nullcon 2010 - corporate security and intelligence – the dark links

Intelligence Operations & Corporate Security: the dark links [Release 0.4]. An analysis of two weird case studies. Raoul “Nobody” Chiesa. Nullcon 2010, Goa, India

Upload: nu-the-open-security-community

Post on 08-Jun-2015

DESCRIPTION

nullcon 2010 - Corporate Security and Intelligence – the dark links by Raoul Chiesa

TRANSCRIPT

Page 1: nullcon 2010 - Corporate Security and Intelligence – the dark links

Intelligence Operations &

Corporate Security: the dark links

[Release 0.4]

An analysis of two weird case studies

Raoul “Nobody” Chiesa

Nullcon 2010, Goa, India

Page 2: nullcon 2010 - Corporate Security and Intelligence – the dark links

Talk’s Rules

• NO Audio, no Video, no A/V recording.
• No pictures.
• No disclosure outside of the conference itself (“PH Neutral‐like” approach)
• Questions at the end, please.

Page 3: nullcon 2010 - Corporate Security and Intelligence – the dark links

Agenda

Disclaimer(s)

Introduction
What Corporate Security should be and is
What Intelligence should be and is
Management Models
Historical links between CS & I

Case Studies
Case I
Case II

Conclusions

Bibliography and Links

Page 4: nullcon 2010 - Corporate Security and Intelligence – the dark links

Who am I ?

• I’ve been a “bad guy” from 1986 until 1995. Then they busted me.
• So I grew up, basically inventing a job I do love.
• I run my own security consulting company, @Mediaservice.net, since 1997, and a sister company specialized in Digital Forensics (atpss.net) since 2005.
• I’m into Security R&D, I could say at 360°.
• I’m an OSSTMM Key Contributor.
• I’m a Board of Directors member for many associations (ISECOM, CLUSIT, TSTF.net, OWASP‐Italy) and I work with some others (ICANN, APWG, GCSC, ENISA, etc.).
• I am the Worldwide Technical Contact Officer at the UNICRI (United Nations Interregional Crime & Justice Research Institute) on cybercrime issues.
• I travel the world giving out speeches and meeting nice folks as you !

Page 5: nullcon 2010 - Corporate Security and Intelligence – the dark links

Some stuff you asked me yesterday and this morning

• UNICRI Cybercrime Homepage:
– http://www.unicri.it/wwd/cyber_crime/index.php
• UNICRI Cybercrime Training Framework:
– http://www.unicri.it/wwd/cyber_crime/links.php
• UNICRI Cybercrime links:
– http://www.unicri.it/wwd/cyber_crime/links.php
• A cool hacking tools page from my Red Team:
– http://oxdeadbeef.info
• On botnets, 0‐days and reverse engineering from a friend:
– http://extraexploit.blogspot.com
• On Mobile (handset) Security, from Italian friends:
– http://www.mseclab.com
• Hackers Profiling Questionnaire:
– http://hpp.recursiva.org

Page 6: nullcon 2010 - Corporate Security and Intelligence – the dark links

Agenda

Page 7: nullcon 2010 - Corporate Security and Intelligence – the dark links

Disclaimer(s)

Page 8: nullcon 2010 - Corporate Security and Intelligence – the dark links

Disclaimer

I don’t think you will ever see this talk again at some other conference; maybe somebody will shoot me before. So, please pay attention to what I will tell you. And, it took me 2 years to acquire all the documents (public and not public ones) and correlate the information I will detail to you in a few minutes.

• There are (still) many rumors regarding what exactly happened;
• there are many unanswered questions regarding what happened (and an on‐going court trial);
• for this talk we assume that what is publicly known is what actually happened;
• the ideas and opinions presented here are my own and do not represent any views or opinions, nor the United Nations, but my personal ones.

Page 9: nullcon 2010 - Corporate Security and Intelligence – the dark links

Disclaimer (bis)
Why did I take the decision to analyze these two cases?

• In the Telecom Italia affair, the mass media coverage has been huge, while no one from the IT sector even wrote something about what happened (!) *
• In the Vodafone Greece scandal, international newspapers did not write so much about what happened (language didn’t help), whilst on the technical side, some research has been published (IEEE mainly).
• A terrific image related to “penetration testers” popped up: unethical people, false, criminals; “Tiger Team” cannot even be used anymore as a word in some national markets…
• I think it is essential to speak about these scandals and clarity should be done as soon as possible.

