
Last bastion of trust falls

Written by Richard Stiennon, Contributor

IT security practices have always been dominated by trust, often myopically. Specialized applications are still deployed with the assumption that end users, be they customers, contractors, or employees, would not attempt to abuse that trust. LexisNexis fell victim to this trust, as did ChoicePoint, when they assumed paying customers would not actually have criminal designs on their data.

Last week I pointed out that our most trusted employees, database analysts, could have base motives as well. This misplaced trust is slowly succumbing to a trust-but-verify model where strict access controls and monitoring are used to minimize the internal threat.

Another layer of trust has recently been demonstrated to be dangerous. That is the trust in our communication infrastructure, in particular: voice. Obviously, any law enforcement agency can use legal means to tap a phone switch and record conversations if they have jumped through the right legal hoops. But what about an internal employee of the phone company? Can they program the phone switches to tap into our conversations? Would they do this?

Apparently so. In 2005 it came to light that a major breach in security had occurred and over one hundred phones of government officials, activists, and US embassy personnel had been tapped into and possibly all of their phone conversations recorded. Just imagine the rich fodder available to an extortionist or political operative who had access to those conversations!

There is now an entertaining article available at IEEE that details how this hack was achieved. It is one of the most sophisticated attacks that has ever been detailed to this extent. Over 6,500 lines of code were inserted into various modules that ran the Ericsson switches owned and operated by Vodafone Greece. To me it has all the hallmarks of an insider job. The hackers were experts in switches, knew how to cover their tracks, and quickly ran when they detected signs of being discovered. The fact that an employee was found hanged in his apartment soon after the discovery of the hack is probably relevant as well.

“A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.”

The code used the modules that Ericsson ships with every switch, which allow phone conversations to be tapped and split off to other phones. So, in this case the hackers were able to remotely monitor all the calls made by their targets and to cover their tracks. And oh, by the way, Ericsson switch software is developed in ... Greece!

It is too bad, but Vodafone opted to shut down the hack before they called in law enforcement, thus ruining any chance of tracking down the culprits. This is one of the most egregious instances of failed computer emergency response activity ever.

If you are responsible for internal security at your organization, read this article. Then think about how you could avoid this level of sophistication in an attack. If you work at a phone company, think about beefing up your monitoring of suspicious activity beyond just accounting. In the meantime, the rest of us can begin to worry that our conversations are being listened in on. Skype, anyone?
