Sources that have spoken to the New York Times say electronic eavesdropping may have occurred on pipes that carry data between company servers.
Two of America’s leading Internet companies, both masters of innovation and security, have been beaten by a classic hack attack: when the front door is secured, go through the back.
Google and Yahoo no doubt spend millions on securing their servers from a variety of different attacks and exploits. Both companies have the occasional security breach, and there’s a huge incentive to stay one step ahead of cyber crooks trying to break into email accounts.
But keeping ahead of America’s electronic spy agency has proven particularly challenging.
For the most part Google and Yahoo don’t own the high-capacity fiber connections between their data centers around the world. They lease space from backbone providers like Verizon and Level 3 Communications.
One particular backbone provider has proven to be a weak point in security for Google and Yahoo. Sources that spoke to the New York Times say that the NSA bypassed the intricate security of these companies by tapping into the fiber-optic pipes of Level 3 Communications. This man-in-the-middle attack isn’t a particularly new method for the agency, which has been tapping into telegraph and phone lines using the same methodology for decades.
While Level 3 Communications won’t comment to the press about this, the Times noticed an interesting clause in a recent financial filing.
“It is our policy and our practice to comply with laws in every country where we operate, and to provide government agencies access to customer data only when we are compelled to do so by the laws in the country where the data is located. We are party to an agreement with the U.S. Departments of Homeland Security, Justice and Defense addressing the U.S. government’s national security and law enforcement concerns. This agreement imposes significant requirements on us related to information storage and management; traffic management; physical, logical and network security arrangements; personnel screening and training; and other matters.”
To be fair, the participation of Level 3 Communications is probably not voluntary. It’s been previously reported that U.S. authorities will often make licensing and regulatory processes difficult should communications companies not play along with requests for wiretapping capabilities.
Source: New York Times