Intercept

Is Lawful Interception in Denial about Denial-of-Service Attacks?

Monday, December 18th, 2006

By Supranamaya Ranjan

My colleague, Kevin McTiernan, and I recently spoke at the ISS World Conference in Washington, DC. A key concern we highlighted in our presentations is how standards for Lawful Interception are in denial about denial-of-service attacks. Participants were not fully aware of how DoS, DDoS, scans and Internet worms could interfere with successful interception, and why it is increasingly important for carriers and ISPs to think about securing their LI infrastructure.

A malicious entity can prevent law enforcement agencies and ISPs from successfully intercepting targeted events and traffic data by simply launching a denial-of-service attack on the ISP’s infrastructure. The techniques available to attackers are extensive and bewildering. One could congest the ISP’s network with a SYN flood attack, UDP flood, ICMP Smurf attack or other sophisticated DoS variants. One could also bring down the web portal being used for “LI Reporting” by sending a flood of HTTP requests towards the web server. These attacks could begin with port scans directed towards the ISP’s network in order to locate the IP address of the reporting web server or the other vulnerable service ports that are open. Exacerbating this is the fact that the tools and resources needed for launching these attacks are easily available on the Internet.

Why exactly would this be important for carrier networks and ISPs? Well, a lot of the DoS, DDoS, scan and worm attacks we’ve seen so far in the Internet have been launched by thrill-seeking script kiddies, or by cyber extortionists looking for some quick bucks, or by spammers looking for unpatched vulnerable machines so that they could add them to their bot armies. However, once ISPs become compliant with CALEA and ETSI in 2007, the scenario will very likely change and cyber mafias will get yet another customer – the thugs and terrorists, who, upon learning of impending intercept warrants against them, can be expected to approach the cyber mafias to prevent successful interception! The results will be disastrous, with cyber attacks launched as fast as warrants are issued. Unfortunately, it will be the ISPs and carriers who will bear the brunt of a cyber thug/mafia nexus. Imagine being an ISP that suddenly starts getting a huge number of phone calls from disgruntled customers who couldn’t check their emails, couldn’t access their banking accounts, and couldn’t order life-saving drugs online – all because you are being DDoS’ed for opening up a cyber warrant against a few thugs.

The picture may appear gloomy, but unified security and LI solutions like NarusInsight are fortunately now available. LEAs and ISPs can proactively address the challenge by deploying LI solutions with built-in security capabilities, or by complementing existing LI infrastructures with proven network security solutions.

Municipal WiFi – Social Program or Utility?

Thursday, November 16th, 2006

By Kevin McTiernan

Those outside the San Francisco Bay Area may or may not be aware of the juggernaut underway in San Francisco over Municipal WiFi (or maybe they are witnessing their own version). After a nearly two-year process, Google/Earthlink were selected to provide inexpensive WiFi to the city. Similar to other locations, the business model would offer a free, ad-sponsored service and a paid, premium service. While most hoped to be able to access the service by the end of this year, it will most likely be available in late 2007. The delays are mostly political and are evidenced in the criticisms voiced thus far in town-hall meetings sponsored by Google and Earthlink. Requests range from no ads for the free service to Google paying to bus kids to the zoo, as well as requests for changes such as not requiring users to log in. While an outsider may characterize it as lunacy, it really demonstrates how many perspectives people can have on the same issue and what makes San Francisco such a great city.

But is Muni-WiFi a social program or a utility? Whether free or not, people will expect a certain quality of service. How can Google/Earthlink maintain the integrity (and thus QoS) if anyone is allowed to attach to the network? What’s worse, in the event of a natural or other disaster, such “openness” could be used against the network to frustrate the efforts of first responders or citizens looking to be informed. An untraceable, open network full of users and the potential for press is the dream scenario for most hackers. When such attacks happen, and they will, law enforcement will be called on to investigate and punish those behind the deed. With no logins and nothing to verify the user, law enforcement’s investigative ability will be severely hampered – unless they infiltrate the bus ride to the zoo.

