Ellen Nakashima

NSA’s use of software flaws to hack foreign targets posed risks to cybersecurity

To penetrate the computers of foreign targets, the National Security Agency relies on software flaws that have gone undetected in the pipes of the Internet. For years, security experts have pressed the agency to disclose these bugs so they can be fixed, but the agency hackers have often been reluctant. Now with the mysterious release of a cache of NSA hacking tools over the weekend, the agency has lost an offensive advantage, experts say, and potentially placed at risk the security of countless large companies and government agencies worldwide. Several of the tools exploited flaws in commercial firewalls that remain unpatched, and they are out on the Internet for all to see. Anyone from a basement hacker to a sophisticated foreign spy agency has access to them now, and until the flaws are fixed, many computer systems may be in jeopardy.

Civil liberties groups ask FCC to probe Baltimore police use of cellphone tracking devices

Several civil liberties organizations filed a complaint asking the Federal Communications Commission to investigate the use of cellphone tracking devices by the Baltimore Police Department.

The complaint alleges that the Baltimore police, like many other police agencies across the country, are using devices that mimic cellphone towers to track suspects through their cellphone locations, in violation of federal law that requires a license. The groups are also alleging that the use of the disruptive surveillance technology overwhelmingly affects black residents — and does so without appropriate transparency and oversight. “There’s a pattern of law enforcement agencies around the country engaging in racially discriminatory policing, and that extends to surveillance technology,” said Laura Moy, director of Georgetown University’s Institute for Public Representation, who filed the complaint on behalf of the groups. The Communications Act, the groups say, requires a license to operate the devices on frequencies reserved for wireless carriers. But an FCC official said that local police agencies do not need a license under the law. She said at one point that the devices did not transmit on the wireless spectrum — which experts dispute. At another point, she suggested that local law enforcement is exempt from the requirement. In general, she could not give a clear explanation of why a license was not needed.

Judge criticizes secrecy rules surrounding FBI requests for companies’ data

In a recent ruling, U.S. District Judge James E. Boasberg for the District of Columbia criticized new rules regarding how long the government can demand secrecy from companies when it requests data on national security cases.

These demands, called national security letters (NSLs), are administrative subpoenas issued by FBI officials without having to seek judicial approval. They are generally accompanied by orders forbidding the recipients from disclosing the NSL’s existence. Judge Boasberg is the first judge to publicly assess new gag-order rules issued by the attorney general as mandated by the USA Freedom Act of 2015. These require the government to revisit gag orders when an investigation ends or on the three-year anniversary of the original subpoena. But Judge Boasberg said the rules contain “several large loopholes.” And thus, he said, they “give the court some pause” as to whether they comply with the law. He rejected the open-ended nature of the gag order, which accompanied requests for data on two of the company’s customers. Such “an indefinite bar . . . seems inconsistent with the intent of the law,” he wrote. He required that officials reconsider the need for the order’s secrecy every three years or until the gag is no longer necessary.

Clinton campaign — and some cyber experts — say Russia is behind email release

A top official with Hillary Clinton’s campaign accused the Russian government of orchestrating the release of damaging Democratic Party records to help the campaign of Republican Donald Trump — and some cybersecurity experts agree.

The extraordinary charge came as some national security officials have been growing increasingly concerned about possible efforts by Russia to meddle in the election, according to several individuals familiar with the situation. Although other experts remain skeptical of a Russian role, the hacking incident has caused alarm within the Clinton campaign and also in the national security arena. Officials from various intelligence and defense agencies, including the National Security Council, the Department of Defense, the FBI and the Department of Homeland Security, attended the White House meeting Thursday, on the eve of the email release. If the accusation is true, it would be the first time the Russians have actively tried to influence an election in this manner, analysts said.

