Monday, September 29, 2008

The Law of Unintended Consequences - Security Creates Its Own Threat

An anti-war blog has posted an article alleging Israeli spying on US government communications by installing backdoors into telephone systems. Regardless of the accuracy of the article or its political slant, it does bring up an interesting issue: When can security controls or measures create vulnerabilities?

Specifically, the article discusses the potential vulnerability created by implementation of the FBI's 1994 Communications Assistance for Law Enforcement Act (CALEA) that mandated telecommunication providers develop the capability for law enforcement agencies to wiretap any communication in the U.S.:
"The real novelty – and the danger – of CALEA is that telecom networks are today configured so that they are vulnerable to surveillance. 'We've deliberately weakened the computer and phone networks, making them much less secure, much more vulnerable both to legal surveillance and illegal hacking,' says former DOJ cybercrimes prosecutor Mark Rasch. 'Everybody is much less secure in their communications since the adopting of CALEA.'"

This issue is not academic: I have investigated many serious computer crimes where the intruder(s) targeted security information and controls to determine the status of investigations, to introduce backdoors into control systems, or to lock out or monitor the activities of investigators. Too often the very tools used by security personnel and investigators were used against them or in some way compromised.

It is critical that security professionals and engineers understand that many technological controls can be (and probably will be) used by an adversary to their advantage. This is particularly true of communication systems and of any control that monitors activity or collects intelligence data, such as log files, network and host vulnerability scans, IP-based communication systems such as VoIP, and IP-based surveillance and access control systems.

Trojan Horse: How Israeli Backdoor Technology Penetrated the US Government's Telecom System and Compromised National Security