Which brings me to my angle on the situation – such networks will need to assist law enforcement with investigations. WiFi at 300 kbps (the rate for free WiFi in San Francisco) is broadband. If it accesses the public Internet, it is Internet Access. Broadband Internet Access is required to comply with CALEA (the Communications Assistance for Law Enforcement Act) by May of 2007. This means that all of these Muni-WiFi networks will have to enable the ability to assist law enforcement with investigations (including lawful intercept).

I think people might want to stop looking at Muni-WiFi as a social program and start looking at it for what it is, a utility - just like electricity. It is expected to be there when needed and it must be allowed to put in measures such as power meters (to get paid) or the ability to turn off a node (block access) to ensure the grid stays up. The fact that it may be accessed for a cheap price must not change this view.

Mueller Wants Data Retention!

Friday, October 20th, 2006

By Kevin McTiernan

In a speech at the International Association of Police Chiefs conference in Boston, FBI Director Robert Mueller made the case for Data Retention. This echoes a request just over a month ago from Attorney General Alberto Gonzalez. Of concern is the ability of terrorists and criminals to cloak themselves “in the anonymity of the Internet.” Data Retention is the requirement for an ISP or Service Provider to keep records of communications and store them for a period of time. The purpose of this is to allow Law Enforcement (under court approval and judicial oversight) to request the records from the carrier to conduct investigations.

What they are asking for is not new. The European Union passed Data Retention legislation in December 2005 (Directive 2006/24/EC). It requires retention for a period of 6 to 24 months. It also requires all service providers to comply by September 15, 2007 (for traditional telephony service) and by March 15, 2009 (for Internet access service). Member states can legislate the retention period and the deadline for Internet access (September 2007 or March 2009).

Ireland, Spain, Malta, Italy, Denmark, Portugal, France, Slovakia and Hungary currently require compliance for traditional telephony and Internet access by September 2007. The United Kingdom, Czech Republic, Germany, Luxembourg, the Netherlands, Slovenia, Sweden, Poland, Lithuania, Austria, Cyprus, Belgium, Estonia, Greece, Finland, and Latvia require compliance for traditional telephony by September 2007 and Internet access by March 2009.

The fact that the legislation in the U.S. is behind Europe on Data Retention should not be a surprise. The “cuffs” put on U.S. law enforcement (no pun intended), when compared to European law enforcement, are staggering. The mandate for carriers to assist in the interception of Internet Access in the U.S. is only coming around in May 2007; Dutch ISPs have been mandated to provide this since 2002! The intercept order rate in Italy is 1 per 600 persons; it’s about 1 per 170,000 in the U.S. Italy authorizes 300 times more intercepts per person than the U.S.!

Comments of Director Mueller and Attorney General Gonzalez.

Article on wiretaps in Holland.

A New Breed of Terrorist

Friday, October 20th, 2006

By Kevin McTiernan

U.S. Department of Homeland Security Chief Michael Chertoff described a new and unnerving scenario to the International Association of Police Chiefs in Boston last Monday – Internet resources geared towards radicalism, combined with websites teaching terrorist tactics, resulting in a new breed of terrorist. “They can train themselves over the Internet. They never have to necessarily go to the training camp or speak with anybody else and that diffusion of a combination of hatred and technical skills in things like bomb-making is a dangerous combination,” Secretary Chertoff said.

Bombing and other plots, both in the U.S. and overseas, have been thwarted by surveillance and infiltration of groups. With ready resources (websites, video, audio, chat rooms) to stoke their hatred and plan attacks, combined with the relative privacy of the Internet, how can this kind of terrorist be discovered, let alone stopped? This is Chertoff’s concern: “Those are the kind of terrorists that we may not be able to detect with spies and satellites.” While terrorist cells wish to cause major damage to the U.S., one cannot ignore the home-grown terrorists – Columbine, the D.C. sniper, and most recently, the schoolhouse attack in Pennsylvania. Secretary Chertoff definitely has his hands full!

See Secretary Chertoff’s comments.