The Terrifying World of the Slingshot Virus

The Terrifying World of the Slingshot Virus

On March 9, 2018, Kaspersky Labs published a blog post about the newly discovered Slingshot APT. APT stands for advanced persistent threat; its a computer virus that sits on a computer for a long time, has built in tools to avoid detection and is thought to have specific targets. The Stuxnet virus is a good example of an APT; if the infected computer didn’t have a specific piece of software installed that controlled a nuclear centrifuge, the Stuxnet virus would shutdown and appear harmless to virus scanners. Most of the viruses pushed by cyber-criminals are designed to infect as many computers as possible and create monetary incentives to remove the software. A good example of a non APT virus is ransomware which encrypts a hard drive, and the cybercriminal requests payment to unlock your data. Slingshot appears to be designed as a spying tool with its built in network packet sniffer, keylogger, screenshot function, and ability to steal clipboard data. Slingshot also has about 1500 other functions that virus experts are just beginning to unravel but the already discovered functions are devastating,

  1. Network Packet Scanner: Imagine you visit a website on a computer that isn’t infected by Slingshot but it is on the same network as an infected computer. A packet scanner copies and decodes information from the non infected computer that is being passed through the network. This includes usernames, passwords, computer name information, copies of files and other such data.
  2. Keylogger: A keylogger logs every key that is pushed on the target keyboard. Imagine you click your browser address bar and type in mail.yahoo.com and enter. Next you put in your username and password on the next screen. Even if a keylogger doesn’t see your screen, the three pieces of information that it just captured is enough to allow a hacker to login to your email account
  3. Screenshot: Many readers are familiar with screenshot technology, but imagine information not captured by the packet scanner and keylogger such as inbox email can be captured by a screenshot of the email as you read it
  4. Clipboard data: even if the screenshot grabber doesn’t get all the emails, there are times that an individual uses the copy feature from an email or webpage that contains sensitive information that a keylogger also won’t pickup but copying the clipboard data to a file exposes the user to additional leaks of data.

So why is this virus scarier than all other viruses that have similar functions? The fact that this virus has just been discovered publicly despite evidence of installations at least as early as 2012, means that its anti detection features are extremely sophisticated and it is possible that the virus captured data from millions of unknown computers for at least six years. In addition,

To Scan or Not To Scan That is the Question

To Scan or Not To Scan That is the Question

Elizarri v. Sheriff of Cook County, No. 07 C 2427, 2013 U.S. Dist LEXIS 20570 (N.D. Ill. Feb. 13, 2013)

Plaintiffs had sought “original intake receipts” and “any documents related to the processing of personal property and money belonging to individuals incarcerated in the Cook County Jail” for an approximate five year period. Defendants scanned over 400,000 property receipts from the jail. Plaintiffs sought production of the electronic versions of the property receipts.

The magistrate judge held that the defendants were not required to produce the scanned version of the property receipts, and had met their discovery obligations by permitting plaintiffs to inspect and copy the receipts. The judge held that plaintiffs should not get the benefit of the electronic imaging when the defendants had incurred the expense of conversion, and further held that plaintiffs had received the receipts in the original paper format.

The district court reversed, holding that plaintiffs were entitled to the digital versions of the receipts. The court first noted that defendants had not offered plaintiffs access to the original receipts, but the scanned versions. Therefore, since the original documents were not being produced, defendants were obligated to produce them in a reasonably useful form. As the scanned documents were presumably the form of the receipts which defendants would be using during the litigation, it was the electronic format which had to be produced, not a less manageable format.

Defendants basically did not want to turn the digital versions of the receipts over to the plaintiffs because they had incurred considerable expense in scanning them. That was not a basis for denying plaintiffs’ request. Defendants had not argued that the information was not reasonably accessible because of undue burden or cost. Even materials prepared in anticipation of litigation must be produced if they are otherwise discoverable, and the party cannot obtain their equivalent without undue hardship. Scanning documents does not result in a privileged work product. Forcing the plaintiffs to copy the scanned documents, and then scan them again, would result in undue hardship to the plaintiffs.

E-discovery of Sound Files, I Don’t Like the Sound of That.

E-discovery of Sound Files, I Don’t Like the Sound of That.

Borwick v. T-Mobile West Corp., Civil No. 11-cv-01683-LTB-MEH, 2012 U.S. Dist. LEXIS 128968 (D. Colo. Sept. 11, 2012)

Plaintiff, a telephone customer service representative, contended that she was discriminated and fired due to her pregnancy. Defendant alleged that Plaintiff was terminated because she would inappropriately hang up on customers during service calls. Defendant had originally recorded calls using “i360” software, but transferred the calls to .wav files, and destroyed the original files pursuant to its document destruction policy after one year. The lawsuit was pending during that period.

Plaintiff’s discovery request was for “copies of all recordings,” but she did not request the calls in native format. When she subsequently determined that the calls were originally made using the i360 software, the originals had already been discarded.

