Risk
6/28/2011
03:35 PM
50%
50%

Microsoft Wins Patent For Internet Spying Technology

The company has patented a method for intercepting Web-based communications so they can silently be recorded.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
Microsoft has been granted a patent for technology that acts as a wiretap of sorts for Internet communication, allowing governments or other law-enforcement authorities to record the data without detection.

Dubbed "Legal Intercept," using the technology means "data associated with a request to establish a communication is modified to cause the communication to be established via a path that includes a recording agent" that silently records the data, according to a filing with the U.S. Patent and Trademark Office.

In other words, the technology intercepts Internet communications data so it can be recorded for the purposes of reviewing it later by, presumably, government or law-enforcement officials.

"Sometimes, a government or one of its agencies may need to monitor communications between telephone users," Microsoft said in the filing, describing how a recording device can be placed at a central office to record communications over a traditional telephone network.

But with Voice over IP and other Internet-based communications, "the [conventional] model for recording communications does not work," according to Microsoft.

The company filed for the patent on Dec. 23, 2009, and patent number 20,110,153,809 for the technology was granted on June 23.

Microsoft declined to comment about if and how it plans to use the technology and if it plans to possibly sell it to the federal government, according to a spokesperson reached via email.

It's no secret the federal government is looking for better ways to legally intercept Internet communications, and that it feels hampered by the inadequate ways to do so at the moment.

FBI officials have complained at length about the "going dark" problem, which refers to their inability to intercept electronic communications in a timely and efficient fashion even when they have a warrant to do so.

Part of the problem is that companies that have access to the communications don't have the capability to access it and get it in the hands of officials quickly and efficiently.

It's unclear whether the technology Microsoft patented will help alleviate this problem, but as described in the patent fling, it certainly should make it easier to record Internet-based communications delivered via a variety of means--including Voice over Internet Protocol, smartphones, PCs, set-top boxes, and Internet-based gaming devices such as Microsoft's own Xbox.

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.