nullcon 2010 - Corporate Security and Intelligence – the dark links
1. Intelligence Operations & Corporate Security: the dark links
[Release 0.4]
An analysis of two weird case studies
Raoul “Nobody” Chiesa
Nullcon 2010, Goa, India
2. Talk’s Rules
• NO Audio, no Video, no A/V recording.
• No pictures.
• No disclosure outside of the conference itself (“PH Neutral‐like” approach).
• Questions at the end, please.
4. Who am I?
• I’ve been a “bad guy” from 1986 until 1995. Then they busted me.
• So I grew up, basically inventing a job I do love.
• I run my own security consulting company, @Mediaservice.net, since 1997, and a sister company specialized in Digital Forensics (atpss.net) since 2005.
• I’m into Security R&D, I could say at 360°.
• I’m an OSSTMM Key Contributor.
• I’m a Board of Directors member for many associations (ISECOM, CLUSIT, TSTF.net, OWASP Italy) and I work with some others (ICANN, APWG, GCSC, ENISA, etc.).
• I am the Worldwide Technical Contact Officer at the UNICRI (United Nations Interregional Crime & Justice Research Institute) on cybercrime issues.
• I travel the world giving out speeches and meeting nice folks like you!
5. Some stuff you asked me yesterday and this morning
• UNICRI Cybercrime Homepage:
– http://www.unicri.it/wwd/cyber_crime/index.php
• UNICRI Cybercrime Training Framework:
– http://www.unicri.it/wwd/cyber_crime/links.php
• UNICRI Cybercrime links:
– http://www.unicri.it/wwd/cyber_crime/links.php
• A cool hacking tools page from my Red Team:
– http://oxdeadbeef.info
• On botnets, 0‐days and reverse engineering, from a friend:
– http://extraexploit.blogspot.com
• On Mobile (handset) Security, from Italian friends:
– http://www.mseclab.com
• Hackers Profiling Questionnaire:
– http://hpp.recursiva.org
8. Disclaimer
I don’t think you will ever see this talk again at some other conference; maybe somebody will shoot me before. So, please pay attention to what I will tell you. And it took me 2 years to acquire all the documents (public and not public ones) and correlate the information I will detail for you in a few minutes.
• There are (still) many rumors regarding what exactly happened;
• there are many unanswered questions regarding what happened (and an on‐going court trial);
• for this talk we assume that what is publicly known is what actually happened;
• the ideas and opinions presented here are my own and do not represent any views or opinions of the United Nations, but my personal ones.
9. Disclaimer (bis)
Why did I take the decision to analyze these two cases?
• In the Telecom Italia affair, the mass media coverage has been huge, while nobody from the IT sector even wrote something about what happened (!) *
• In the Vodafone Greece scandal, international newspapers did not write so much about what happened (language didn’t help), whilst on the technical side some research has been published (IEEE mainly).
• A terrible image of “penetration testers” popped up: unethical people, fakes, criminals; “Tiger Team” cannot even be used anymore as a word in some national markets…
• I think it is essential to speak about these scandals, and clarity should be achieved as soon as possible.
* Books have been written by some of the arrested subjects; see the bibliography at the end of this talk.
10. Last disclaimer (aka “I want to believe”)
Raoul, why the hell did you take the decision to analyze these two cases? (a XXXXXX agent & friend, August 2008)
• I used to know some of the people involved (Telecom Italia affair).
• I used to have “some knowledge” of mobile operators’ MSCs (Vodafone Hellas affair).
• Every time I’m attending some Infosec event, friends ask me “What the fuck happened out there?!?”
• I love weird stories. I love to teach what I know.
• I am a damned curious guy.
• I want to believe – that IT Security and criminality will not merge so easily. Not again.
11. “After 1989, Italtel used to have 150/200 employees in the Soviet Union, working closely with the governments of the republics from the former Soviet bloc.
At the same time, SISMI wasn’t even able to infiltrate a single agent into those countries.
Who ruled more? Who was the one able to obtain more information?”
July 28th, 2008
Giuliano Tavaroli
Former Telecom Italia and Pirelli CISO
12. Agenda
Disclaimer(s)
Introduction
What Corporate Security should be and is
What Intelligence should be and is
Management Models
Historical links between CS & I
Case Studies
Case I
Case II
Conclusions
Bibliography and Links
14. What Corporate Security should be
• From wikipedia (http://en.wikipedia.org/wiki/Corporate_Security):
Corporate Security identifies and effectively mitigates or manages, at an early stage, any developments that may threaten the resilience and continued survival of a corporation.
It is a well organized corporate function that oversees and manages the close coordination of all functions within the company that are concerned with security, continuity and safety, and contributes to the fulfillment of good corporate governance, responsibility, observance or compliance of prevailing legal regulations, as well as the meeting of customers’, suppliers’, and other business partners’ requirements in accordance with corporate objectives.
15. What Corporate Security often is
• FPOL (First Point of Life) for System Integrators and Vendors.
• SPOL (Second Point of Salary) for retired LEOs.
• Breaking laws (in hundreds of ways!).
• Outsourcing “black jobs” (checks on people, PIs’ activities, IT attacks, D/DoS, etc.).
• A BU playing “internal, political wars” with other BUs.
• A personal “IT Army” for the management.
• A facility from where to help out some colleagues at LEAs.
• A link to Secret Services (Intelligence Agencies).
• A place where IT Security is the last thing :(
16. What Intelligence (agencies) should be
• From wikipedia (http://en.wikipedia.org/wiki/Intelligence_agency):
An intelligence agency is a governmental agency that is devoted to information gathering (known in the context as "intelligence") for purposes of national security and defense. Means of information gathering may include espionage, communication interception, cryptanalysis, cooperation with other institutions, and evaluation of public sources. The assembly and propagation of this information is known as intelligence analysis.
Intelligence agencies can provide the following services for their national governments:
– provide analysis in areas relevant to national security;
– give early warning of impending crises;
– serve national and international crisis management by helping to discern the intentions of current or potential opponents;
– inform national defense planning and military operations;
– protect secrets, both of their own sources and activities, and those of other state agencies;
– and may act covertly to influence the outcome of events in favor of national interests.
Intelligence agencies are also involved in defensive activities such as counter‐espionage or counter‐terrorism.
Some agencies are accused of being involved in assassination, arms sales, coups d'état, and the placement of misinformation (propaganda) as well as other covert operations, in order to support their own or their governments' interests.
17. What “Intelligence” often is
• Buying 0‐day exploits from the underground and/or Infosec companies.
• Hacking into suspects’ boxes.
• Running extraordinary retention programs, thus unauthorized by the Country where the operation is running.
• …… other nasty things we could really not say here!
19. The structure
• No matter if we are speaking about the Corporate Security of a multinational or the Internal Secret Service of a State: they do run models and do have defined structures.
• It is really interesting to study their approaches, since it helps out in better understanding their information flows, people’s roles and decision‐makers. (AKA Human Reverse Engineering ;)
25. IS Management – Evolution of the models
[Figure: three models side by side, labelled Original approach, Evolved approach, Nowadays approach]
26. IS Management models – today’s standard
[Org chart: CEO / AD at the top; below: General Department; Financial Planning & Business Control; Information Risk Management; HR & Organizational Procedures Department; Legal & Corporate Affairs; Administration Department; five BUs at the bottom]
27. IS Management models – Tavaroli’s approach
[Org chart: CEO at the top; below: Human Resources & Organization; Finance & Legal Affairs; Public & Media Relations; Security, Safety & Facilities; Commercial Strategy; Supply Chain & Technology; Operations Management; Corporate Communication]
28. IS Management models – A good “security dept.” approach
[Org chart: Security at the top; below: Risk Analysis; Security Compliance; Crisis Management & Business Continuity; Security Awareness; Information Security; International Physical Security; Data Privacy; Security Operations (Fraud) Management]
29. Historical links
• There are very well‐known historical links between telcos and governments:
– AT&T & NSA
– Telecom Italia & Italtel with SISMI and SISDE
– Deutsche Telekom and Siemens
– OTE Hellas & EYP
• Why?
– Because LEAs and IAs know that information is power. They have always known this.
– That’s why they always want to be able to eavesdrop, intercept, and collect data.
– Also, political scandals are a part of history; whenever “communication” begins, IAs begin to monitor politicians, both locally and abroad.
• …What about hackers & telcos then??
30. Agenda
Disclaimer(s)
Introduction
What Corporate Security should be and is
What Intelligence should be and is
Management Models
Historical links between CS & I
Case Studies
Case I
Case II
Conclusions
Bibliography and Links
32. The Case Studies
• So, I said “hackers & telcos”.
• This may mean as well “telcos & hacking”… (not “hacking telcos”: that’s another point ;)
• This concept leads us to the two case studies we are going to analyze:
– the Vodafone Greece Scandal
– the Telecom Italia Affair
33. In one shot ‐ Greece
• Basically, what the heck happened?
• Vodafone Hellas:
+ One hundred‐plus “VIP” mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc.
+ Calls from and to 100+ SIMs were diverted to 14 “pay‐as‐you‐go” mobile phones.
+ Four BTS covered the area where these receiving SIMs were located.
+ “Incidentally”, the Athens US Embassy is right in the middle of them ☺
+ This has been done via a high‐level hack of the Ericsson AXE GSM MSC: building a rootkit “parked” in the RAM area, since obviously the MSC was in “production” (!!!).
+ “The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One year later, at least. Maybe longer… nobody knows.
+ On March 9th, a Vodafone “top technician” (KT) committed suicide (Kostas Tsalikidis, 39 y.o., Head of Network Design).
+ EYP (Hellas National Intelligence Agency) began investigating at once.
× Right now, no‐one has any idea about who did it and why.
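A defender‐side heuristic for the diversion pattern on this slide (an added example, not code from the talk or from Vodafone/Ericsson; the Leg record layout, subscriber numbers, cell names and thresholds are all constructed): it pairs a subscriber’s coincident legs to two different destinations, which a handset cannot hold but a switch‐side fork produces, then reports the “shadow” destinations fed by several subscribers together with the cells serving them.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Leg:
    """One call leg as a switch might export it (constructed layout, not a real CDR)."""
    subscriber: str  # A-number the leg was set up for
    dest: str        # B-number
    start: int       # setup time, seconds (constructed, epoch-free)
    end: int         # release time, seconds
    cell: str        # serving cell of the B-party at setup


def paired_legs(legs, window=2):
    """Yield (primary, shadow) pairs: two legs of the same subscriber to different
    destinations whose setup and release coincide within `window` seconds."""
    by_sub = defaultdict(list)
    for leg in legs:
        by_sub[leg.subscriber].append(leg)
    for sub_legs in by_sub.values():
        sub_legs.sort(key=lambda l: l.start)
        for i, a in enumerate(sub_legs):
            for b in sub_legs[i + 1:]:
                if b.start - a.start > window:
                    break  # sorted by start: nothing later can coincide with a
                if a.dest != b.dest and abs(a.end - b.end) <= window:
                    yield a, b  # b was set up after a, so b is the suspected fork


def shadow_destinations(legs, window=2, min_subscribers=2):
    """Aggregate suspected fork legs by destination and keep destinations receiving
    them from at least `min_subscribers` distinct subscribers, with their cells.
    A handful of destinations clustered on a few cells is the pattern described."""
    subs, cells = defaultdict(set), defaultdict(set)
    for primary, shadow in paired_legs(legs, window):
        subs[shadow.dest].add(primary.subscriber)
        cells[shadow.dest].add(shadow.cell)
    return {dest: {"subscribers": sorted(s), "cells": sorted(cells[dest])}
            for dest, s in subs.items() if len(s) >= min_subscribers}


# Constructed sample: three monitored subscribers whose calls are forked to two
# prepaid numbers served by neighbouring cells, plus one unmonitored subscriber
# whose back-to-back and merely overlapping calls must not be flagged.
SAMPLE_LEGS = [
    Leg("3069100001", "3069200001", 1000, 1180, "CELL-17"),
    Leg("3069100001", "6940000001", 1001, 1180, "CELL-03"),  # fork to shadow 1
    Leg("3069100002", "3069200002", 2000, 2350, "CELL-21"),
    Leg("3069100002", "6940000001", 2000, 2351, "CELL-03"),  # fork to shadow 1
    Leg("3069100003", "3069200003", 3000, 3090, "CELL-08"),
    Leg("3069100003", "6940000002", 3001, 3091, "CELL-04"),  # fork to shadow 2
    Leg("3069100001", "3069200004", 4000, 4100, "CELL-17"),
    Leg("3069100001", "6940000002", 4001, 4099, "CELL-04"),  # fork to shadow 2
    Leg("3069100009", "3069200005", 5000, 5060, "CELL-11"),  # back-to-back calls
    Leg("3069100009", "3069200006", 5065, 5120, "CELL-11"),
    Leg("3069100009", "3069200007", 6000, 6200, "CELL-11"),  # overlap, not coincident
    Leg("3069100009", "3069200008", 6030, 6210, "CELL-12"),
]

if __name__ == "__main__":
    for dest, info in shadow_destinations(SAMPLE_LEGS).items():
        print(dest, info)
```

A forked interception leg may never reach billing records at all, so this only helps on whatever leg‐level data the switch itself exports.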
34. Case Study I: Actors involved
• Some elite hacker.
– Retired Ericsson technical guy(s)?
• Some seriously‐intentioned IA (CIA?).
• Some historical and geo‐political situation (Carpe Diem).
• Local politicians and National Secret Service.
• The Olympic Games?
• The “best hack of 2005” prize. For sure.
35. Targeted people (Vodafone Hellas/1)
• GOVERNMENT TARGETS (name: role [press source]):
– Karamanlis, Kostas: Prime Minister of Greece (two phones of 20) [Elef. 3Feb]
– Molyviatis, Petros: then Foreign Minister, a private phone [Elef. 3Feb]
– Spiliotopoulos, Spilios: then Minister of Defense [Elef. 3Feb]
– Voulgarakis, Giorgos: then Minister of Public Order [Elef. 3Feb]
– Papaligouras, Anastasios: Minister of Justice [Elef. 3Feb]
– Valinakis, Giannis: Alternate Foreign Minister [Elef. 3Feb]
– Dimas, Stavros: EU Commissioner [Elef. 3Feb]
– Bakoyianni, Dora: then Mayor of Athens [Elef. 3Feb]
– Vallindas, Giorgos: Ambassador, Foreign Ministry Mideast Division Director [Elef. 3Feb]
– Choreftaki, Glykeria: Foreign Ministry employee [Elef. 3Feb]
– Papantoniou, Giannis: PASOK MP, ex Minister of Defense [Elef.]
– Apostolidis, Pavlos: then Head of Greek Intelligence Service (EYP), his car phone [Nea]
– Karamanli, Natasha: wife of the Prime Minister [Nea]
– eight unidentified foreign ministry officials [Nea]
– unnamed intelligence officials, EYP operations officers [Nea]
– Korandis, Giannis: current EYP director, then Ambassador to Turkey, his private car phone [Nea 3‐16]
– Molyviati, Lora: daughter of the former Foreign Minister [Nea 3‐16]
36. Targeted people (Vodafone Hellas/2)
• POLICE/SECURITY TARGETS (name: role [press source]):
– Maravelis, Dimitris: Police officer in Olympic Security [Elef. 3Feb]
– Maris, Giorgos: lawyer, legal advisor to the Public Order Ministry [Elef. 3Feb]
– Angelakis, Dimitris: Police in Olympic Security or EYP unionist [Elef. 3Feb]
– Sontis, Theodore: U.S. Embassy Greek‐American, gave the phone to the security detail [Elef.]
– Kyriakakis, Evstratios: Former Director, Criminological Service, Greek Police [Ta Nea]
– Galiatsos, G.: Director of Exercises, Athens Olympic Security [Ta Nea]
– Mitropoulos, G.: Chief of Staff, Ministry of Public Order [Ta Nea]
– Konstantinidis, V.: Olympic Games Security Director [Ta Nea]
– Nasiakos, Fotis: Former Chief, Greek Police (phone given to another) [Ta Nea]
– Dimoschakis, An.: Chief of Staff, Greek Police [Ta Nea]
– Syrros, St.: Former director of the Counterterrorism division, Greek Police [Ta Nea]
– Galikas, D.: Director of the Counterterrorism Division, Greek Police [Ta Nea]
– Angelakos, Giorgos: Chief of Greek Police [Ta Nea]
– seven senior military: senior officers in the General Staff [Ta Nea]
– General Staff Communications Director [Ta Nea]
– Communications Director, chief of General Staff; Defense Ministry staffer; Defense Ministry staff company [Eleft 2/5]
37. Targeted people (Vodafone Hellas/3)
• FOREIGN CITIZENS TARGETS (name: description [press source]):
– Meim, Mohamad: Pakistani [Elef]
– Moktar, Ramzi: Sudanese [Elef]
– Maloum, Udin: Sudanese [Elef]
– Jamal, Abdullah: Lebanon radio reporter or Syrian journalist, now fast food operator [Elef]
– Sadik, Hussein Moh.: Pakistani store owner [Elef]
– Tarek, Ibrahim Ahmet: Iraqi [Elef]
– Kadir, Aris: Kurd [Elef]
– Thair, Hermiz: Iraqi [Elef]
– Ayoubi, Chadi: Lebanese al Jazeera reporter, Gr resident [Elef]
– Basari, Mohamed: Iraqi immigrant, Igoumenitsa, 3 years, furniture factory worker [Nea 3‐16]
– Unnamed Syrian, 3 years [Nea 3‐16]
– Unnamed Iraqi, 2 years [Nea 3‐16]
38. Targeted people (Vodafone Hellas/4)
• UNEXPLAINED TARGETS (name: description [press source]):
– Fergadis, Theodoros: businessman [Elef. 3Feb]
– Kakotaritis, Giorgos: blanket factory? [Elef. 3Feb]
– Linardos, Nikolaos: Pegasus financial co, underwear firm [Nea 3‐16]
– Cretan businessman, shipper of remote control airplanes, including Souda Bay [Vima 3/25]
– Cretan refrigeration tech from Ag. Nikolaos, Crete [Vima 3/25]
– Koika, Katerina: journalist [Elef. 3Feb]
– Psychogios, Giorgos: criminal lawyer, Thebes mayor candidate [Elef. 3Feb]
– Makris, Kostas [Elef. 3Feb]
– Barbarousi, Dimitra [Elef. 3Feb]
– Notas, Anastasios [Elef]
– Pavlidis, Pavlos [Elef]
– Pnevmatikakis, Angelos [Elef]
– unknown card phone 6942 5447.. Activated 2/28/05 [Vima 2/25]
39. In one shot ‐ Italy
SANITIZED: YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK… SORRY FOLKS!
40. Case Study II: Actors involved
SANITIZED: YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK… SORRY FOLKS!
42. Case Study II: Actors involved
SANITIZED: YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK… SORRY FOLKS!
43. Case Study II – Actions: Build the infrastructure
SANITIZED: YOU SHOULD HAVE ATTENDED NULLCON 2010 IN ORDER TO ATTEND THIS NICE TALK… SORRY FOLKS!
44. SANITIZED
45. Please, gimme a Timeline!!!
• Yep, I know. This scandal is huge.
• This affair would need something like an 8‐hour talk to let you really understand WTF happened.
• That’s why I skipped lunch and spent some time building an event timeline ☺
50. Agenda
Disclaimer(s)
Introduction
What Corporate Security should be and is
What Intelligence should be and is
Management Models
Historical links between CS & I
Case Studies
Case I
Case II
Conclusions
Bibliography and Links
52. Conclusions/Telecom Italia
• An innocent man has been induced to commit suicide. Whatever the true facts are, he’s dead.
• A 5‐year period of very negative image for Telecom Italia Group.
• Even if all the facts must be proven in a Law Court, those ordered attacks and the TV images showing thousands of dossiers of private citizens – STASI like – impressed a lot of normal people.
• The world discovered the existence of RADAR (a Counter Fraud System that can be abused just like a Lawful Interception System) at Telecom Italia Mobile.
• Tiger Team = very bad word (!)
• IMHO, strong damage was also done to the worldwide underground scene (HITB, Bluehat, etc.).
53. Conclusions/Vodafone Hellas
• A dead man here too…
• A very light negative image for Vodafone Hellas: the media didn’t hit the subject that much in the news coverage.
• Obscure CIA links?
• Rootkit in the Ericsson AXE MSC.
54. General Conclusions
• These two cases are just the tip of the iceberg.
• These “incidents” happen every day in IAs and telco companies. They just don’t say it.
• Avoiding this shit happening again is up to us, the infosec guys.
• ALL of you should contribute to this.
• I want to believe. Still.
• Hackers are clean people, not criminals.
57. Links
ITALIAN:
• http://it.wikipedia.org/wiki/Scandalo_Telecom‐Sismi
• http://it.wikipedia.org/wiki/Giuliano_Tavaroli
• http://it.wikipedia.org/wiki/Tiger_team
• http://it.wikipedia.org/wiki/Laziogate
ENGLISH:
• Who is Telecom Italia: http://en.wikipedia.org/wiki/Telecom_Italia
• Italy’s byzantine Telecom Italia scandal shakes the Republic: http://www.zmag.org/znet/viewArticle/3086
• Telecom Italia scandal in the news again: http://kindlingman.wordpress.com/2006/10/26/telecom‐italia‐scandal‐in‐the‐news‐again/
• Very good summaries of the facts:
– http://www.theregister.co.uk/2008/04/14/telecom_italia_spying_probe_update/
– http://www.guardian.co.uk/commentisfree/2007/apr/18/itsirritatingforitaliansto?gusrc=rss&feed=global
• Wiretapping: the Tsalikidis case: http://www.rainews24.rai.it/ran24/inchieste/27102006_intercettazioni‐eng.asp
• Diplomacy Lessons: Vodafone Eavesdropping Scandal: http://www.bradykiesling.com/vodafone_scandal.htm
• The Athens Affair: http://www.spectrum.ieee.org/jul07/5280
58. Books
• 2007 ‐ Massimo Mucchetti: Il Baco del Corriere. Milano, Feltrinelli, 2007. ISBN 88‐07‐17132‐5
• 2008 ‐ Giorgio Boatti, Giuliano Tavaroli: Spie, 241 pp, Mondadori, Collana Frecce, ISBN 9788804580720
• 2008 ‐ Sandro Orlando: La repubblica del ricatto ‐ Dossier segreti e depistaggi nell'Italia di oggi (prefazione di Furio Colombo), 299 pp, Chiarelettere editore srl, Milano, ISBN 9788861900042
• 2008 ‐ Emilio Randacio: Una vita da spia ‐ 007 si nasce o si diventa?, 182 pp, Rizzoli, Collana Futuropassato, ISBN 9788817020572
• 2009 ‐ Andrea Pompili: Le Tigri di Telecom. Roma, 2009. ISBN 9788862220682
59. Acknowledgements
• Hemanshu Asolia and Aseem Jakhar, for giving me blind trust with this Final Keynote talk, about which they didn’t know anything at all… Thank you guys!
• All of the nullcon staff.
• All of YOU, for attending this wonderful International Security & Hacking Event ☺
• The underground: pentesters, security researchers, hackers…. that’s us!
61. Contacts, Q&A
QUESTIONS?
Raoul Chiesa
(the crazy guy that decided to tell you what he knows about a couple of real shitty incidents)
mailto: chiesa@UNICRI.it
Subject: nullcon 2010, Intelligence Operations
GPG Key: http://raoul.EU.org/RaoulChiesa.asc