* Books have been written by some of the arrested subjects; see bibliography at the end of this talk.

Page 10: nullcon 2010 - Corporate Security and Intelligence – the dark links

Last disclaimer
(aka “I want to believe”)

Raoul, why the hell did you take the decision to analyze these two cases ? (a XXXXXX agent & friend, August 2008)

• I used to know some of the people involved (Telecom Italia affair).
• I used to have “some knowledge” of mobile operator’s MSCs (Vodafone Hellas affair)
• All the times I’m attending some Infosec event, friends used to ask me “What the fuck happened out there ?!?”
• I love weird stories. I love to teach what I know.
• I am a damned curious guy.
• I want to believe – that IT Security and criminality will not merge so easily. Not again.

Page 11: nullcon 2010 - Corporate Security and Intelligence – the dark links

“After 1989, Italtel used to have 150/200 employees in Soviet Union, working closely with the governments of the republics from the former Soviet block.

At the same time, SISMI wasn’t even able to infiltrate a single agent into those countries.g g

Who ruled more? Who was the one able to obtain more information?”

July 28th, 2008

Giuliano Tavaroli
Former Telecom Italia and Pirelli CISO

Page 12: nullcon 2010 - Corporate Security and Intelligence – the dark links

Agenda

Page 13: nullcon 2010 - Corporate Security and Intelligence – the dark links

PART I

Introduction

Page 14: nullcon 2010 - Corporate Security and Intelligence – the dark links

What Corporate Security should be

• From wikipedia: (http://en.wikipedia.org/wiki/Corporate_Security)

Corporate Security identifies and effectively mitigates or manages, at an early stage, any developments that may threaten the resilience and continued survival of a corporation.

It is a well organized corporate function that oversees and manages the close coordination of all functions within the company that are concerned with security, continuity and safety, and contributes to the fulfillment of good corporate governance, responsibility, observance or compliance of prevailing legal regulations, as well as the meeting of customers, suppliers, and other business partner’s requirements in accordance with corporate objectives.

Page 15: nullcon 2010 - Corporate Security and Intelligence – the dark links

What Corporate Security often is

• FPOL (First Point of Life) for System Integrators and Vendors.
• SPOL (Second Point of Salary) for retired LEOs.
• Breaking laws (in hundreds of ways!).
• Outsourcing “black jobs” (checks on people, PIs activities, IT attacks, D/DoS, etc..).
• A BU playing “internal, political wars” with other BUs.
• A personal “IT Army” for the management.
• A facility from where to help out some colleagues at LEAs.
• A link to Secret Services (Intelligence Agencies).
• A place where IT Security is the last thing :(

Page 16: nullcon 2010 - Corporate Security and Intelligence – the dark links

What Intelligence (agencies) should be

• From wikipedia: (http://en.wikipedia.org/wiki/Intelligence_agency)

An intelligence agency is a governmental agency that is devoted to the information gathering (known in the context as "intelligence") for purposes of national security and defense. Means of information gathering may include espionage, communication interception, cryptanalysis, cooperation with other institutions, and evaluation of public sources. The assembly and propagation of this information is known as intelligence analysis.

Intelligence agencies can provide the following services for their national governments:
– provide analysis in areas relevant to national security;
– give early warning of impending crises;
– serve national and international crisis management by helping to discern the intentions of current or potential opponents;
– inform national defense planning and military operations;
– protect secrets, both of their own sources and activities, and those of other state agencies; and
– may act covertly to influence the outcome of events in favor of national interests.

Intelligence agencies are also involved in defensive activities such as counter‐espionage or counter‐terrorism.

Some agencies are accused of being involved in assassination, arms sales, coups d'état, and the placement of misinformation (propaganda) as well as other covert operations, in order to support their own or their governments' interests.

Page 17: nullcon 2010 - Corporate Security and Intelligence – the dark links

What “Intelligence” often is

• Buying 0‐day exploits from the underground and/or Infosec companies.
• Hacking into suspects’ boxes.
• Running extraordinary retention programs, thus unauthorized by the Country where the operation is running.
• ……..other nasty things we could really not say here!

