AT&T Tech Paints Stark Picture of NSA Telecom Spying

AT&T employee-turned-whistleblower Mark Klein, a 62-year-old retired telecommunications technician, was in Washington Wednesday to meet with members of Congress to convince them that telecommunications companies shouldn’t get immunity for the part they played in helping the National Security Agency (NSA) collect and record massive amounts of Americans’ Internet communications.

When Klein worked for AT&T in 2002, he said he received e-mails from higher management advising technicians of a special visit from the NSA and that an NSA agent was going to interview another technician for a “special job.” In January 2003, he toured AT&T’s Folsom Street facility in San Francisco, where a new 24-by-48-foot secret room was being built adjacent to telecommunications switches.

At the time, Klein was a fiber optics technician, and he said he became aware that AT&T’s WorldNet Internet service’s optical circuits had been split so that electronic voice and data traffic from AT&T’s customers could be copied and diverted to the secret room, which was locked and controlled by the NSA.

“My job required me to enable the physical connections between AT&T customers’ Internet communications and the NSA’s illegal, wholesale copying machine for domestic e-mails, Internet phone conversations, Web surfing and all other Internet traffic. I have first-hand knowledge of the clandestine collaboration between one giant telecommunications company, AT&T, and the National Security Agency to facilitate the most comprehensive illegal domestic spying program in history,” Klein stated.

Evidence for a Class Action Lawsuit

The Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T in January 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the NSA in its massive program to wiretap and data-mine Americans’ communications, actions which the EFF said are illegal. On July 20, 2006, a federal judge denied the government’s and AT&T’s motions to dismiss the case, chiefly on the ground of the State Secrets Privilege, allowing the lawsuit to go forward. On Aug. 15, the case was heard by the Ninth Circuit Court of Appeals.

The EFF lawsuit arose from news reports in December 2005, which first revealed that the NSA had been intercepting Americans’ phone calls and Internet communications without any court oversight, which the EFF said violates privacy safeguards established by Congress and the U.S. Constitution. This surveillance program, purportedly authorized by President Bush as early as 2001, intercepts and analyzes phone and Internet communications of millions of ordinary Americans. EFF has compiled and published supporting documents, reports and court materials on its AT&T Class Action area on its Web site.

On behalf of a nationwide class of AT&T customers, EFF says it’s suing “to stop this illegal conduct and hold AT&T responsible for violating the law and the fundamental freedoms of the American public.”

The EFF scored a minor victory Tuesday when a federal judge ruled that AT&T must either halt any routine destruction of documents or arrange the preservation of accurate copies.

The Plot Thickens

Meanwhile, the Justice Department has reportedly sought to block the lawsuit — and as many as 40 other, similar suits with telecoms around the country — by using the state secrets privilege, which would block the release of any information that might endanger national security.

Last month, the Senate Intelligence Committee approved a bill that would reduce the government’s ability to eavesdrop on terrorism suspects and protect civil liberties, but which also includes a clause that would grant the telecommunications companies, including but not limited to AT&T, immunity from lawsuits stemming from privacy violations with the NSA.

Sen. Leahy and the White House

Sen. Patrick Leahy, a Vermont Democrat and chairman of the Senate Judiciary Committee, called out the immunity issue a week ago as a concern, both as a threat to the privacy of Americans and as a shield for the Bush Administration.

“At the outset I should acknowledge the grave concern I have with one aspect of S.2248. It seeks to grant immunity — or, as Senator [Christopher] Dodd (D-Conn.) has called it, ‘amnesty’ — for telecommunications carriers for their warrantless surveillance activities from 2001 through this summer, which would seem to be contrary to FISA (Federal Intelligence Surveillance Act) and in violation of the privacy rights of Americans,” Leahy noted.

“I am considering carefully what we are learning from these materials,” he added. “Congress should be careful not to provide an incentive for future unlawful corporate activity by giving the impression that if corporations violate the law and disregard the rights of Americans, they will be given an after-the-fact free pass. If Americans’ privacy is to mean anything, and if the rule of law is to be respected, that would be the wrong result. A retroactive grant of immunity or preemption of state regulators does more than let the carriers off the hook. Immunity is designed to shield this administration from any accountability for conducting surveillance outside the law. It could make it impossible for Americans whose privacy has been violated illegally to seek meaningful redress.”

Rock and a Hard Place

Right or wrong, it is hard to imagine that the executives at any telecom were pleased to see the NSA show up at their doorsteps.

“My initial impression is that these companies are stuck. If they don’t give the government what it wants, the government comes after them. If they give the government what it wants, then private parties come after them,” Jeff Kagan, a telecommunications industry analyst, told the E-Commerce Times. “Either way, they are exposed. I don’t think there’s a path for them to take that’s good for the shareholders or for the company.”

The people running the telecoms, it is easy to imagine, would likely have had some interest in helping protect Americans from terrorists, but at the same time they also have an interest in protecting those same Americans’ civil liberties — not to mention their own public images. “Those can be two competing thoughts — there’s not a solution that would satisfy everyone,” Kagan noted. “That’s the world we live in today whether we like it or not.”

