SPOTLIGHT ON SECURITY

DCAC: A Field Day for the Heat

“Domestic Communications Assistance Center” is the kind of name you’d give to a couples counseling collective. At the FBI, though, it’s the name that’s been given to an agency designed to be at the cutting edge of digital snooping.

The mission of the DCAC, located at the FBI facility in Quantico, Va., includes intercepting and decoding Skype conversations, building wiretap hardware, developing tools for analyzing gigabytes of data obtained from wireless carriers or social networks and providing a help desk for minor league snoopers like state and local police, according to a report by Declan McCullagh in Cnet last week.

The center is part of an initiative within the U.S. Justice Department called “Going Dark,” which refers to law enforcement’s diminishing ability to keep tabs on technology-savvy criminals and terrorists.

Much of law enforcement’s authority to eavesdrop on threats to law and order comes from the 1994 Communications Assistance for Law Enforcement Act (CALEA).

“When CALEA was passed, things were fairly simple,” Steve Bock, president of Subsentio, a security consulting firm, explained to TechNewsWorld. “There were two networks: wireline and wireless.”

“Now we have a network or networks,” he continued. “It’s very complicated.”

A rewrite of the law would be useful, he maintained. “There are so many security holes in our nation’s networks for criminals and terrorists to communicate with each other that the current structure simply does not work,” he added.

Security holes or not, the level of secrecy surrounding the DCAC concerns some government watchdogs. “It’s important for Congress and the public to know what capabilities are being developed at the DCAC so they can evaluate what the FBI is doing,” said Gregory T. Nojeim, director of the Project on Freedom, Security and Technology at the Center for Democracy & Technology.

Good Year for Malware

McAfee released its first-quarter threats report last week. It revealed that malware samples collected during the period hit a new four-year high and could reach 100 million samples by year’s end.

One threat vector that will continue to grow in the coming months will be infected websites, according to McAfee Labs Messaging Data Architect Adam Wosotowsky.

“Many of those sites are in the United States,” he told TechNewsWorld. “In fact, the United States is the most prolific attacker of other countries’ websites in the world.”

In some ways, the United States is paying for being ahead of the world on Internet development, he observed. “For that reason, we’re also the world leader of web pages that haven’t been updated in five years,” he said.

“When you have a Web page that hasn’t been updated in five years and you’re using something like PHP or MySQL, then you can be open to MySQL injection attacks or cross-site scripting,” he explained.

Wosotowsky also waved a red flag over the growing number of botnet software development kits (SDKs) appearing on the Net’s black market. “That’s something that’s going to increase over time,” he noted. “That’s going to be a large danger area.”

Trust on the Internet

Last year, a virtual earthquake shook the trust structure of the Internet. DigiNotar, a company that issues certificates used by browsers to establish secure connections on the Web, was hacked and its certificates used to spy on some 300,000 Google Gmail users.

A proposal that would address the flaw in the certificate system that facilitated that attack was submitted last week to the Internet Engineering Task Force, a standards group.

The proposal would create a new extension, called the “Trust Assertions for Certificate Keys” (TACK), for the Net’s trust system. After a Web surfer with a TACK-enabled browser visits a site that’s using the technology a few times, a “pin” would be created on the user’s computer. If the user encounters a site masquerading as the pinned location, the browser will reject the session and alert the user that something is wrong.

The extension, which was submitted by Moxie Marlinspike and Trevor Perrin, received high praise from cryptographer Nate Lawson. “It really is one of the few initiatives in recent times to have a huge impact on your family’s actual security, as well as dissidents in countries like Iran,” he wrote at the Hacker News forum.
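The pin-and-reject behaviour described above for TACK, modelled as a simplified client-side pin store. This is an added example, not code from the TACK proposal or its authors; the three-visit threshold, the SHA-256 fingerprint, the reset of not-yet-active pins, and the host and key values are assumptions.

```python
import hashlib
from dataclasses import dataclass

ACTIVATION_VISITS = 3  # assumption: the article only says "a few times"


@dataclass
class Pin:
    fingerprint: str
    sightings: int = 1

    @property
    def active(self) -> bool:
        return self.sightings >= ACTIVATION_VISITS


class PinStore:
    """Client-side map of hostname -> key fingerprint learned from visits."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, public_key: bytes) -> str:
        """Return 'accept' or 'reject' for one connection attempt."""
        host = host.lower().rstrip(".")  # same site regardless of case/trailing dot
        fp = hashlib.sha256(public_key).hexdigest()
        pin = self._pins.get(host)
        if pin is None:
            self._pins[host] = Pin(fp)  # first sighting: start learning
            return "accept"
        if pin.fingerprint == fp:
            pin.sightings += 1  # consistent key: pin gains confidence
            return "accept"
        if pin.active:
            return "reject"  # active pin contradicted: alert the user
        # Pin not yet active: too little history to trust it, so relearn.
        self._pins[host] = Pin(fp)
        return "accept"


def demo():
    """Three consistent visits, one masquerading key, then the real key."""
    store = PinStore()
    site_key = b"constructed-site-key"    # constructed sample value
    rogue_key = b"constructed-rogue-key"  # constructed sample value
    results = [store.check("mail.example", site_key) for _ in range(3)]
    results.append(store.check("mail.example", rogue_key))
    results.append(store.check("MAIL.example.", site_key))
    return results
```

The masquerading key is refused only once the pin is active, and the refusal leaves the pin intact, so the legitimate key is still accepted on the next visit.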

Breach Diary

  • May 21: ICANN Top Level Domain (TLD) application system goes back online. A technical glitch that allowed application information to be viewed by unauthorized eyes forced the Lords of the Internet to take the system offline on April 12.
  • May 22: Anonymous posts to the Internet 1.7GB of data obtained in a breach of a server operated by the U.S. Bureau of Justice Statistics.
  • May 24: California reportedly changes how it transports payroll data following breach that compromised personal information of 700,000 people. Data will be transported by courier, rather than being dropped in the post. The state is also exploring encrypting the data. Currently it’s stored on microfiche.
  • May 24: South Shore Hospital, located near Boston, agrees to pay US$750,000 to Massachusetts to resolve allegations it failed to protect personal and confidential health information of more than 800,000 consumers.
  • May 24: Imperva releases a report detailing flaws at militarysingles.com that allowed hackers to expose in March personal information of 170,000 of the site’s members.
  • May 25: SK Communications announces it will appeal court award of 1 million won ($844) to the victim of a data breach in which hackers stole the names, email addresses, phone numbers and residential registration codes (the Korean equivalent of Social Security numbers) of more than 35 million users of websites operated by the company. If each victim were to obtain a similar award, the Korean company would be on the hook for nearly $30 billion.

Calendar

  • June 17-22: 24th Annual FIRST Conference. Malta Hilton. Sponsored by Forum of Incident Response and Security Teams. Late fee registration (April 1-June 1): $2,500.
  • June 26: Cyber Security: The Perfect Storm. 2-4:15 p.m. Capitol Visitor Center, Washington D.C. Sponsored by MeriTalk Cyber Security Exchange and Sens. Tom Carper (D-Del.) and Scott Brown (R-Mass.).
  • June 29: Third Suits and Spooks Anti-conference. Bel Air Bay Club, Palisades, Calif. Sponsored by Taia Global and Pacific Council on International Policy.
  • August 20-23: Gartner Catalyst Conference. San Diego, Calif. Early bird price (before June 23): $1,995. Standard price: $2,295.

John Mello is a freelance technology writer and former special correspondent for Government Security News.
