
May 20th, 2008

What is the U.S. doing about security? Part 2.

Posted by Nathan McFeters @ 9:10 pm

Categories: Governments, United States of America

Tags: Security, Phone, FBI, CALEA, Federal Government, Telecom & Utilities, Government, Nathan McFeters

Wow, that was quick. No sooner did I get done posting my last article than I saw the following story on Wired:

Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys — and that information turns out to be not very sensitive after all.

This time around, University of Pennsylvania professor Matt Blaze discovered that the Justice Department’s Inspector General’s office had failed to adequately obfuscate data in a March report (.pdf) about FBI payments to telecoms to make their legacy phone switches comply with 1995 wiretapping rules. That report detailed how the FBI had finished spending its allotted $500 million to help telephone companies retrofit their old switches to make them compliant with the Communications Assistance to Law Enforcement Act or Calea – even as federal wiretaps target cellphones more than 90 percent of the time.

This isn’t the first time the Justice Department has made such an error. In 2007, a U.S. attorney referred to Threat Level’s own David Kravets (then at the AP) as a hacker for discovering similar hidden information in a Balco steroid case filing. As far back as 2003, a report on minorities in the Justice Department was also vulnerable. The gaffes may seem humorous, but tell that to confidential informants, for whom such a slip-up could be fatal.

In fact, all one needs to do is open the Calea report with Adobe Reader or Foxit reader, and highlight the tables and cut and paste them into a text editor, something Blaze discovered accidentally when trying to copy a portion of the report into an e-mail to a student.

Argh… come ON! I thought crypto and hidden messages were the one place the government might do OK, but apparently they thought hidden tables were an adequate form of data hiding. Oh hey, by the way, while we’re here, don’t open up that doc in Foxit unless you’ve applied the patch.
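Why the black boxes hid nothing, shown as an added example (not part of the original post or the Wired story): a pre-release check that flags text still present in a PDF page content stream underneath a filled rectangle painted after it. It assumes an already-decompressed content stream that uses only simple `Td`/`Tj` text operators and `re f` rectangles; the function name and both sample streams are constructed for illustration.

```python
import re

# Constructed sample: a page where a value is "redacted" by painting a black
# rectangle over it. The text-showing operator (Tj) is still in the stream.
OVERLAY_STREAM = """
BT /F1 12 Tf 72 700 Td (Payment per switch:) Tj ET
BT /F1 12 Tf 220 700 Td (CONSTRUCTED-SECRET-VALUE) Tj ET
0 0 0 rg
215 695 190 16 re f
BT /F1 12 Tf 72 660 Td (Total is reported separately.) Tj ET
"""

# Constructed sample: the same page after real redaction, where the Tj
# operator was deleted and only the black box remains.
REDACTED_STREAM = """
BT /F1 12 Tf 72 700 Td (Payment per switch:) Tj ET
0 0 0 rg
215 695 190 16 re f
"""

NUM = r"(-?\d+(?:\.\d+)?)"
# One text object: position set by Td, string shown by Tj.
TEXT_RE = re.compile(r"BT\b.*?" + NUM + r"\s+" + NUM + r"\s+Td\s*\((.*?)\)\s*Tj.*?ET", re.S)
# A rectangle path (x y width height re) that is immediately filled (f).
RECT_RE = re.compile(r"\s+".join([NUM] * 4) + r"\s+re\s+f\b")

def text_under_overlays(stream):
    """Return strings whose origin lies inside a rectangle filled later in the stream."""
    rects = [(m.start(), *(float(g) for g in m.groups()))
             for m in RECT_RE.finditer(stream)]
    hits = []
    for m in TEXT_RE.finditer(stream):
        x, y = float(m.group(1)), float(m.group(2))
        for pos, rx, ry, rw, rh in rects:
            # Painted after the text and covering its origin: hidden on screen,
            # but still selectable and copyable.
            if pos > m.end() and rx <= x <= rx + rw and ry <= y <= ry + rh:
                hits.append(m.group(3))
                break
    return hits

if __name__ == "__main__":
    print("overlay only:", text_under_overlays(OVERLAY_STREAM))
    print("text removed:", text_under_overlays(REDACTED_STREAM))
```

A document is safe to release only when this kind of check comes back empty, meaning the underlying text objects were deleted rather than covered.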


So what data was hidden?  The article goes on to explain:

The FBI paid Verizon $2500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn’t redact the total amount paid to the telecom — slightly more than $2.9 million dollars — but somehow the bad guys will win if they knew the number of switches and the cost paid.

FBI survey results about wiretaps could also be found hidden under the redaction layer.

For the record, in 2005 and 2005, from talking to federal, state and local law enforcement agencies believed that the top emerging technologies causing surveillance concerns were VOIP, broadband and prepaid cellphones. While cops have long fretted about encryption and one might expect it to be in this list, it seems to have never been a problem for wiretapping.

In 2005, only 8 percent had tried tapping internet phone calls, but that number rose to 34 percent in 2006. In 2006, 35 percent of agencies had tried some sort of surveillance on broadband, but the question wasn’t asked in 2005.

The price of wiretaps and pen traps still limits surveillance, according to 68 percent of agencies in 2005 and 65 percent in 2006. Meanwhile, telecoms seem to be getting better at providing data in standard formats to cops, whose complaints about data format fell dramatically from 60 percent in 2005 to 12 percent in 2006.

But, oddly, 41 percent of agencies in 2006 say investigations have been hampered by companies not complying with Calea’s mandates, while in 2005, that number was only 22 percent.

Other nuggets? Hidden info in a blacked-out screenshot of the FBI’s wiretapping help-line complaint-management software reveals that even wiretappers have IT problems.

Cops in Montgomery County, Maryland had trouble right after Christmas in 2007 getting wiretap info delivered. Not far away in Baltimore (the honorary wiretap capital of the United States), cops had problems just before Christmas using the FBI’s database of cell towers, which help cops figure out a target’s location and movements. Kenner, Louisiana, cops just wanted a user name and password to chat in the Law Enforcement forum on ASKCalea.

Ok, good, so it wasn’t anything too dangerous, but just another example of stupidity.

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