The only major telecom widely reported to have stood up against the NSA request is Qwest.

Hackers Cast LinkedIn as Most-Popular Phishing Spot

LinkedIn users are increasingly being targeted by phishing campaigns.

In recent weeks network audits revealed that the social media platform for professionals was in the crosshairs of 52 percent of all phishing scams globally in the first quarter of 2022.

This is the first time that hackers leveraged LinkedIn more often than any tech giant brand name like Apple, Google, and Microsoft, according to various reports.

Social media networks now overtake shipping, retail, and technology as the category most likely to be targeted by criminal groups, noted network security firm Check Point.

The phishing attacks reflect a 44 percent uplift from the previous quarter, when LinkedIn was in fifth place with only eight percent of phishing attempts. Now LinkedIn has surpassed DHL as the most targeted brand.

The second most targeted category is now shipping. DHL now holds second place with 14 percent of all phishing attempts during the quarter.

Check Point’s latest security report shows a trend toward threat actors leveraging social networks as a prime target. Hackers contact LinkedIn users via an official-looking email in an attempt to bait them to click on a malicious link.

Once lured, users face a login screen to a fake portal where hackers harvest their credentials. The fake website often contains a form intended to steal users’ credentials, payment details, or other personal information.

“The goal of these phishing attacks is to get victims to click on a malicious link. LinkedIn emails, like another commonly targeted sender, shipping providers, are ideal because the email shares only summary information, and the user is compelled to click through to the on-platform detail and content,” Archie Agarwal, founder and CEO at ThreatModeler, told the E-Commerce Times.

Ideal Pickings

Hackers target LinkedIn users for two key reasons, according to Agarwal. Phishing is a digital play on the confidence game built on trust. Exploiting victims’ trust in their LinkedIn network is a natural alternative to phishing on corporate sites.

“The other advantage to targeting LinkedIn users is that targets are easy to identify and prioritize. Users’ profiles publish their title and affiliations,” he said.

It makes sense for attackers to use LinkedIn as a hook for socially engineered phishing attacks, added Hank Schless, senior manager for security solutions firm Lookout, as it is generally accepted as a usable professional platform.

“However, it is not that different from any other social platform where an attacker can create a fake but convincing profile and message one of your employees with a malicious link or attachment,” he told the E-Commerce Times.

Countermeasures

Rather than clicking on the email, LinkedIn users should instead go directly to the platform that supposedly notified them and look for that notification detail there, suggested Agarwal.

“Platforms like LinkedIn and DHL have an incentive to notify users through email and text but link the user back to the platform to raise visits/usage. This incentive will always stand at odds with protecting against phishing opportunities,” he said.

Phishing that appears to come from legitimate services cannot be stopped. At the same time, current defenses are not tuned to find these types of attacks, noted Patrick Harr, CEO of anti-phishing firm SlashNext.

“These attacks are rising, and the gateway to ransomware is phishing. As phishing continues to grow as a vector for ransomware attacks, zero-hour, real-time threat prevention solutions are critical to stopping these threats,” he told the E-Commerce Times.

The ability to block employee web traffic to phishing sites, via malicious links and other vectors, and stop a ransomware attack at the start of the kill chain, is paramount, he added.

Trust Factors In

The use of LinkedIn blurs the boundary between work purposes and personal career development. For individuals, such as sales and marketing professionals, or recruiters who are using LinkedIn for work purposes, employers should remind them that trust is not transitive.

Recognize that second-level connections are basically unknown individuals. All information on LinkedIn, no matter how professional it looks, can be entirely fake, observed Oliver Tavakoli, CTO at security firm Vectra AI.

“To avoid falling for LinkedIn scams, simply imagine the same message arriving via email in your work inbox. Apply the same training that you have received for identifying phishing scams. Only accept connections from people you have met or ones who have been formally introduced to you,” he told the E-Commerce Times.

LinkedIn should undertake efforts to find and delete fake profiles. It should also make it far easier for organizations to flag incorrect claims in fake profiles — for example, having worked at a particular organization — to quickly correct such inaccuracies, Tavakoli added.

“On the end-user front, there is no real substitute for education — teaching skepticism and not falling for the transitive effect of trust,” he advised.

Think About It

Considering that 92 percent of LinkedIn users’ data was exposed in the 2021 breach, it comes as no surprise cybercriminals have increased attacks leveraging LinkedIn data, noted Harr. “However, based on our data, we are not seeing that LinkedIn has become the most imitated brand. This title belongs to Microsoft.”

With LinkedIn moving up the list of platforms used in phishing-related attacks, organizations should update their acceptable use policies (AUPs) to protect employees and mitigate the risk of web-based attacks, Schless recommended. Cloud-based web proxies such as secure web gateways (SWG) that are fed by rich threat intelligence datasets can help organizations build dynamic AUPs and protect enterprise data.

This enables admins to control which websites their employees and guest users can access with the purpose of blocking internet-borne malware, viruses, and phishing sites.

