Sunday, 6 October 2019

My Take on the Gemalto "Great SIM Heist" bombshell story
(originally posted 22.02.2015 on Google+)
[Update 01.03.2015]
From Gemalto's statement, it is not clear whether they had access to the unredacted documents or not. With it, they could assess the story much better, because names and email addresses were (with good reason) redacted in the published documents.

On Twitter, I asked Gemalto, The Intercept and the authors of the article if Gemalto had access to the unredacted documents, but I got no reply:

https://twitter.com/twrweb/status/570583046375800832
https://twitter.com/twrweb/status/571027915875467264

I also asked other people familiar with the topic; nobody could say for sure. Google had no answer either.

So, of course it could be possible that Gemalto had access, and Gemalto didn't answer me because they said they would not comment any further. And The Intercept doesn't talk to a Snowden denier like me. Or both just do not care to answer a private person with just 150 followers on Twitter. This may be possible.

But it may also be possible that they both don't want to answer this question. It is possible that Gemalto just did not ask for the unredacted documents (for whatever reason), and The Intercept was quite happy that Gemalto didn't ask and could not validate the story too thoroughly.

Both are possible. So far, none of the open questions has been answered. We still don't know if the story was entirely correct or completely bogus. Or something in between.
[/Update]


[Update 26.02.2015]
Yesterday, Gemalto published a statement with the result of its investigations. In it, Gemalto rejected most parts of the Intercept's reporting. And contrary to some media reports, Gemalto didn't even confirm a GCHQ / NSA attack, because they clearly said:

"All comments in this publication assume that the published documents are real and refer accurately to events that occurred during 2010 and 2011. Our publication here below does not aim at confirming partially or entirely nor at providing elements to refute partially or entirely the contents of those website published documents."
http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx

So all that Gemalto basically said is: "If the published documents are real and refer accurately to attacks against us, then we can confirm that we experienced some sophisticated attacks which could have been launched from nation-state attackers like NSA or GCHQ."
They further said they now believe the attacks came from GCHQ / NSA, but they didn't confirm it.

The Intercept and some others criticised Gemalto's statement, saying it was in part incorrect, and that it would be impossible to finish a thorough investigation within such a short timeframe. This may be correct, but it doesn't change the fact that the published documents didn't prove the Intercept's claims, and that Gemalto didn't confirm any of them. So we are where we were before: the Intercept's interpretations could be right or completely wrong. But the claims came from the Intercept, so they are the ones who bear the burden of proof.
[/Update]

The latest Snowden-based revelation from The Intercept, the "SIM heist", doesn't add up on several points, and leaves a lot of question marks behind.

The first point worth mentioning is that even if the article is basically correct on all its points, it still shows that GCHQ and NSA are primarily interested in SIM cards from conflict areas like Somalia, Yemen or Afghanistan, not in those of innocent people in western countries, as this chart clearly shows:

https://firstlook.org/theintercept/document/2015/02/19/imsis-identified-ki-data-network-providers-jan10-mar10-trial/

The Intercept tries its best to mislead the reader here.

The second point is that even if we assume that GCHQ and NSA could obtain the keys from virtually all SIM cards in the world, this still doesn't mean they are able to listen to any cell phone call they want. The key on the SIM card encrypts the data between the phone and the base station, so if the intelligence agencies actually want to listen to a call, they need to get close to the target and eavesdrop on its wireless traffic.

This means that even if we buy all the claims in the article, this again is no proof at all of mass surveillance.
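To make the point about the scope of a SIM-key compromise concrete, here is an added toy model of the GSM challenge-response and air-interface encryption; it is not code from the original post, and it replaces the operator-specific A3/A8 and A5 algorithms with HMAC-SHA256 and a simple keystream (assumptions, not the real ciphers). It shows why Ki alone is not enough: the session key Kc is never transmitted, it is derived on both sides from Ki and the challenge RAND, and RAND is only visible to someone who captured the radio exchange near the handset. The base station decrypts the air link, so nothing past it is protected by Kc in this model.

```python
"""Toy model of GSM SIM authentication and radio-link encryption.

Added example, not code from the original post or from Gemalto.
A3/A8 and A5 are stand-ins (HMAC-SHA256 and a hash-based keystream);
the real algorithms are operator-specific and are not reproduced here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8: derive SRES (4 bytes) and the
    session key Kc (8 bytes) from the SIM secret Ki and the challenge RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def a5_keystream(kc: bytes, frame: int, length: int) -> bytes:
    """Stand-in for A5: expand Kc and a frame counter into a keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            kc + frame.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def encrypt_air(kc: bytes, frame: int, data: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, a5_keystream(kc, frame, len(data))))


@dataclass
class RadioCapture:
    """What a passive listener near the handset can observe: RAND and SRES
    cross the air in clear, the ciphertext does too, Kc never does."""
    rand: bytes
    sres: bytes
    frame: int
    ciphertext: bytes


def gsm_session(ki: bytes, payload: bytes, frame: int = 1) -> Tuple[bool, bytes, RadioCapture]:
    """One authentication plus one encrypted transmission.

    The home network (AuC) and the SIM share Ki. The network sends RAND,
    the SIM answers SRES, both derive Kc locally, and the handset encrypts
    the payload with Kc. Returns (authenticated, Kc, what the air showed).
    """
    rand = os.urandom(16)                        # AuC picks the challenge
    expected_sres, network_kc = a3a8(ki, rand)   # AuC side
    sim_sres, sim_kc = a3a8(ki, rand)            # SIM side, same Ki
    authenticated = hmac.compare_digest(expected_sres, sim_sres)
    ciphertext = encrypt_air(sim_kc, frame, payload)
    return authenticated, network_kc, RadioCapture(rand, sim_sres, frame, ciphertext)


def base_station_plaintext(kc: bytes, capture: RadioCapture) -> bytes:
    """The base station holds Kc (received from the core network) and
    decrypts the air link; beyond this point Kc protects nothing."""
    return encrypt_air(kc, capture.frame, capture.ciphertext)


def recover_with_ki(ki: bytes, capture: RadioCapture) -> bytes:
    """A party holding this SIM's Ki AND a radio capture of RAND can derive
    Kc and read the captured frames. Without the capture there is no RAND
    and therefore no Kc to derive, which is the proximity requirement the
    post describes."""
    _, kc = a3a8(ki, capture.rand)
    return encrypt_air(kc, capture.frame, capture.ciphertext)


if __name__ == "__main__":
    # Constructed sample values, not real SIM data.
    sample_ki = bytes(range(16))
    ok, kc, capture = gsm_session(sample_ki, b"call audio frame")
    print("authenticated:", ok)
    print("base station sees:", base_station_plaintext(kc, capture))
    print("Ki holder with capture sees:", recover_with_ki(sample_ki, capture))
    print("wrong Ki with capture sees:", recover_with_ki(bytes(16), capture))
```

Running it shows the same plaintext at the base station and for the Ki holder who also captured RAND, and garbage for a wrong Ki; the design choice of keeping RAND inside `RadioCapture` is deliberate, since it is exactly the piece that only a nearby receiver obtains.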


What else there is to say is more complex.

One of the first questions I asked myself after reading the story was: Why should GCHQ and NSA do this? I mean, they always have to weigh what they can gain against the related risks. And here there is obviously a big imbalance. The keys are not necessary to break the very weak 2G encryption (most voice calls are done under 2G, at least back in 2010), while 3G and LTE are almost always only used for internet data (which is often encrypted at higher layers too). But on the other side, Gemalto is obviously a very hard target, with serious risks of getting caught.
It just makes no (or very little) sense for GCHQ to attack Gemalto, and Gemalto so far didn't confirm they were attacked.

Another question you should ask: Why did this revelation come so late? I mean, if this story is basically correct, then of course it was one of the most interesting revelations so far. But why did Greenwald wait that long? I cannot believe he overlooked it. But I don't have any good explanation either.

The next problem -- as always with the Snowden revelations -- is the published documents. We can read them, and at first sight they seem to prove what is claimed in the article, but we don't know the context in which they were written. So let's have a closer look at the document which is supposed to prove the successful hacking of Gemalto:

https://firstlook.org/theintercept/document/2015/02/19/dapino-gamma-cne-presence-wiki/

I was surprised when I read "Our Workshop Aims". What does this mean? This is a clear hint that the document is not the documentation of a real operation, but rather training material. And if it is training material, it could either describe a simulated attack against Gemalto, or it could be based on a real attack against Gemalto. We just can't say, because we don't know the context.
I think Gemalto could give an answer here, if they have the unredacted documents. So we have to stay tuned until their final statement.

Another document left me skeptical as well:

https://firstlook.org/theintercept/document/2015/02/19/pcs-harvesting-scale/

The Intercept interprets this as a description of an ongoing operation to collect as many SIM card keys as possible. However, if you read it, it sounds much more like a case study from a research department, with a focus on the comparison between automated and manual collection. So again, we do not know the real context of this document, so we just can't tell.

The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

Shared with: Public
Thomas Dirscherl - 2015-02-23 10:40:42+0100
"Why should GCHQ and NSA do this?" Indeed. Really puzzles me as well.

The only explanation I could come up with is they just got so used to harvesting all the data they could get that they don't really weight gains and risks in a sensible way.

That would fit in the greater picture of all the revelations. There are tremendous amounts of secret operations, with a lot of them potentially causing diplomatic, political and economic damage when exposed. They were still carried out, most of the time probably without the knowledge of congress. And they lack proper OpSec (else it would not have been possible to copy as many documents as Snowden did) despite better knowledge.

To me, that imbalance in gain/risk assessment makes them look completely out of control.
Rolf Weber - 2015-02-23 11:54:15+0100
With your conclusion, you seem to assume that the story is basically true. I really doubt it. I think this "revelation" is as wrong and misleading as most of the others before.

Maybe we should wait until Wednesday for further discussion. Gemalto announced a press conference with results about its investigations:

http://www.gemalto.com/press/Pages/Update-on-the-SIM-card-encryption-keys-matter.aspx

Maybe we know more then ...
Thomas Dirscherl - 2015-02-23 12:27:51+0100
My conclusion does not depend on this story or on any other individual story, but on the vast amount of documents published in the last 2 years. So far, I've never come across anyone - be it a media outlet, be it NSA spokespersons - who doubted the credibility of the source documents.

Whether media coverage of those documents is true or misleading is of no importance at all concerning my conclusion. There is no reason to assume media coverage of previously secret documents would be fundamentally different to any other media coverage. Exaggerated headlines and unfavorable descriptions of their power abuse usage should have been factored into the weighting of risks and benefits of their actions.
Rolf Weber - 2015-02-23 13:46:36+0100
It is not only about exaggerations. The alleged hack of Gemalto was not only exaggerated, but IMO completely wrong. At least there is no evidence so far.
The same as with many other stories, like the "direct access" or "millions of Germans tapped" -- turned out to be completely wrong.

So if you don't refer to the headlines, but to the documents: Which documents do you exactly mean? Which of them clearly shows "shocking" actions?

You can blame NSA for a lot, but not that nobody took into account that the documents could be stolen and totally misrepresented by biased "journalists".
Thomas Dirscherl - 2015-02-23 14:16:04+0100
I don't need actions to be "shocking" to make my point (although a lot of actions will probably be shocking for other secret services, as most probably were unaware of the NSA's advantage). And I don't need the headlines.

I don't blame the NSA for the biased presentation of the documents by journalists. I blame the NSA for bad decision making. They knew there would be biased reporting. They knew there would be sensationalist headlines. They knew this would lead to diplomatic, political and economic problems, mainly for the US. They knew that would weaken USA's position in the world. As a political partner, as a trade partner, as well as a moral institution. And despite that knowledge they carried on with their programs. And they did not even care enough to keep them secret. If a single person was able to retrieve quite a bunch of documents, how many documents might have been stolen by Chinese or Russian agencies?
Rolf Weber - 2015-02-23 15:23:02+0100
But which wrong decision do you exactly mean?
We agree, that if Gemalto was attacked, then it was a wrong decision. But there is no proof, we just don't know.
So which of NSA's proven (not alleged!) actions were wrong decisions?
Even the eavesdropping of Merkel (which I consider to be proven) was not clearly wrong.

That the NSA obviously totally failed with its internal security (however no solid details are known), that is correct. But this is another story.
Thomas Dirscherl - 2015-02-23 16:00:50+0100
Examples:
The decision to have several programs capable of bulk data collection.
The decision, to pay RSA 10 Million USD to use weak encryption.
And why not: The decision to spy on Foreign Heads of Government like Angela Merkel.

I do not see any evidence of the benefits. Probably there are some (though I wonder why the NSA does not make them public, at least to some degree), but were they worth the costs? I highly doubt it. I'm fairly sure the US' long-term loss in credibility was severely underestimated by NSA officials. Or, alternatively (imho this is closely related), their ability to keep their secrets secret was severely overrated. In any case: wrong decisions.
Rolf Weber - 2015-02-23 17:07:59+0100
Almost all bulk data collection occurs in crisis areas with the help and consent of local authorities. There is nothing wrong with this. Mass surveillance in western countries was one of the many lies.

The story with RSA is not entirely clear. RSA denies it took money to use "weak" encryption. Even if the story is correct, then only RSA is to blame, not NSA, because the alleged "backdoor" in Dual_EC_DRBG is a very sophisticated one, which could only be exploited by NSA, not any third parties.

And to spy on foreign heads is simply the task of intelligence agencies. I agree that it is not smart to spy on friends, but Merkel's predecessor, chancellor Schröder, clearly showed that Germany is a very unreliable friend.

And the benefits are very simple: Gaining foreign intelligence.
Thomas Dirscherl - 2015-02-23 20:25:19+0100
So you consider that gain of foreign intelligence by eavesdropping on Merkel more important than the longterm effect of loss in credibility? Could you give an example of what information the NSA might eventually have gotten from Merkel which they could not have gotten otherwise and which is more important than a good relationship between Germany and the USA and thus renders spying on Merkel a smart move?
Rolf Weber - 2015-02-23 20:53:48+0100
No. Maybe I should correct myself a bit. The eavesdropping on Merkel was a clear mistake, because she always was loyal. But mistakes are human, and this one is explainable with the behavior of her predecessor Schröder.
Thomas Dirscherl - 2015-02-24 06:31:07+0100
It is also explainable with being drunk of their own power and loss of control, as they clearly didn't do their homework when assessing the risk of their actions.
Rolf Weber - 2015-02-24 08:48:13+0100
We don't know. I think my explanation is much more likely, and you yours.
But there is also benefit of the doubt. :-)
Rolf Weber - 2015-02-26 08:41:37+0100
Updated the article regarding Gemalto's statement from yesterday.
Thomas Dirscherl - 2015-02-26 10:01:30+0100
Your interpretation makes no sense. In Gemalto's business, security is of utmost importance. So if there was any way they could deny the attacks without lying, they would do it. But they didn't, which means they couldn't. They even confirmed they have been hacked. And they even confirmed what they were seeing aligned with the published documents.

I wonder which statement would have made you believe that Gemalto had been attacked by the NSA. The NSA has at least been looking at Gemalto as a target, Gemalto has been attacked. It makes perfect sense for the NSA to hack into Non-American-made SIM cards. Nobody provided even anecdotal evidence that someone other than the NSA might be the attacker. The NSA isn't even trying to deny they attacked Gemalto. What else do you need?

I get that you don't like the exaggerations and anti-NSA reporting of The Intercept and other media organizations. I would even say you had a point. If, yes if, you wouldn't use interpretations which are even further from the truth.
Rolf Weber - 2015-02-26 11:35:54+0100
Which interpretation do you mean? I read Gemalto's statement quite literally, and I just realized that they did NOT confirm a GCHQ / NSA attack. They only said that they believe it was an attack by GCHQ / NSA, because IF the Intercept's reporting was accurate and the published documents describe an actual attack on Gemalto, that what they observed could have been related to this attack.

But the published documents don't prove an actual attack on Gemalto. They don't even prove Gemalto was picked as a target. I explained this in my post. But I ask you: What do you think, why do they write "Our Workshop Aims" in the document?

And again, I don't claim the Intercept's interpretation is wrong. It could be right. It is even possible GCHQ / NSA penetrated Gemalto's internal network without leaving a trace. But it's completely unproven.
Thomas Dirscherl - 2015-02-26 13:29:44+0100
Of course there is no definite proof. But before you said you consider it a fact that Merkel's phone was wiretapped by the NSA. Why? There is no proof whatsoever!

In a business where "We do not collect that data" means "We collect that data, but most of the time it is not used" reading statements like these literally makes as much sense as reading the bible literally.
Rolf Weber - 2015-02-26 13:45:57+0100
Regarding Merkel, it made some sense for NSA to monitor her, I interpret the statement of the US government as a confirmation, and the published evidence was convincing. This is quite different to Gemalto. It made little sense for GCHQ / NSA to attack them, there is no confirmation at all from anybody, and the published evidence is very weak.

But I still wait on an answer from you. How do you read the quote "Our Workshop Aims" from the document?
Thomas Dirscherl - 2015-02-26 14:27:58+0100
So according to you, spying on Merkel, a close ally of the USA, which you consider a mistake, and which caused diplomatic as well as economical problems for the USA, makes more sense than getting encryption keys for SIM cards, which might be used by actual terrorists?

And you can't just read one statement literally and do your own interpretation on another statement. There is no proof at all that the NSA spied on Merkel. Period. Still you and everyone else knows they did it. And still everyone knows they attacked Gemalto. Only your view is too biased in this case, but that doesn't matter, as everyone else knows.

From wikipedia: In "office environments" a workshop describes a conference room meeting intended to create or generate plans, analysis, or design that supports organizational efforts.

That means people familiar with the matter sit together and try to find ways to achieve the aims of the workshop. So here, they thought about how they could get into Gemalto in order to perform Computer Network Exploitation.
Rolf Weber - 2015-02-26 16:14:02+0100
To monitor Merkel was only risky in case of internal leaks like this one from Snowden; Gemalto however was operationally risky. You can see this from the fact that the alleged hack was noticed by Gemalto.

I have no problem with being called "biased" or "the only one". I was one of the very few who were skeptical about the very first "revelations" like the "direct access" or "BOUNDLESSINFORMANT". They all turned out to be completely wrong. For me it's more important to be right in the long run. ;-)

And regarding "workshop", I think it's absurd this kind of workshop was meant. But I don't know, you may be right, of course. So you see how difficult it is to interpret documents without knowing the correct context.
Thomas Dirscherl - 2015-02-26 16:34:57+0100
How would "workshop" have to be understood in order to back up your view that the wording "workshop" contradicts common interpretation of the facts?
Rolf Weber - 2015-02-26 17:19:04+0100
I think the document could be part of training material. So it could be a simulated attack on Gemalto during a training.
Thomas Dirscherl - 2015-02-26 17:23:46+0100
Wouldn't it say "training" then? The term "training workshop" exists, but even then it would be a practical exercise, in our case involving actually hacking Gemalto for training purposes. But I would consider this very far-fetched. And whatever probability of that explanation was still there, it vanished completely after Gemalto confirmed they were hacked by someone.
Rolf Weber - 2015-02-26 17:34:51+0100
If it was a training, then of course they hacked in a lab, not in the real world.
Maybe it is far-fetched, but no less than the Intercept's interpretation.

And Gemalto also said they are attacked daily. It's simply not a fact the hack was from GCHQ / NSA.
Thomas Dirscherl - 2015-02-26 17:42:08+0100
It is indeed far-fetched. And of course they are attacked daily. But they discovered an attack which fits the description. Your interpretation is not completely impossible, but improbable enough to be discarded.
Rolf Weber - 2015-02-26 19:32:28+0100
Fits the description? It's not even clear if they had the unredacted documents.
Thomas Dirscherl - 2015-02-26 20:02:59+0100
Then they would have said they don't have enough information and they don't see anything which would fit the description, don't you think?
Rolf Weber - 2015-02-26 20:06:32+0100
I don't know. I asked them on Twitter, got no answer.
