[ISN] Greek spies plant rootkit in a phone exchange

From: InfoSec News (alertsinfosecnews.org)
Date: Fri Jul 13 2007 - 02:04:30 CDT


http://www.techworld.com/security/news/index.cfm?newsID=9463

By Jeremy Kirk
IDG News Service
12 July 2007

A highly sophisticated spying operation that tapped into the mobile
phones of Greece's prime minister and other top government officials has
highlighted weaknesses in telecommunications systems that still use
decades-old computer code.

The spying case, where the calls of around 100 people using Vodafone's
network were secretly tapped, remains unsolved and is still being
investigated. Also complicating the case are question marks over the
suicide in March 2005 of a top engineer at Vodafone Group in Greece in
charge of network planning.

A look [1] into how the hack was accomplished has revealed an operation
of breathtaking depth and success, according to an analysis on IEEE
Spectrum Online, the website of the Institute of Electrical and
Electronics Engineers.

The case includes the "first known rootkit that has been installed in an
[phone] exchange," said Diomidis Spinellis, an associate professor at
the Athens University of Economics and Business, who wrote the report
with Vassilis Prevelakis, an assistant professor of computer science at
Drexel University in Philadelphia.

A rootkit is a special programme that buries itself deep into an OS for
some malicious activity and is extremely difficult to detect.

The rootkit enabled a transaction log to be disabled and allowed call
monitoring on four switches made by Telefonaktiebolaget LM Ericsson
within Vodafone's equipment. The software enabled the hackers to monitor
phone calls in the same way as law enforcement agencies would do, but
without the normal required court order. The software allowed for a
second, parallel voice stream to be sent to another phone for
monitoring.

The intruders covered their tracks by installing patches on the system
to route around logging mechanisms that would alert administrators that
calls were being monitored. "It took guile and some serious programming
chops to manipulate the lawful call-intercept functions in Vodafone's
mobile switching centres," the authors wrote.

The secret operation was finally discovered around January 2005 when the
hackers tried to update their software and interfered with the way text
messages were forwarded, which generated an alert. Investigators found
hackers had installed 6,500 lines of code, an extremely complex coding
feat.

"The size of the code is not something that somebody could hack in a
weekend," Spinellis said. "It takes a lot of expertise and time to do
that."

The investigation, which included a Greek parliamentary inquiry, netted
no suspects, partly because key data was lost or was destroyed by
Vodafone, the authors wrote. It is not known if the hack was an inside
job.

Vodafone may have been able to discover the scheme sooner through
statistical call analysis that could have linked the calls of those
being monitored to calls to phones used to monitor the conversations,
they wrote. Carriers already do that sort of analysis, but more for
marketing than security reasons.
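
A sketch of the kind of statistical call analysis described above, added
here as an illustration and not taken from the article or the IEEE report.
The record layout, the empty originator on the duplicated leg, the
thresholds and the function names are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed CDRs: (caller, callee, start_epoch_s, duration_s). Assumption: the
# duplicated stream is a record on the monitoring handset with caller None.
SAMPLE_CDRS = [
    ("T1", "U1", 1000, 120), (None, "S", 1001, 119),
    ("U2", "T1", 5000, 300), (None, "S", 5001, 300),
    ("T1", "U3", 9000, 45), (None, "S", 9000, 44),
    ("T2", "U4", 2000, 60), (None, "S", 2001, 60),
    ("U5", "T2", 6000, 200), (None, "S", 6002, 199),
    ("T2", "U6", 12000, 75), (None, "S", 12001, 75),
    ("A", "B", 1000, 400),  # same start as a mirrored call, different length
    ("C", "D", 7000, 90), ("E", "F", 7001, 90),  # one-off coincidence
]


def parties(cdr):
    """Subscriber numbers taking part in a call record."""
    return {n for n in cdr[:2] if n is not None}


def coincident_pairs(cdrs, tolerance_s=3):
    """Count, per number pair, separate calls that match in start and length."""
    counts = Counter()
    ordered = sorted(cdrs, key=lambda c: c[2])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b[2] - a[2] > tolerance_s:
                break  # sorted by start time: later records cannot match
            if abs(b[3] - a[3]) > tolerance_s or parties(a) & parties(b):
                continue  # different length, or simply the same call
            for p in parties(a):
                for q in parties(b):
                    counts[(p, q)] += 1
                    counts[(q, p)] += 1
    return counts


def monitoring_candidates(cdrs, min_matches=3, min_subscribers=2):
    """Numbers whose calls repeatedly mirror those of several subscribers."""
    linked = defaultdict(set)
    for (p, q), n in coincident_pairs(cdrs).items():
        if n >= min_matches:
            linked[p].add(q)
    return {n: sorted(s) for n, s in linked.items() if len(s) >= min_subscribers}


if __name__ == "__main__":
    print(monitoring_candidates(SAMPLE_CDRS))
```

On the constructed records only "S" is reported, linked to "T1" and "T2";
the single C/D and E/F coincidence stays below the repeat threshold.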

But the defense against rogue code, viruses and rootkits is complicated
because of the way the telecom infrastructure has developed. "Complex
interactions between subsystems and baroque coding styles (some of them
remnants of programmes written 20 or 30 years ago) confound developers
and auditors alike," the report said.

[1] http://www.spectrum.ieee.org/jul07/5280
