Letter to the Judge
April 8, 2008
The Honorable Raymond Finch
Chief Judge of the U.S. District Court in the Virgin Islands.
Division of St. Croix
2013 Estate Golden Rock
Christiansted, St. Croix 00820
Dear Judge Finch:
I am writing you in regard to the trial of Charles Stephano (Criminal No. 41/2006) which, as you may remember, I attended for about 3 weeks to observe and evaluate the technical testimony. For the past year, I have been studying the technical issues as covered in my notes and in the press reports and have been making periodic reports to Attorney Martial Webster discussing the egregious lies and blatant perjury told under oath by the prosecution witnesses, especially Ms. Shannon Perkins.
Atty. Webster has constantly assured me and other interested members of the community that an appeal is in the works and as soon as he got a copy of the transcript, he would deliver it to me as a basis for an appeal. I have now begun to lose faith that this will ever occur.
My biggest complaint about the testimony is that you should never lie about absolute facts that are part of the public record because the perjury is insulting to all who gave credence to the statements when facts come to light. Every time Atty. Webster started to offer a credible line of questioning leading to a defense, Ms. Perkins would offer a bold lie which would be accepted by the court based on her superior credentials and ability to lie.
For instance, when Atty. Webster started questioning her on honeypots, you and the court got a laugh out of it. Yet, after she denied knowing what they are for the second time, you ordered Atty. Webster to move on. The public record shows that Ms. Perkins possesses a GSEC certification which fulfills the Department of Defense requirements of the DoD 8570 IAT Level II Technician. This qualifies her to accept responsibility for securing systems and/or organizations. The Day 3 module for this 6 day course, part of the knowledge base for securing military systems, includes training on honeypots including forensics. (See Appendix A.) Not only does she know what a honeypot is, she is a qualified honeypot administrator. This lie alone should make you suspicious of everything else she said, including that nothing was being withheld because it was secret.
If one example of blatant perjury is not enough to discredit her testimony, it is time to move on. Atty. Webster tried to challenge the chain of custody for the computer by pointing out the obvious: that the technician could have been on line and, in fact, the thousands of changes in the index.dat record which occurred on 5/5/04 at 5:25:54 PM indicated that the technician was surfing the net. Ms. Perkins halted this line of defense by testifying that the index.dat record was updated when the machine was turned on, so both the log and the warrant were retained as evidence. In fact, the public record on interpreting EnCase weekly history and the EnCase manual warn that:
“Weekly and daily history folders and their containing index dot dat files are updated and therefore created when the user launches and uses Internet Explorer. Booting and logging on doesn’t alone cause these files to be updated and generated, at least in my tests with Windows XP SP2. Further, a system can sit logged on and idle for days and these folders and files don’t update until the user uses Internet Explorer. If no activity occurs to generate Internet history on a given day, no daily history file will be generated for that day.”(Taken from the University of Delaware Training Documents in Forensic science)
Thus the log shows the technician was surfing the Internet while logged on line, in addition to interacting with the private files of Mr. Stephano, including eight documents in the “My Documents” folder. As a forensic EnCase Expert with a SANS Institute GIAC Certification, Ms. Perkins knew the technician was interacting with the private documents in the machine and that it was on-line, regardless of her testimony. This is also consistent with her original written report dated 12/08/06, where she clearly stated on pg. 4 that activity on the computer after 5/4/04 was attributed to the repair technician and law enforcement.
If two examples of blatant perjury are not enough to discredit her testimony, it is time to move on.
Mr. Austin Bowen and Atty. Webster tried to establish that malware (jumbieware) was present on the machine and that Trojans were capable of porn delivery and controlling a machine. Ms. Perkins responded authoritatively that Trojans do not work on dial-up. This lie is so egregious that it is difficult, but not impossible, to find documentation that they do, because it is simply accepted. Trojans work by being parasitic to a computer operating system, which teaches the pile of hardware to be a computer (i.e. Windows XP), or the Browser (Internet Explorer), which allows the computer to look at web pages. The Internet Browser operates on a protocol much like the formality of Legal Protocol. It does not matter whether the original connection to the computer is wired or wireless, Broadband or dial-up; any malware which reaches the computer will be operable. (Just as it doesn’t matter whether lawyers communicate by mail, email, phone or cell phone, the communication delivered according to protocol will be effective.)
In 2001, US-Cert.org (Part of Homeland Security) warned that IP addresses on dial-up were dynamically assigned and change for each session. “As a result, it is more difficult (not impossible, just difficult) for an attacker to take advantage of vulnerable network services to take control of your computer.” (Home Network Security, Copyright US-Cert, 2001) After a variety of anti-virus makers pointed out that changing IPs can be valuable, like constantly changing phone numbers, because it makes it more difficult to trace illegal activities (e.g. porn relays and spam relays), US-Cert changed their position. In a more recent document (Before You Connect a New Computer to the Internet, Copyright US-Cert, 2003) they simply warn that “Attackers know the common broadband and dial-up address ranges and scan them regularly.” After this, Cert no longer made a distinction between broadband and dial-up.
The SANS Institute, which certified Shannon Perkins, explains how this is possible. “The way this works is simple: part of the virus payload is a Trojan that waits for your computer to connect to the Internet, then contacts another computer under the attackers control, usually a simple web page hosted by a free provider or a secret chat room.” (pg. 26 Security 351 manual) Up to this point, I have restricted myself to only SANS and Cert references for facts she lied about, as one certified her and the other is her employer, but the fact that malware and Trojans operate on dial-up is part of the shared knowledge of any security professional and indisputable without any documentation; it is provided here nonetheless. She is trained in this area, as most major networks have some legacy dial-up connections which need to be protected from hackers.
The next distortion does not make it to the outrageous lie category but is merely a distortion of facts. According to US-Cert, it may be impossible to update and patch a home computer (2003). “It may not be possible for the user to complete the download and installation of software patches before the downloads they are trying to fix are exploited” and “an up-to-date antivirus software package cannot protect against all malicious code.” My experience is that this is more true on dial-up but also occurs on broadband in the territory; unlike the previous fact analysis, this paragraph expresses an opinion.
However, Shavlik, which is a global security company with over 6000 customers worldwide and provides modules for Symantec and Microsoft to re-brand under their own name, offers the following information on self-replicating malware. “In addition to exploiting security vulnerabilities, spyware and adware often disable or interfere with desktop anti virus, anti-spyware, and firewall software and may change the browser and Internet security settings. In other words, once seated on the system, the adware and spyware applications go to drastic measures to insure as hospitable a host as possible.” (White Paper, Spyware and Patch Management, http://www.shavlik.com, 2005) In the same paper they point out that patches don’t always work and, as an example, use the MHTML URL Processing Vulnerability (MS04-13), which happens to be the vulnerability for the mk@MSITStore exploit. Both IBM and Microsoft confirmed that the initial patch was ineffective and an update was not effective until 2005. (Updated patch information is in Appendix F, Microsoft 6/14/05.)
If the three previous examples of blatant perjury are not enough to discredit Ms. Perkins’ testimony, then it is time to move on and look at what sort of things Trojans are capable of.
In 2004, Trojans infected 37 million computers at a pace of over 3 million a month. Each named Trojan can have hundreds of variants, each serving a different function for the designer. According to the SANS Institute, “The most common way they spread is on porn picture sites. Users click on picture after picture and do not notice the executable (.exe) files.” (pg. 27 Security 351 manual) Unfortunately, user-downloaded malware is not usually blocked by Norton anti-virus or AdAware.
According to SANS (Experts and their comments on the second quarter update to SANS Top 20 Internet Security Threats), “Dhamankar [Expert comment]: When a user browses a malicious site, the webpage being displayed can be coded to exploit the flaw even without any warning. The site can then install all kinds of malicious program on user’ systems such as backdoors, Trojans, spyware, adware, keystroke loggers etc. A set of sites, we have seen exploiting the IE flaws are the porn sites! In some cases, the domain the user is trying to visit may have been poisoned, and he may be directed to the attacker’s domain.”
Kaspersky Labs (a leading international anti-virus company) offers a glossary of Trojan terms and their capabilities on their viruslist.com site.
- Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines.
- PSW Trojans steal passwords from victim machines (although some steal other types of information also: IP address, registration details, e-mail client details, and so on).
- Trojan Clickers re-direct victim machines to a specified web site, either to raise the ‘hit-count’ of a site, or for advertising purposes, or to organize a DoS attack on a specified site, or to direct the victim to a web site containing other malicious code.
- Trojan Droppers and Trojan Downloaders install malicious code on a victim machine, either a new malicious program or a new version of some previously installed malware.
- Trojan Proxies function as a proxy server and provide anonymous access to the Internet: they are commonly used by spammers for large-scale distribution of spam e-mail.
- Trojan Spies track user activity, save the information to the user’s hard disk and then forward it to the author or ‘master’ of the Trojan.
- Trojan Notifiers inform the author or ‘master’ that malicious code has been installed on a victim machine and relay information about the IP address, open ports, e-mail address and so on.
- Archive bombs are designed to sabotage anti-virus programs. They take the form of a specially constructed archive file that ‘explodes’ when the archive is opened for scanning by the anti-virus program’s de-compressor. The result is that the machine crashes, slows down or is filled with garbage data.
One that did not make the above list is Rbot-GR, which has the ability to turn on a user’s webcam without their permission, allowing the hacker to watch and record anything within sight of the camera without the computer owner’s knowledge (SANS Security 351 manual p. 27). This has serious implications for young students, who usually keep their computers in the bedroom and are more likely to have webcams attached to their computers.
In essence, hackers in control of Trojans can do anything they want with the exception of physically unplugging the machine. It is impossible for a person meeting the requirements of the DoD 8570 IAT Level II Technician and GSEC certification to not know the capabilities of Trojans. Otherwise there would be no purpose or method for securing network systems. More information from SANS on Malware and the relation of Trojans and Porn is shown in Appendix B. US-Cert references the 2004 America Online and the National Cyber Security Alliance Online Safety Study, which proves the opposite of what Ms. Perkins testified, i.e.:
“DIAL-UP [NB] vs. BROADBAND [BB]: The study also found that narrowband users are at particular risk from viruses and spyware, perhaps because their use of a firewall is dramatically lower:
25% of NB users currently have a virus infection (vs. 15% of BB users)
88% of NB users have spyware/adware on their computer (vs. 74% of BB users)
Only 7% of NB users have any firewall (vs. 51% of BB users).”
Note that Stephano did not use a firewall.
After four or more examples of blatant perjury, all of Perkins’ testimony should be thrown out. If not, it’s time to move on to her boldest and most disgusting lie, which forced me to get up and leave the Court. It occurred after a weekend recess, where she claimed that she looked all weekend long on the CERT site for the MK@MSITStore vulnerability and did not find it. This was so bold and unexpected that I had simply not prepared the defense for a response. She further amplified that even if it did exist there were no known Trojans operating on that exploit. Her statements are unacceptable for her level of certified security knowledge.
Every nation on earth has security issues which are usually first described in newsgroups and forums. Each nation and security firm has a different naming method and language. In order to bring order to this knowledge base, the prime naming group is mitre.org, which is French. Problems are given CVE numbers, with the year being the second 4 numbers and then the last 4 giving the sequence of listing in that year. Whether you use Google or MSN Live Search, you find CVE-2004-0380 is the technical name for Roozbeth Afrasiabi’s Report on IE ms-its: and mk:@MSITStore Vulnerability, which was accepted as evidence at trial. An equally cumbersome alias (aka) was named in the CVE release and is the “MHTML URL Processing Vulnerability”.
Apparently, US-Cert was ready for the release, as they published their Vulnerability Note VU#323070 on CVE-2004-0380 on the same date and described the use of the mk:@MSITStore vulnerability. According to US-Cert, “the attacker could execute arbitrary code with the privileges of the user running IE.” In other words, the hacker could surf the net, add favorites, bookmark favorites, change home pages or pretty much do whatever they wanted. In more modest terms, they acknowledge that the hacker could “modify/create content etc.” on the infected computer.
In Cyber Security Bulletin SB04-105, US-Cert describes the systems that CVE-2004-0380 attacks, and it includes XP SP1 and Internet Explorer 5 and 6, which is what Mr. Stephano used. They describe the attacks and scripts as being “Bug discussed in newsgroups and websites. Proof of Concept code has been published and this issue is known to be exploited in the wild.” The Proof of Concept was accepted as evidence, but the newsgroup and forum information accepted by US-Cert was rejected as evidence for the defense of Mr. Stephano as not being authoritative, despite being authoritative enough for US-Cert.gov and mitre.org.
On April 26, 2004, US-Cert published Technical Cyber Alert TA04-099A which reiterated the information in the original Vulnerability Note, but in Cyber Security Bulletin SB04-119, they served notice that “This vulnerability appears to be exploited by the Ibiza Trojan, W32/Bugbear.E and various web sites that host malicious URL’s and related malware.” From bug discussions in newsgroups and websites I found porn surfers were a very high risk group and were being exploited by visiting web sites.
It is simply impossible for any person claiming to be a computer forensic expert to deny the existence of the mk:@MSITStore exploit (CVE-2004-0380); the fact that the information was available at US-Cert; or that Trojans and malicious hosts were using it to control machines. (See Appendix C for US-Cert Documentation.)
Every avenue of defense that Atty. Webster attempted to introduce was cut off by a bold lie from Ms. Perkins. She lied that:
1. She did not know what a honeypot was.
2. That the technician was not on line.
3. The machine was fully updated and protected.
4. That Trojans do not work on dial-up.
5. That Trojans are not involved with pornography.
6. That Trojans cannot control machines.
7. That the mk:@MSITStore vulnerability was not documented on US-Cert.
8. That no Trojans operated on that exploit.
9. That exploits of that vulnerability were not being used to control machines.
Take note in Appendix D that the analysis of reports by ICE and Customs made prior to the report by Ms. Perkins all prove that there were no known victims of child pornography on the Stephano machine. Also note that the chain of evidence on what was analyzed after she handled the original hard drive is not included in her report. Compare this to the documentation of the FBI CART Certified Forensic Examiner, which names witnesses and documents the making of the mirror copy with identity numbers. Notice the cavalier report of the duplicate copy made by Ms. Perkins and the fact that the evidence of child pornography was found on a CD which was not documented in any way by either Ms. Perkins or the Child Victim Identification Unit.
This report has been restricted to items of fact gleaned mostly from the public record of US-Cert, the SANS Institute and anti-virus software companies. Issues which should be explored at a retrial relating to the seedy world of child pornography include: Government tolerance of web sites publishing child pornography (17 out of 20 named at trial were still on line in the USA when the trial started and several are still publishing the pictures shown at trial); the ability of an arthritic Mr. Stephano to type every URL in the log in a very short period of time; and the fact that involuntary pop-ups and pop-unders are logged without ever being typed. Episodes of extremely high visit counts in very short periods of time are documented from the log in Appendix E. The loading of pictures at speeds beyond any human ability to type is referred to as “pornloaders”, based on the suggestive names of the websites in the visit count.
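The two forensic points raised above, history entries stamped after the machine left the owner's hands (the 5/5/04 index.dat activity) and visit rates beyond any human ability to type, can both be checked mechanically against a browser history timeline. The following is an added example, not taken from this letter or its appendices, written in Python over constructed history records; the custody cutoff, timestamps and URLs are assumed sample values, not entries from the Stephano machine.

```python
from datetime import datetime, timedelta

# Constructed sample IE history records (timestamp, URL). These are made-up
# values for illustration, not entries from any real case file.
SAMPLE_HISTORY = [
    ("2004-05-03 21:14:02", "http://example.com/news"),
    ("2004-05-03 21:14:40", "http://example.com/news/page2"),
    ("2004-05-03 21:15:05", "http://example.com/weather"),
    # six URLs inside four seconds: faster than anyone could type them
    ("2004-05-03 22:00:00", "http://example.net/landing"),
    ("2004-05-03 22:00:00", "http://example.net/popup1"),
    ("2004-05-03 22:00:01", "http://example.net/popup2"),
    ("2004-05-03 22:00:01", "http://example.net/popunder"),
    ("2004-05-03 22:00:02", "http://example.net/redirect"),
    ("2004-05-03 22:00:03", "http://example.net/ad"),
    # records after the custody cutoff: someone other than the owner used IE
    ("2004-05-05 17:25:54", "http://example.org/search"),
    ("2004-05-05 17:26:10", "http://example.org/results"),
]

# Assumed cutoff (constructed): the moment the machine left the owner's hands.
CUSTODY_CUTOFF = datetime(2004, 5, 4, 0, 0, 0)


def parse_records(rows):
    """Turn (text timestamp, url) rows into (datetime, url) tuples sorted by time."""
    recs = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), url) for ts, url in rows]
    return sorted(recs)


def records_after_custody(records, cutoff=CUSTODY_CUTOFF):
    """History entries stamped after the cutoff. Daily history files are only
    written when IE is actually used, so any hit here is post-seizure browsing."""
    return [(ts, url) for ts, url in records if ts > cutoff]


def find_bursts(records, max_gap=timedelta(seconds=2), min_count=5):
    """Cluster consecutive records whose inter-arrival gap is <= max_gap and
    report clusters of at least min_count URLs as (start, end, count).
    Such bursts point to pop-ups or scripted loading rather than typed URLs."""
    recs = sorted(records)
    bursts, start = [], 0
    for k in range(1, len(recs) + 1):
        if k == len(recs) or recs[k][0] - recs[k - 1][0] > max_gap:
            count = k - start
            if count >= min_count:
                bursts.append((recs[start][0], recs[k - 1][0], count))
            start = k
    return bursts


if __name__ == "__main__":
    history = parse_records(SAMPLE_HISTORY)
    for ts, url in records_after_custody(history):
        print("post-custody activity:", ts, url)
    for first, last, n in find_bursts(history):
        print(f"burst: {n} URLs between {first} and {last}")
```

The gap and count thresholds are deliberately conservative defaults; a real review would tune them to the log's own timestamp resolution and compare each burst against the entries the owner is alleged to have typed.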
Perhaps most unexpected was the identification of three web sites which are known to operate on the mk:@MSITStore vulnerability, identified as the “Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability” or the MHTMLRedir.Exploit. The last of the three, showpower.sdcf.biz/down.exe, was impressive in running up a visit count of 455 URLs before permanently shutting the machine down and forcing it to the repair shop.
The intent of this report was not to prove Mr. Stephano’s innocence but to prove that Ms. Perkins lied so much in her testimony that she is guilty of perjury, and that no juror could have made an informed decision based on the actual facts. However, the final analysis described in Appendices E & F would appear to prove that Mr. Stephano was not responsible for all of the images on the machine, as it is impossible to tell which sites he actually visited.
In closing, I am reminded of that witticism which circulates among lawyers.
“Oh what a wicked web we weave
when first we practice to deceive”
“But then when we have practiced quite a while
how vastly we improve our style”.
“Success at trials can be child’s play
when willing to lie to win the day.”