Archive for the ‘hacker’ Category
Here’s the list of talks that Gareth Williams might have attended at BlackHat 2010. The slides are here. I wonder if he got the “I’m the Fed” t-shirt?
Well, speak of the devil. Peter Foster makes his appearance in the Murdoch scandal and fingers the Sun directly.
He said he then received an email from a Dublin-based private investigator calling himself ”Autarch”, who told Mr Foster he tapped into his mother’s phone in December 2002.
That month, The Sun published the ”Foster tapes”, which featured transcripts of Mr Foster talking about selling the story of his links with Tony Blair’s wife, Cherie. Yesterday, Mr Foster said he had since had a Skype conversation with the investigator in Dublin, in which Autarch described how he tapped into Mr Foster’s mother’s phone.
”He said she was using an analogue telephone which they were able to intercept,” Mr Foster said. Autarch said he discussed the hacking with Sun journalists.
However, this story – at least this version of it – probably isn’t true. It is true that the first-generation analogue mobile phone systems like TACS in the UK and AMPS in the States were unencrypted over the air, and therefore could be trivially intercepted using a scanner. (They were also frequency-division duplex, so you needed to monitor two frequencies at once in order to capture both parties to the call.) It is also true that they were displaced by GSM very quickly indeed, compared to the length of time it is expected to take for the GSM networks to be replaced. In the UK, the last TACS network (O2′s) shut down in December 2000. It took a while longer in the Republic of Ireland, but it was all over by the end of 2001.
So Foster is bullshitting…which wouldn’t be a surprise. Or is he? TACS wasn’t the only analogue system out there. There were also a lot of cordless phones about using a different radio standard. Even the more modern DECT phones are notorious for generating masses of radio noise in the 2.4GHz band where your WiFi lives. It may well be the case that “Autarch” was referring to an analogue cordless phone. Because a lot of these were installed by individual people who bought them off the shelf, there was no guarantee that they would be replaced with newer devices. (Readers of Richard Aldrich’s history of GCHQ will note that his take on the “Squidgygate” tape is that it was probably a cordless intercept.)
This would have required a measure of physical surveillance, but then again so would an attempt to intercept mobile traffic over-the-air as opposed to interfering with voicemail or the lawful intercept system.
The Daily Beast has a further story, which points out that the then editor David Yelland apologised after being censured by the Press Complaints Commission (no wonder he didn’t go further in the Murdoch empire) and makes the point that such an interception was a crime in both the UK and Ireland at the time. They also quote Foster as follows:
According to Foster, the investigator told him that, for four days at the height of Cheriegate, he had been sitting with another detective outside Foster’s mother’s flat in the Dublin suburbs, intercepting and recording the calls to her cordless landline
The Sun hardly made any effort to conceal this – they published what purports to be a transcript, as such.
The fact that a majority of this year’s graduates from USAF basic pilot training are assigned to drone squadrons has got quite a bit of play in the blogosphere. Here, via Jamie Kenny, John Robb (who may still be burying money for fear of Obama or may not) argues that the reason they still do an initial flight training course is so that the pilot-heavy USAF hierarchy can maintain its hold on the institution. He instead wants to recruit South Korean gamers, in his usual faintly trendy dad way. Jamie adds the snark and suggests setting up a call centre in Salford.
On the other hand, before Christmas, the Iranians caught an RQ-170 intelligence/reconnaissance drone. Although the RQ-170 is reportedly meant to be at least partly stealthy, numerous reports suggest that the CIA was using it among other things to get live video of suspected nuclear sites. This seems to be a very common use case for drones, which usually have a long endurance in the air and can be risked remaining over the target for hours on end, if the surveillance doesn’t have to be covert.
Obviously, live video means that a radio transmitter has to be active 100% of the time. It’s also been reported that one of the RQ-170′s main sensors is a synthetic-aperture radar. Just as obviously, using radar involves transmitting lots of radio energy.
It is possible to make a radio transmitter less obvious, for example by saving up information and sending it in infrequent bursts, and by making the transmissions as directional as possible, which also requires less power and reduces the zone in which it is possible to detect the transmission. However, the nature of the message governs its form. Live video can’t be burst-transmitted because it wouldn’t be live. Similarly, real-time control signalling for the drone itself has to be instant, although engineering telemetry and the like could be saved and sent later, or only sent on request. And the need to keep a directional antenna pointing precisely at the satellite sets limits on the drone’s manoeuvring. None of this really works for a mapping radar, though, which by definition needs to sweep a radio beam across its field of view.
