
call data report vulnerabilities

  • Goldsmith, Tim
    Message 1 of 10 , Nov 12, 2001
      Hi,
      Can anyone on this list help give me insight (either on the list or
      privately) about the potential vulnerability of Call Data Report information
      from commercial telephone companies getting into the hands of non-authorized
      individuals? As I understand it, in addition to the secure closed loop
      networks that the government currently uses, much of their communications
      pass through conventional phone networks via microwave or fiber.

      I think the suggestion is that an individual at a telecom company could
      access billing related information across other companies for ill purposes.
      Apparently something similar happened in 1997 in Los Angeles and compromised
      an LAPD drug investigation.

      We are working on an investigation looking into how a terrorist might
      theoretically use CDRs for traffic analysis to gain insight to the terrorism
      investigation, especially when the federal government utilizes these private
      telecom carriers. At this stage I don't know if this would just be limited
      to private phone conversations via cellphone, pager or PDAs, or over law
      enforcement networks like NLETS or INFRAGUARD which I understand travel over
      public carriers but have secure hardware on the terminal ends.

      This list has one of the most unique pools of talent in this field so I
      thought I would ask...I am clearly not an expert.

      Thanks for anything you might provide! I know this is a sensitive subject
      and group members here are properly sensitive to national security concerns.

      Tim Goldsmith
    • Stephen H Chapman
      Message 2 of 10 , Nov 12, 2001
        Tom
        Your question has as many answers as there are many different types of
        telephone switching systems in use and not all call data or call records are
        processed in a uniform standard way. Many systems store the data on mag tape
        at the switching site and this data is given to the processing center on a
        daily basis. It also depends upon the use of the data. The small independent
        companies often do their own call recording. The larger telephone companies
        often use centralized message accounting. Independent PBX operators may have
        their own local records in addition to what their Local carrier provides.
        If I was to look for areas of potential compromise the data processing
        centers would be my first choice. However it is possible with some stored
        program switching systems to make an auxiliary local record of calls
        originating from a specified phone. On systems where this may be done there
        should be a policy that this is prohibited unless authorized by a senior
        responsible person. On many systems a person on the test board can access
        any line on the switch without any other person being cognizant that this is
        happening. There are good technical reasons for this capability but there
        can be abuses by unscrupulous people. Motto, never say anything abusive,
        sensitive, personal or classified in any telephone conversation. You never
        know who is listening.
        Regards, Steve Chapman
      • albertjlafrance@cs.com
        Message 3 of 10 , Nov 12, 2001
          That's a very interesting question; unfortunately I don't have enough
          knowledge of current phone systems to answer. As you note, a lot of
          sensitive government communications are on dedicated, secure networks. But
          the most valuable information for a criminal, in terms of tracking an
          investigation, might be data concerning the calls which go over the public
          network. For example, knowing the origin and destination of a call to a
          law-enforcement "tip-line", a call from an FBI agent to a local police
          department, or a call from a confidential informant to his police contact
          could help a criminal determine if authorities were closing in on him, or if
          a witness or member of his own organization might be providing damaging
          information.

          Albert

          In a message dated 11/12/2001 6:25:05 PM Eastern Standard Time,
          tim.goldsmith@... writes:

          > Hi,
          > Can anyone on this list help give me insight (either on the list or
          > privately) about the potential vulnerability of Call Data Report information
          > from commercial telephone companies getting into the hands of non-authorized
          > individuals?
          <SNIP>
        • albertjlafrance@cs.com
          Message 4 of 10 , Nov 12, 2001
            Weren't there reports a year or two ago about an alleged compromise of the
            White House phone system by a foreign intelligence agency? I recall the
            stories were pretty vague; it wasn't clear to me if they were describing
            interception of conversations, or just of billing data.

            Albert
          • Jim Burks
            Message 5 of 10 , Nov 12, 2001
              Concur with Albert. Interesting question.

              It would be as interesting, if not more so, to access the billing
              and switch records of the CELLULAR providers, rather than the
              IXCs (AT&T, MCI, Sprint). The cellular data is more 'interesting',
              especially the switch data, which contains the cell where the
              call originated. It also is more likely to contain the actual
              subscriber's originating number. Most PBX systems in use today
              don't send the originating station ID, because they haven't
              upgraded to ISDN PRI trunks that allow sending the station
              ID rather than the trunk ID. That 'masks' whether the call
              originated from the FBI anti-terrorist group, or the IRS field
              office in the same building.

              To my knowledge, the phone company has always considered the
              AMA (automated message accounting) information secret, and
              disclosure prohibition dates back a long way. It's a termination
              offense. In fact, one of the
              Marilyn Monroe conspiracy theories from the early 60's
              revolves around supposedly missing AMA records of Marilyn
              calling one of the Kennedys after taking a bottle full of pills.

              The traditional phone companies have worked very hard
              at information security (Baby Bells, AT&T and MCI).
              They were hit hard by toll fraud during the 70's with
              the blue box guys, and in the 80's with switch hackers.
              While the AMA data doesn't allow making LD calls directly,
              it also contains calling card data which DOES allow toll
              fraud.

              Short answer is: they protect that carefully from outside
              hackers. But, a lot of customer service people have access
              to billing information. Large customers get their call
              detail on CD's, or via online transfer now. It might
              be possible to get that.

              Traffic analysis would give a lot of information to a
              Bin Ladin-type group, or others.

              BTW, NLETS is a message-based data network, operating over
              leased lines - at least when I worked with it in the 80's.
              It's probably moved to Frame Relay now, but I'll bet they
              still don't allow dial up - they definitely didn't then.

              You would have to attach a data tap to the link passing
              the 'interesting' traffic, rather than capture AMA
              traffic to make any sense of it.

              Also, never underestimate pure low-tech solutions.
              If you could get physical access to a voice line you
              wanted outgoing logs for, you could put a DTMF
              recorder on it. Check out www.sandman.com for examples.

              You might also ask this question on
              news:comp.dcom.telecomm. It's not as good a group as
              when Pat was moderating it, but people who actually
              do telco carrier stuff hang out there.

              Jim Burks


            • rickchem@hotmail.com
              Message 6 of 10 , Nov 12, 2001
                Tim-
                Somebody on TV did an expose on obtaining billing records from a
                phone company. I'm not sure if it was national, or local, but it had
                nothing to do w/ terrorists, more w/ identity theft and investigative
                practice.
                Anyways, it is pretty standard private investigator practice to
                get phone records of people you want to find, track, or otherwise, by
                fraud. You call and say you lost the bill, or say you want the
                records for your daughter's or son's cell phone. All you need to do
                is find the right rep - maybe try as many as 10 times- but eventually
                you'll find one that will give them to you. It's not legal, but it
                seems to be pervasive. The TV piece actually did it and was able to
                get somebody's records, even when somebody told the company that
                anyone requesting info had to give a code word.
                I'd check around on the alt.2600 newsgroups and the like. But,
                I'd say a terrorist link is suspect. Why would anyone do that
                painful sort of statistical analysis if they were a terrorist? As
                has been mentioned before, every fiber route in the country is
                labeled in plain sight . . .
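
A defender's view of the practice described in the post above, as an added example that is not part of the original thread: a scan of customer-service audit events for a call-record release that follows repeated denials by different reps, or that skips a code word on file. The log layout, field names, thresholds and sample events are all constructed assumptions, not any carrier's real format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical layout):
# (time, account, rep, code_word_on_file, code_word_verified, outcome)
SAMPLE_EVENTS = [
    ("2001-11-12 08:00", "ACCT-C", "rep04", False, False, "denied"),
    ("2001-11-12 08:10", "ACCT-C", "rep04", False, False, "released"),
    ("2001-11-12 09:02", "ACCT-A", "rep01", True, False, "denied"),
    ("2001-11-12 09:15", "ACCT-A", "rep02", True, False, "denied"),
    ("2001-11-12 09:40", "ACCT-A", "rep03", True, False, "denied"),
    ("2001-11-12 10:05", "ACCT-A", "rep07", True, False, "released"),
    ("2001-11-12 11:00", "ACCT-B", "rep02", True, True, "released"),
    ("2001-11-12 13:30", "ACCT-D", "rep05", True, False, "released"),
]

WINDOW = timedelta(hours=24)   # look-back period before a release (assumed)
MIN_DENYING_REPS = 3           # distinct reps who refused first (assumed)


def parse_events(rows):
    """Turn raw tuples into dicts with a real datetime for comparisons."""
    parsed = []
    for when, account, rep, on_file, verified, outcome in rows:
        parsed.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "account": account,
            "rep": rep,
            "code_word_on_file": on_file,
            "code_word_verified": verified,
            "outcome": outcome,
        })
    return parsed


def find_suspicious_releases(rows, window=WINDOW,
                             min_denying_reps=MIN_DENYING_REPS):
    """Return one finding per release that matches either pattern:

    - the account has a code word on file but the release was made
      without it being verified;
    - several different reps denied the same account's request inside
      the look-back window before someone finally released the records.
    """
    by_account = defaultdict(list)
    for event in sorted(parse_events(rows), key=lambda e: e["time"]):
        by_account[event["account"]].append(event)

    findings = []
    for account, events in by_account.items():
        for index, event in enumerate(events):
            if event["outcome"] != "released":
                continue
            reasons = []
            if event["code_word_on_file"] and not event["code_word_verified"]:
                reasons.append("released without code word")
            denying_reps = {
                prior["rep"]
                for prior in events[:index]
                if prior["outcome"] == "denied"
                and event["time"] - prior["time"] <= window
            }
            if len(denying_reps) >= min_denying_reps:
                reasons.append(
                    f"{len(denying_reps)} reps denied before release")
            if reasons:
                findings.append({
                    "account": account,
                    "released_by": event["rep"],
                    "time": event["time"],
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_releases(SAMPLE_EVENTS):
        print(finding["time"], finding["account"], finding["released_by"],
              "; ".join(finding["reasons"]))
```
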
              • Paxton Heckman
                Message 7 of 10 , Nov 13, 2001
                  As I understand it from training a few years ago,
                  NLETS is pretty much as secure as it can get. All
                  local agencies are tied by a direct line to a state
                  agency (usually the state police) who then has a line
                  directly to the switch. All traffic is routed through
                  the switch if it comes/goes out of state, and as to my
                  knowledge, there is no dial up access. After I get
                  home from work, I'll post a more detailed message on
                  how it works, but it is considered very secure.



                • Stephen H Chapman
                  Message 8 of 10 , Nov 13, 2001
                    When you are in the switchroom you have access to all the circuits thru that
                    switch and no dial up is required. You can also set up on many switches a
                    remote switchroom modem access that allows you to access all functions of
                    the switch that a switch room tech could access if he was physically present
                    in that switch room. A switch that has this capability normally would use
                    it for remote technical assistance. It has a very legitimate use but it can
                    also be mis-used for subversive purposes.
                    Steve Chapman
                  • ozob99@yahoo.com
                    Message 9 of 10 , Nov 14, 2001
                      Call Data from the larger centers was transmitted on 50KB analog
                      wideband data service as official services; later on DDS. One such
                      link was Richmond, Va to the Fairview Data Center in Silver
                      Spring, Md. This could have been compromised by skilled employees with
                      sophisticated equipment, as could anything in a CO if the time &
                      motivation were there (except for KY/KW & one time pad encryption),
                      but I suspect the risks/consequences far outweighed any rewards
                      unless the employee was a mole.
                    • Stephen H Chapman
                      Message 10 of 10 , Nov 14, 2001
                        Tim
                        A switchroom tech can have access to CDR information at that specific site
                        for a limited time for current calls only. He does not have access to
                        Historical Call Data. The Tech cannot access other switches and download
                        their call data. CDR current and historical data is only available at the
                        Data Processing site. Customer Service for that phone company can access a
                        customer's number and see where they have been calling.
                        The specific points of vulnerability are:

                        1. Subversive activity by a switch room tech and what he can access in real
                        time eavesdropping activity and short term CDR information.

                        2. The call processing data center where current and historical data is
                        stored. The probability of data being stolen is small but it can happen.

                        3. The customer service center has access to all call records for calls
                        dialed by their subscriber customer base.

                        4. The only true telephone circuits that are truly protected at this time
                        are those using NSA approved encryption devices at the originating and
                        terminating points of the call. If you try to monitor those circuits you
                        will hear a meaningless garble of sound. A few years ago NSA gave
                        authorization for certain manufacturers e.g.: AT&T, MOTOROLA, RCA to produce
                        a telephone set that had embedded an NSA crypto chip. The general purpose was
                        to have an NSA approved crypto Telephone set that could be purchased for use
                        in the US and allow the end users to pass company sensitive information
                        between two points and know that any attempt to monitor the conversation
                        would only be useless garbage to the eavesdropper. The only part of these
                        types of calls always in the clear was the dialed number. Immediately upon
                        identification you could enter the encrypted mode.

                        Tim, have you had any contact with anyone from HTCIA, the High Technology
                        Criminal Investigation Association? I dropped my membership since I retired.
                        Steve Chapman

