A Gateway for Hackers: The Security Threat in the New Wiretapping Law

[David Farber <dave () farber net>]

Begin forwarded message:

From: dewayne () warpspeed com (Dewayne Hendricks)
Date: September 23, 2007 3:20:32 PM EDT
To: Dewayne-Net Technology List <xyzzy () warpspeed com>
Subject: [Dewayne-Net] A Gateway for Hackers: The Security Threat in  
the New Wiretapping Law

[Note:  This item comes from reader Jeff Hodges.  Catching up on  
older items.  DLH]

From: Jeff.Hodges () KingsMountain com
Date: August 14, 2007 9:49:41 AM PDT
To: dewayne () warpspeed com
Subject: A Gateway for Hackers: The Security Threat in the New  
Wiretapping Law

*A Gateway for Hackers*
*The Security Threat in the New Wiretapping Law*

<Washington Post>

By Susan Landau
Thursday, August 9, 2007;  Page A17

<http://www.washingtonpost.com/wp-dyn/content/article/2007/08/08/ 
AR2007080801961.html>

Current administration policy is replete with examples of quickly  
enacted efforts whose consequences led to the opposite effect.  
(Beware of what you wish for . . . .) With Congress caving last week,  
the National Security Agency no longer needs a Foreign Intelligence  
Surveillance Act (FISA) warrant to wiretap if one party is believed  
to be outside the United States. This change looks reasonable at  
first, but it could create huge long-term security risks for the  
United States.

The immediate problem is fiber optics. Until recently,  
telecommunication signals came through the air. The NSA used  
satellites and antennas to pick up conversations of foreigners  
talking to other foreigners. Modern communications, however, use  
fiber; since conversations don't go through the air, the NSA wants to  
access communications at land-based switches.

Because communications from around the world often go through the  
United States, the government can still get access to much of the  
information it seeks. But wiretapping within the United States has  
required a FISA search warrant, and the NSA apparently found using  
FISA too time-consuming, even though emergency access was permitted  
as long as a warrant was applied for and granted within 72 hours of  
surveillance.

Avoiding warrants for these cases sounds simple, though potentially  
invasive of Americans' civil liberties. Most calls outside the  
country involve foreigners talking to foreigners. Most communications  
within the country are constitutionally protected -- U.S. "persons"  
talking to U.S. "persons." To avoid wiretapping every communication,  
NSA will need to build massive automatic surveillance capabilities  
into telephone switches. Here things get tricky: Once such  
infrastructure is in place, others could use it to intercept  
communications.

Grant the NSA what it wants, and within 10 years the United States  
will be vulnerable to attacks from hackers across the globe, as well  
as the militaries of China, Russia and other nations.

Such threats are not theoretical. For almost a year beginning in  
April 2004, more than 100 phones belonging to members of the Greek  
government, including the prime minister and ministers of defense,  
foreign affairs, justice and public order, were spied on with  
wiretapping software that was misused. Exactly who placed the  
software and who did the listening remain unknown. But they were able  
to use software that was supposed to be used only with legal permission.

The United States itself has been attacked. In six hours in August  
2006, remote attackers entered computers at the Army Information  
Systems Engineering Command at Fort Huachuca, Ariz.; the Defense  
Information Systems Agency in Arlington; the Naval Ocean Systems  
Center in San Diego; and the Army Space and Strategic Defense Command  
in Huntsville, Ala. The hackers transported more than 10 terabytes of  
data to South Korea, Hong Kong or Taiwan, and from there to the  
People's Republic of China. Each intrusion was only 10 to 30 minutes.  
The downloaded information included Army helicopter mission-planning- 
systems specifications and flight-planning software used by the Army  
and Air Force.

U.S. communications technology is fragile and easily penetrated.  
While advanced, it is not decades ahead of that of our friends or our  
rivals. Compounding the issue is a key facet of modern systems  
design: Intercept capabilities are likely to be managed remotely, and  
vulnerabilities are as likely to be global as local. In simplifying  
wiretapping for U.S. intelligence, we provide a target for foreign  
intelligence agencies and possibly rogue hackers. Break into one  
service, and you get broad access to U.S. communications.

The Greek wiretapping and Chinese thefts from U.S. military sites are  
warnings that entities other than the NSA could exploit the  
vulnerabilities of U.S. communications networks. Were the proposed  
wiretapping technology penetrated by foreign intelligence services,  
U.S. security and privacy could be quickly and severely compromised.

In its effort to provide policymakers with immediate intelligence,  
the NSA forgot the critical information security aspect of its  
mission: protecting U.S. communications against foreign interception.  
So did Congress. Lawmakers granted the warrantless wiretapping only  
for six months -- and they need to look carefully before it endangers  
U.S. national security for the long term.

--
Susan Landau, co-author of "Privacy on the Line: The Politics of  
Wiretapping
and Encryption," is a distinguished engineer at Sun Microsystems  
Laboratories.
---


-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com