FCC selects Swedish firm to run sensitive national database routing phone calls

The Federal Communications Commission selected a Swedish-owned firm to run a sensitive national database that routes billions of phone calls across the country, apparently satisfied that the award would not jeopardize national security. The vote by the five commissioners clears the way for Telcordia, owned by Ericsson and based in New Jersey, to proceed with the challenging task of building a system that can track calls and text messages by nearly every phone number in North America while ensuring the data remains secure.

The database handles the intercarrier routing of calls and texts for more than 650 million US phone numbers and for more than 2,000 carriers. If numbers are scrambled or deleted, a massive communications breakdown could occur. The database is particularly important for the FBI and other law enforcement agencies that query the database every day, several million times a year, in the course of criminal and intelligence investigations to track which phone company provides service for a particular number. Security experts say that if a foreign spy agency wants to know which of its agents the United States has under surveillance, it could attempt to hack the system to see what numbers the FBI has wiretaps on. The system includes the phone number, database and the platform that tells law enforcement which carrier owns which number.

Neustar, Telcordia battle over FCC contract to play traffic cop for phone calls, texts

Influential lawmakers are urging the Federal Communications Commission not to ignore national security as it prepares to choose a company to play the critical role of traffic cop for virtually every phone call and text message in North America. At issue is the security of the most significant cog in the telecommunications network that most Americans have never heard of.

The Number Portability Administration Center, or NPAC, handles the routing of all calls and texts for more than 650 million US and Canadian phone numbers for more than 2,000 carriers. If numbers are scrambled or erased, havoc could ensue.

In a letter sent to FCC Chairman Tom Wheeler, Rep Mike Rogers (R-MI) and Rep CA Dutch Ruppersberger (D-MD), Chairman and ranking Democrat of the House Intelligence Committee, urged the FCC to consult the FBI and other security agencies before picking a firm.

Proliferation of new online communications services poses hurdles for law enforcement

Federal law enforcement and intelligence authorities say they are increasingly struggling to conduct court-ordered wiretaps on suspects because of a surge in chat services, instant messaging and other online communications that lack the technical means to be intercepted.

A “large percentage” of wiretap orders to pick up the communications of suspected spies and foreign agents are not being fulfilled, FBI officials said. Law enforcement agents are citing the same challenge in criminal cases; agents, they say, often decline to even seek orders when they know firms lack the means to tap into a suspect’s communications in real time.

The government wants to wiretap online communications -- or in some cases hack them

Law enforcement and intelligence agencies want to be able to wiretap social media, instant message and chat services. But building in ways to wiretap these kinds of communication can lead to less secure systems, say technical experts, including former National Security Agency officials.

Some security experts suggest hacking as an alternative, but other experts -- including FBI officials -- say that method poses serious risks.

Right now, only phone companies, broadband providers and some Internet phone services are required by law to build in intercept capabilities, but the government wants to extend that requirement to online communication providers.

How spy agencies keep their ‘toys’ from law enforcement

The prospect that classified capabilities can be revealed in a criminal case means that the most sophisticated surveillance technologies are not always available to law enforcement because they are classified, current and former officials say.

And sometimes it's not just the tool that is classified, but the existence itself of the capability -- the idea that a certain type of communication can be wiretapped -- that is secret.

Court gave NSA broad leeway in surveillance, documents show

Virtually no foreign government is off-limits for the National Security Agency, which has been authorized to intercept information “concerning” all but four countries, according to top-secret documents.

The United States has long had broad no-spying arrangements with those four countries -- Britain, Canada, Australia and New Zealand -- in a group known collectively with the United States as the Five Eyes.

But a classified 2010 legal certification and other documents indicate the NSA has been given a far more elastic authority than previously known, one that allows it to intercept through US companies not just the communications of its overseas targets but any communications about its targets as well. The certification -- approved by the Foreign Intelligence Surveillance Court and included among a set of documents leaked by former NSA contractor Edward Snowden -- lists 193 countries that would be of valid interest for US intelligence.

The certification also permitted the agency to gather intelligence about entities including the World Bank, the International Monetary Fund, the European Union and the International Atomic Energy Agency.