SWG is a critical solution to have in the modern enterprise security arsenal. It provides a way to block accidental access to malicious sites and can also be a safe tunnel to protect users from modern web-based threats such as ransomware, other malware, and phishing attacks, he explained.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.

PII of Many Fortune 1000 Execs Exposed at Data Broker Sites

Research released Monday by a cybersecurity services provider reveals how widespread the risks are, both to executives and to the organizations they lead, from data brokers collecting sensitive data about them.

The provider, BlackCloak, published in a blog the results of an analysis of 750 of its customers, most of them executives and board members at Fortune 1000 or other large institutions. Among the company’s findings:

  • 99% of our executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100;
  • 70% of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook;
  • 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors;
  • On average, online data brokers maintained more than three personal email addresses for every executive record.

“While maintaining data on three personal email addresses may not seem that significant to the novice eye, access to any personal email address raises the risks of unauthorized access, fraud and impersonation emails, among other digital threats,” wrote BlackCloak Director of Marketing Evan Goldberg.

Home as Soft Underbelly

The research also found that 40% of online data brokers had the IP address of an executive’s home network. “Not only could you use address information held by the broker to physically go to an executive’s home, but you could use the IP address to digitally break into their home from anywhere in the world,” observed BlackCloak Founder and CEO Chris Pierson.

“We see corporate executives targeted all the time in their personal lives,” he told TechNewsWorld. “If you’re targeting the CEO of GE, are you going to hack him at his GE email address, where he’s protected by corporate cybersecurity, or are you going to target him at his Gmail account or his wife’s account or his kids’ accounts, and get a foothold in his home?”

“Because everyone has been working from home for the past two years, it’s created the home as the soft underbelly of the corporation,” he said.

“Data broker information has been leveraged to commit identity theft and unemployment fraud over the past two years,” he added.

Some of the risks cited by BlackCloak are overblown, maintained Daniel Castro, vice president of the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C.

“Data brokers are often selling data that is already public, such as information on voting records or campaign contributions,” he told TechNewsWorld.

“Similarly,” he continued, “information that is publicly accessible on social networks or on websites is not particularly sensitive.”

However, he acknowledged that cybercriminals can use that information to perpetrate phishing attacks and impersonate an executive.

Danger to Top Brass

“The reality is that data brokers present fertile grounds for hackers, abusers and stalkers,” observed Liz Miller, vice president and a principal analyst at Constellation Research, a technology research and advisory firm in Cupertino, Calif.

“Where else could you pay $29 for a complete dossier on an ex-girlfriend including current address and phone number, current associates residing in the same location and basic detail about that person?” she told TechNewsWorld. “When you actually think about what this intensely sensitive data can mean in the hands of someone with no moral or ethical compass, it should terrify people.”

Data brokers have only one reason for being, noted Greg Sterling, co-founder of Near Media, a news, commentary and analysis website. “Their raison d’etre is to collect as much data on as many households and people as possible,” he told TechNewsWorld.

“By definition then, they expose and transfer information that individuals might not want exposed or sold, or that might be sold non-consensually or without knowledge of the individuals involved.”

Armen Najarian, chief identity officer at Outseer, a provider of payment fraud protection solutions in Bedford, Mass., maintained that data brokers present significant risks to executives. “In the digital era, data is power,” he told TechNewsWorld. “It’s dangerous for any company to have such detailed profiles of highly influential business professionals.”

“Often these profiles will include highly personal information, like income and assets, which are used by cybercriminals to target and steal a victim’s identity,” he continued.

“By studying the online behavior of these executives, fraudsters have an intimate look at what’s going on in these individuals’ lives, making it easier for them to deploy highly targeted attacks,” he added.

Not So Anonymous Anonymity

Some data brokers and applications justify their voracious appetite for data by claiming they only share anonymized information, a claim disputed by the Electronic Frontier Foundation in a July 2021 article on its website written by Gennie Gebhart and Bennett Cyphers.

“Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don’t include a legal name,” they wrote. “In particular, there’s no such thing as ‘anonymous’ location data. Data points like one’s home or workplace are identifiers themselves, and a malicious observer can connect movements to these and other destinations.”

“Another piece of the puzzle is the ad ID, another so-called ‘anonymous’ label that identifies a device,” they added. “Apps share ad IDs with third parties, and an entire industry of ‘identity resolution’ companies can readily link ad IDs to real people at scale.”

While governments in some other regions of the world have taken a harder line toward data brokers, that hasn’t been the case in the U.S. “It’s an area where the laws in the United States are not as robust as they could be,” Pierson said. “Over time, there have been a number of different legal proposals, but there have been no meaningful restrictions in what data brokers can do in the United States.”

“The best way to regulate data brokers would be to create a federal data privacy law that establishes basic consumer data rights, especially for sensitive personal data,” Castro advised. “Federal law is the best way to ensure that Americans have control of their information and avoids creating a complicated state-by-state patchwork of laws.”

“The U.S. government should absolutely consider enacting legislation to regulate data brokers,” added Najarian. “This is an issue that extends beyond Fortune 1000 executives. It affects every single person who uses the internet.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
