Wednesday, January 9, 2008

Got Meat? Thoughts on the FBI Carnivore System

Some months ago, I downloaded from the EFF the Freedom of Information Act material relating to the DCS-3000 system. I spent a few days (evenings really) looking over the information and thought that I might provide my own insight into what I found.

For the record, I have no access to any sort of inside or classified material. If I did, it would be illegal and against my own code of ethics to use it - anything here can be found out on the internets. I do have some familiarity with the style of paperwork which makes up many of the most interesting parts of the information. NIST-based Site Security Plans are excruciating to do under any conditions, so my condolences to those people who had to put together that package...

The most up-to-date rundown of the design and operation of the DCS-3000 seems to be a Wired article from August 29, 2007. Besides that, the original documents (and a good many more interesting things!) can be found here. This entry is meant to augment the already published information rather than replace it, since they did such a nice job of describing the other details of the system.

Overall Design
The overall design of the system is actually a number of different systems which fulfill many different functions and suggest that the overall mission of the system has grown somewhat organically. Exercising my somewhat anemic graphic arts skills, I have put together a diagram of what I suspect things look like. This is a composite of various hints, diagrams and information from the various PDF files available. Please be kind as I have limited graphics skills... In addition to the boxes shown, there are also connections to the internal FBI network, storage components and the usual collection of infrastructure components.

One of the most interesting things I discovered is in the MultiVANGuard section, so if you are skimming take a look there.

A few details and notes follow - first some notes on each of the hardware and software components, then thoughts on the general security architecture of the system.

DCS-3000
This seems to be the general control system for interacting with the telco switches as well as the main interactive gateway to the other systems(?). There are two basic classes of wiretap. The first is the Call Data Channel (CDC), which is more of a pen-register style tap and records only call metadata. The second is the Call Content Channel (CCC), which records both call metadata and content.

Logins to this system, as well as to the others, happen through a set of IDs which include (at a minimum) DCSAdmin and ERFAdmin.

The following applications are described in the site security document:

Client: Users Guide 070207_dcs03.pdf
The DCS Client application is configured to collect data for Court-approved surveillance operations. The Client receives call related data from the DCS Server or MultiServer and packages it into target data files that are saved, forwarded, or printed. At times, the Client is used to reformat and export call related data for use in external databases. The Client cannot record call content. However, installing a Recorder Control Interface (RCI) card allows the Client to control standard recording devices, which record such audio.

Server: Users Guide 070207_dcs04.pdf
What follows is a breakdown of the options described in the server section of the user documentation, with a few notes where it might be interesting. The server is designed to operate on a single recording event.
  • Using the DCS Server
  • Working in the Server Window
  • Configuring the Server
  • Configuring the Client
  • Configuring the VSELP Decoder
    From Wikipedia: Vector Sum Excited Linear Prediction (VSELP) is a speech coding method used in the IS-54 standard. This codec was used in early TDMA cell phones in the United States. It was also used in the first version of RealAudio for audio over the Internet. The IS-54 VSELP standard was published by the Telecommunications Industry Association in 1989.
  • Establishing a Connection
  • Monitoring Activity
  • Storing Target Data Files
  • Shutting Down the DCS Server
MultiServer
See above and below for details.

VANGuard
See below. 'MultiFOO' is just 'FOO' designed to handle multiple source data instances at once.

MultiVANGuard
Notes on MultiVANGuard (this might be a red herring) come from penlink.com, a company that specializes in communication interception and analysis. Regardless, this shows that the technology existed as of 03/02/2007 for Skype interception, which is interesting in and of itself.

A snippet from the page includes:
Updated ETSI 101 671, et al.  Add support for Ericsson specific ASN.1 messages.
Updated GISH by adding support for SMS messages containing commas.
Updated GIS Mapping for calls and cell tower records to add a button to allow user to toggle transparency of cell tower sectors.
* Phone Company Autoload : Added Skype.
* Phone Company Autoload : Added Snake River PCS.
* Phone Company Autoload : Removed both Sprint Spectrum options.

* Phone Company Autoload : Removed VoiceBox (delimited) [old format, no column indicators].
* Phone Company Autoload : Updated Alltel Tolls.
* Phone Company Autoload : Updated Bell South CSV.
* Phone Company Autoload : Updated Bell South Trap and Trace.

* Phone Company Autoload : Updated Centennial Wireless.
* Phone Company Autoload : Updated Cricket CSV.
* Phone Company Autoload : Updated Dobson Communications.
* Phone Company Autoload : Updated Generic Multi-format [Windstream text format, Alltel PDF, Edge Wireless, Cingular PDF].

* Phone Company Autoload : Updated MCI Business Gold.
* Phone Company Autoload : Updated Nextel CSV.
* Phone Company Autoload : Updated Qwest CSV.
* Phone Company Autoload : Updated SBC Trap File.

* Phone Company Autoload : Updated T-Mobile Prepaid.
* Phone Company Autoload : Updated TeleSur [Suriname Telco].
* Phone Company Autoload : Updated Unicel.
* Phone Company Autoload : Updated Verizon Wireless.

* Phone Company Autoload : Updated VoiceBox Session Detail.
* Phone Company Autoload : Updated Vonage.
And so much more. I suspect that this represents more or less the cutting edge in current communication decoding technology. The whole list is quite interesting to look over.

DCS-5000
This is the system designed to handle FISA-related activity, so it operates at a higher security level than the DCS-3000 to which it is connected. Naturally there is not all that much information on this system in the documentation. Reason suggests that there is not much in the way of technical differences between the software on the 5000 and the 3000, but really I have no idea. The main difference between the two systems' function is the sensitivity of the information that is being looked at. The CI 100 has the interesting job of segregating the lower-classified DCS-3000 from its higher-classified neighbor while still allowing for information flow. More on it below.

DCS-6000
This system is used for Title III style, full content (i.e. CCC) wiretap orders. As with the DCS-5000, the data accessible from the DCS-3000 is also accessible from the DCS-6000.

Pix Firewall
Since the DCS-3000 and DCS-6000 exist at the same security clearance level, there is no need for anything more complicated than a classical firewall to be placed between them. I suspect a more detailed reading of the SSP for the 3000 system would yield a listing of the Windows-based services which are required, but that is not what I am looking for here.

CI 100 (link to base document)
This system is designed to be an information-level firewall which sits between the higher-security DCS-5000 and the less paranoid 3000. There is a whole chapter in the users guide on this pair of Windows-based Dell servers.

From p.20:
The CI-100 acts as a controlled interface security device connecting an unclassified system (Low side) with a confidential or secret system (i.e., High side). The connection between the two security domains is accomplished by a "one-way transfer" (OWT) through the use of a modified RS-232 serial cable or fiber optic cable. The modified cable permits information to travel from the low side to the high side and eliminates the possibility of the high system from passing data to the low. This is accomplished by converting the data packets from TCP/IP to serial or UDP, both connectionless protocols. The data is pushed from the low side and across the OWT cable to the high system. Once on the classified system, the information is converted back to TCP/IP and sent out to the classified network.
There is quite a bit more, but at heart the system is an information-flow firewall (a one-way transfer, or data diode) running on a Windows box. Really quite cool...
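The one-way transfer described above has a consequence worth spelling out: once TCP is stripped off and the data is pushed over a link with no return path, the high side can never acknowledge or request a retransmission, so loss and corruption have to be detected by the frames themselves. The following is an added, illustrative model of such a link (written for this post, not the CI-100's own software; the frame layout, the `OWT1` tag and the simulated cable are assumptions, and the source documents do not describe the real wire format). The low side chunks a byte stream into numbered, CRC-checked datagrams and appends an empty trailer frame whose sequence number tells the high side how many data frames to expect; the high side reassembles, drops duplicates and bad frames, and reports gaps. Sending each frame more than once is the only loss mitigation available when nothing can come back.

```python
"""Toy model of a one-way transfer (OWT) link: low side -> cable -> high side.
Illustrative only; the header format and cable are constructed for this example."""
import struct
import zlib

MAGIC = b"OWT1"                    # constructed frame tag, assumed for this example
HEADER = struct.Struct("!4sIHI")    # magic, sequence number, payload length, CRC32 of payload
MAX_PAYLOAD = 1024                  # bytes of stream data per datagram (assumed)


def low_side_frames(stream: bytes, redundancy: int = 1) -> list:
    """Low side: split a TCP byte stream into self-describing datagrams.
    The final frame has an empty payload; its sequence number equals the number
    of data frames, so the high side can tell where the stream was meant to end.
    redundancy > 1 repeats every frame, the only defence against loss without ACKs."""
    chunks = [stream[i:i + MAX_PAYLOAD] for i in range(0, len(stream), MAX_PAYLOAD)]
    chunks.append(b"")              # end-of-stream trailer
    frames = []
    for seq, chunk in enumerate(chunks):
        header = HEADER.pack(MAGIC, seq, len(chunk), zlib.crc32(chunk))
        frames.extend([header + chunk] * redundancy)
    return frames


def parse_frame(datagram: bytes):
    """Return (seq, payload), or None if the frame is malformed or fails its CRC."""
    if len(datagram) < HEADER.size:
        return None
    magic, seq, length, crc = HEADER.unpack_from(datagram)
    payload = datagram[HEADER.size:]
    if magic != MAGIC or len(payload) != length or zlib.crc32(payload) != crc:
        return None
    return seq, payload


def high_side_reassemble(datagrams) -> dict:
    """High side: accept frames in any order, ignore duplicates and corrupt
    frames, and report which sequence numbers never arrived. If the trailer is
    lost the receiver cannot know whether the tail of the stream is missing."""
    received, rejected, end_seq = {}, 0, None
    for dg in datagrams:
        parsed = parse_frame(dg)
        if parsed is None:
            rejected += 1
            continue
        seq, payload = parsed
        if payload == b"":
            end_seq = seq
        else:
            received.setdefault(seq, payload)   # first good copy wins
    if end_seq is not None:
        expected = range(end_seq)
    else:                                       # trailer lost: best effort only
        expected = range(max(received) + 1) if received else range(0)
    missing = [s for s in expected if s not in received]
    data = b"".join(received[s] for s in expected if s in received)
    return {"data": data, "missing": missing, "rejected": rejected,
            "end_seen": end_seq is not None}


def lossy_cable(frames, drop_indices=(), corrupt_indices=()):
    """Constructed stand-in for the OWT cable: drop selected frames outright and
    flip the last byte of others, as a noisy serial link might."""
    out = []
    for i, frame in enumerate(frames):
        if i in drop_indices:
            continue
        if i in corrupt_indices:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
        out.append(frame)
    return out


if __name__ == "__main__":
    # Constructed sample stream: 2560 bytes -> 3 data frames + 1 trailer.
    sample = bytes(range(256)) * 10
    clean = high_side_reassemble(low_side_frames(sample))
    print("clean link:", clean["data"] == sample, clean["missing"])
    damaged = high_side_reassemble(lossy_cable(low_side_frames(sample), drop_indices={1}))
    print("frame 1 dropped, gap reported:", damaged["missing"])
    doubled = high_side_reassemble(lossy_cable(low_side_frames(sample, redundancy=2), drop_indices={2}))
    print("redundancy 2, one copy dropped:", doubled["data"] == sample)
```

The interesting case is the lost trailer: with `end_seen` False the high side reassembles whatever it has and cannot distinguish a complete stream from a truncated one, which is why real one-way designs pair the link with out-of-band reconciliation (hash manifests, periodic counts) rather than trusting the stream alone.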

Cisco 2610
This system is referenced in the training manual, and I suspect it is just used for general interaction with the other, non-DOJ telco equipment. Any details were redacted.

JSI-3084 (link to base document)
This is an interesting bit of equipment. Since all the useful diagrams are blocked out, I had to infer the existence of this system from the system security architecture diagram, figure 3 of attachment B in the April 28, 2006 Site Security Plan for the DCS 3000, where it is listed as a separate accreditation device.

Not really sure exactly what this system does, but it may be a legacy pen register device (that is just a guess based on a table of system descriptions).

Notes:
The most surprising thing was the presence of two system-level accounts without any strong password controls. Based on a description of running services, Kerberos may be available, which would be quite useful for user-level authentication (with the usual access control attached to each account).

Access to the account information is assigned on a "need to know" basis, which is always a little suspicious. There is no way to confirm that any of the passwords are different. There were other interesting things in the POEMS (basically a list of things that the auditing agency found wrong which need to get fixed). There were quite a few scary things, like portable drives being plugged in and no anti-virus software installed.

That's it - there are hundreds of pages which can probably yield even more interesting results, but I really don't have the time. If anybody actually reads this and wants to know more, please leave a comment and I can add whatever you would like to see.

3 comments:

Spiros said...

Obviously, I have no idea what any of this means; being an utter and total Luddite, this all reeks of Black Magic to me. Howsobeit, I am intrigued by the term "kerberos", as distinguished from the more usual, Latinate "cerberus". Was "cerberus" previously appropriated for some other arcane network security function?
Also, I love the phrase "all details were redacted".

set.element said...

Indeed - 'cerberus' has been used for a number of projects. I could tell you more, but I might get redacted...

Sorry about the shameless technical content. My muse can be something of a dork.

cheers

s.e

Spiros said...

No apologies necessary, or even accepted; follow your bliss.