Even if it was difficult to acquire it on radar, then, it would have been very possible to detect and track the RQ-170 passively, by listening to its radio emissions. And it would have been much easier to get a radar detection with the advantage of knowing where to look.
There has been a lot of speculation about how they then attacked it. The most likely scenario suggests that they jammed the command link, forcing the drone to follow a pre-programmed routine for what to do if the link is lost. It might, for example, be required to circle a given location and wait for instructions, or even to set a course for somewhere near home, hold, and wait for the ground station to acquire them in line-of-sight mode.
Either way, it would use GPS to find its way, and it seems likely that the Iranians broadcast a fake GPS signal for it. Clive “Scary Commenter” Robinson explains how to go about spoofing GPS in some detail in Bruce Schneier’s comments, and points out that the hardware involved is cheap and available.
Although the military version would require you to break the encryption in order to prepare your own GPS signal, it’s possible that the Iranians either jammed it and forced the drone to fall back on the civilian GPS signal, and spoofed that, or else picked up the real signal at the location they wanted to spoof and re-broadcast it somewhere else, an attack known as “meaconing” during the second world war when the RAF Y-Service did it to German radio navigation. We would now call it a replay attack with a fairly small time window. (In fact, it’s still called meaconing.) Because GPS is based on timing, there would be a limit to how far off course they could put it this way without either producing impossible data or messages that failed the crypto validation, but this is a question of degree.
It’s been suggested that Russian hackers have a valid exploit of the RSA cipher, although the credibility of this suggestion is unknown.
The last link is from Charlie Stross, who basically outlined a conceptual GPS-spoofing attack in my old Enetation comments back in 2006, as a way of subverting Alistair Darling’s national road-pricing scheme.
Anyway, whether they cracked the RSA key or forced a roll-back to the cleartext GPS signal or replayed the real GPS signal from somewhere else, I think we can all agree it was a pretty neat trick. But what is the upshot? In the next post, I’m going to have a go at that…
OK, so “Not All That” Foxy Liam Fox is in trouble.
“He is an odd bloke,” said one fellow minister. “He has fingers in so many pies that you kind of think one of them will land him in trouble somewhere along the line.”
Another Tory MP said Fox’s tendency to name-drop and brag about his close friendships with Republicans in the US, media magnates such as David and Frederick Barclay (owners of the Daily Telegraph), and his endless globe-trotting, even before he entered the cabinet, has made many bristle and help explain why he has plenty of enemies in the Tory party and in Whitehall. “I think you either roll with the bluster or find it repellent,” said a Tory MP.
Ah, one of them. Anyway. Part of the problem is this famous meeting where his bestie Adam Werritty just happened to turn up. What was on offer? Well, a product called Cellcrypt, whose makers were trying to sell it to the MoD to stop evilly-disposed persons from eavesdropping on British soldiers’ phone calls back to the UK. (Note: this is going to be long. Technical summary: voice encryption apps for GSM-style mobile networks can guarantee that your call will not be overheard, but not that your presence cannot be monitored, and not necessarily that the parties to your calls cannot be identified.)
Back in the early days of Iraq, the CPA permitted one mobile phone operator in each of its three zones to set up. The British zone, CPA-South/Multinational Division South-East, let the Kuwaiti national telco, MTC (now Zain and busy running Mo Ibrahim’s old Celtel business into the ground) set up there with a partner some of us may have heard of. It’s from Newbury and it’s not a pub or an estate agency and its logo is a big red comma…funny how Vodafone never talked that particular investment up, innit? Anyway. Later the Iraqi government did a major tender for permanent licences and Orascom got most of it, but that’s another story.
One thing that did happen was that soldiers took their mobiles with them to Iraq, and some of them pretty soon realised that buying a local SIM card in the bazaar was much cheaper than making roaming calls back to the UK. Either way, lots of +44 numbers started showing up in their VLR, the big database that keeps track of where phones are in a GSM network so it can route incoming calls.
Pretty soon someone who – presumably – worked for the MTC-Voda affiliate and whose purposes were not entirely aligned with Iraq The Model realised that you could use the VLR to follow the Brits (and the Yanks and the Danes and the Dutchmen and Kiwis and all sorts of contractors) around. Not only that, you could ring up their families in the UK and make threats with the benefit of apparently supernatural knowledge.
