An amazing story was published on its pages by Vice Motherboard . It turned out that Facebook hired third-party information security experts and spent a six-figure sum on creating an exploit for the 0-day vulnerability in the Tails operating system. This was done for the sake of deanonymization and the capture of one person whom the employees of the social network considered one of the worst cybercriminals of all time.
Journalists say that for many years, until 2017 , a resident of California harassed and terrorized young girls using chats, email and Facebook. He extorted candid photographs and videos from his victims, and also threatened to kill and rape them. Worse, he often sent colorful and very specific threats to his victims, promising to arrange shooting and bombing in girls’ schools if they didn’t send him photos and videos of a sexual nature.
This man’s name is Buster Hernandez, and on the net he was known by the name Brian Kil. However, Hernandez’s identity is now known, and he previously posed such a threat and so skilfully hid his data that Facebook leadership took an unprecedented step and helped the FBI crack it and collect evidence that ultimately led to the arrest and conviction.
According to Vice Motherboard, Facebook was forced to hire a third-party company that developed an exploit to hack Buster Hernandez’s system. This exploit was not directly transmitted to the FBI, and it is generally unclear if the FBI knew that Facebook was involved in the development of this tool. According to the newspaper’s own sources, this was the first and only time in history that Facebook helped law enforcement agencies crack a specific person.
As a result, the FBI and Facebook used the exploit for the zero-day vulnerability in the secure Tails operating system to find out the real IP address of Hernandez, which ultimately led to his arrest.
Journalists note that this previously unknown case of cooperation between the social network and the FBI not only highlights the technical capabilities of Facebook (as well as a third-party company involved in the case) and law enforcement, but also raises complex ethical issues. For example, it is appropriate for private companies to provide assistance in breaking their own users.
It is interesting that, according to several current and former Facebook employees, whom reporters spoke on condition of anonymity, this decision was considered very controversial even within the company itself.
“The only acceptable result for us was Buster Hernandez, who was held accountable for unlawful acts against young girls,” a Facebook spokesperson told the publication who wished to remain anonymous. “It was a unique case, because he [Hernandez] used such sophisticated methods of concealing his identity that we took extraordinary measures and worked with security experts to help the FBI hold him accountable.”
Former Facebook employees familiar with the situation told reporters that Hernandez’s actions were so extreme that the company simply had no other choice and had to act.
“In this case, there was absolutely no risk for other users, only for this only person on whose account we had more than reasonable suspicions. “We would never make any changes that would affect anyone else, for example, would not introduce a backdoor for encryption,” says a former Facebook employee who is familiar with the situation. “Since there were no risks to the privacy of others, and the negative influence of this person was so great, I don’t think we had a different choice.”
The publication says that the crimes of Buster Hernandez were disgusting. Journalists even characterize the reading of the FBI indictment as a “sickening lesson.” So, according to court documents, Hernandez got in touch with underage girls via Facebook and wrote something like: “Hi, I have to ask you something. It seems to be important. How many guys did you send your dirty pictures to? Because I have some of them. “
When the victim answered, Hernandez demanded that they send him their candid videos and photographs, otherwise he would threaten to send the allegedly available photos to all her friends and family (in reality, of course, he did not have any “incriminating evidence” on the victims )
After that, he continued to terrorize his victims for a long time (in some cases, it lasted for months and even years), threatening to release their photos and videos. He sent the girls long and naturalistic threats of rape. He wrote that he could attack them and kill their families or blow up their schools if they did not continue to supply him with explicit content. In some cases, he told the victims that if they killed themselves, he would post their nude photos on the memorial pages.
“I want to leave a trail of death and fire [at your high school],” Hernandez wrote in 2015. “I JUST GO IN THERE UNIDENTIFIED DIRECTLY TOMORROW … I will kill your whole class and save you one last thing.” I will bend over you when you scream, cry and beg for mercy before cutting your * banana throat from ear to ear. “
Hernandez stated that “he wants to be the worst cyber-terrorist who ever lived,” and claimed that the police would not be able to catch him: “You thought the police would already find me, but they did not find me. they have no idea. The police are useless, ”he wrote. “Everyone, please pray for the FBI, because they will never reveal this lmao case … I am and will always be outside the law.”
On Facebook, Hernandez was considered the worst offender ever to use the platform, as several former employees of the social network told Vice Motherboard at once. According to them, Facebook even appointed a special employee who followed all of Hernandez’s actions for about two years and developed a new machine learning system designed to detect users who create new accounts and communicate with children in attempts to exploit them. This system helped locate Hernandez, identify his other pseudonyms, and find his victims.
