Senator Demands Answers on FBI’s Use of Zero Days, Phishing

FBI Director James Comey on Sony Hack

The chairman of the powerful Senate Judiciary Committee is asking some pointed questions of the FBI director about the bureau’s use of zero-day vulnerabilities, phishing attacks, spyware, and other controversial tools.

Sen. Charles Grassley (R-Iowa) has sent a letter to FBI Director James Comey asking for “more specific information about the FBI’s current use of spyware”. The letter includes a list of highly specific questions about the way the FBI uses remote exploitation capabilities and spyware tools. The letter is related to a current effort by the Department of Justice to get more leeway in the way that its agencies use spyware tools in criminal investigations.

In his letter, Grassley asks for information about a number of methods the FBI uses, including specifics about whether the bureau uses zero days or tools provided by intrusion-software vendors.

“Which spyware, related programs, and other network investigative techniques has the FBI used in the field since 2009? Please include both government-created programs and ones purchased externally, if any, from companies such as Hacking Team and Gamma Group International,” Grassley asks in the letter, sent June 12 to Comey.

Both Hacking Team and Gamma Group sell intrusion software to law enforcement agencies and other customers.

Grassley also is seeking information about whether and how the FBI uses zero days. He asked Comey whether the bureau uses and zero days in the process of installing spyware tools on target machines, and if so, whether the FBI develops exploits in-house or buys them from vendors, such as VUPEN. He also asked, if the bureau does use zero days, whether the FBI ever notifies software vendors about the bugs it’s exploiting.

Intelligence agencies and military branches are known to use exploits for zero days in their work, some of which are developed internally and others that are purchased from outside vendors. In 2013, a contract surfaced that showed the NSA had subscribed to a zero-day exploit service run by VUPEN, a French company that develops and sells vulnerability and exploit information. And last month the U.S. Navy published a solicitation for zero days in a variety of popular software.

In addition to the information on exploit usage, Grassley also is asking Comey for more details on the FBI’s phishing operations. Last year, it was reported that the FBI at one point ran an operation that involved setting up a site to impersonate the Associated Press in order to get a target to click on a link that would install a remote monitoring tool. AP officials were indignant at the revelation, saying it undermined the organization’s credibility. In his letter, Grassley asks how many other times the FBI has used this tactic and whether the bureau ever informs the companies it is impersonating.

Grassley asked Comey to respond by today.

Suggested articles

Discussion

  • Robert.Walter on

    I hope that the Director did reply on time and in detail, such that we can compare his answers against those coming out as a result of the HackingTeam disclosures where it seems the U.S. DOJ has been a good customer for some years now. Given that the exposed HackingTeam code shows that it is possible for users to insert child porn into compromised computers, Sen. Grassley needs to follow up and ask if/when this feature has been used to coerce or convict suspects.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.