This obviously wasn’t ideal. Efforts were made to mitigate the problem; soldiers were discouraged from using local GSM networks, more computers and public phones were made available. The eventual solution, though, was to get some nice new ruggedised small-cell systems from companies like Private Mobile Networks Ltd., which basically pack a small base station and a base station controller and a satellite backhaul terminal into a tough plastic box of a suitably military colour. You open it up, unfold the antenna, turn on the power, and complete some configuration options. It logs into the mobile operator who’s providing service to you via the satellite link.
Now, because radio signals like all radiation lose intensity with the inverse square of the distance, you’ll be vastly louder than everyone else. So any mobile phone nearby will roam onto your private mobile network and will be in the UK for mobile phone purposes, a bit like the shipping container that’s technically in Egypt at the end of Four Lions. And none of this will touch any other mobile network that might be operating in your area. Obviously you can also use these powers for evil, by snarfing up everyone else’s traffic, and don’t for a moment think this isn’t also done by so-called IMSI catchers.
You’re not meant to do this, normally, because you probably don’t have a licence to use the GSM, GSM/PCS, or UMTS frequencies. But, as the founder of PMN Ltd. told a colleague of mine, the answer to that is “we’ve got bigger tanks”.
So, where were we? Well, the problem with trying to do…something…with Cellcrypt is that it doesn’t actually solve this problem, because the problem wasn’t originally that the other side could listen to the content of voice calls. Like all telecoms interception stories, it was about the traffic analysis, not the content. Actually, they probably could listen in as well because some of the Iraqi and Afghan operators may not have been using up-to-date or even *any* air interface encryption.
But if you’re going to fix this with an encryption app like Cellcrypt, you’ve got to make sure that every soldier (and sailor and diplomat and journo and MoD civilian) installs it, it works on all the phones, and you absolutely can’t make calls without it. Also, you’ve got to make sure all the people they talk to install it.
And the enemy can still follow you because the phones are still registering in the VLRs!
So, there’s not much point relying on OTA voice encryption to solve a problem that’s got nothing to do with the voice bearer channel. However, bringing your own small cell network certainly does solve the problem, elegantly, and without needing to worry about what kind of phones people bring along or buy locally.
And the military surely understand this, as by the time of the famous meeting, they’d already started deploying them. Also, back when this was a big problem, 19 year-old riflemen usually didn’t have the sort of phones that would run a big hefty application like Cellcrypt, which also uses the mobile data link and therefore would give them four figure phone bills.
To sum up, Werritty was helping someone market gear that the MoD didn’t need, that was hopelessly unfit for purpose, wouldn’t actually do what the MoD wanted, and would cost individual soldiers a fortune, by providing privileged access to the Secretary of State for Defence.
The Obscurer has possibly the first intelligent article on the whole “turn off their Facebook! that’ll learn em!” furore. Notably, they interviewed one-man UK mobile industry institution Mike Short. Go, read, and up your clue. I especially liked that the piece provided some facts about the 7th July 2005 terrorist incident and the mobile networks.
There is only one reported case of a UK network being closed by police. During the 7/7 London suicide bombings, O2 phone masts in a 1km square area around Aldgate tube station were disconnected for a number of hours.
Police have an emergency power to order masts to be put out of action known as MTPAS – Mobile Telecommunication Privileged Access Scheme. The move has to be approved by Gold Command, by the officers in highest authority during a major incident, and is designed to restrict all but emergency service phones with registered sim cards from making calls. But a shutdown can have dangerous knock-on effects. Short says that phones within the Aldgate zone automatically sought a signal from live masts outside it, overloading them and causing a network failure that rippled out “like a whirlpool”.
On the day, other networks were simply overloaded as Londoners sought reassurance and information. Vodafone alone experienced a 250% increase in call volumes
MTPAS is the GSM-land equivalent of the old fixed phone Telephone Preference Scheme (not to be confused with the new one that blocks cold-callers), which permitted The Authorities to turn off between 1% and 90% of phone lines in order to let official traffic through. As far as I know, the Met never asked for it and it was City of London Police who initiated it without asking the Met or anyone else, and in fact O2 UK’s network had been keeping up with demand up to that point, before the closure caused the cascade failure Short describes.
The significance of O2 is that it used to be “Surf the Net, Surf the BT Cellnet” and some residual gaullist/spook reflex in the government tried to keep official phones on what was then one of two British-owned networks.
