HomeLatest ThreadsGreatest ThreadsForums & GroupsMy SubscriptionsMy Posts
DU Home » Latest Threads » Forums & Groups » Main » General Discussion (Forum) » Stop Freaking Out About t... » Reply #24
In the discussion thread: Stop Freaking Out About the NSA [View all]

Response to UrbScotty (Original post)

Fri Jun 7, 2013, 01:28 AM

24. This!

 

Well, not that.

This:

http://www.themediaconsortium.com/reporting/wp-content/uploads/2008/03/affidavit-bp-final.pdf

My name is Babak Pasdar, President and CEO of Bat Blue Corporation. I have given this affidavit to
Thomas Devine, who has identified himself as the legal director of the Government Accountability
Project, without any threats, inducements or coercion.

I have been a technologist in the computer and computer security industry for the past nineteen years
and am a "Certified Ethical Hacker" (E-Commerce Consultants International Council.) I have worked
with many enterprise organizations, telecommunications carriers, as well as small and medium sized
organizations in consulting, designing, implementing, troubleshooting, and managing security systems.
This statement is to make a record ofmy concerns about the privacy implications for our society from
what I personally witnessed at a major telecommunications carrier, as summarized below.

What I know:

• I know I saw a circuit that everyone called the "Quantico Circuit."

• I know that all other sites had store numbers or affiliate numbers. The "Quantico Circuit" was
the only site being migrated that had such a unique name.

• I know that it was a third party connecting to the client's network via the "Quantico Circuit."

• I know everyone was uncomfortable talking about it.

• I know that connecting a third party to your network core with no access control is against all
standard security protocols, and would fail almost any compliance standard.

• 1 know that I was a trusted resource. During the project, I at all times had access and control
over the communications to the most sensitive of the organization's systems. This included
their sales applications, billing systems, text messaging and mobile internet access, including email
and web. I even had a client badge for entry to the building and access to facilities.

• I know the client had Network VCRs situated at various locations throughout their data centers.
These devices collected and recorded all network communications and had the capacity to store
them for days, possibly weeks.

• I know that many of the organization's branch offices and affiliate systems did not have that
unfettered access, because I instituted the controls.

What is likely, based on normal industry practice:

• A third party had access to one or more systems within the organization.

• The third party could connect to one or more of the client's systems. This would include the
billing system, fraud detection system, text messaging, web applications. Moreover, Internet
communications between a mobile phone and other Internet systems may be accessed.

• The client could connect to one or more of the third party's systems.

• The client's Data and Cell networks are interconnected.

• It is unlikely that any logging was enabled for any access to the Quantico circuit, because the
client's technical experts suggested that this was not enabled. They were tentative in even
discussing the subject. Even if logging was enabled the logging system was so inappropriately
sized that it was useless.

What is possible due to consistency with known facts but for which I don't have proof:

• The third party may be able to access the billing system to find information on a particular
person. This information may include their billing address, phone number(s), as well as the
numbers and information of other people on their plan. Other information could also include
any previous numbers that the person or others on their plan called, and the outside numbers
who have called the people on the plan.

• The third party may be able to identify the Electronic Security Number (ESN) of the plan
member's phones. This is a unique identifier that distinguishes each mobile device on the
carrier's network.

• With the ESN information and access to the fraud detection systems, a third party can locate or
track any particular mobile device. The person's call patterns and location can be trended and
analyzed.

• With the ESN, the third party could tap into any and all data being transmitted from any
particular mobile device. This would include Internet usage, e-mails, web, file transfers, text
messages and access to any remote applications.

• It also would be possible in real-time to tap into any conversation on any mobile phone
supported by the carrier at any point.

• It would be possible for the third party to access the Network VCR devices and collect a variety
of information en masse. The Network VCR collects all communications between two systems
indiscriminately. It would then archive this information making it available for retrieval on demand.
The third party could access the Network VCR systems and collect all data
communications for single mobile device such as text messaging, Internet access, e-mail, web
access, etc. over some period of minutes, hours, days or weeks. The same can be done for
communications of multiple, many or even all mobile devices for some period of minutes,
hours, days or weeks.

• Even if the client did not provide specific login and access for the third party to one or more of
their systems, without any access controls it is possible for the third party to leverage
vulnerabilities to "compromise" the client systems and obtain control or collect sensitive
information.

Reply to this post

Back to OP Alert abuse Link to post in-thread

Always highlight: 10 newest replies | Replies posted after I mark a forum
Replies to this discussion thread
Arrow 64 replies Author Time Post
UrbScotty Jun 2013 OP
randome Jun 2013 #1
Agnosticsherbet Jun 2013 #2
Spitfire of ATJ Jun 2013 #38
Agnosticsherbet Jun 2013 #61
ForgoTheConsequence Jun 2013 #3
BlueCheese Jun 2013 #4
blkmusclmachine Jun 2013 #19
ScreamingMeemie Jun 2013 #25
Maedhros Jun 2013 #27
ohheckyeah Jun 2013 #5
OnyxCollie Jun 2013 #6
leftstreet Jun 2013 #7
Fearless Jun 2013 #8
Hell Hath No Fury Jun 2013 #9
newmember Jun 2013 #23
grahamhgreen Jun 2013 #35
msongs Jun 2013 #10
Fire Walk With Me Jun 2013 #11
DevonRex Jun 2013 #12
ForgoTheConsequence Jun 2013 #13
backscatter712 Jun 2013 #15
DevonRex Jun 2013 #16
SlimJimmy Jun 2013 #30
DevonRex Jun 2013 #32
SlimJimmy Jun 2013 #50
backscatter712 Jun 2013 #14
Cali_Democrat Jun 2013 #17
forestpath Jun 2013 #60
blkmusclmachine Jun 2013 #18
sabrina 1 Jun 2013 #20
Bonobo Jun 2013 #21
RKP5637 Jun 2013 #53
ScreamingMeemie Jun 2013 #22
Art_from_Ark Jun 2013 #28
LineReply This!
OnyxCollie Jun 2013 #24
ohheckyeah Jun 2013 #26
Maedhros Jun 2013 #29
MisterP Jun 2013 #36
treestar Jun 2013 #48
Puzzledtraveller Jun 2013 #58
woo me with science Jun 2013 #31
tinrobot Jun 2013 #33
Defectata Jun 2013 #34
Cali_Democrat Jun 2013 #37
Spitfire of ATJ Jun 2013 #39
MFrohike Jun 2013 #40
moondust Jun 2013 #41
markiv Jun 2013 #52
MrMickeysMom Jun 2013 #42
Douglas Carpenter Jun 2013 #43
YeahSureRight Jun 2013 #44
LittleBlue Jun 2013 #45
Le Taz Hot Jun 2013 #46
treestar Jun 2013 #47
BenzoDia Jun 2013 #49
markiv Jun 2013 #51
RKP5637 Jun 2013 #54
KG Jun 2013 #55
bowens43 Jun 2013 #56
cali Jun 2013 #57
me b zola Jun 2013 #59
Dreamer Tatum Jun 2013 #62
AgingAmerican Jun 2013 #63
chervilant Jun 2013 #64
Please login to view edit histories.