. In 2012, I began warning of FinFisher, a German-based company (previously U.K.-based) that produces and sells computer intrusion systems, including remote monitoring solutions, and had recently developed the ultimate spyware for smartphones and computers.

Back then, details of FinFisher and its software were not publicly available. The company is secretive as its clients are government intelligence agencies. Some of FinFisher’s clients include nations with poor records on human rights, personal liberties, and privacy, including Mongolia, Pakistan, Vietnam, Nigeria, and Singapore. FinFisher has also reportedly sold software to intelligence communities in South Africa, Australia, Belgium, Slovakia, and the Netherlands.

In 2012, there was little information publicly available as to the full capabilities and reach of FinFisher’s software products. However, since then, information has slowly leaked out through WikiLeaks and other reputable sources. Today, FinFisher is known to produce the most powerful commercial weaponized surveillance malware software packages on the planet.

Two products of significance are FinSpy PC (computer spyware) and FinFisher Relay (smartphone spyware), which when installed grant the ability to intercept all files/documents and communications, such as those over Skype, email, and even video and audio through the webcam and microphone. These two software products can be remotely “pushed” (installed without the user’s knowledge or actions via a Trojan Horse or other method) to any computer or smartphone. This includes OS X, Windows and Linux computers, as well as Android, iOS, BlackBerry, Symbian, and Windows mobile devices. Users of these devices do not have to be anywhere near the vicinity of the person installing the malware. Furthermore, it is nearly impossible to identify that the malware has been installed without conducting a deep forensic analysis.

Disturbingly, researchers at citizenlab.org published evidence and reports showing the use of FinSpy PC and FinFisher Relay against journalists, activists, and political non-desirables around the world by government intelligence agencies. But at least the software was only available to international government intelligence agencies and generally kept out of the hands of cyber criminals… until now.

In 2013, during a presentation to the United States Association of Inspectors’ General, I warned that it was only a matter of time until FinFisher’s software would leak out on the web, becoming accessible to cyber criminals and others with malicious intent.

That day has arrived.

Yesterday, on September 15, 2014, Julian Assange, WikiLeaks Editor-in-Chief, allowed both FinSpy PC and FinFisher Relay to be openly published on WikiLeaks.org. In other words, as of yesterday, millions of cyber criminals around the world have access to a weaponized surveillance malware package that can be installed with very little effort, giving access to almost all the data on a user’s computer or smartphone.

Within minutes of the site going live, I received a barrage of communications via phone, email, Twitter, and text message from students, law enforcement, and researchers around the world. Most people just wanted to talk about the release of the software, while others asked how long it would take me to download and analyze the software.

Before lunchtime, my lab at John Jay College of Criminal Justice (The Advanced Research Domain for Information Security in Public Policy) had downloaded all available software and documentation. While my team and I obviously cannot deploy the software “in the wild,” we are able to analyze its code to determine exactly how virulent the software really is. We will be devoting a significant amount to time in the near future to analyze this threat and report our findings.

There is a glimpse of bright light shining through the murky water… Julian Assange and WikiLeaks did not release this software for cyber criminals to obtain and use, although it will be an unintended result. Their primary goal was to allow security researchers to analyze the code to come up with methods to protect us all (the public). While we are all at risk today, you can be sure that future software updates from Apple, Google, and Microsoft will contain significant security improvements rendering this software obsolete. That is, of course, until FinFisher updates the code within their products, and the cycle starts over again…

Adam Scott Wandt, J.D., M.P.A., is an Assistant Professor of Public Policy at John Jay College of Criminal Justice, where he serves on both the Graduate faculty of the Digital Forensics and Cyber Security program and the Masters of Public Administration in Inspection and Oversight program. Professor Wandt is an Attorney and Counselor-at-Law in the State of New York.

Media requests on this issue should be sent to the attention of [email protected] with FinFisher clearly identified in the subject line.

Professor Wandt On Twitter: @Prof_Wandt

Professor Wandt’s Presentation at the Association of Inspectors’ General 2013 Annual Meeting. The topic of the presentation is “Mobile Device Investigations: Thinking Outside the Box.”

[youtube]http://www.youtube.com/watch?v=1LdZWTiWSBI[/youtube]

Did 4Chan Identify the Boston Bombers?

Americans tend think of hacking groups like Anonymous and 4Chan as mischievous criminals who cause damage and cost corporations and governments millions upon millions of dollars.

But occasionally the views of these groups align with popular opinion.

In response to the explosions at the Boston Marathon, online discussion forums are abuzz with the story that the global hacking group 4Chan took to the Internet to conduct their own cyber investigation. 4Chan reportedly requested assistance from the public and collected scores of photographs, a technique called crowd sourcing.

4Chan painstakingly analyzed the photos and identified several individuals who may have been involved with the bombing.

A website has been created (http://imgur.com/a/sUrnA) with annotated photographs showing the suspects at different points in time. Two photographs are annotated “Suspect #1” and “Suspect #2.” The suspects can be seen with and without two backpacks that may have been used to carry the bombs. A third suspect carries a duffel bag. Several other suspects are also identified. The photographs and evidence are clearly presented to the public.

This type of crowd sourced criminal investigation is a fairly new activity for hacker groups to engage in. What are the pros and cons of these activities?

PROS:

1. Taking initiative to increase public safety.
2. Conducting a public and transparent investigation.
3. Collecting evidence that may assist law enforcement.
4. Looking out for Americans.