Page 18: nullcon 2010 - Corporate Security and Intelligence – the dark links

A look at the management structures

Page 19: nullcon 2010 - Corporate Security and Intelligence – the dark links

The structure

• No matter if we are speaking about the Corporate Security of a multinational rather than the Internal Secret Service of a State. They do run models and do have defined structures.
• It is really interesting to study their approaches, since it helps out in better understanding their information flows, people's roles and decision‐makers. (AKA Human’s Reverse Engineering ;)

Page 20: nullcon 2010 - Corporate Security and Intelligence – the dark links

Intelligence Agencies: general model

Page 21: nullcon 2010 - Corporate Security and Intelligence – the dark links

Intelligence Agencies: the USA model *

* ex Intelligence Reform and Terrorism Prevention Act_2004

Page 22: nullcon 2010 - Corporate Security and Intelligence – the dark links

Intelligence Agencies: the Italy model *

* ex law 801_1977

Page 23: nullcon 2010 - Corporate Security and Intelligence – the dark links

Intelligence Agencies: the Italy model *

* ex law 124_2007

Page 24: nullcon 2010 - Corporate Security and Intelligence – the dark links

Intelligence Agencies: the Greece model *

* ex law february 2008

Page 25: nullcon 2010 - Corporate Security and Intelligence – the dark links

IS Management – Evolution of the models

Original approach

Evolved approach

Nowadays approach

Page 26: nullcon 2010 - Corporate Security and Intelligence – the dark links

IS Management models – today’s standard

AD CEO

General Department Financial Planning & Business Control

HR & OrganizationalProcedures

Information Risk Management Department

Legal & Corporate Affair Administration Department

BU BU BU BU BU

Page 27: nullcon 2010 - Corporate Security and Intelligence – the dark links

IS Management models – Tavaroli’s approach

CEO

Finance

Human Resources & Organization

Public & Legal Affairs

Security, Safety & Facilities

Strategy Technology Commercial Operations

Supply Chain Management

Media Relations & Corporate Communication

Page 28: nullcon 2010 - Corporate Security and Intelligence – the dark links

IS Management models – A good “security dept.” approach

Security

Risk Analysis

Security Compliance

Security Awareness

Crisis Management & Business Continuity

Physical Security

Information Security, Data Privacy and (Fraud) Management

International Security Operation

Page 29: nullcon 2010 - Corporate Security and Intelligence – the dark links

Historical links

• There are very‐well known historical links between telcos and governments:
– AT&T & NSA
– Telecom Italia & Italtel with SISMI and SISDE
– Deutsche Telecom and Siemens
– OTE Hellas & EYP
• Why ?
– Because LEAs and IAs know that information is power. They have always known this.
– That’s why they always want to be able to eavesdrop, intercept, and collect data.
– Also political scandals are a part of history; whenever “communication” begins, then IAs begin to monitor politicians, both locally and abroad.
• …What about hackers & telcos then ??

Page 30: nullcon 2010 - Corporate Security and Intelligence – the dark links

Agenda

Page 31: nullcon 2010 - Corporate Security and Intelligence – the dark links

PART II

Case studies

Page 32: nullcon 2010 - Corporate Security and Intelligence – the dark links

The Case Studies

• So, I said “hackers & telcos”.
• This may mean as well “telcos & hacking”… (not “hacking telcos”: that’s another point ;)
• This concept leads us to the two case studies we are going to analyze:
– the Vodafone Greece Scandal
– the Telecom Italia Affair

Page 33: nullcon 2010 - Corporate Security and Intelligence – the dark links

In one shot ‐ Greece

• Basically, what the heck happened ?
• Vodafone Hellas:
– +One hundred “VIP” mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc.
– Calls from and to +100 SIMs were diverted to 14 “pay‐as‐you‐go” mobile phones.
– Four BTS were “interested” by the area where these receiving SIMs were located. “Incidentally”, Athens US Embassy is right in the middle of them ☺
– This has been done via a high‐level hack to the Ericsson AXE GSM MSC; building a rootkit “parked” in the RAM area, since obviously the MSC was in “production” (!!!).
– “The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One year later at least. Maybe longer… nobody knows.
– On March 9th, a Vodafone “top technician” (KT) committed suicide. (Kostas Tsalikidis, 39 y.o., Head of Network Design).
– EYP (Hellas National Intelligence Agency) began investigating at once.