Anyway, this weekend seems to have the theme “The Intersection of Charlie Stross and the August 2011 Riots”. Charlie’s talk at USENIX is sensibly sceptical about some tech dreams as they apply to networking.
This leaves aside a third model, that of peer to peer mesh networks with no actual cellcos as such – just lots of folks with cheap routers. I’m going to provisionally assume that this one is hopelessly utopian, a GNU vision of telecommunications that can’t actually work on a large scale because the routing topology of such a network is going to be nightmarish unless there are some fat fibre optic cables somewhere in the picture. It’s kind of a shame – I’d love to see a future where no corporate behemoths have a choke hold on the internet – but humans aren’t evenly distributed geographically.
Especially as the theoretical maximum bandwidth of one fibre is about the same as the entire radio spectrum. And the point about routing table size and complexity is a very good one, especially as it’s assumed that the routers aren’t CRS-1s but rather Linksys fifty quidders or mobile phones.
However, one thing the liberation technologists should take away from the riots is that you shouldn’t get hung up on bandwidth. It’s great to be able to post the photos on Flickr, but it’s more useful to have your own secure voice and messaging. When the Egyptian government relented on its GSM cut-off, the Egyptian Twitter feeds lit up with calls for more people to this or that exit of Tahrir Square or medical supplies to the clinic or (and I remember this) that a lost child was waiting at the press tent.
It was what NANOG users would call operational content. There was of course no need whatsoever for it to go via a Bay Area website – all Twitter provided was the one-to-many element, very important, and the publicity on the Web. The latter is a nice-to-have feature, the former, critical. Text, or even voice, is not a high bandwidth application and doesn’t necessarily need access to the global Internet.
So yes – perhaps there is in fact quite a bit of angular momentum to be had in a mobile mesh-WLAN client as an instrument of democracy, as long as you’re willing to accept that it’s not the sort of thing that can be exclusive to people who agree with you. But then, that’s the test of whether or not you actually believe in democracy.
Something else, between Charlie’s USENIX talk and the riots. Isn’t one of the biggest disappointments, from a police point of view, the performance of CCTV? No doubt it will help put some of the rioters in jail. But it didn’t prevent the riots and neither did it seem to help quell them much. It’s possible that the whole idea that potential surveillance (like the original panopticon) is a policing influence isn’t as strong as it’s made out to be.
Another point; not all crimes are punished or even taken notice of. This is obvious. Less obvious is that the degree to which the police ignore crime is an important political fact. Is it possible that CCTV, by forcing them to make at least a token response to everything that passes in camera range, actually contributed to using up the police strength? In a riot, the police aim is to demonstrate public, mass control. They are usually willing to ignore quite a lot of individual criminality in the process. It’s possible that surveillance culture and technology are opposed to strategy.
Am I right in thinking that Andy Hayman’s testimony yesterday fingered Met press chief Dick Fedorcio? Hayman admitted he’d regularly had dinner with News International executives while he was meant to be investigating them. He mentioned that he had done this in the company of the head of communications of the Met, presumably with his approval, although Hayman was also acting in his capacity as ACPO media lead.
Fedorcio has had the same job since 1997. He was named by Nick Davies as having been present in the meeting where the Met demanded to know why Dave Cook was being followed by News International private detectives, and apparently intervened with senior police officers to get them to go easy on NI. Surely the guy in charge of police-press-political relations is a key figure in a scandal that’s all about relations between the press, the police, and politics?
Like the key News International men, Alex Marunchak and Greg Miskiw, there’s no sign of him. The Home Affairs committee, and indeed anyone else who wants the truth about this, must call Fedorcio without delay. Oh, and is Greg Miskiw in the UK?
Second point. Yesterday’s New York Times claims that Miskiw and others on the NOTW were able to locate mobile phones by paying £500 a shot to a corrupt police officer. That is to say, this policeman had access to the lawful intercept systems that are part of all GSM and UMTS cellular networks, or at least he could task people who did. ETSI Specification 01.33 defines this as a standard element of all GSM networks and the corresponding 3GPP TS 33.106 does so for UMTS ones.
If this is so, they could certainly also get pen-register information – lists of calls to and from given phone numbers – and even tap the calls themselves.
This is a massive violation of the UK’s critical national infrastructure security, of the Regulation of Investigatory Powers Act, and of the Data Protection Act. News International, their police contact, and the police force responsible (not necessarily the Met) should all be prosecuted.