In addition, several FBI offices were involved in the “hunt” for Hernandez, and the Bureau attempted to hack and deanonymize it on their own, but failed because the hacking tool they used was not adapted against Tails. According to journalists, Hernandez noticed this hacking attempt and then mocked the FBI.
As mentioned above, Hernandez used the secure Tails operating system to work. It is a Debian Linux family of OS based on strong data protection principles. In fairness, it must be said that Tails is widely used not only by criminals, but by journalists, activists, human rights activists and dissidents who fear surveillance by the police and governments. Mention of this OS you can often see on the pages] [ .
As a result, the Facebook security team, which was then led by Alex Stamos, concluded that they could do more, that the FBI needed their help to expose Brian Kil. Then Facebook hired a consulting IB firm to develop a hacker tool, spending a six-figure sum on this.
Sources of the publication describe this tool as an exploit for a zero-day vulnerability. A third-party firm worked with Facebook engineers, and together they created a program that exploited the bug in the Tails video player. The vulnerability allowed to identify the real IP address of a person viewing a specially crafted video. Then, according to three current and former employees, Facebook passed this exploit to an intermediary who had already transferred the FBI tool.
After that, the FBI received a warrant and secured the support of one of the victims, who sent the malicious video to Hernandez. As a result, in February of this year, the man pleaded guilty under article 41 of the charge, including the production of child pornography, coercion and seduction of minors, threats of murder, kidnapping and harm. Buster Hernandez is currently awaiting sentencing and is likely to spend the rest of his life in prison.
The fact that the hack was committed through Tails, and not through Facebook itself, adds an interesting aspect to the incident. Although this particular exploit was intended to be used against a specific criminal, the transfer of zero-day exploits to law enforcement carries a risk that the tool will be used in other, less serious cases in the future. Journalists write that it is impossible to jeopardize the security of a product in only one case, without jeopardizing all other users, which is why hacker tools and exploits for 0-day bugs are sometimes sold for huge amounts. If they fall into the wrong hands, this can be disastrous.
Tails developers told the publication that they did not know anything about the history of Baster Hernandez and did not imagine what vulnerability was used to deanonymize him. The Tails press service called this information new and possibly confidential, and also assured that the exploit had never been submitted to the trial of the Tails development team (it simply did not know about it).
Vice Motherboard suggests that the developers were not warned about the vulnerability in advance, since the FBI intended to use this bug against a specific target. Also, journalists’ own sources believe that the Facebook security team found such actions appropriate, since the vulnerable code has already been fixed in the upcoming Tails release. In fact, the exploit had a very short “shelf life”.
Moreover, apparently, the Tails developers did not learn about this vulnerability at all, although they fixed it in one of the releases. One of the former Facebook employees who worked on the project said that Tails developers planned to notify about 0-day, but this was no longer necessary, since the code was fixed without it.
Facebook officials told Vice Motherboard that the company, of course, does not specialize in developing hacker tools and exploits and does not want law enforcement agencies to expect the social network to do so regularly. Facebook emphasizes that direct hacking of a suspect can only be used if all other options have been exhausted.
FBI officials declined to comment on the story, saying they were not commenting on pending investigations.
The publication notes that Facebook employees regularly have to deal with suspects in various crimes, from ordinary cybercriminals to stalkers, extortionists and people involved in seducing minors. Several teams, consisting of their security specialists, are engaged in this at once, some of which used to work in law enforcement agencies, including the FBI and the New York Police Department.
These people are so proud of their work that, according to journalists, they used to have their own meeting room, where they posted photographs of people who were eventually arrested due to their actions and collected newspaper clippings about the cases investigated.
According to all sources with which representatives of the publication talked, trying to catch Baster Hernandez was the first and only time Facebook directly connected to the case and helped the FBI find the suspect by developing a tool specifically for his deanonymization. Moreover, for some current and former Facebook employees, this decision was extremely controversial.
“A precedent is when a private company buys 0-day to chase a criminal … This idea is a complete fucking fucker … it’s dumb to hell,” said an employee who knew about the investigation and development of the exploit.
“Everything we did was absolutely legal, but we are not law enforcement agencies. I would be surprised if circumstances reappeared in such a way that this could happen again, ”another source said.
Photo: CATHRYN VIRGINIA / MOTHERBOARD