Secret German IP Addresses Leaked

From Wikileaks:

The PDF document holds a single paged scan of an internally distributed mail from German telecommunications company T-Systems (Deutsche Telekom), revealing over two dozen secret IP address ranges in use by the German intelligence service Bundesnachrichtendienst (BND). Independent evidence shows that the claim is almost certainly true and the document itself has been verified by a demand letter from T-systems to Wikileaks.

Posted on November 20, 2008 at 7:26 AM • 29 Comments

Comments

natenidoNovember 20, 2008 8:28 AM

Update: http://wikileaks.org/wiki/Notfalls%C3%A4uberung_des_BND_nach_Wikileaks_Enth%C3%BCllung ("Emergency cleansing by BND after Wikileaks disclosure")

http://wikileaks.org/wiki/Talk:German_Secret_Intelligence_Service_(BND)_T-Systems_network_assignments%2C_13_Nov_2008

It seems that within three days after publication of the 13 Nov Wikileaks article, T-Systems had the allocations of these IP ranges deleted in the RIPE database, effectively moving them into larger, more anonymous pools.

Carlo GrazianiNovember 20, 2008 9:10 AM

Hardly earth-shattering intelligence -- I'd bet a substantial sum that all governments know each other's IP address ranges, broken out by department and agency. So keeping this sort of thing secret is weak protection, principally from amateurs and small-time criminals.

I do think the Wikipedia angle is fascinating, though. Knowing the ownership of an IP range allows anyone to mine the Wikipedia edits database for contributions from that source. This was known, but the potential for side-channel intelligence leakage is something I'd never heard of before. It would be fun to do this more systematically, to see how the intelligence establishments of the US, UK, France, Russia, China, etc. have cast their reflections in Wikipedia.

JeroenNovember 20, 2008 9:11 AM

Expecting any significant amount of security from keeping secret which IP's you use is pretty sad for the foreign intelligence agency of one of the richest countries in the world.

TenNovember 20, 2008 9:25 AM

@Carlo Graziani
>It would be fun to do this more systematically, to see how the intelligence establishments of the US, UK, France, Russia, China, etc. have cast their reflections in Wikipedia.

Unless they use Tor or something similar to do this...

SR71November 20, 2008 9:54 AM

@jeroen:
they are probably worried about datamining.

We know that the IP ranges include BND web proxy or NAT box used for surfing by BND people.

Now, THIS becomes a SERIOUS PROBLEM. What if some Google employee looks up searches done by BND in the last years ?
This could reveal persons BND is interested in (I'm sure BND googles their suspects !). This applies to social networking websites, webmail sites, ... name it yourself.

German law enforcement set up this trap for themselves: data retention (Vorratsdatenspeicherung) enforces long-term storage of web server logs.

MarkusNovember 20, 2008 10:17 AM

So even if it wasn´t their secret IP range, they should also send demanding letters from T-Systems to Wikileaks and move these IP-ranges.

There´s nothing like plausible misinformation....

KaukomieliNovember 20, 2008 10:21 AM

@SR71: That was my first thought, too.

It is not important that the IP-range has been moved now, because logs kept on forum-sites, npd, whatever will still be there and can be checked against those IPs, searches etc. - everything is tracable now with just one supporter having access to logs.

Clive RobinsonNovember 20, 2008 12:36 PM

@ SR71, Kaukomieli,

"It is not important that the IP-range has been moved now, because logs kept on forum-sites"

You have missed two points which are even more important.

1, At some point the IP addressess would have been subject to a traceroute. Now even thought the IP addressess have been changed how much of the tracerout path is still valid?

And can therfore be used to re-localise the physical interfaces...

2, knowing the past searches etc made from those IP addressess will due to the difficulty of changing the behaviour act a s a significant indicator of future trafic from the new unknown IP addressess (ie loging into hotmail account xxxx from IP address X.Y.Z.0 not A.B.C.0).

Combine these two and the new IP address range could be unmasked in just a few days...

As has been noted in the past security by obscurity is illusory at best...

SR71November 20, 2008 12:39 PM

@Kaukomieli:

right, I can think of zillion possibilites how people having acces to certain web server logs could reveal sensitive information via simple datamining, knowing past BND IP ranges:

* Say, BND employees submitted some private orders from work computers, like ordering a book from amazon or renting a DVD. Looking for orders from the BND IP ranges could reveal home addresses and names of BND employees (bad);
* Booking a car for inspection or otherwise filling some car information online could reveal BND car number plates;
* Online bookings of flights from BND IP ranges could reveal BND agents and their undercover identities (booking a flight for an undercover agent from BND computer sounds like a silly thing to do, but people do silly things)
* BND employees who checked private webmail from work could have revealed their private emails and their home addresses (any "order confirmation" email usually has the home address inside).
* ...