Plaintiff contended that the original recordings were important “because there are discrepancies in the documentation of the phone calls which demonstrate unexplained time “gaps” that could prove the Plaintiff did not intentionally hang up on customers.” In addition, because the .wav files could be easily altered, plaintiff implied that defendant had altered the files to benefit its case.

Defendant raised plaintiff’s failure to confer pursuant to local rules, thereby raising the issue in an untimely manner, as well as failure to request the files in native format, and lack of prior objection to the .wav format. Defendant also contended that the .wav files were exact copies of the original i360 files.

The court found for defendant, finding that there was no evidence of alteration of the .wav files, and that plaintiff had failed to ask for native files. The court further found that the destruction of the i360 files was pursuant to defendant’s document destruction policy, and found that the destruction fit within the Rule 37(e) “safe harbor”, or destruction due to a “routine, good-faith operation of an electronic information system.” Although best practices would have been to preserve the original files, failure to do so was not sanctionable.

A Pirate’s Right to Privacy: Don’t Download Copyrighted Information!

A Pirate’s Right to Privacy: Don’t Download Copyrighted Information!

Plaintiff justifies early discovery of identities of allegedly illegal downloaders of movie

Braun v. Primary Distributor Doe No. 1 and Defendant Does 2 through 69, No.: 12-cv-3690 YGR (JSC), 2012U.S.Dist. LEXIS 118396 (N.D.Cal.Aug. 21, 2012)

Plaintiff alleged that defendants used the BitTorrent peer-to-peer file sharing network to illegally download a video produced and copyrighted by plaintiff. BitTorrent works as follows:

in a process called “seeding” an initial file-provider shares a file with P2P networks. Other users (“peers”) on the network connect to the seed file to download. Each new file downloader receives a different piece of data from each user who has already downloaded the file that together comprises the whole. This piecemeal system with multiple pieces of data coming from different peer members is called a “swarm.” As new peers request the same file, each new peer becomes a part of the network and the peers offer parts of the file stored on their computers to other peers. This means that every “node” or peer who has a copy of the infringing copyrighted material also becomes a source of download for that infringing file.

(Dkt. No. 4-1 ¶ 8.) Through an intermediary, plaintiff was able to identify the IP addresses of the users accessing the video, as well as the dates and times the files were shared (roughly a 36 hour period). Plaintiff sought expedited discovery in order to subpoena the relevant internet service providers (ISPs) in order to disclose the name, address, telephone number and email address for each IP address.

The court was satisfied that plaintiff had identified each defendant with sufficient specificity such that it could conclude that each defendant was subject to the court’s jurisdiction. The IP addresses accurately reflected those addresses used to copy the video, and through geolocation technology, plaintiff had determined that the IP addresses were located inCalifornia. Since defendants had accessed the video without any other identifying information other than their IP addresses, plaintiff could not further identify them without the information from the ISPs.

Plaintiff also made a prima facie showing that the complaint could withstand a motion to dismiss, demonstrating that it owned a valid copyright, and that each defendant had intentionally copied the covered work. The evidence uncovered through geolocation technology would also be sufficient to support an inference that all defendants resided inCalifornia, which was sufficient to support the expedited discovery request. Proper joinder of the defendants was also sufficiently demonstrated by plaintiff’s showing that all defendants were part of the same swarm, downloading the video over the 36 hour period; and thus were part of the same transaction, raising common issues of law and fact.

The court acknowledged that the actual identities of the downloaders might not be revealed by the information sought from the ISPs, as the internet connection “could have been used by the subscriber, by another member of the household, by a visitor to the household, or by someone secretly using an unsecure connection.” However, plaintiff proposed that the subscribers be given a thirty day period to respond to and potentially contest the subpoena. Plaintiff would be given the information only after the thirty days had passed without a successful challenge.

The court granted plaintiff’s motion, finding: “In these circumstances, where Plaintiff has a good faith belief that the Doe Defendants reside in California, has submitted declarations outlining the steps it has taken to ensure that the identified Doe Defendants in fact downloaded Plaintiff’s copyrighted material, and has limited its case to a narrow period of time, the Court concludes that good cause has been shown.”

Is a Failure to Institute a Litigation Hold Considered Negligence Per Se?

Is a Failure to Institute a Litigation Hold Considered Negligence Per Se?

Chin v. Port Authority of New York and New Jersey, Nos. 10-1904-cv(L), 10-2031-cv(XAP), 2012 U.S. App. LEXIS 14088 (2d Cir. July 10, 2012)

The vast majority of precedents in the electronic discovery arena have been established at the federal district court level. Chin is one of the rare precedents set at the appellate level, and is even more noteworthy in its holding contrary to one of the leading judicial authorities in the area.

In Pension Committee v. Banc of America Securities, 645 F. Supp. 2d 456, 465 (S.D.N.Y. 2010), Judge Scheindlin had held that “the failure to issue a written litigation hold constitutes gross negligence because that failure is likely to result in the destruction of relevant information.” Based on this holding, plaintiff Howard Chin had argued that the destruction by the Port Authority of several folders containing information regarding his promotion in his Title VII discrimination action justified an adverse inference instruction. Chin argued that the failure by the Port Authority to issue any litigation hold constituted gross negligence.