There is an urgent need to audit the lawful interception systems’ logs, among other things to find out if there are other unauthorised users out there. International standards foresee a detailed audit trail as part of these systems in order to preserve the legal chain-of-evidence. If the Interception Request message was submitted in proper form from the police to the telcos, the operators are legally in the clear, but if I was in charge of their network security I’d suspend processing the requests until such an audit was carried out as we now know that an unknown but significant percentage of them are illegal.
Thank fuck we didn’t build that giant national ID card database.
Third point. Not that anyone will answer this, but were any of the Prime Minister’s designated deputies for nuclear retaliation subject to illegal telecoms surveillance?
Fourth point. Circling back to the Defence Vetting Agency and Andy Coulson, the vetting procedure as described on the DVA Web site states that in some cases, the decision may be taken to issue a security clearance subject to risk management measures taken by the department involved. In these cases, the DVA will disclose information to the sponsoring department that it would usually keep confidential. Did they make such a recommendation to the Prime Minister’s office, and if so, what was the information?
The Libyan rebels are making progress, as well as robots. Some of them are reported to be within 40 miles of Tripoli, those being the ones who the French have been secretly arming, including with a number of light tanks. Now that’s what I call protecting civilians.
They are also about to take over the GSM network in western Libya like they did in the east. How do I know? I’m subscribed to the Telecom Tigers group on LinkedIn and so I get job adverts like these two.
ZTE BSC Job: URGENT send cv at [e-mail] for the job position or fw to your friends : Expert Telecom Engineer ZTE BSC.Location:Lybia,Western Area,1300USD/day,start immediate
URGENT send cv at [e-mail] for the job position or fw to your friends : ERICSSON MGW/BSS/BSC 2G/RAN Implementation Senior Expert Engineer.Location:Lybia,Gherian,Western Mountains,1300-1500 USD/day
In fact, one of the ads explicitly says that the job is in the rebel zone and the other is clear enough. What the rebels are planning to do is clear from the job descriptions:
must be able to install a ZTE latest generation BSC – platform to be integrated with 3rd party switching platform,solid knowledge of ZTE BSC build out and commissioning to connect up to 200 existing 2G/3G sites
To put it another way, they want to unhook the existing BTSs – the base stations – from Libyana and link them to a core system of their own, and in order to do this they need to install some Chinese-made Base Station Controllers (BSCs – the intermediary between the radio base stations and the central SS7 switch in GSM).
Here’s the blurb for the Ericsson post:
Responsible for commissioning and integrating an Ericsson 2G BSS network (2048-TRX Ericsson BSC plus Ericsson BTSs) in a multi-vendor environment. Will be responsible for taking the lead and ownership of all BSS commissioning and integration, leading the local team of BSS engineers, and managing the team through to completion of integration.
Experience of Ericsson MGW implementation, and integration of MGW with BSS, is highly desirable. Experience of optical transmission over A-interface.
Compilation, creation and coordination of BSC Datafill. This will include creating, generating, seeking and gathering of all Datafill components (Transport, RF Frequencies, neighbor relations, handovers, Switch parameters, ABIS mapping, etc.) based on experience and from examination of existing network configuration and data. Loading of Datafill into the BSC to facilitate BTS integration.
Working with the MSC specialists to integrate the BSC with the MSC. Providing integration support to BTS field teams; providing configuration and commissioning support to the BSC field team.
So they’ve got some Ericsson BSCs, the base stations are Ericsson too, and an MSC (Mobile Switching Centre, the core voice switch) has been found from somewhere – interesting that they don’t say who made it. That’ll be the “3rd party switching platform” referred to in the first job. They’re doing VoIP at some point, though, because they need a media gateway (MGW) to translate between traditional SS7 and SIP. They need engineers to integrate it all and to work out what the various configurations should be by studying what Gadhafi’s guys left. (It’s actually fairly typical that a mobile network consists of four or so different manufacturers’ kit, which keeps a lot of people in pies dealing with the inevitable implementation quirks.)
The successful candidate will also have some soft skills, too:
Willing to work flexible hours, excellent interpersonal skills and the ability to work under pressure in a challenging, diverse and dynamic environment with a variety of people and cultures.
You can say that again. Apparently, security is provided for anyone who’s up for the rate, which doesn’t include full board and expenses, also promised.
They already have at least one candidate.