What is really bad about it is that BND has no idea who will use this information, how the informaiton will be used, and which of zillion risks are real.

On the other hand, wasn't it BND who built this brave new world for us? Welcome too, BND!

Russell CokerNovember 20, 2008 1:54 PM

There are some interesting ideas being presented about how hostile parties could use the IP address information.

I wonder how long it will take for corporate IT departments to realise that they face similar threats. Should personal webmail etc be banned from corporate IP addresses as a security measure?

Carlo GrazianiNovember 20, 2008 2:49 PM

C'mon, guys, IP address ranges for government TLAs are easily discoverable, and are public information. For example:

I, kazoo > host www.cia.gov
www.cia.gov has address 198.81.129.136
I, kazoo > whois 198.81.129.136
[Querying whois.arin.net]
[whois.arin.net]
ANS Communications, Inc BLK198-15-ANS (NET-198-80-0-0-1)
198.80.0.0 - 198.81.255.255
Central Intelligence Agency OIT-BLK1 (NET-198-81-128-0-1)
198.81.128.0 - 198.81.191.255
I, kazoo > whois '\!NET-198-81-128-0-1'
[Querying whois.arin.net]
[whois.arin.net]

OrgName: Central Intelligence Agency
OrgID: CIA-1
Address: GCS, ND1
City: Washington
StateProv: DC
PostalCode: 20505
Country: US

NetRange: 198.81.128.0 - 198.81.191.255
CIDR: 198.81.128.0/18
NetName: OIT-BLK1
NetHandle: NET-198-81-128-0-1
Parent: NET-198-80-0-0-1
NetType: Reassigned
Comment:
RegDate: 1997-02-11
Updated: 1998-03-30

RTechHandle: ANM3-ORG-ARIN
RTechName: Central Intelligence Agency
RTechPhone: +1-703-874-5401
RTechEmail: edsn@ucia.gov

OrgTechHandle: DW1276-ARIN
OrgTechName: Wheelock, David
OrgTechPhone: +1-703-613-9840
OrgTechEmail: davidw@ucia.gov

The "Sensitive Information About IP Blocks Leaked" story is a non-story. The "Weblogs May Be Datamined for Access by Spooks" story _may_ be a story. However, my guess is that those intelligence agencies with publically-known IP addess ranges have regulations about employee Internet usage and outbound-traffic-monitoring programs designed to prevent this sort of leakage, precisely because they are aware of the risk. It is agencies who think they are safe because their IP address range is secret that are exposed to this risk.

L. Simpson - no, no, too obvious - Lisa S.November 20, 2008 3:30 PM

@Russell Coker,

They already are for some of us. Though I'm told it's for fear of viruses from attachments, not fear of associating the home and work addresses.

AnonymousNovember 20, 2008 4:07 PM

@Carlo Graziani

> IP address ranges for government TLAs are easily discoverable, and are public information.

Not if these guys use a "cover company", as they did.
However this company was not registered in the "Handelsregister" and used a post-box address (at a location not far away from the "known" BND headquarter).

WikiWonderNovember 20, 2008 5:00 PM

@Carlo, Wikileaks != Wikipedia. Same basic technology (MediaWiki), different data.

stayawayfromgovsNovember 21, 2008 12:48 AM

Yeah all of us have those old huge iprange txts with fbi, nsa sipr, niprnet blocks which are still in use so what.

You can't do to much against a complete blackhole network where there are no services, but ddos them or do datamining on google get the whois infos, send trojans to their mails what their mailgw pbly cut down. With a little more work figure out what pages do they watch usually and pwn one of those servers load it up with 0day mpack and hope for the best.


Messing with govs and gov agencies is pointless unless you have a very good reason to do it. People would think omg el8 haxxors pwned BND and pulled the names of all their agents. I doubt you would find anything interesting there but junk data. Even if you would you couldn't use it on your own.

That's why threats coming from the inside on those networks because an outsider looking for needle in the haystack and even if he put a lot of time in it and finds it probably can't use it.

