AT&T Tech Paints Stark Picture of NSA Telecom Spying

AT&T employee-turned-whistleblower Mark Klein, a 62-year-old retired telecommunications technician, was in Washington Wednesday to meet with members of Congress to convince them that telecommunications companies shouldn’t get immunity for the part they played in helping the National Security Agency (NSA) collect and record massive amounts of Americans’ Internet communications.

When Klein worked for AT&T in 2002, he said he received e-mails from higher management advising technicians of a special visit from the NSA and that an NSA agent was going to interview another technician for a “special job.” In January 2003, he toured AT&T’s Folsom Street facility in San Francisco, where a new 24-by-48-foot secret room was being built adjacent to telecommunications switches.

At the time, Klein was a fiber optics technician, and he said he became aware that AT&T’s WorldNet Internet service’s optical circuits had been split so that electronic voice and data traffic from AT&T’s customers could be copied and diverted to the secret room, which was locked and controlled by the NSA.

“My job required me to enable the physical connections between AT&T customers’ Internet communications and the NSA’s illegal, wholesale copying machine for domestic e-mails, Internet phone conversations, Web surfing and all other Internet traffic. I have first-hand knowledge of the clandestine collaboration between one giant telecommunications company, AT&T, and the National Security Agency to facilitate the most comprehensive illegal domestic spying program in history,” Klein stated.

Evidence for a Class Action Lawsuit

The Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T in January 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the NSA in its massive program to wiretap and data-mine Americans’ communications, actions which the EFF said are illegal. On July 20, 2006, a federal judge denied the government’s and AT&T’s motions to dismiss the case, chiefly on the ground of the state secrets privilege, allowing the lawsuit to go forward. On Aug. 15, the case was heard by the Ninth Circuit Court of Appeals.

The EFF lawsuit arose from news reports in December 2005, which first revealed that the NSA had been intercepting Americans’ phone calls and Internet communications without any court oversight, which the EFF said violates privacy safeguards established by Congress and the U.S. Constitution. This surveillance program, purportedly authorized by President Bush as early as 2001, intercepts and analyzes phone and Internet communications of millions of ordinary Americans. EFF has compiled and published supporting documents, reports and court materials in the AT&T Class Action area of its Web site.

On behalf of a nationwide class of AT&T customers, EFF says it’s suing “to stop this illegal conduct and hold AT&T responsible for violating the law and the fundamental freedoms of the American public.”

The EFF scored a minor victory Tuesday when a federal judge ruled that AT&T must either halt any routine destruction of documents or arrange the preservation of accurate copies.

The Plot Thickens

Meanwhile, the Justice Department has reportedly sought to block the lawsuit — and as many as 40 other, similar suits with telecoms around the country — by using the state secrets privilege, which would block the release of any information that might endanger national security.

Last month, the Senate Intelligence Committee approved a bill that would reduce the government’s ability to eavesdrop on terrorism suspects and protect civil liberties, but which also includes a clause that would grant the telecommunications companies, including but not limited to AT&T, immunity from lawsuits stemming from privacy violations with the NSA.

Sen. Leahy and the White House

Sen. Patrick Leahy, a Vermont Democrat and chairman of the Senate Judiciary Committee, flagged the immunity issue a week ago as a concern, both for the privacy of Americans and as a shield for the Bush Administration.

“At the outset I should acknowledge the grave concern I have with one aspect of S.2248. It seeks to grant immunity — or, as Senator [Christopher] Dodd (D-Conn.) has called it, ‘amnesty’ — for telecommunications carriers for their warrantless surveillance activities from 2001 through this summer, which would seem to be contrary to FISA (Federal Intelligence Surveillance Act) and in violation of the privacy rights of Americans,” Leahy noted.

“I am considering carefully what we are learning from these materials,” he added. “Congress should be careful not to provide an incentive for future unlawful corporate activity by giving the impression that if corporations violate the law and disregard the rights of Americans, they will be given an after-the-fact free pass. If Americans’ privacy is to mean anything, and if the rule of law is to be respected, that would be the wrong result. A retroactive grant of immunity or preemption of state regulators does more than let the carriers off the hook. Immunity is designed to shield this administration from any accountability for conducting surveillance outside the law. It could make it impossible for Americans whose privacy has been violated illegally to seek meaningful redress.”

Rock and a Hard Place

Right or wrong, it is hard to imagine that the executives at any telecom were pleased to see the NSA show up at their doorsteps.

“My initial impression is that these companies are stuck. If they don’t give the government what it wants, the government comes after them. If they give the government what it wants, then private parties come after them,” Jeff Kagan, a telecommunications industry analyst, told the E-Commerce Times. “Either way, they are exposed. I don’t think there’s a path for them to take that’s good for the shareholders or for the company.”

The people running the telecoms, it is easy to imagine, would likely have had some interest in helping protect Americans from terrorists, but at the same time they also have an interest in protecting those same Americans’ civil liberties — not to mention their own public images. “Those can be two competing thoughts — there’s not a solution that would satisfy everyone,” Kagan noted. “That’s the world we live in today whether we like it or not.”

The only major telecom widely reported to have stood up against the NSA request is Qwest.


5 Cyber Safety Tips To Survive the Internet, Hackers and Scammers

Navigating the internet can be a trouble-filled journey. Bad actors intent on exploiting uninformed users are constantly lurking behind emails, websites, and social media invites. Even your Wi-Fi router and those now-ubiquitous QR codes can be danger points. Add to that, the never-ending virus and malware threats.

Computer and mobile device users are often unaware of the danger zones. However, the internet need not be a constant trip through the badlands. What it takes to stay protected online is knowing what to avoid and how to protect yourself.

Here are five things in your control to help keep your digital activity safe.

1. QR Codes, Handy but Potentially Harmful

A safe QR code for TechNewsWorld.com

These postage-size image links to websites can be convenient. Just point your smartphone camera at it and instantly go to a website, tech support location, discount offer on a purchase, or restaurant menu.

However, QR codes can also take you to a nefarious place where malware or worse is waiting. QR codes can be programmed to link to anything, putting your privacy and security at big risk.

Think before you scan a QR code. If the code is displayed on a website or printed document you trust, it is probably safe. If not, or you are unsure, check it out.

You can download reputable QR reader apps that will perform a security check on the endpoint of the QR code’s destination. One such safety tool I use is the Trend Micro QR Scanner app, available for Android and iOS.

2. Avoid ‘Unsubscribe’ Email Scams

This is a popular ongoing scam that has a high success rate for hackers. Potential victims get an email for a product offer or other business invitation. The opt-out action step is enticing, looks familiar, and sounds reasonable. “Don’t want to receive our emails? Click here to unsubscribe,” it beckons.

Sometimes the annoying repeat emails ask if you want to unsubscribe from future emails. Some even offer you a link to cancel a subscription.

Do not select any options. Clicking on the links or replying confirms your active address.

Never input your email address in the “unsubscribe me” field, either. More senders will follow.

A better solution to deleting the unwanted email, especially from an unknown sender, is to mark it as spam. That moves it to the spam folder. You also can add that sender to your email program’s block list, or set up a filter to automatically delete it before it reaches your inbox.

Finally, check out the free service Unroll.me. There you can unsubscribe from unwanted emails, keep others, or get the rest in a daily digest.

3. Lock Out Facebook Hackers

Other villains try to usurp Facebook accounts. Hackers can change your password, email address, phone number, and even add a security code to lock you out of the pirated account. Before trouble happens, be proactive to prevent these situations. Facebook provides the following security settings you need to enable.

Enable two-factor authentication (2FA) to require your login approval on a separate device.

To do this, log in to your Facebook account on a desktop computer and navigate to Settings & privacy. Next, select Security and login. Then scroll down and edit the Two-factor authentication option. 

Facebook two-factor authentication settings

To complete this step, you must enter your Facebook password.


Activate these two additional features to block Facebook hackers:

  • Turn on the Code Generator feature in the Facebook mobile app
  • Set up login alerts to your email

First, open the Facebook mobile app and tap the magnifying glass, enter the term “code generator” and tap the search icon. Tap the result Code Generator to navigate to the next screen, then tap the button “Turn On Code Generator” to get a 6-digit code that changes every 30 seconds. You must enter this code within that short time span to log in to your account on another device.

Next, set up alerts about unrecognized logins. You can do this from either a computer or a mobile device.

  • Computer: go to Settings & privacy > Settings > Security and login > Get alerts about unrecognized logins (see above screenshot).
  • Mobile app: tap Menu > Settings & privacy gear icon > Settings. Then tap Password and security. Next, scroll to Setting Up Extra Security > Get alerts about unrecognized logins > tap to select your preferred notification methods.
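
How a 6-digit code that changes every 30 seconds can be generated and checked, as an added example that is not Facebook's code or part of the original article. It assumes the code generator follows the standard time-based one-time password algorithm (RFC 6238, HMAC-SHA1); the key is the published RFC test key, and the drift window and replay check are illustrative choices.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # lifetime of one code, matching the 30 seconds described above
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second step that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, submitted, unix_time, drift_steps=1, last_used_step=None):
    """Server-side check: return the matching step number, or None.

    A code is accepted only for the current step plus or minus drift_steps
    (to tolerate clock skew), which is why it must be typed in quickly.
    A step at or before last_used_step is refused, so a code that was
    observed once cannot be replayed inside the same window.
    """
    now = unix_time // STEP_SECONDS
    matched = None
    for step in range(max(0, now - drift_steps), now + drift_steps + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        expected = totp(secret, step * STEP_SECONDS)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = step
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real account secret
    shown_at = 1111111109             # constructed timestamp (an RFC test time)
    code = totp(secret, shown_at)
    print("code shown on the phone:", code)
    print("typed 2 s later  ->", verify(secret, code, shown_at + 2))
    print("typed 90 s later ->", verify(secret, code, shown_at + 90))
    step = verify(secret, code, shown_at + 2)
    print("replayed         ->", verify(secret, code, shown_at + 2, last_used_step=step))
```
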

If you have trouble logging in, head to facebook.com/login/identify to fix the problem. If you are unable to log in there, go to this Facebook help page instead and fill out the request form for Facebook to review your account. You will need to answer a few security questions to prove your identity. This might include providing proof of ID like a photo of a driver’s license.

4. Secure Your Wi-Fi Router

The flood of people working remotely since Covid put home Wi-Fi routers squarely in hackers’ target sights. As a result, malware attacks on home Wi-Fi networks are on the rise because residential setups often lack the level of security and protection that is found on enterprise networks.

One nasty attack tool, dubbed ZuoRAT, is a remote access trojan designed to hack into small office/home office routers. It can affect macOS, Windows, and Linux computers.

With it, hackers can collect your data and hijack any sites you visit while on your network. One of ZuoRAT’s worst factors is that once your router is infected, it can infect other routers to continue spreading the hackers’ access.

Apply these steps to better secure your home/office Wi-Fi network:

  • Be sure to enable WPA2 or WPA3 encryption on your routers. The default factory setting is often the outdated WEP (Wired Equivalent Privacy) security protocol, or none is set at all. Check the user manual or the router manufacturer’s website for directions.
  • Change your router’s SSID (Service Set Identifier) and password. This is critical. Typically, the factory setting shows the router’s make or model and has a universal password such as 0000 or 1234. Rename the SSID to not easily identify you. Avoid names that include, for example, all or parts of your name or address. Make sure the password is very strong.
  • For added protection, change the router’s password regularly. Yes, this is a big inconvenience because you also must update the password on all your devices that use that Wi-Fi network. But considering it will keep out hackers, it is well worth the hassle.
  • Keep the router’s firmware updated. Check the user manual and/or the manufacturer’s website for steps to download the latest updates.

FAQ
How do I create a password that is hard to hack?

The strongest passwords have all these characteristics:

  • Lengthy — the more characters, the better
  • A mix of upper-case and lower-case letters, numerals, and special characters
  • No dictionary words or anything related to personal information

Pro Tip: When using a password generator, always change at least a few characters from the random result to create your final credentials.

5. Beware of Phony Tech Support Schemes

Some fraudsters call on the phone to tell you they are a tech support division working for a well-known computer or software company. The caller claims to be calling in response to an alert from your computer of a virus detection or malware on your device. The scammer offers to fix it if you simply provide your credit card number.

Hang up. Your computer is not infected.

A modified version of this tech support scam is a text or email claiming the same details. Do not reply. Just delete the message and move on.

You might also be browsing the web when a pop-up message crashes onto your screen. I have received very loud audio alerts warning me that my computer is at risk and not to turn it off without responding for help.

In all these cases, the scammers want to scare you into complying with their instructions. The action they want you to take to let them fix the alleged problem will hurt your bank account and possibly let them transmit real infections.

Follow these best practices to protect yourself from tech support fraud:

  • Never let a scammer con you into going to a website or clicking on a link.
  • Never agree to a remote connection by a so-called tech support agent who initiated contact with you.
  • Never give payment information in exchange for technical support you did not initiate. Legitimate tech companies will not call you and ask for payment to fix a problem they claim to have discovered on your device.

If you suspect your computer has a virus or malware problem, initiate contact with a repair center yourself. You probably already have a support plan or active warranty from where you purchased the computer. If you have not contacted a tech support company, the call or message you received is illegitimate.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.


Digital Devices of Corporate Brass Ripe for Hacker Attacks

Digital devices and home networks of corporate executives, board members and high-value employees with access to financial, confidential and proprietary information are ripe targets for malicious actors, according to a study released Tuesday by a cybersecurity services firm.

The connected home is a prime target for cybercriminals, but few executives or security teams realize the prominence of this emerging threat, noted the study based on an analysis of data from more than 1,000 C-suite, board members and high profile executives from over 55 U.S.-based Fortune 1000 companies who are using the executive protection platform of BlackCloak.

“BlackCloak’s study is exceptional,” observed Darren Guccione, CEO of Keeper Security, a password management and online storage company.

“It helps illuminate the pervasive issues and vulnerabilities caused by millions of businesses migrating to distributed, remote work while at the same time, transacting with corporate websites, applications and systems from unsecured home networks,” he told TechNewsWorld.

BlackCloak’s researchers discovered that nearly a quarter of the executives (23%) have open ports on their home networks, which is highly unusual.

BlackCloak CISO Daniel Floyd attributed some of those open ports to third-party installers. “They’re an audio-visual or IT company that, because they don’t want to send a truck out when things break, they’ll set up port-forwarding on the firewall,” he told TechNewsWorld.

“It allows them to remotely connect to the network to solve problems,” he continued. “Unfortunately, they’re being set up improperly with default credentials or vulnerabilities that haven’t been patched for four or five years.”

Exposed Security Cameras

An open port resembles an open door, explained Taylor Ellis, a customer threat analyst with Horizon3 AI, an automated penetration testing as a service company in San Francisco. “You wouldn’t leave your door unlocked 24/7 in this day and age, and it’s the same way with an open port on a home network,” he told TechNewsWorld.

“To a business leader,” he continued, “the threat of breaking and entering escalates when you have an open port providing access to sensitive data.”

“A port acts like a communication gateway for a specific service hosted on a network,” he said. “An attacker can easily open a backdoor into one of these services and manipulate it to do their bidding.”

Of the open ports on the home networks of corporate brass, the report noted, 20% were connected to open security cameras, which can also pose a risk to an executive or board member.

“Security cameras have often been used by threat actors both to plant and distribute malware, but perhaps more importantly to provide surveillance on patterns and habits — and if the resolution is good enough, to see passwords and other credentials being entered,” noted Bud Broomhead, CEO of Viakoo, a developer of cyber and physical security software solutions in Mountain View, Calif.

“Many IP cameras have default passwords and out-of-date firmware, making them ideal targets for being breached and once breached making it easier for threat actors to move laterally within the home network,” he told TechNewsWorld.

Data Leaks

The BlackCloak researchers also discovered that the personal devices of corporate brass were equally, if not more, insecure than their home networks. More than a quarter of the execs (27%) had malware on their devices, and more than three-quarters of their devices (76%) were leaking data.

One way data leaks from smartphones is through applications. “A lot of apps will ask for sensitive permissions that they don’t need,” Floyd explained. “People will open the app for the first time and just click through the settings not realizing they’re giving the app access to their location data. Then the app will sell that location data to a third party.”

“It’s not only executives and their personal devices, it’s everyone’s personal devices,” added Chris Hills, chief security strategist at BeyondTrust, maker of privileged account management and vulnerability management solutions in Carlsbad, Calif.

“The amount of data, PII, even PHI, that the common smartphone contains these days is mind-boggling,” he told TechNewsWorld. “We don’t realize how vulnerable we can be when we don’t think about security as it relates to our smartphones.”

Personal device security doesn’t seem to be top of mind for many executives. The study found that nearly nine out of 10 of them (87%) have no security installed on their devices.

Mobile OS Security Deficient

“Many devices ship without security software installed, and even if they do it may not be sufficient,” Broomhead noted. “For example, Samsung Android devices ship with Knox security, which has had security holes found in it previously.”

“The device manufacturer may try to make tradeoffs between security and usability that may favor usability,” he added.

Hills maintained that most people are comfortable and content in thinking that the underlying operating system of their smartphone contains the needed security measures to keep the bad guys out.

“For the common person, it’s probably enough,” he said. “For the business executive that has more to lose given their role in a business or company, the security blanket of the underlying operating system just isn’t enough.”

“Unfortunately, in most cases,” he continued, “there is so much we focus on trying to protect as individuals, sometimes some of the most common get overlooked, such as our smartphones.”

Privacy Protections Lacking

Another finding by the BlackCloak researchers was that most personal accounts of executives, such as email, e-commerce, and applications, lack basic privacy protections.

In addition, they discovered security credentials of executives — such as bank and social media passwords — are readily available on the dark web, making them susceptible to social engineering attacks, identity theft, and fraud.

Nearly nine of 10 executives (87%) have passwords currently leaked on the dark web, the researchers noted, and more than half (53%) are not using a secure password manager. Meanwhile, only 8% have multifactor authentication enabled across a majority of the applications and devices.

“While measures like multifactor authentication aren’t perfect, these basic best practices are essential, especially for the board/C-suite who often opt-out of the requirement as a matter of convenience,” Melissa Bischoping, an endpoint security research specialist with Tanium, maker of an endpoint management and security platform in Kirkland, Wash., told TechNewsWorld.

“Attacking personal digital lives might be a new risk for enterprises to consider,” the researchers wrote, “but it is a risk that requires immediate attention. Adversaries have determined that executives at home are a path of least resistance, and they will compromise this attack vector for as long as it is safe, seamless, and lucrative for them to do so.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.
