Month: July 2013
Leslie James Pickering noticed something odd in his mail last September: a handwritten card, apparently delivered by mistake, with instructions for postal workers to pay special attention to the letters and packages sent to his home.
“Show all mail to supv” — supervisor — “for copying prior to going out on the street,” read the card. It included Mr. Pickering’s name, address and the type of mail that needed to be monitored. The word “confidential” was highlighted in green.
“It was a bit of a shock to see it,” said Mr. Pickering, who with his wife owns a small bookstore in Buffalo. More than a decade ago, he was a spokesman for the Earth Liberation Front, a radical environmental group labeled eco-terrorists by the Federal Bureau of Investigation. Postal officials subsequently confirmed they were indeed tracking Mr. Pickering’s mail but told him nothing else.
As the world focuses on the high-tech spying of the National Security Agency, the misplaced card offers a rare glimpse inside the seemingly low-tech but prevalent snooping of the United States Postal Service.
Mr. Pickering was targeted by a longtime surveillance system called mail covers, a forerunner of a vastly more expansive effort, the Mail Isolation Control and Tracking program, in which Postal Service computers photograph the exterior of every piece of paper mail that is processed in the United States — about 160 billion pieces last year. It is not known how long the government saves the images.
Together, the two programs show that postal mail is subject to the same kind of scrutiny that the National Security Agency has given to telephone calls and e-mail.
The mail covers program, used to monitor Mr. Pickering, is more than a century old but is still considered a powerful tool. At the request of law enforcement officials, postal workers record information from the outside of letters and parcels before they are delivered. (Opening the mail would require a warrant.) The information is sent to the law enforcement agency that asked for it. Tens of thousands of pieces of mail each year undergo this scrutiny.
The Mail Isolation Control and Tracking program was created after the anthrax attacks in late 2001 that killed five people, including two postal workers. Highly secret, it seeped into public view last month when the F.B.I. cited it in its investigation of ricin-laced letters sent to President Obama and Mayor Michael R. Bloomberg. It enables the Postal Service to retrace the path of mail at the request of law enforcement. No one disputes that it is sweeping.
“In the past, mail covers were used when you had a reason to suspect someone of a crime,” said Mark D. Rasch, who started a computer crimes unit in the fraud section of the criminal division of the Justice Department and worked on several fraud cases using mail covers. “Now it seems to be, ‘Let’s record everyone’s mail so in the future we might go back and see who you were communicating with.’ Essentially you’ve added mail covers on millions of Americans.”
Bruce Schneier, a computer security expert and an author, said whether it was a postal worker taking down information or a computer taking images, the program was still an invasion of privacy.
“Basically they are doing the same thing as the other programs, collecting the information on the outside of your mail, the metadata, if you will, of names, addresses, return addresses and postmark locations, which gives the government a pretty good map of your contacts, even if they aren’t reading the contents,” he said.
But law enforcement officials said mail covers and the automatic mail tracking program are invaluable, even in an era of smartphones and e-mail.
In a criminal complaint filed June 7 in Federal District Court for the Eastern District of Texas, the F.B.I. said a postal investigator tracing the ricin letters was able to narrow the search to Shannon Guess Richardson, an actress in New Boston, Tex., by examining information from the front and back images of 60 pieces of mail scanned immediately before and after the tainted letters sent to Mr. Obama and Mr. Bloomberg showing return addresses near her home. Ms. Richardson had originally accused her husband of mailing the letters, but investigators determined that he was at work during the time they were mailed.
In 2007, the F.B.I., the Internal Revenue Service and the local police in Charlotte, N.C., used information gleaned from the mail cover program to arrest Sallie Wamsley-Saxon and her husband, Donald, charging both with running a prostitution ring that took in $3 million over six years. Prosecutors said it was one of the largest and most successful such operations in the country. Investigators also used mail covers to help track banking activity and other businesses the couple operated under different names.
Other agencies, including the Drug Enforcement Administration and the Department of Health and Human Services, have used mail covers to track drug smugglers and Medicare fraud.
“It’s a treasure trove of information,” said James J. Wedick, a former F.B.I. agent who spent 34 years at the agency and who said he used mail covers in a number of investigations, including one that led to the prosecution of several elected officials in California on corruption charges. “Looking at just the outside of letters and other mail, I can see who you bank with, who you communicate with — all kinds of useful information that gives investigators leads that they can then follow up on with a subpoena.”
But, he said: “It can be easily abused because it’s so easy to use and you don’t have to go through a judge to get the information. You just fill out a form.”
