
nullcon 2010 - Corporate Security and Intelligence – the dark links



  1. Intelligence Operations & Corporate Security: the dark links [Release 0.4]. An analysis of two weird case studies. Raoul “Nobody” Chiesa, Nullcon 2010, Goa, India.
  2. Talk's Rules
     • NO Audio, no Video, no A/V recording.
     • No pictures.
     • No disclosure outside of the conference itself (“PH Neutral‐like” approach).
     • Questions at the end, please.
  3. Agenda: Disclaimer(s); Introduction (What Corporate Security should be and is; What Intelligence should be and is; Management Models; Historical links between CS & I); Case Studies (Case I, Case II); Conclusions; Bibliography and Links.
  4. Who am I?
     • I've been a “bad guy” from 1986 until 1995. Then they busted me.
     • So I grew up, basically inventing a job I do love.
     • I run my own security consulting company, @Mediaservice.net, since 1997, and a sister company specialized in Digital Forensics (atpss.net) since 2005.
     • I'm into Security R&D, I could say at 360°.
     • I'm an OSSTMM Key Contributor.
     • I'm a Board of Directors member for many associations (ISECOM, CLUSIT, TSTF.net, OWASP‐Italy) and I work with some others (ICANN, APWG, GCSC, ENISA, etc.).
     • I am the Worldwide Technical Contact Officer at the UNICRI (United Nations Interregional Crime & Justice Research Institute) on cybercrime issues.
     • I travel the world giving out speeches and meeting nice folks like you!
  5. Some stuff you asked me yesterday and this morning
     • UNICRI Cybercrime Homepage: http://www.unicri.it/wwd/cyber_crime/index.php
     • UNICRI Cybercrime Training Framework: http://www.unicri.it/wwd/cyber_crime/links.php
     • UNICRI Cybercrime links: http://www.unicri.it/wwd/cyber_crime/links.php
     • A cool hacking tools page from my Red Team: http://oxdeadbeef.info
     • On botnets, 0‐days and reverse engineering, from a friend: http://extraexploit.blogspot.com
     • On Mobile (handset) Security, from Italian friends: http://www.mseclab.com
     • Hackers Profiling Questionnaire: http://hpp.recursiva.org
  6. Agenda: Disclaimer(s); Introduction (What Corporate Security should be and is; What Intelligence should be and is; Management Models; Historical links between CS & I); Case Studies (Case I, Case II); Conclusions; Bibliography and Links.
  7. Disclaimer(s)
  8. Disclaimer
     I don't think you will ever see this talk again at some other conference; maybe somebody will shoot me before. So, please pay attention to what I will tell you. And it took me 2 years to acquire all the documents (public and not public ones) and correlate the information I will detail to you in a few minutes.
     • There are (still) many rumors regarding what exactly happened;
     • there are many unanswered questions regarding what happened (and an on‐going court trial);
     • for this talk we assume that what is publicly known is what actually happened;
     • the ideas and opinions presented here are my own and do not represent any views or opinions of the United Nations, but my personal ones.
  9. Disclaimer (bis)
     Why did I take the decision to analyze these two cases?
     • In the Telecom Italia affair, the mass media coverage has been huge, while no one from the IT sector even wrote something about what happened (!) *
     • In the Vodafone Greece scandal, international newspapers did not write so much about what happened (language didn't help), whilst on the technical side some research has been published (IEEE mainly).
     • A terrific image related to “penetration testers” popped up: unethical people, false, criminals; “Tiger Team” cannot even be used anymore as a word in some national markets…
     • I think it is essential to speak about these scandals, and clarity should be made as soon as possible.
     * Books have been written by some of the arrested subjects; see bibliography at the end of this talk.
  10. Last disclaimer (aka “I want to believe”)
     “Raoul, why the hell did you take the decision to analyze these two cases?” (a XXXXXX agent & friend, August 2008)
     • I used to know some of the people involved (Telecom Italia affair).
     • I used to have “some knowledge” of mobile operators' MSCs (Vodafone Hellas affair).
     • All the times I'm attending some Infosec event, friends used to ask me “What the fuck happened out there?!?”
     • I love weird stories. I love to teach what I know.
     • I am a damned curious guy.
     • I want to believe that IT Security and criminality will not merge so easily. Not again.
  11. “After 1989, Italtel used to have 150/200 employees in the Soviet Union, working closely with the governments of the republics from the former Soviet bloc. At the same time, SISMI wasn't even able to infiltrate a single agent into those countries. Who ruled more? Who was the one able to obtain more information?” (July 28th, 2008, Giuliano Tavaroli, Former Telecom Italia and Pirelli CISO)
  12. Agenda: Disclaimer(s); Introduction (What Corporate Security should be and is; What Intelligence should be and is; Management Models; Historical links between CS & I); Case Studies (Case I, Case II); Conclusions; Bibliography and Links.
  13. PART I: Introduction
  14. What Corporate Security should be
     • From wikipedia (http://en.wikipedia.org/wiki/Corporate_Security): Corporate Security identifies and effectively mitigates or manages, at an early stage, any developments that may threaten the resilience and continued survival of a corporation. It is a well organized corporate function that oversees and manages the close coordination of all functions within the company that are concerned with security, continuity and safety, and contributes to the fulfillment of good corporate governance, responsibility, observance or compliance of prevailing legal regulations, as well as the meeting of customers', suppliers', and other business partners' requirements in accordance with corporate objectives.
  15. What Corporate Security often is
     • FPOL (First Point of Life) for System Integrators and Vendors.
     • SPOL (Second Point of Salary) for retired LEOs.
     • Breaking laws (in hundreds of ways!).
     • Outsourcing “black jobs” (checks on people, PIs' activities, IT attacks, D/DoS, etc.).
     • A BU playing “internal, political wars” with other BUs.
     • A personal “IT Army” for the management.
     • A facility from where to help out some colleagues at LEAs.
     • A link to Secret Services (Intelligence Agencies).
     • A place where IT Security is the last thing :(
  16. What Intelligence (agencies) should be
     • From wikipedia (http://en.wikipedia.org/wiki/Intelligence_agency): An intelligence agency is a governmental agency that is devoted to the information gathering (known in the context as "intelligence") for purposes of national security and defense. Means of information gathering may include espionage, communication interception, cryptanalysis, cooperation with other institutions, and evaluation of public sources. The assembly and propagation of this information is known as intelligence analysis. Intelligence agencies can provide the following services for their national governments: provide analysis in areas relevant to national security; give early warning of impending crises; serve national and international crisis management by helping to discern the intentions of current or potential opponents; inform national defense planning and military operations; protect secrets, both of their own sources and activities, and those of other state agencies; and may act covertly to influence the outcome of events in favor of national interests. Intelligence agencies are also involved in defensive activities such as counter‐espionage or counter‐terrorism. Some agencies are accused of being involved in assassination, arms sales, coups d'état, and the placement of misinformation (propaganda) as well as other covert operations, in order to support their own or their governments' interests.
  17. What “Intelligence” often is
     • Buying 0‐day exploits from the underground and/or Infosec companies.
     • Hacking into suspects' boxes.
     • Running extraordinary retention programs, thus unauthorized by the Country where the operation is running.
     • ……..other nasty things we could really not say here!
  18. A look at the management structures
  19. The structure
     • No matter if we are speaking about the Corporate Security of a multinational rather than the Internal Secret Service of a State: they do run models and do have defined structures.
     • It is really interesting to study their approaches, since it helps out in better understanding their information flows, people's roles and decision‐makers (AKA Human Reverse Engineering ;)
  20. Intelligence Agencies: general model (diagram)
  21. Intelligence Agencies: the USA model * (diagram; * ex Intelligence Reform and Terrorism Prevention Act, 2004)
  22. Intelligence Agencies: the Italy model * (diagram; * ex law 801_1977)
  23. Intelligence Agencies: the Italy model * (diagram; * ex law 124_2007)
  24. Intelligence Agencies: the Greece model * (diagram; * ex law of February 2008)
  25. IS Management: Evolution of the models (diagram: Original approach, Evolved approach, Nowadays approach)
  26. IS Management models: today's standard (org chart)
     • CEO / AD
     • Financial Planning & Business Control
     • General Department
     • Information Department
     • HR & Organizational Procedures
     • Risk Management
     • Legal & Corporate Affairs
     • Administration Department
     • BU, BU, BU, BU, BU
  27. IS Management models: Tavaroli's approach (org chart)
     • CEO
     • Human Resources & Organization
     • Finance
     • Public Media Relations
     • Security, Safety & Facilities
     • Legal Affairs
     • Commercial
     • Supply Chain & Technology
     • Strategy
     • Operations Management
     • Corporate Communication
  28. IS Management models: a good “security dept.” approach (org chart)
     • Security Risk Analysis
     • Security Compliance
     • Crisis Management & Business Continuity
     • Security Awareness
     • Information Security, Data Privacy
     • International Security
     • Physical Security
     • Security Operations (Fraud) Management
  29. Historical links
     • There are very‐well known historical links between telcos and governments:
       – AT&T & NSA
       – Telecom Italia & Italtel with SISMI and SISDE
       – Deutsche Telecom and Siemens
       – OTE Hellas & EYP
     • Why?
       – Because LEAs and IAs know that information is power. They have always known this.
       – That's why they always want to be able to eavesdrop, intercept, and collect data.
       – Also political scandals are a part of history; whenever “communication” begins, then IAs begin to monitor politicians, both locally and abroad.
     • …What about hackers & telcos then??
  30. Agenda: Disclaimer(s); Introduction (What Corporate Security should be and is; What Intelligence should be and is; Management Models; Historical links between CS & I); Case Studies (Case I, Case II); Conclusions; Bibliography and Links.
  31. PART II: Case studies
  32. The Case Studies
     • So, I said “hackers & telcos”.
     • This may mean as well “telcos & hacking”… (not “hacking telcos”: that's another point ;)
     • This concept leads us to the two case studies we are going to analyze:
       – the Vodafone Greece Scandal
       – the Telecom Italia Affair
  33. In one shot ‐ Greece
     • Basically, what the heck happened?
     • Vodafone Hellas:
       – One hundred-plus “VIP” mobile subscribers have been eavesdropped: Government members, Defense officials mainly, including the Greek Prime Minister, Foreign, Defence, Public Order officials, etc.
       – Calls from and to +100 SIMs were diverted to 14 “pay‐as‐you‐go” mobile phones.
       – Four BTS were “interested” by the area where these receiving SIMs were located. “Incidentally”, the Athens US Embassy is right in the middle of them ☺
       – This has been done via a high‐level hack to the Ericsson AXE GSM MSC, building a rootkit “parked” in the RAM area, since obviously the MSC was in “production” (!!!).
       – “The Hack” was discovered on March 7th, 2005, by Ericsson technical staff. One year later at least. Maybe longer… nobody knows.
       – On March 9th, a Vodafone “top technician” (KT) committed suicide (Kostas Tsalikidis, 39 y.o., Head of Network Design).
       – EYP (Hellas National Intelligence Agency) began investigating at once.
       – Right now, no‐one has any idea about who did it and why.
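The diversion pattern described on slide 33 (the calls of a hundred-plus subscribers copied to a handful of prepaid phones) is, from the operator's side, a detectable anomaly: a number that is not operator-provisioned yet quietly collects legs from many unrelated lines. The Python below is an added example, not code from the talk nor from any operator or from Ericsson: it assumes a simplified call record of (timestamp, A-number, B-number, extra_leg), where extra_leg is a third number the call was silently diverted or conferenced to, and flags extra legs that receive copies from several distinct lines and are not on an allow-list of legitimate forwarding targets (voicemail, conference bridges). All numbers are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Simplified call record (assumed format, not an AXE/MSC record layout):
# (timestamp, A-number, B-number, extra_leg). extra_leg is a third number the
# call was silently diverted or conferenced to, or None for a normal call.
Record = Tuple[str, str, str, Optional[str]]

# Constructed sample data. The 3069700000x lines are "monitored" subscribers
# whose calls all acquire the same extra leg; 6942000000/6942000001 are
# constructed prepaid numbers; 30210009999 stands in for a voicemail platform.
SAMPLE: List[Record] = [
    ("2005-01-10T09:01", "30210000001", "30210000002", None),
    ("2005-01-10T09:05", "30210000003", "30210000004", "30210009999"),
    ("2005-01-10T09:07", "30210000005", "30210000006", "30210009999"),
    ("2005-01-10T09:09", "30210000007", "30210000008", "30210009999"),
    ("2005-01-10T10:00", "30697000001", "30697000010", "6942000000"),
    ("2005-01-10T10:30", "30697000002", "30697000011", "6942000000"),
    ("2005-01-10T11:00", "30697000003", "30697000012", "6942000000"),
    ("2005-01-10T11:10", "30697000004", "30697000013", "6942000001"),
]

# Extra legs the operator itself provisions (voicemail, conference bridges).
# Anything else that receives legs from many unrelated lines deserves a look.
AUTHORIZED_LEGS: Set[str] = {"30210009999"}


def shadow_numbers(records: List[Record], min_lines: int = 3,
                   authorized: Set[str] = AUTHORIZED_LEGS) -> Dict[str, Set[str]]:
    """Map each suspicious extra leg to the set of lines whose calls it received.

    A leg is suspicious when it is not operator-provisioned and conversations
    of at least `min_lines` distinct lines were copied to it. A legitimate
    personal forward (secretary, second handset) serves one or two lines; a
    number quietly collecting legs from dozens of unrelated lines matches the
    pattern the talk describes.
    """
    lines_per_leg: Dict[str, Set[str]] = defaultdict(set)
    for _ts, a_num, b_num, leg in records:
        if leg is None or leg in authorized:
            continue
        # Either party of the call may be the monitored one; count both.
        lines_per_leg[leg].update((a_num, b_num))
    return {leg: lines for leg, lines in lines_per_leg.items()
            if len(lines) >= min_lines}


def report(records: List[Record]) -> List[str]:
    """Human-readable summary, one line per flagged leg, most lines first."""
    flagged = shadow_numbers(records)
    return [f"{leg}: copies of calls from {len(lines)} distinct lines"
            for leg, lines in sorted(flagged.items(), key=lambda kv: -len(kv[1]))]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run stand-alone, the script flags only 6942000000 (six distinct lines reached it); 6942000001 stays under the threshold and the voicemail platform is skipped because it is on the allow-list. In a real deployment the allow-list is the operator's provisioning data and the threshold is tuned against the normal volume of call forwarding, but the core check is the same: count distinct subscribers per destination leg, not legs per subscriber.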
  34. Case Study I: Actors involved
     • Some elite hacker.
       – Retired Ericsson technical guy(s)?
     • Some seriously‐intentioned IA (CIA?).
     • Some historical and geo‐political situation (Carpe Diem).
     • Local politicians and National Secret Service.
     • The Olympic Games?
     • The “best hack of 2005” prize. For sure.
  35. Targeted people (Vodafone Hellas/1)
     • GOVERNMENT TARGETS (name: role [source]):
       – Karamanlis, Kostas: Prime Minister of Greece (two phones of 20) [Elef. 3Feb]
       – Molyviatis, Petros: then Foreign Minister, a private phone [Elef. 3Feb]
       – Spiliotopoulos, Spilios: then Minister of Defense [Elef. 3Feb]
       – Voulgarakis, Giorgos: then Minister of Public Order [Elef. 3Feb]
       – Papaligouras, Anastasios: Minister of Justice [Elef. 3Feb]
       – Valinakis, Giannis: Alternate Foreign Minister [Elef. 3Feb]
       – Dimas, Stavros: EU Commissioner [Elef. 3Feb]
       – Bakoyianni, Dora: then Mayor of Athens [Elef. 3Feb]
       – Vallindas, Giorgos: Ambassador, Foreign Ministry Mideast Division Director [Elef. 3Feb]
       – Choreftaki, Glykeria: Foreign Ministry employee [Elef. 3Feb]
       – Papantoniou, Giannis: PASOK MP, ex Minister of Defense [Elef.]
       – Apostolidis, Pavlos: then Head of Greek Intelligence Service (EYP), his car phone [Nea]
       – Karamanli, Natasha: wife of the Prime Minister [Nea]
       – eight unidentified foreign ministry officials [Nea]
       – unnamed intelligence officials: EYP operations officers [Nea]
       – Korandis, Giannis: current EYP director, then Ambassador to Turkey, his private car phone [Nea 3‐16]
       – Molyviati, Lora: daughter of the former Foreign Minister [Nea 3‐16]
  36. Targeted people (Vodafone Hellas/2)
     • POLICE/SECURITY TARGETS (name: role [source]):
       – Maravelis, Dimitris: Police officer in Olympic Security [Elef. 3Feb]
       – Maris, Giorgos: lawyer, legal advisor to Public Order Ministry [Elef. 3Feb]
       – Angelakis, Dimitris: Police in Olympic Security or EYP unionist [Elef. 3Feb]
       – Sontis, Theodore: U.S. Embassy Greek‐American, gave to security detail [Elef.]
       – Kyriakakis, Evstratios: Former Director, Criminological Service, Greek Police [Ta Nea]
       – Galiatsos, G.: Director of Exercises, Athens Olympic Security [Ta Nea]
       – Mitropoulos, G.: Chief of Staff, Ministry of Public Order [Ta Nea]
       – Konstantinidis, V.: Olympic Games Security Director [Ta Nea]
       – Nasiakos, Fotis: Former Chief, Greek Police (phone given to another) [Ta Nea]
       – Dimoschakis, An.: Chief of Staff, Greek Police [Ta Nea]
       – Syrros, St.: Former director of Counterterrorism division, Greek Police [Ta Nea]
       – Galikas, D.: Director of Counterterrorism Division, Greek Police [Ta Nea]
       – Angelakos, Giorgos: Chief of Greek Police [Ta Nea]
       – seven senior military: Senior officers in general staff [Ta Nea]
       – General Staff Communications Director: Communications Director, chief of General Staff
       – Defense Ministry staffer: Defense Ministry staff company [Eleft 2/5]
  37. Targeted people (Vodafone Hellas/3)
     • FOREIGN CITIZENS TARGETS (name: role [source]):
       – Meim, Mohamad: Pakistani [Elef]
       – Moktar, Ramzi: Sudanese [Elef]
       – Maloum, Udin: Sudanese [Elef]
       – Jamal, Abdullah: Lebanon radio reporter or Syrian journalist, now fast food operator [Elef]
       – Sadik, Hussein Moh.: Pakistani store owner [Elef]
       – Tarek, Ibrahim Ahmet: Iraqi [Elef]
       – Kadir, Aris: Kurd [Elef]
       – Thair, Hermiz: Iraqi [Elef]
       – Ayoubi, Chadi: Lebanese al Jazeera reporter, Gr resident [Elef]
       – Basari, Mohamed: Iraqi immigrant, Igoumenitsa, 3 years, furniture factory worker [Nea 3‐16]
       – Unnamed Syrian: 3 years [Nea 3‐16]
       – Unnamed Iraqi: 2 years [Nea 3‐16]
  38. Targeted people (Vodafone Hellas/4)
     • UNEXPLAINED TARGETS (name: role [source]):
       – Fergadis, Theodoros: businessman [Elef. 3Feb]
       – Kakotaritis, Giorgos: blanket factory? [Elef. 3Feb]
       – Linardos, Nikolaos: Pegasus financial co, underwear firm [Nea 3‐16]
       – Cretan businessman: shipper of remote control airplanes, including Souda Bay [Vima 3/25]
       – Cretan refrigeration tech from Ag. Nikolaos, Crete [Vima 3/25]
       – Koika, Katerina: journalist [Elef. 3Feb]
       – Psychogios, Giorgos: criminal lawyer, Thebes mayor candidate [Elef. 3Feb]
       – Makris, Kostas [Elef. 3Feb]
       – Barbarousi, Dimitra [Elef. 3Feb]
       – Notas, Anastasios [Elef]
       – Pavlidis, Pavlos [Elef]
       – Pnevmatikakis, Angelos [Elef]
       – unknown card phone 6942 5447.., activated 2/28/05 [Vima 2/25]
  41. Googling
  44. Please, gimme a Timeline!!!
     • Yep, I know. This scandal is huge.
     • This affair would need something like an 8 hour talk, to let you really understand WTF happened.
     • That's why I skipped the lunch and spent some time to build an event timeline ☺
  49. Agenda: Disclaimer(s); Introduction (What Corporate Security should be and is; What Intelligence should be and is; Management Models; Historical links between CS & I); Case Studies (Case I, Case II); Conclusions; Bibliography and Links.
  50. Conclusions
  51. Conclusions/Telecom Italia
     • An innocent man has been induced to commit suicide. Whatever the true facts are, he's dead.
     • A 5 years period of very negative image for Telecom Italia Group.
     • Even if all the facts must be proven in a Law Court, those ordered attacks and the TV images showing thousands of dossiers of private citizens (STASI like) impressed a lot of normal people.
     • The world discovered the existence of RADAR (Counter Fraud System, that can be abused just like a Lawful Interception System) at Telecom Italia Mobile.
     • Tiger Team = very bad word (!)
     • IMHO, a strong damage happened also to the worldwide underground scene (HITB, Bluehat, etc..).
  52. Conclusions/Vodafone Hellas
     • A dead man here too…
     • A very light negative image of Vodafone Hellas: media didn't hit that much the subject on the news coverage.
     • Obscure CIA links?
     • Rootkit Ericsson AXE MSC.
  53. General Conclusions
     • These two cases are just the tip of the iceberg.
     • These “incidents” happen everyday in IAs and telco companies. They just don't say it.
     • Avoiding this shit happening again is up to us, the infosec guys.
     • ALL of you should contribute to this.
     • I want to believe. Still.
     • Hackers are clean people, not criminals.
  54. Acknowledgements, References and Links
  55. Links
     ITALIAN:
     • http://it.wikipedia.org/wiki/Scandalo_Telecom-Sismi
     • http://it.wikipedia.org/wiki/Giuliano_Tavaroli
     • http://it.wikipedia.org/wiki/Tiger_team
     • http://it.wikipedia.org/wiki/Laziogate
     ENGLISH:
     • Who is Telecom Italia: http://en.wikipedia.org/wiki/Telecom_Italia
     • Italy's byzantine Telecom Italia scandal shakes the Republic: http://www.zmag.org/znet/viewArticle/3086
     • Telecom Italia scandal in the news again: http://kindlingman.wordpress.com/2006/10/26/telecom-italia-scandal-in-the-news-again/
     • Very good resumes of the facts: http://www.theregister.co.uk/2008/04/14/telecom_italia_spying_probe_update/ and http://www.guardian.co.uk/commentisfree/2007/apr/18/itsirritatingforitaliansto?gusrc=rss&feed=global
     • Wiretapping: the Tsalikidis' case: http://www.rainews24.rai.it/ran24/inchieste/27102006_intercettazioni-eng.asp
     • Diplomacy Lessons: Vodafone Eavesdropping Scandal: http://www.bradykiesling.com/vodafone_scandal.htm
     • The Athens Affair: http://www.spectrum.ieee.org/jul07/5280
  56. Books
     • 2007 - Massimo Mucchetti. Il Baco del Corriere. Milano, Feltrinelli, 2007. (ISBN 88-07-17132-5)
     • 2008 - Giorgio Boatti, Giuliano Tavaroli: Spie, 241 pp, Mondadori, Collana Frecce, ISBN 9788804580720
     • 2008 - Sandro Orlando: La repubblica del ricatto - Dossier segreti e depistaggi nell'Italia di oggi (prefazione di Furio Colombo), 299 pp, Chiarelettere editore srl, Milano, ISBN 9788861900042
     • 2008 - Emilio Randacio: Una vita da spia - 007 si nasce o si diventa?, 182 pp, Rizzoli, Collana Futuropassato, ISBN 9788817020572
     • 2008 - Giorgio Boatti: Spie, 241 pp, Mondadori, Collana Frecce, ISBN 9788804580720
     • 2009 - Andrea Pompili. Le Tigri di Telecom. Roma, 2009. ISBN 9788862220682.
  57. Acknowledgements
     • Hemanshu Asolia and Aseem Jakhar, for giving me blind trust with this Final Key Note talk, about which they didn't know anything at all… Thank you guys!
     • All of the nullcon staff.
     • All of YOU, for attending this wonderful International Security & Hacking Event ☺
     • The underground: pentesters, security researchers, hackers… that's us!
  58. Contacts, Q&A
  59. Contacts, Q&A
     QUESTIONS?
     Raoul Chiesa (the crazy guy that decided to tell you what he knows about a couple of real shitty incidents)
     mailto: chiesa@UNICRI.it, Subject: nullcon 2010, Intelligence Operations
     GPG Key: http://raoul.EU.org/RaoulChiesa.asc