>From - Sat Mar 02 00:57:24 2024
Received: by 10.35.58.8 with SMTP id l8mr13352317pyk.1188405709196;
Wed, 29 Aug 2007 09:41:49 -0700 (PDT)
Return-Path: <jm..._at_tscm.com>
Received: from swip007.ftl.affinity.com (lvs00-fl-swip007.ftl.affinity.com [216.219.253.17])
by mx.google.com with ESMTP id a28si3171788pye.2007.08.29.09.41.48;
Wed, 29 Aug 2007 09:41:49 -0700 (PDT)
Received-SPF: neutral (google.com: 216.219.253.17 is neither permitted nor denied by best guess record for domain of jm..._at_tscm.com) client-ip=216.219.253.17;
Authentication-Results: mx.google.com; spf=neutral (google.com: 216.219.253.17 is neither permitted nor denied by best guess record for domain of jm..._at_tscm.com) smtp.mail=jm..._at_tscm.com
Received: from [70.22.253.64] ([70.22.253.64]:30985 "EHLO Raphael.tscm.com")
by swip007.ftl.affinity.com with ESMTP id S362288AbXH2QUn (ORCPT
<rfc822;T..._at_googlegroups.com>);
Wed, 29 Aug 2007 12:20:43 -0400
Message-Id: <7.0.1.0.2.20070829120410.083931b0_at_tscm.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Wed, 29 Aug 2007 12:09:46 -0400
To: TSCM-L <TSCM-..._at_googlegroups.com>
From: "James M. Atkinson" <jm..._at_tscm.com>
Subject: Point, Click ... Eavesdrop: How the FBI Wiretap Net Operates
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
http://www.wired.com/politics/security/news/2007/08/wiretap
Point, Click ... Eavesdrop: How the FBI Wiretap Net Operates
By Ryan Singel 08.29.07 | 2:00 AM
The FBI has quietly built a sophisticated, point-and-click
surveillance system that performs instant wiretaps on almost any
communications device, according to nearly a thousand pages of
restricted documents newly released under the Freedom of Information Act.
The surveillance system, called DCSNet, for Digital Collection System
Network, connects FBI wiretapping rooms to switches controlled by
traditional land-line operators, internet-telephony providers and
cellular companies. It is far more intricately woven into the
nation's telecom infrastructure than observers suspected.
It's a "comprehensive wiretap system that intercepts wire-line
phones, cellular phones, SMS and push-to-talk systems," says Steven
Bellovin, a Columbia University computer science professor and
longtime surveillance expert.
DCSNet is a suite of software that collects, sifts and stores phone
numbers, phone calls and text messages. The system directly connects
FBI wiretapping outposts around the country to a far-reaching private
communications network.
Many of the details of the system and its full capabilities were
redacted from the documents acquired by the Electronic Frontier
Foundation, but they show that DCSNet includes at least three
collection components, each running on Windows-based computers.
The $10 million DCS-3000 client, also known as Red Hook, handles
pen-registers and trap-and-traces, a type of surveillance that
collects signaling information -- primarily the numbers dialed from a
telephone -- but no communications content. (Pen registers record
outgoing calls; trap-and-traces record incoming calls.)
DCS-6000, known as Digital Storm, captures and collects the content
of phone calls and text messages for full wiretap orders.
A third, classified system, called DCS-5000, is used for wiretaps
targeting spies or terrorists.
What DCSNet Can Do
Together, the surveillance systems let FBI agents play back
recordings even as they are being captured (like TiVo), create master
wiretap files, send digital recordings to translators, track the
rough location of targets in real time using cell-tower information,
and even stream intercepts outward to mobile surveillance vans.
FBI wiretapping rooms in field offices and undercover locations
around the country are connected through a private, encrypted
backbone that is separated from the internet. Sprint runs it on the
government's behalf.
The network allows an FBI agent in New York, for example, to remotely
set up a wiretap on a cell phone based in Sacramento, California, and
immediately learn the phone's location, then begin receiving
conversations, text messages and voicemail pass codes in New York.
With a few keystrokes, the agent can route the recordings to language
specialists for translation.
The numbers dialed are automatically sent to FBI analysts trained to
interpret phone-call patterns, and are transferred nightly, by
external storage devices, to the bureau's Telephone Application
Database, where they're subjected to a type of data mining called
link analysis.
FBI endpoints on DCSNet have swelled over the years, from 20 "central
monitoring plants" at the program's inception, to 57 in 2005,
according to undated pages in the released documents. By 2002, those
endpoints connected to more than 350 switches.
