Schneier on Security
A blog covering security and security technology.
« Terrorists, Data Mining, and the Base Rate Fallacy |
| Unreliable Programming »
July 10, 2006
Greek Wiretapping Scandal: Perpetrators' Names
According to The Guardian:
Five senior Vodafone technicians have been accused of being the operational masterminds of an elaborate eavesdropping scandal enveloping the mobile phone giant's Greek subsidiary.
The employees, named in a report released last week by Greece's independent telecoms watchdog, ADAE, allegedly installed spy software into Vodafone's central systems.
Still no word on who the technicians were working for.
I've written about this scandal before: here, here, and most recently here.
Posted on July 10, 2006 at 1:28 PM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This reminds me of the Crypto AG story. In the 80s (or was it the 70s), the NSA managed to get a back door inserted into Crypto AG's encryption hardware; Libya was a big customer, so they could read all of the Libyan government's "secure" communications.
Maybe the US spooks are still at it, bribing employees of foreign telecom companies to bug their equipment. Or maybe it's the Turks, or just domestic crooks.
"The apparent suicide of its network planning manager, Kostas Tsalikides, a day after the discovery of the devices ..."
To acquire the services of an insider, bribery and/or blackmail is sometime used. Typically, somenbody is offered a small bribe to do something harmless looking but clearly a breach of trust. Once an employee has been trapped by the possibility of exposure for their breach of trust, then the employee can be blackmailed into doing an attacker's bidding. I believe this sort of thing has been seen before in the banking industry. It is the classic way to gain leverage over insiders. I feel sorry for Kostas Tsalikides. I have no doubt he was trapped in a situation where he had to choose between personal disgrace or doing the NSA'a bidding and hoping it all faded away.
When "big boys" like NSA, organized crime etc do this it is always the small people who get hurt
All in all there does not appear to be anything new "technically" in the press release. Interestingly they name some of the WASP countries who are part of the UKUSA ComInt pact as being destination countries (I see smoke obscuring a mirror or three ;).
More importantly it does not indicate if those named are "Squirels" or "Goats" or indicate who the "Directing Mind" was/is.
It might well be the case that there is one very senior prinicpal within the organisation who simply issued orders down to selected subordinate staff. As was once pointed out to me many years ago,
"The chain of command like any chain is easily broken by breaking one weak link"
Unfortunatly for investigators it is likewise difficult to work back up the chain from physical evicence to the "directing mind" when the chain is broken.
I get the feeling that the final outcome of this, is in reality going to be inconclusive, and will just fade away once the sacrificial goats have been slaughtered.
One thing I have not seen mentioned anywhere is "billing information", telcos are fairly hot on knowing exactly who/when utilised their resources and to where the bill should be sent.
Probably the hardest part of keeping this sort of thing covered up would be aranging either payment, or suppressing the billing system from registering the outbound calls...
You would need to either find somebody sufficiently senior in the Telco to sign off on the costs and be able to get the "upgrade" software installed (which puts them up with the eagles). Or a number of people at the lower levels not just in the network side but also in the billing side.
@Ralph: "why the watchers must be watched."
And who, may I ask, is going to watch the watcher-watchers? And the watcher-watcher-watcherers? Soon we will all be watching the backs of our own heads without realising it is us, as the guy in the CCTV shot reaches for the big red button, and we reach for the big red button and OMG.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.