× Right now, no one has any idea about who did it and why.

Page 34: nullcon 2010 - Corporate Security and Intelligence – the dark links

Case Study I: Actors involved

• Some elite hacker.
– Retired Ericsson technical guy(s) ?
• Some seriously‐intentioned IA (CIA?).
• Some historical and geo‐political situation (Carpe Diem).
• Local politicians and National Secret Service
• The Olympic Games ?
• The “best hack of 2005” prize. For sure.

Page 35: nullcon 2010 - Corporate Security and Intelligence – the dark links

Targeted people (Vodafone Hellas/1)

• GOVERNMENT TARGETS:
Karamanlis, Kostas Prime Minister of Greece (two phones of 20) Elef. 3Feb
Molyviatis, Petros then Foreign Minister, a private phone Elef. 3Feb
Spiliotopoulos, Spilios then Minister of Defense Elef. 3Feb
Voulgarakis, Giorgos then Minister of Public Order Elef. 3Feb
Papaligouras, Anastasios Minister of Justice Elef. 3Feb
Valinakis, Giannis Alternate Foreign Minister Elef. 3Feb
Dimas, Stavros EU Commissioner Elef. 3Feb
Bakoyianni, Dora then Mayor of Athens Elef. 3Feb
Vallindas, Giorgos Ambassador, Foreign Ministry Mideast Division Director Elef. 3Feb
Choreftaki, Glykeria Foreign Ministry employee Elef. 3Feb
Papantoniou, Giannis PASOK MP, ex Minister of Defense Elef
Apostolidis, Pavlos then Head of Greek Intelligence Service (EYP), his car phone Nea
Karamanli, Natasha wife of Prime Minister Nea
eight unidentified foreign ministry officials Nea
unnamed intelligence officials EYP operations officers Nea
Korandis, Giannis current EYP director, then Ambassador to Turkey, his private car phone Nea 3‐16
Molyviati, Lora daughter of former Foreign Minister Nea 3‐16

Page 36: nullcon 2010 - Corporate Security and Intelligence – the dark links

Targeted people (Vodafone Hellas/2)

• POLICE/SECURITY TARGETS:
Maravelis, Dimitris Police officer in Olympic Security Elef. 3Feb
Maris, Giorgos lawyer, legal advisor to Public Order Ministry Elef. 3Feb
Angelakis, Dimitris Police in Olympic Security or EYP unionist Elef. 3Feb
Sontis, Theodore U.S. Embassy Greek‐American, gave to security detail Elef
Kyriakakis, Evstratios Former Director, Criminological Service, Greek Police Ta Nea
Galiatsos, G. Director of Exercises, Athens Olympic Security Ta Nea
Mitropoulos, G. Chief of Staff, Ministry of Public Order Ta Nea
Konstantinidis, V Olympic Games Security Director Ta Nea
Nasiakos, Fotis Former Chief, Greek Police (phone given to another) Ta Nea
Dimoschakis, An. Chief of Staff, Greek Police Ta Nea
Syrros, St. Former director of Counterterrorism division, Greek Police Ta Nea
Galikas, D. Director of Counterterrorism Division, Greek Police Ta Nea
Angelakos, Giorgos Chief of Greek Police Ta Nea
seven senior military Senior officers in general staff Ta Nea
General Staff Communications Dir Communications Director, chief of General Staff
Defense Ministry staffer Defense Ministry staff company Eleft 2/5

Page 37: nullcon 2010 - Corporate Security and Intelligence – the dark links

Targeted people (Vodafone Hellas/3)