Today, most carriers maintain their own central hub, called a
"mediation switch," that's networked to all the individual switches
owned by that carrier, according to the FBI. The FBI's DCS software
links to those mediation switches over the internet, likely using an
encrypted VPN. Some carriers run the mediation switch themselves,
while others pay companies like VeriSign to handle the whole
wiretapping process for them.
The numerical scope of DCSNet surveillance is still guarded. But we
do know that as telecoms have become more wiretap-friendly, the
number of criminal wiretaps alone has climbed from 1,150 in 1996 to
1,839 in 2006. That's a 60 percent jump. And in 2005, 92 percent of
those criminal wiretaps targeted cell phones, according to a report
published last year.
These figures include both state and federal wiretaps, and do not
include antiterrorism wiretaps, which dramatically expanded after
9/11. They also don't count the DCS-3000's collection of incoming and
outgoing phone numbers dialed. Far more common than full-blown
wiretaps, this level of surveillance requires only that investigators
certify that the phone numbers are relevant to an investigation.
The Justice Department reports the number of pen registers to
Congress annually, but those numbers aren't public. According to the
last figures leaked to the Electronic Privacy Information Center,
judges signed 4,886 pen register orders in 1998, along with 4,621
time extensions.
CALEA Switches Rules on Switches
The law that makes the FBI's surveillance network possible had its
genesis in the Clinton administration. In the 1990s, the Justice
Department began complaining to Congress that digital technology,
cellular phones and features like call forwarding would make it
difficult for investigators to continue to conduct wiretaps. Congress
responded by passing the Communications Assistance for Law
Enforcement Act, or CALEA, in 1994, mandating backdoors in U.S.
telephone switches.
CALEA requires telecommunications companies to install only
telephone-switching equipment that meets detailed wiretapping
standards. Prior to CALEA, the FBI would get a court order for a
wiretap and present it to a phone company, which would then create a
physical tap of the phone system.
With new CALEA-compliant digital switches, the FBI now logs directly
into the telecom's network. Once a court order has been sent to a
carrier and the carrier turns on the wiretap, the communications data
on a surveillance target streams into the FBI's computers in real time.
The Electronic Frontier Foundation requested documents on the system
under the Freedom of Information Act, and successfully sued the
Justice Department in October 2006.
In May, a federal judge ordered the FBI to provide relevant documents
to the EFF every month until it has satisfied the FOIA request.
"So little has been known up until now about how DCS works," says EFF
attorney Marcia Hofmann. "This is why it's so important for FOIA
requesters to file lawsuits for information they really want."
Special Agent Anthony DiClemente, chief of the Data Acquisition and
Intercept Section of the FBI's Operational Technology Division, said
the DCS was originally intended in 1997 to be a temporary solution,
but has grown into a full-featured CALEA-collection software suite.
"CALEA revolutionizes how law enforcement gets intercept
information," DiClemente told Wired News. "Before CALEA, it was a
rudimentary system that mimicked Ma Bell."
Privacy groups and security experts have protested CALEA design
mandates from the start, but that didn't stop federal regulators from
recently expanding the law's reach to force broadband internet
service providers and some voice-over-internet companies, such as
Vonage, to similarly retrofit their networks for government surveillance.
New Technologies
Meanwhile, the FBI's efforts to keep up with the current
communications explosion is never-ending, according to DiClemente.
The released documents suggest that the FBI's wiretapping engineers
are struggling with peer-to-peer telephony provider Skype, which
offers no central location to wiretap, and with innovations like
caller-ID spoofing and phone-number portability.
But DCSNet seems to have kept pace with at least some new
technologies, such as cell-phone push-to-talk features and most VOIP
internet telephony.
"It is fair to say we can do push-to-talk," DiClemente says. "All of
the carriers are living up to their responsibilities under CALEA."
Matt Blaze, a security researcher at the University of Pennsylvania
who helped assess the FBI's now-retired Carnivore
internet-wiretapping application in 2000, was surprised to see that
DCSNet seems equipped to handle such modern communications tools. The
FBI has been complaining for years that it couldn't tap these services.
The redacted documentation left Blaze with many questions, however.
In particular, he said it's unclear what role the carriers have in
opening up a tap, and how that process is secured.
"The real question is the switch architecture on cell networks," said
Blaze. "What's the carrier side look like?"
Randy Cadenhead, the privacy counsel for Cox Communications, which
offers VOIP phone service and internet access, says the FBI has no
independent access to his company's switches.
"Nothing ever gets connected or disconnected until I say so, based
upon a court order in our hands," Cadenhead says. "We run the
interception process off of my desk, and we track them coming in. We
give instructions to relevant field people who allow for
interconnection and to make verbal connections with technical
representatives at the FBI."
