Posted by: David Schneier
Laws, Investigations and Ethics
The FBI has delivered a treasure trove of documents on its DCS-3000 electronic surveillance system, which paint a fairly distressing picture of the system itself and the ways in which it is used. The system comprises a massive nationwide private network that connects FBI wiretapping facilities and gives agents the ability to activate remote wiretaps with the click of a mouse, pulling in active voice conversations, text messages and other traffic. Wired News details the system’s capabilities thusly:
Together, the surveillance systems let FBI agents play back recordings even as they are being captured (like TiVo), create master wiretap files, send digital recordings to translators, track the rough location of targets in real time using cell-tower information, and even stream intercepts outward to mobile surveillance vans.
FBI wiretapping rooms in field offices and undercover locations around the country are connected through a private, encrypted backbone that is separated from the internet. Sprint runs it on the government’s behalf.
All of which is pretty impressive. But the documents also include descriptions of the DCS-3000's security features, which a number of experts have said are painfully lacking. For example, instead of requiring strong authentication such as smart cards or biometrics from users, the system relies on passwords. Steve Bellovin, a security pioneer who spent years at AT&T Labs before moving to Columbia University, writes in his blog entry on the DCS-3000 that the real threat to the system is from insiders.
The most obvious example is the account management scheme described in the DCS-3000 documents: there are no unprivileged userids. In fact, there are no individual userids; rather, there are two privileged accounts. Each has different powers; however, as the documents themselves note, each can change the other’s permissions to restore the missing abilities. Where is the per-user accountability? Why should ordinary users run in privileged mode at all? The answers are simple and dismaying.
Instead of personal userids, the FBI relies on log sheets. This may provide sufficient accountability if everyone follows the rules. It provides no protection against rule-breakers. It is worth noting that Robert Hanssen obtained much of the information he sold to the Soviets by exploiting weak permission mechanisms in the FBI’s Automated Case System. The DCS-3000 system doesn’t have proper password security mechanisms, either, which brings up another point: why does a high-security system use passwords at all? We’ve known for years how weak they are. Why not use smart cards for authentication?
We can’t even rely on just the log sheets: the systems support remote access, via unencrypted telnet.
My biggest concern, though, lies in the words of one of the FBI’s own security evaluations: the biggest threat is from insiders. The network is properly encrypted for protection against outside attackers. The defenses against insiders — yes, rogue FBI agents or employees — are far too weak.
To sum up: we have a system that accesses very sensitive data, with few technical protections against inside attacks, and generic defenses that don’t seem to fit the threat model.
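Bellovin's point about the two privileged accounts, each able to restore the other's permissions, is easy to check mechanically. The script below is an added illustration, not code from Bellovin's post or anything taken from the DCS-3000 documents: it models account schemes as a mapping from account to privileges, treats a privilege of the form "admin:X" as the ability to change X's permissions, and computes what each account can actually reach once such grants are followed to a fixed point. The two schemes it analyses are constructed for the example (account and privilege names are invented), one mirroring the two-account arrangement the documents describe and one with individual user accounts.

```python
"""Reachable-privilege analysis for account schemes (added example, constructed data)."""
from typing import Dict, Set, Tuple

Scheme = Dict[str, Set[str]]

# Constructed model of the two-account scheme: each account can change the
# other's permissions, so any privilege one lacks can be restored by the other.
TWO_ACCOUNT_SCHEME: Scheme = {
    "ops_admin": {"start_intercept", "playback", "admin:sys_admin"},
    "sys_admin": {"manage_accounts", "modify_logs", "admin:ops_admin"},
}

# Constructed alternative: ordinary users hold only what they need, account
# administration is a separate account, and nobody holds a log-modifying
# privilege at all (the audit log is append-only by design).
PER_USER_SCHEME: Scheme = {
    "agent_alice": {"start_intercept", "playback"},
    "agent_bob": {"playback"},
    "account_admin": {"manage_accounts", "admin:agent_alice", "admin:agent_bob"},
    "audit_keeper": {"read_audit_log"},
}


def effective_privileges(scheme: Scheme, account: str) -> Set[str]:
    """Transitive closure of privileges reachable from `account`.

    Holding "admin:X" lets the holder grant itself everything X holds, and
    everything X could in turn reach, so we follow those edges until no new
    account is discovered.
    """
    reached = set(scheme[account])
    visited = {account}
    frontier = [account]
    while frontier:
        current = frontier.pop()
        for priv in scheme[current]:
            if not priv.startswith("admin:"):
                continue
            target = priv.split(":", 1)[1]
            if target in scheme and target not in visited:
                visited.add(target)
                reached |= scheme[target]
                frontier.append(target)
    return reached


def mutual_escalation_pairs(scheme: Scheme) -> Set[Tuple[str, str]]:
    """Pairs of accounts that can each restore the other's permissions.

    Such a pair is the flaw the documents describe: whatever separation the
    two accounts nominally have, either one can recover the full privilege set.
    """
    pairs = set()
    for a in scheme:
        for b in scheme:
            if a < b and (f"admin:{b}" in effective_privileges(scheme, a)
                          and f"admin:{a}" in effective_privileges(scheme, b)):
                pairs.add((a, b))
    return pairs


def who_can(scheme: Scheme, privilege: str) -> Set[str]:
    """Every account that can reach `privilege`, directly or by self-grant."""
    return {acct for acct in scheme if privilege in effective_privileges(scheme, acct)}


if __name__ == "__main__":
    for name, scheme in (("two-account", TWO_ACCOUNT_SCHEME), ("per-user", PER_USER_SCHEME)):
        print(f"== {name} scheme ==")
        for acct in scheme:
            print(f"  {acct}: {sorted(effective_privileges(scheme, acct))}")
        print("  mutual escalation pairs:", sorted(mutual_escalation_pairs(scheme)))
        print("  can modify logs:", sorted(who_can(scheme, "modify_logs")))
```

Run against the two-account model, every privilege ends up reachable from both accounts and the pair is flagged as mutually escalating, which is what makes the log-sheet scheme the only accountability left. The per-user model has no mutual pair and no account that can reach a log-modifying privilege; it also shows that an account administrator can still grant themselves an agent's rights, so that account's activity is exactly what the audit log needs to record under its own userid.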
There are more documents to come as a result of the Electronic Frontier Foundation’s FOIA request, and it will be fascinating to see what other revelations they contain. Stay tuned.