Wired News reports on what the Electronic Frontier Foundation has discovered about the FBI wiretapping system known as DCSNet, for Digital Collection System Network. It's easily deployed with a few mouse clicks to monitor pen-registers and trap-and-traces (a type of surveillance that collects signaling information -- primarily the numbers dialed from a telephone -- but no communications content) as well as the content of phone calls and text messages.
The system runs on Microsoft Windows, an operating system known for security vulnerabilities, and is configured in a way that exacerbates them. An internal 2003 audit uncovered numerous security vulnerabilities in DCSNet, including:
- Inadequate logging
- Insufficient password management
- Lack of antivirus software (critical when running Windows)
- Unlimited numbers of incorrect passwords were allowed without locking the machine (allowing for brute force password cracking)
- Shared logins rather than individual accounts
- The system requires that user accounts have administrative privileges in Windows, allowing a hacker who got into the machine to gain complete control