The nation's largest cell-phone providers -- whose customers are
targeted in the majority of wiretaps -- were less forthcoming. AT&T
politely declined to comment, while Sprint, T-Mobile and Verizon
simply ignored requests for comment.
Agent DiClemente, however, seconded Cadenhead's description.
"The carriers have complete control. That's consistent with CALEA,"
DiClemente said. "The carriers have legal teams to read the order,
and they have procedures in place to review the court orders, and
they also verify the information and that the target is one of their
subscribers."
Cost
Despite its ease of use, the new technology is proving more expensive
than a traditional wiretap. Telecoms charge the government an average
of $2,200 for a 30-day CALEA wiretap, while a traditional intercept
costs only $250, according to the Justice Department inspector
general. A federal wiretap order in 2006 cost taxpayers $67,000 on
average, according to the most recent U.S. Court wiretap report.
What's more, under CALEA, the government had to pay to make pre-1995
phone switches wiretap-friendly. The FBI has spent almost $500
million on that effort, but many traditional wire-line switches still
aren't compliant.
Processing all the phone calls sucked in by DCSNet is also costly. At
the backend of the data collection, the conversations and phone
numbers are transferred to the FBI's Electronic Surveillance Data
Management System, an Oracle SQL database that's seen a 62 percent
growth in wiretap volume over the last three years -- and more than
3,000 percent growth in digital files like e-mail. Through 2007, the
FBI has spent $39 million on the system, which indexes and analyzes
data for agents, translators and intelligence analysts.
Security Flaws
To security experts, though, the biggest concern over DCSNet isn't
the cost: It's the possibility that push-button wiretapping opens new
security holes in the telecommunications network.
More than 100 government officials in Greece learned in 2005 that
their cell phones had been bugged, after an unknown hacker exploited
CALEA-like functionality in wireless-carrier Vodafone's network. The
infiltrator used the switches' wiretap-management software to send
copies of officials' phone calls and text messages to other phones,
while simultaneously hiding the taps from auditing software.
The FBI's DiClemente says DCSNet has never suffered a similar breach,
so far as he knows.
"I know of no issue of compromise, internal or external," DiClemente
says. He says the system's security is more than adequate, in part
because the wiretaps still "require the assistance of a provider."
The FBI also uses physical-security measures to control access to
DCSNet end points, and has erected firewalls and other measures to
render them "sufficiently isolated," according to DiClemente.
But the documents show that an internal 2003 audit uncovered numerous
security vulnerabilities in DCSNet -- many of which mirror problems
unearthed in the bureau's Carnivore application years earlier.
In particular, the DCS-3000 machines lacked adequate logging, had
insufficient password management, were missing antivirus software,
allowed unlimited numbers of incorrect passwords without locking the
machine, and used shared logins rather than individual accounts.
The system also required that DCS-3000's user accounts have
administrative privileges in Windows, which would allow a hacker who
got into the machine to gain complete control.
Columbia's Bellovin says the flaws are appalling and show that the
FBI fails to appreciate the risk from insiders.
"The underlying problem isn't so much the weaknesses here, as the FBI
attitude towards security," he says. The FBI assumes "the threat is
from the outside, not the inside," he adds, and it believes that "to
the extent that inside threats exist, they can be controlled by
process rather than technology."
Bellovin says any wiretap system faces a slew of risks, such as
surveillance targets discovering a tap, or an outsider or corrupt
insider setting up unauthorized taps. Moreover, the architectural
changes to accommodate easy surveillance on phone switches and the
internet can introduce new security and privacy holes.
"Any time something is tappable there is a risk," Bellovin says. "I'm
not saying, 'Don't do wiretaps,' but when you start designing a
system to be wiretappable, you start to create a new vulnerability. A
wiretap is, by definition, a vulnerability from the point of the
third party. The question is, can you control it?"
----------------------------------------------------------------------------------------------------
World Class, Professional, Ethical, and Competent Bug Sweeps, and
Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
----------------------------------------------------------------------------------------------------
James M. Atkinson Phone: (978) 546-3803
Granite Island Group Fax: (978) 546-9467
127 Eastern Avenue #291 Web:
http://www.tscm.com/
Gloucester, MA 01931-8008 E-mail: mailto:jm..._at_tscm.com
----------------------------------------------------------------------------------------------------
We perform bug sweeps like it's a full contact sport, we take no prisoners,
and we give no quarter. Our goal is to simply, and completely stop the spy.
----------------------------------------------------------------------------------------------------
Received on Sat Mar 02 2024 - 00:57:24 CST