CONS:

1. May be considered inappropriate or illegal interference with a federal investigation.
2. Alerting and outing possible suspects could cause problems for law enforcement.
3. Releasing evidence before the government deems it appropriate may be considered a problem for national security.
4. What if these people are innocent? What about violent vigilantly responses?
5. What if images are being doctored?

One final thought: Looking at these photographs, I noticed that some of these people look like special ops, not terrorists. Two of the suspects are wearing tactical pants and the backpacks possibly used to carry the bombs look like tactical gear. Did 4Chan simply identify undercover law enforcement or military, not terrorists?

Perhaps these photographs leave more questions unanswered than answered. But one thing is for sure… hacker groups engaging in crowd sourced criminal investigations is an interesting behavior that raises new ethical and legal issues.

Take a look at this archive of 4Chan’s photo investigation work (http://imgur.com/a/sUrnA) and tell me what you think in the comments below.

Everywhere we look today, we see signs and images reminding us of the tragic events of 9/11/2001. The slogan “Never Forget” has become the symbolic mantra associated with that horrible day. We see the words “Never Forget” … But what do they really mean? What is it we should “Never Forget?”

Should we Never Forget the events of 9/11/2001, or the people who lost their lives that day? Should we Never Forget the heroes that responded to 9/11 and the many who perished when the buildings fell.  Should we Never Forget the Twin Towers, American Airlines Flights 11 and 77, United Airlines Flight 175, or the Pentagon? Should we Never Forget that we were attacked by al Queda or Osama Bin Laden? Should we Never Forget where we were or how we felt when we watched the news and felt helplessly sad and defeated?

Should we Never Forget the days following 9/11? Days of amazing patriotism where everyone flew an American flag and stood together in solidarity; Days where differences in race, color and religion seemed to fade away.  For a short period of time following 9/11, we were all American and we were all in this together.

I used to think that is what “Never Forget” meant, but today, I look at it differently. I see the phrase in a way that might upset people.

I ask that we Never Forget what life was like before 9/11.

I ask that we Never Forget there was a time when we did not live in fear. A time before SWAT Teams freely roamed the streets of New York City. A time before the TSA. A time before armed military in the subways,  Penn Station, and Grand Central Terminal. A time before the NSA spied on just about everybody and everything. A time before the Patriot Act and the Protect America Act. A time before the president had the authority to suspend habeaus corpus. A time before water boarding and the horrors of Guantanamo Bay.

I ask that we Never Forget that our country was once free and prosperous. A time before fear controlled us. A time where the NYPD enforced quality of life crimes and did community policing. A time when racial profiling was frowned upon and not official policy.

I ask that we Never Forget there was a time when the world respected us. A time before we invaded Iraq. A time when our military budgets were much smaller and our international aid much larger. A time where we valued education and public service. A time where we respected (most) politicians. A time before hate. A time before the Tea party. A time before OWS, massive debt, bailouts and TARP.

We should Never Forget the lives lost and the damage done on 9/11/2001. But more importantly, we should Never Forget who we were, as a nation, when we went to sleep on 9/10/2001.

We should Never Forget that a terrorist’s mission (by definition) is to force political or social change by fear. We should Never Forget that the terrorists accomplished this and therefore won on 9/11.

In a rather disturbing example illustrating how courts don’t understand societal use and impact of computers and technology, it seems that the Court of Appeals of the State of New York (NY’s highest court) has held that it is perfectly legal to view child pornography on the Web (or at least non-convictable as possession), as long as the viewer does not pay for it or intentionally download a copy to a computer.

In a decision that will be formally released at the end of this week, Judge Ciparick writes in the majority opinion in The People v James D. Kent  that detectives finding “cached Internet files” of child pornography on a defendant’s computer does not constitute possession of child pornography. The Court further “conclude[s] that merely viewing Web images of child pornography does not, absent other proof, constitute either possession or procurement [of child pornography] within the meaning of our [NYS] Penal Law.” This would apply even in the case where the defendant browsed several child pornography pictures in a row, which were cached on the computer as internet files. (Caching is the process of automatically saving a copy of browsed website images to the computer, so that it can be quickly loaded the next time the user visits the same website).

The Defendant, Professor of Public Administration James D. Kent, of a Dutchess County College, was properly convicted on other counts of possessing child pornography on his work  computer that he had downloaded and saved to his “Documents” folder  (so justice was served). However, the precedent that was created in this case will, without a doubt, be exploited by future pedophiles who will use this legal loophole to safely view and build caches of child pornography without having to fear a criminal conviction for possession. It is more than possible for those interested in child pornography to build large caches of internet child pornography, without formally “downloading them.” Those caches could later be retrieved, shared and distributed without leaving any evidence that they were accessed.

I also think it is ridiculous in today’s digital age for someone as sophisticated as this defendent to claim that he was ignorant that images viewed on his computer were cached by the system. In 2012, I believe this is common knowledge.

The burden now lies with the NYS Legislature to draft and pass new legislation preventing people from exploiting this upsetting loophole, while protecting those who may accidentally stumble upon such disturbing contraband while innocently surfing the Web.

The soon to be released opinion in “The People v James D. Kent” can be found here: http://www.nycourts.gov/ctapps/Decisions/2012/May12/70opn12.pdf

Follow Professor Wandt on Twitter: @Prof_Wandt