SÄPO doesn’t have time for virus scans
Earlier this week Torrentfreak reported that the Danish police investigating anakata for hacking charges had discovered that the analyzed computer had been hacked and infected by malware. Kristina Svartholm reported that the computer had been infected by more than 500 trojans.
Let’s rewind the tape from Denmark to Sweden, where the same computer (seizure 2012-0201-BG25023-26) was used as evidence against anakata. My translated version of the Swedish Security Service’s investigation of remote control possibilities can be downloaded from here. I also wrote a short paper in response to the investigation report which can be read here (tl;dr version available here).
The 12 SLOC Python example that I wrote and included in the paper played an important role in having all intrusion and fraud charges regarding the Nordea bank dropped. In the paper I also called the investigators biased for working with the assumption that computers can only be remotely controlled in legit ways, such as PowerShell and Remote Desktop mentioned by anakata as technical possibilities in hearings.
The Swedish Appeal court agreed with the points that I made and Jacob Applebaum pointed out in his witness testimony: remote control could not be excluded, hence the SÄPO investigation written by Jesper Blomström fell. Anakata was however sentenced for intrusions dated 2011 as it was considered “unlikely” that it would have been hacked since 2011 without notice.
A very important point to raise here is the fact that Jesper Blomström was the same person who made the discoveries of sensitive data originating from Denmark on the computer in question. He was also the one who rang to Denmark with his revelations. What Jesper found on the laptop and his investigation was the entire basis for extraditing Gottfrid from Sweden to face similar charges with evidence originating from the same harddrive as the court in Sweden had already ruled may have been remotely controlled.
Let’s revisit the court hearing with Jesper:
“I also think that it’s important to read the introduction of the PM when reading the conclusions, because we were given a task from the Stockholm County Police department that the computer had been remotely controlled first through one way that we investigated and then another that we controlled, so that you have that in the back of your head when you read the PM.”
“It’s when we write that we don’t see any programs that have been used for remotely controlling the computer. Based on the given task and the circumstances then in those frames we don’t see any traces.”
“It can be worth adding that we haven’t looked at every every file in every computer, because it’s like a giant haystack with enormous, thousands, of files in various ways. And then we would need to go through each individual program: is it this one that has remotely controlled, is it this, is it this, and that whole part. There hasn’t been any investigation like that on the computer because there is simply not enough time.”
The Swedish Security Service didn’t have time to do an antivirus scan on the computer and since the Stockholm County Police department didn’t specify it in their request nobody in Sweden appears to have scanned the computer for viruses.
This is outrageous on every level possible. Gottfrid was sentenced to jail in Sweden because the police didn’t have time to find anything that may have been in his favor. Guilty until proven innocent, eh?
This entire fiasco could have been avoided if Sweden had replaced the so called IT Security Specialists involved in the investigation with any ten year old from the street who learned Norton at Christmas family dinner, because obviously the computer was infected and obviously it was discovered as soon as somebody ran a virus scan.