PhaedrusNovember 21, 2008 2:05 AM

The interesting part in knowing these IPs is not the possibility to "pwn" a host. As stated earlier in comments, the real threat is data mining and correlation of data.
Agencies like BND do the very same thing. The agencies must put their trust into the telcos that they have secured their data retention systems, and that any leak is detected. Not to mention Google, even though they will do no evil.

dogNovember 21, 2008 2:40 AM

It seems PDF format poor design (in terms of security) is currently the second cause of data leakage... after, duh, dumb users... :)

NitpickerNovember 21, 2008 7:39 AM

Web server logs are not enforced by data retention laws in Germany. On the contrary: storing IP addresses in Germany is forbidden by privacy law, although no-one seems to care, not even official federal sites, also because it's the default for most servers and no-one bothers to switch that.

Data retention is about something else: the storage of the IP address to person mapping, i.e., your Internet provider needs to store at what time which IP address was allocated to which account (=person).

Further, all anonymizers must store the remapping of IP addresses (so that they are not anonymizing anymore).

To counter-act this, everyone (you might be 'asked' to hand over your logs) should either switch off their server logs, or at least remove the IP addresses. The Apache module mod_removeip does this. It's easy. Install it now, you do not need to spy on IPs!

Additionally, data retention forces large (>1000 clients IIRC) email providers to store who sent emails to who. If you run your own dedicated server, you do not need to do this.

Please don't mix this up, I know its strange and confusing and even contradicting rules, but without a good distinction, arguments cannot succeed.

Carlo GrazianiNovember 21, 2008 10:28 AM

@WikiWonder: You might want to read the actual article at WikiLeaks. They describe fun that they had looking for Wikipedia edits from the BND IP range.

lbNovember 21, 2008 3:17 PM

@Carlo Graziani
Yup. I don't know wether there are English sources on that.
An example is this: http://de.wikipedia.org/w/index.php?diff=prev&oldid=8557599

"It is well-known underhand that many offshore branches of the Goethe-Institut serve as inofficial domiciles of the BND."

changed to

"Offshore branches of the Goethe-Institut do not serve as inofficial domiciles for the BND, though."

I am German but I still hope, the translation is accurate.

RogerNovember 21, 2008 9:50 PM

@Carlo Graziani:
> It would be fun to do this more systematically, to see how the intelligence establishments of the US, UK, France, Russia, China, etc. have cast their reflections in Wikipedia.

If you drill into the Wikipedia edits made from the BND IP ranges, they are certainly not intelligence operations. They are some bored office worker making comments about his favourite football (soccer) teams.

NetzblockiererFebruary 21, 2010 2:50 PM

Such nooby guys in there...

I beleive they play crysis on their Win2003-servers if the do not fix their computers!

This is embrassing, and it calls itself as federal intelligence service!

NOOBS! GET OUT THE NET!

NetzblockiererFebruary 21, 2010 2:57 PM

@Carlo Graziani:

THAT ARE ONLY THE WEBSERVERS OFICIAL LISTED!

BND spreads his infrastructures in several companys: see de.wikipedia.org/wiki/BND (german)
unforunally, you can Whois them, too... but I believe that wikipedias infos were outdated!
They inserted some agents as moderators into wikipedia, and even begin to infiltrate wikileaks, because it offers better and more accurate information...

BND are NOOBs!
Yeah, and data-retention does not work, I show you...

NetzblockiererMay 1, 2012 2:19 PM

Somehow, I'm disgusted from the noobishness of German intel authorities.

Seems as if they refused to learn since my application for an apperenticeship at the BKA, which I revoked after realizing they would use me ''operative'' aka. for hacking of external sources due to ''investigation''.

They did not even lock up the switches in the floors in their tetriary location in Meckenheim. So if anybody with a piece of 1337 skillz is in there, I would like to ask him if he can Wireshark their network for a few mins and publish the traffic after analysing it - I'll bet most is (enforced unencrypted) HTTP from employees surfing at Google, XING, Facebook and eBay during their scheduled working time!

The fact, that I'm still alive proves me that they don't gess who I am.

However I may publish a list of ''cover companies'' they have. See following adress - a building full of BND ''cover corp.'': ''Helene-Weber-Allee 23, München'' ... You can buy used cars they had from www.zoll-auktion.de - all having car registrations from munich [M] and numbers between 14000 and 16999.

German Intel prefers to use Google Maps or ''partner intel'' alike CIA or MI5 rather than investigation on their own - they outsourced torture to the USA and Ghaddafi' - Lybia.
You don't believe me?I have the facts on my desk!

However the AnonyPwnies said something to GEMA that applies to all IT - also in private households: ''Hire a full-time Admin and treat him good!''

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..