• FOREIGN CITIZENS TARGETS:
Meim, Mohamad Pakistani Elef
Moktar, Ramzi Sudanese Elef
Maloum, Udin Elef
Jamal, Abdullah Lebanon radio reporter or Syrian journalist, now fast food operator Elef
Sadik, Hussein Moh. Pakistani store owner Elef
Tarek, Ibrahim Ahmet Iraqi Elef
Kadir, Aris Kurd Elef
Thair, Hermiz Iraqi Elef
Ayoubi, Chadi Lebanese al Jazeera reporter, Gr resident Elef
Basari, Mohamed Iraqi immigrant Igoumenitsa, 3 years, furniture factory worker Nea 3‐16
Unnamed Syrian Unnamed Syrian, 3 years Nea 3‐16
Unnamed Iraqi Unnamed Iraqi, 2 years Nea 3‐16

Page 38: nullcon 2010 - Corporate Security and Intelligence – the dark links

Targeted people (Vodafone Hellas/4)

• UNEXPLAINED TARGETS:
Fergadis, Theodoros businessman Elef. 3Feb
Kakotaritis, Giorgos blanket factory? Elef. 3Feb
Linardos, Nikolaos Pegasus financial co, underwear firm Nea 3‐16
Cretan businessman shipper of remote control airplanes, including Souda Bay Vima 3/25
Cretan refrigeration tech Refrigeration tech from Ag. Nikolaos Crete Vima 3/25
Koika, Katerina journalist Elef. 3Feb
Psychogios, Giorgos criminal lawyer, Thebes mayor candidate Elef. 3Feb
Makris, Kostas Elef. 3Feb
Barbarousi, Dimitra Elef. 3Feb
Notas, Anastasios Elef
Pavlidis, Pavlos Elef
Pnevmatikakis, Angelos Elef
unknown card phone 6942 5447.. Activated 2/28/05 Vima 2/25

Page 39: nullcon 2010 - Corporate Security and Intelligence – the dark links

In one shot ‐ Italy

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 40: nullcon 2010 - Corporate Security and Intelligence – the dark links

Case Study II: Actors involved

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 41: nullcon 2010 - Corporate Security and Intelligence – the dark links

Googling

Page 42: nullcon 2010 - Corporate Security and Intelligence – the dark links

Case Study II: Actors involved

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 43: nullcon 2010 - Corporate Security and Intelligence – the dark links

Case Study II – Actions: Build the infrastructure

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 44: nullcon 2010 - Corporate Security and Intelligence – the dark links
Page 45: nullcon 2010 - Corporate Security and Intelligence – the dark links

Please, gimme a Timeline!!!

• Yep, I know. This scandal is huge.
• This affair would need something like an 8 hour talk, to let you really understand WTF happened.
• That’s why I skipped the lunch and spent some time to build an event timeline ☺

Page 46: nullcon 2010 - Corporate Security and Intelligence – the dark links

What happened: Timeline (2000‐2002)

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 47: nullcon 2010 - Corporate Security and Intelligence – the dark links

What happened: Timeline (2003‐2004)

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 48: nullcon 2010 - Corporate Security and Intelligence – the dark links

What happened: Timeline (2004‐2005)

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 49: nullcon 2010 - Corporate Security and Intelligence – the dark links

What happened: Timeline (2006‐2007)

SANITIZED

YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK…SORRY FOLKS !

Page 50: nullcon 2010 - Corporate Security and Intelligence – the dark links

Agenda

Page 51: nullcon 2010 - Corporate Security and Intelligence – the dark links

Conclusions

Page 52: nullcon 2010 - Corporate Security and Intelligence – the dark links

Conclusions/Telecom Italia

• An innocent man has been induced to commit suicide. Whatever the true facts are, he’s dead.
• A 5 years period of very negative image for Telecom Italia Group.
• Even if all the facts must be proven in Law Court, those ordered attacks and the TV images showing thousands of dossiers of private citizens – STASI like – impressed a lot of normal people.
• The world discovered the existence of RADAR (Counter Fraud System, that can be abused just like a Lawful Interception System) at Telecom Italia Mobile.
• Tiger Team = very bad word (!)
• IMHO, a strong damage happened also to the worldwide underground scene (HITB, Bluehat, etc..).

Page 53: nullcon 2010 - Corporate Security and Intelligence – the dark links

Conclusions/Vodafone Hellas

• A dead man here too…
• A very light negative image of Vodafone Hellas: media didn’t hit that much the subject on the news coverage.
• Obscure CIA links ?
• Rootkit Ericsson AXE MSC.