For mail cover requests, law enforcement agencies submit a letter to the Postal Service, which can grant or deny a request without judicial review. Law enforcement officials say the Postal Service rarely denies a request. In other government surveillance programs, like wiretaps, a federal judge must sign off on the requests.
The mail cover surveillance requests are granted for about 30 days, and can be extended for up to 120 days. There are two kinds of mail covers: those related to criminal activity and those requested to protect national security. Criminal activity requests average 15,000 to 20,000 per year, said law enforcement officials, who spoke on the condition of anonymity because they are prohibited by law from discussing them. The number of requests for antiterrorism mail covers has not been made public.
Law enforcement officials need warrants to open the mail, although President George W. Bush asserted in a signing statement in 2007 that the federal government had the authority to open mail without warrants in emergencies or in foreign intelligence cases.
Court challenges to mail covers have generally failed because judges have ruled that there is no reasonable expectation of privacy for information contained on the outside of a letter. Officials in both the Bush and Obama administrations, in fact, have used the mail-cover court rulings to justify the N.S.A.’s surveillance programs, saying the electronic monitoring amounts to the same thing as a mail cover. Congress briefly conducted hearings on mail cover programs in 1976, but has not revisited the issue.
The program has led to sporadic reports of abuse. In May 2012, Mary Rose Wilcox, a Maricopa County supervisor in Arizona, was awarded nearly $1 million by a federal judge after winning a lawsuit against Sheriff Joe Arpaio. The sheriff, known for his immigration raids, had obtained mail covers from the Postal Service to track her mail. The judge called the investigation into Ms. Wilcox politically motivated because she had been a frequent critic of Mr. Arpaio’s, objecting to what she considered the targeting of Hispanics in his immigration sweeps. The case is being appealed.
In the mid-1970s the Church Committee, a Senate panel that documented C.I.A. abuses, faulted a program created in the 1950s in New York that used mail covers to trace and sometimes open mail going to the Soviet Union from the United States.
A suit brought in 1973 by a high school student in New Jersey, whose letter to the Socialist Workers Party was traced by the F.B.I. as part of an investigation into the group, led to a rebuke from a federal judge.
Postal officials refused to discuss either mail covers or the Mail Isolation Control and Tracking program.
Mr. Pickering says he suspects that the F.B.I. requested the mail cover to monitor his mail because a former associate said the bureau had called with questions about him. Last month, he filed a lawsuit against the Postal Service, the F.B.I. and other agencies, saying they were improperly withholding information.
A spokeswoman for the F.B.I. in Buffalo declined to comment.
Mr. Pickering said that although he was arrested two dozen times for acts of civil disobedience and convicted of a handful of misdemeanors, he was never involved in the arson attacks the Earth Liberation Front carried out. He said he became tired of focusing only on environmental activism and moved back to Buffalo to finish college, open his bookstore, Burning Books, and start a family.
“I’m no terrorist,” he said. “I’m an activist.”
Mr. Pickering has written books sympathetic to the liberation front, but he said his political views and past association should not make him the target of a federal investigation. “I’m just a guy who runs a bookstore and has a wife and a kid,” he said.
July 3, 2013
An earlier version of this article misstated the Justice Department position once held by Mark Rasch. He started a computer crimes unit in the criminal division’s fraud section, but he was not the head of its computer crimes unit, which was created after his departure.
Source: New York Times
A two-minute SIM card hack could allow an intruder to listen to your phone calls, send text messages from your phone number and make mobile payments from your account. The vulnerability, discovered by a German security researcher, is present in an estimated 750 million SIM cards – around one in four of all SIM cards.
“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it …”
The vulnerability was discovered by Karsten Nohl, founder of Security Research Labs in Berlin – the man who, back in 2009, created a tool to break the GSM encryption, enabling anyone with a scanner and a laptop to listen in to cellphone calls. The system used to encrypt GSM calls was strengthened as a result of his work.
This new vulnerability relates to the encryption system used on SIM cards. Nohl found that by sending a fake carrier text message to a phone, in about 25 percent of cases the phone would reply with an error message that revealed the 56-bit security key for the SIM. A second text message, claiming to be a software update and accepted by the SIM because it used the encryption key, would then allow a virus to be installed, giving a hacker wide-ranging control over the phone.
The attack works only against SIM cards using an older encryption method known as Data Encryption Standard, or DES. More modern SIMs use stronger encryption methods, which cannot be hacked in the same way, but there’s no way to tell which system your SIM uses.
Nohl will report his findings in detail at the Black Hat security conference in August, but he has already provided details to mobile operators so that they can address the vulnerability. A spokesperson for the GSM Association said:
“We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted.”
We should find out at the conference whether or not this is the case …
Source: 9 To 5 Mac