The court rejected the notion that the failure to issue a litigation hold was gross negligence per se. “Rather, we agree that “the better approach is to consider [the failure to adopt good preservation practices] as one factor” in the determination of whether discovery sanctions should issue…. we have repeatedly held that a “case-by-case approach to the failure to produce relevant evidence,” at the discretion of the district court, is appropriate.” In this case, the district court had found that the destroyed folders played a “limited role” in the promotion process, and the plaintiffs had been able to produce “ample evidence” regarding their qualifications vis-à-vis the employees actually promoted. Thus, the court concluded that, under these circumstances, an adverse inference instruction was inappropriate.

Court Suppresses E-discovery in Criminal Investigation for Government’s Bad Faith Seizure of Harddrives

Court Suppresses E-discovery in Criminal Investigation for Government’s Bad Faith Seizure of Harddrives

U.S. v. Metter, No. 10-CR-600 (DLI), 2011U.S. Dist. LEXIS 155130 (E.D.N.Y. May 17, 2012)

In this securities fraud action, the government had asserted that the defendant Metter had furthered the fraudulent scheme using his home computers, and after obtaining a valid warrant, seized four hard drives, among other items. The government also seized 61 hard drives, pursuant to a valid warrant, from two companies, and also obtained email from the internet search providers of Metter and other co-defendants. The Government made images of the hard drives and promptly returned them to their respective owners.

In November, 2010, the government stated that it intended to provide the defendants with image copies of the hard drives by January, 2011. At that point, the government had not begun a privilege review, and could not estimate when the review would be completed.

At a status conference in February, 2011, the government stated that it would provide a list of computers and emails seized by March, 2011. It also stated that it intended to produce all imaged evidence (without review) to all defendants, and then later conduct a privilege review. The government would also set up a “taint team” to review the hard drives and email accounts for privilege issues. Metter’s attorney expressed concern about the volume of confidential, irrelevant information of his client which would be made available to the other defendants, suggesting that each attorney review his clients’ material to weed out nonresponsive information. The government objected to defendants’ counsel making determinations that information was outside of scope. The court ordered the government to produce an inventory of the computers seized, and for defense counsel to review their clients’ computers for what they believed to be irrelevant or privileged evidence.

The government’s February 28, 2011 status report stated that the defendants could inspect the hard drives at the government’s office and lodge objections to evidence outside the scope of the warrant. However, it also indicated that any attorney could request a copy of any other seized hard drive. Metter immediately objected to the dissemination of the information on the hard drives without any review.

Fifteen months after the seizure, the government had still not conducted its review of the seized evidence to determine whether any information was outside the scope of the warrant, and had not determined when its privilege review would be complete.

Metter filed a motion to suppress the evidence, stating that the government’s significant delay violated the Fourth Amendment. The government argued that seizure and off-site review of evidence was permissible under the Fourth Amendment, defendants had not suffered harm because the government had immediately returned the evidence, and that the delayed review was reasonable.

The court found that the reasonableness of the delay between seizure and review of electronic evidence required a case-by-case factual analysis, but that under the facts of this case, the government’s seizure was unreasonable.

The court first observed that as an image of an electronic document contained the same information as the original documents, the retention of images by the government raised the same privacy concerns as retention of the original documents. Documents, both paper and electronic, raised different concerns than other types of evidence, because of the volume of information. Thus, courts permitted the government to examine documents which could be outside the scope of the warrant to determine whether they fell within the scope of the warrant. Similarly, the complexity of electronic evidence led courts to give the government some leeway in searching for relevant evidence, including the ability to search the evidence offsite.

The court acknowledged that the warrants obtained by the government and the imaging process itself were reasonable. The problem was the government’s delay in beginning review of the evidence. As of the date of the hearing, the government had no plan to begin review of the evidence.

The government’s retention of all imaged electronic documents, including personal emails, without any review whatsoever to determine not only their relevance to this case, but also to determine whether any recognized legal privileges attached to them, is unreasonable and disturbing.

Id. at *29. The court also found fault with the government’s intent to release images of the hard drives to the other defendants:

The Court agrees with Defendant that the release to the co-defendants of any and all seized electronic data without a predetermination of its privilege, nature or relevance to the charged criminal conduct only compounds the assault on his privacy concerns. It underscores the government’s utter disregard for and relinquishment of its duty to insure that its warrants are executed properly.

Id. at *29-*30.

Suppression of evidence is warranted when the government effects a “widespread seizure” of items outside the warrant’s scope, and it acts in bad faith. The first prong of the test was met by the government’s seizure of all information contained on the drives and the email accounts. The government’s bad faith was demonstrated by its promises to review the evidence, and its failure to do so after requests by both defense counsel and the court. Metter’s motion to suppress the electronic evidence was granted.