Page 54: nullcon 2010 - Corporate Security and Intelligence – the dark links

General Conclusions

• These two cases are just the tip of the iceberg.
• These “incidents” happen everyday in IAs and telco companies. They just don’t say it.
• Avoiding this shit to happen again, it’s up to us, the infosec guys.
• ALL of you should contribute to this.
• I want to believe. Still.
• Hackers are clean people, not criminals.

Page 55: nullcon 2010 - Corporate Security and Intelligence – the dark links
Page 56: nullcon 2010 - Corporate Security and Intelligence – the dark links

Acknowledgements, References and Links

Page 57: nullcon 2010 - Corporate Security and Intelligence – the dark links

Links

ITALIAN:
• http://it.wikipedia.org/wiki/Scandalo_Telecom-Sismi
• http://it.wikipedia.org/wiki/Giuliano_Tavaroli
• http://it.wikipedia.org/wiki/Tiger_team
• http://it.wikipedia.org/wiki/Laziogate

ENGLISH:
• Who is Telecom Italia: http://en.wikipedia.org/wiki/Telecom_Italia
• Italy’s byzantine Telecom Italia scandal shakes the Republic: http://www.zmag.org/znet/viewArticle/3086
• Telecom Italia scandal in the news again:
• http://kindlingman.wordpress.com/2006/10/26/telecom-italia-scandal-in-the-news-again/
• Very good resumes of the facts:
• http://kindlingman.wordpress.com/2006/10/26/telecom-italia-scandal-in-the-news-again/
• http://www.theregister.co.uk/2008/04/14/telecom_italia_spying_probe_update/
• http://www.guardian.co.uk/commentisfree/2007/apr/18/itsirritatingforitaliansto?gusrc=rss&feed=global
• Wiretapping: the Tsalikidis’ case: http://www.rainews24.rai.it/ran24/inchieste/27102006_intercettazioni-eng.asp
• Diplomacy Lessons: Vodafone Eavesdropping Scandal: http://www.bradykiesling.com/vodafone_scandal.htm
• The Athens Affair: http://www.spectrum.ieee.org/jul07/5280

Page 58: nullcon 2010 - Corporate Security and Intelligence – the dark links

Books

• 2007 ‐ Massimo Mucchetti. Il Baco del Corriere. Milano, Feltrinelli, 2007. (ISBN 88‐07‐17132‐5)
• 2008 ‐ Giorgio Boatti, Giuliano Tavaroli: Spie, 241 pp, Mondadori, Collana Frecce, ISBN 9788804580720
• 2008 ‐ Sandro Orlando: La repubblica del ricatto ‐ Dossier segreti e depistaggi nell'Italia di oggi (foreword by Furio Colombo), 299 pp, Chiarelettere editore srl, Milano, ISBN 9788861900042
• 2008 ‐ Emilio Randacio: Una vita da spia ‐ 007 si nasce o si diventa?, 182 pp, Rizzoli, Collana Futuropassato, ISBN 9788817020572
• 2008 ‐ Giorgio Boatti: Spie, 241 pp, Mondadori, Collana Frecce, ISBN 9788804580720
• 2009 ‐ Andrea Pompili. Le Tigri di Telecom. Roma, 2009. ISBN 9788862220682.

Page 59: nullcon 2010 - Corporate Security and Intelligence – the dark links

Acknowledgements

• Hemanshu Asolia and Aseem Jakhar for giving me blind trust with this Final Key Note talk, about which he didn’t know anything at all… Thank you guys!
• All of the nullcon staff.
• All of YOU, for attending this wonderful International Security & Hacking Event ☺
• The underground: pentesters, security researchers, hackers… that’s us!

Page 60: nullcon 2010 - Corporate Security and Intelligence – the dark links

Contacts, Q&A

Page 61: nullcon 2010 - Corporate Security and Intelligence – the dark links

Contacts, Q&A

QUESTIONS ?

Raoul Chiesa
(the crazy guy that decided to tell you what he knows about a couple of real shitty incidents)

mailto: [email protected]: nullcon 2010, Intelligence Operations

GPG Key: http://raoul.EU.org/RaoulChiesa.asc