Six Security-Related Stories to Help You Sleep At Night

I’m really not a conspiracy theorist, but some of these headlines keep me awake at night.

The location of your cell phone is being tracked, logged, and freely given to law enforcement: Paul Taylor, the Electronic Surveillance Manager for Sprint/Nextel, dropped a bombshell this week when he admitted that between October 2008 and October 2009, Sprint handled 8 million requests from law enforcement officials requesting the GPS information for customers’ cell phones. According to Wikipedia, Sprint/Nextel has just over 48 million customers, which means if you’re one of them, there’s a one in six chance that a member of law enforcement contacted Sprint last year and asked where your cell phone was. This information is given without a warrant — in fact, Sprint said they were getting so many requests that they set up a website to facilitate the number of requests. It would be naive to think that Sprint’s the only one doing this. (Link)

The government monitors essentially all internet traffic and phone calls: According to retired AT&T communications technician Mark Klein, in 2003 the NSA visited his AT&T location and added their own server room and servers, through which all AT&T backbone traffic is routed. The server room contained a Narus STA 6400, which according to Klein, is “known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets.” According to a 2006 Wired article, Narus “sells software to help internet service providers and telecoms monitor and manage their networks, look for intrusions, and wiretap phone calls as mandated by federal law.” The traffic is not limited to international internet traffic; domestic traffic is sifted through as well. According to the EFF, “the government has acquired and continue to acquire the content of the phone calls, emails, instant messages, text messages and web communications, both international and domestic, of practically every American who uses the phone system or the internet in an unprecedented suspicionless general search through the nation’s communications networks.” (Link 1 | Link 2)

The NSA keeps a log of every phone call made: This one’s kind of a no-brainer. Shortly after 9/11 the NSA made a deal with every major phone company (except Qwest) where each phone company would send the NSA their records of every phone call made, period. The logs (which show things like the the originating number, the destination number, the GPS location of both phones, and the duration of the call) are stored by the NSA in a giant database, where they can be searched for patterns that “denote criminal activity”. If you’ve made a phone call (or sent a text message for that matter) in the past decade, it’s listed in there. Tiger Woods is screwed. (Link)

Your work computer is not your own: “A 2005 survey by the American Management Association found that three-fourths of employers monitor their employees’ web site visits in order to prevent inappropriate surfing […] Just over half of employers review and retain electronic mail messages.” (PrivacyRights.org) That was five years ago — the numbers have gone up since then. Those that understand computer networking know how ridiculously simple it is to monitor and capture employees’ Internet traffic. It’s so simple, in fact, that you should simply assume at this point that all internet traffic at your workplace is being monitored and archived. Now, chances are your boss isn’t going through every record by hand; more likely, rules are in place to search for key phrases and destinations. If your employer uses software such as SMS or LANguard, your boss can literally see what’s on your computer screen at any given time without your knowledge. Monitoring doesn’t stop with your computer; the same goes with phone calls. At a minimum your employer can keep track of who you’ve called and how long you were on the phone. If you use Voice over IP (VoiP), I’d assume it’s being recorded as well. And e-mail? Again, no-brainer — every e-mail you send and receive at work is stored on a server and backed up somewhere else. Even when you delete them off your local machine, there’s still a copy somewhere.

The FBI can remotely turn on your cell phone’s microphone: In 2006, the FBI acquired a “roving bug” warrant for members of a New York crime family. A “roving bug” allows the FBI to turn on your cell phone’s microphone and listen to whatever’s going on in the room. This type of monitoring works whether or not the phone is turned on. The linked story notes that security-conscious businessmen have begun removing the battery from their cell phones when not in use. (Link)

Wireless security sucks: All you people with wireless routers in your house, listen up. If you do not have encryption enabled, I can sit down the street and “sniff” your traffic. That means I can see everything you are doing on the Internet — and, I can “see” your computer on the network, which means I may be able to hack into it and get to your files. Wireless routers support one or more types of encryption: WEP, WPA, and WPA2. WEP can be cracked in about two minutes. It’s better than nothing, but barely. A few months ago, Japanese scientists released a paper showing that they could crack WPA in about a minute. That leaves WPA2 as the last one standing, and who knows for how long. What’s the safest method of wireless networking? I don’t know. We’re all screwed. And by the way, this applies to anywhere you use public WiFi as well. I can sit outside Starbucks just as easily as I can sit down your street. Oh, and with a $10 antenna, I can extend my wireless distance to half a mile or more.