CAT | Surveillance
When you think your phone is connected to your wireless provider, you might actually be connected to a rogue tower set up to capture your data.
Such devices have been demonstrated at the Black Hat security conference and a law enforcement fake tower called “Stingray” has been known for some time. Recently sophisticated secure phones have been able to detect these fake towers and people are starting to map them. Popular Science covered it here, and here.
There is very little transparency around law enforcement or US Intelligence use of such devices, so the could just as easily be operated by foreign intelligence services, criminals, or hackers. If we had strong end to end encryption there would be little to worry about, but many Internet connections and all phone calls are vulnerable to this attack.
Here is a new “as a service” offering I had never considered. Companies are supporting ISPs in responding to classified FISA court search warrants for the ISPs, including helping to capture the data and deciding if the request is proper.
Ars technica in conjunction with NPR conducted an excellent experiment showing how much and what kind of information can be obtained through capture off the wire. This is the type of information that a national intelligence service would see by tapping into ISPs.
They simulated this by using a penetration testing device installed at NPR reporter Steve Henn’s house (with his cooperation).
The amount of information is amazing. Even seemingly inactive devices are constantly making requests and connecting to services.
While many connections to key services like email and banking are encrypted, most others are not, revealing a great deal about Steve’s research activities.
It is absolutely worth a read.
Vodafone recently released a “Law Enforcement Disclosure Report”. Because Vodafone provides services in so many countries, this provides a unique insight into the range of surveillance capabilities and requirements across a spectrum of nations. In six countries they are required to provide direct connections to their network for the local government. This allows those governments to capture content and meta-data without making individual requests to Vodafone. They are not saying which 6 countries those are out of fear of penalties or retaliation.
In Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa and Turkey it is illegal to reveal information about various kinds of intercepts, so the report does not provide information on those countries.
The report also provides good information on the frequency of requests for information from various countries.
One lesson from this is, despite the impression one might have gotten from the Snowden leaks, the US is far from the only country doing this kind of surveillance.
Attorney General’s new war on encrypted web services – Security – Technology – News – iTnews.com.au
Australia’s Attorney-General’s department is proposing that all providers of Internet services ensure that they can decrypt user communications when so ordered. Any services where the provider has the keys will obviously be able to do this.
Australians may want to start to start taking steps to protect themselves now.
End to end encryption is your friend. At least that way, you need to be informed and compelled if they want access to your data.
Another important step is to get your “in the clear” communications into another jurisdiction using a VPN service like Anonymizer Universal.
Finally, let your voice be heard on this issue by reaching out to your members of parliament.