Friday, March 7, 2008

THEY'RE GONNA GETCHA!

[I got this nasty little buggger off of WIRED. I went through What Really Happened to get there.]

A U.S. government office in Quantico, Virginia, has direct, high-speed access to a major wireless carrier's systems, exposing customers' voice calls, data packets and physical movements to uncontrolled surveillance, according to a computer security consultant who says he worked for the carrier in late 2003.

"What I thought was alarming is how this carrier ended up essentially allowing a third party outside their organization to have unfettered access to their environment," Babak Pasdar, now CEO of New York-based Bat Blue told THREAT LEVEL. "I wanted to put some access controls around it; they vehemently denied it. And when I wanted to put some logging around it, they denied that."

Pasdar won't name the wireless carrier in question, but his claims are nearly identical to unsourced allegations made in a federal lawsuit filed in 2006 against four phone companies and the U.S. government for alleged privacy violations. That suit names Verizon Wireless as the culprit.

Pasdar has executed a seven-page affidavit for the nonprofit Government Accountability Project in Washington, which on Tuesday began circulating the document (.pdf), along with talking points (.doc), to congressional staffers hashing out a Republican proposal to grant retroactive legal immunity to phone companies who cooperated in the warrantless wiretapping of Americans.

According to his affidavit, Pasdar tumbled to the surveillance superhighway in September 2003, when he led a "Rapid Deployment" team hired to revamp security on the carrier's internal network. He noticed that the carrier's officials got squirrelly when he asked about a mysterious "Quantico Circuit" -- a 45 megabit/second DS-3 line linking its most sensitive network to an unnamed third party.

Quantico, Virginia, is home to a Marine base. But perhaps more relevantly, it's also the center of the FBI's electronic surveillance operations.

"The circuit was tied to the organization's core network," Pasdar writes in his affidavit. "It had access to the billing system, text messaging, fraud detection, web site, and pretty much all the systems in the data center without apparent restrictions."

The 2006 lawsuit (.pdf), which is suspended pending an appeals court ruling, describes a similar arrangement, naming Verizon.

No comments: