Gemalto downplays impact of NSA and GCHQ hacks on its SIM cards

Dutch digital security firm Gemalto, which is the world’s biggest manufacturer of SIM cards, has reported back on internal investigations triggered by last week’s revelations about the NSA and GCHQ hacking into its systems and stealing encryption keys that are supposed to protect phone users’ communications.

On Wednesday Gemalto said it reckoned a series of intrusions into its systems in 2010 and 2011 could have matched up with the attacks described in documents leaked by Edward Snowden and published by The Intercept. However, it downplayed the impact of the attacks on its systems and SIM encryption key transfer mechanisms, hinting that the methods described in the documents were more likely to have affected its rivals.

For a start, Gemalto said these attacks, which involved the “cyberstalking” of some of its employees in order to penetrate its systems, only affected its office networks:

The SIM encryption keys and other customer data in general are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data…

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators, as explained in the documents.

Regarding that method of targeting encryption keys in transit, Gemalto said it had put in place “highly secure exchange processes” before 2010, which explained why the documents noted how the NSA and GCHQ failed to steal the keys for certain Pakistani networks.

The company said that at the time “these data transmission methods were not universally used and certain operators and suppliers had opted not to use them,” though Gemalto itself used them as standard practice, barring “exceptional circumstances.” In other words, Gemalto does it right (most of the time) while other suppliers may not have been so cautious.

Gemalto, whose stock price was whacked by last week’s revelations, also said that the attacks could only have affected 2G SIM cards, due to enhanced security measures introduced in 3G and 4G versions. “Gemalto will continue to monitor its networks and improve its processes,” it added. “We do not plan to communicate further on this matter unless a significant development occurs.”

On Tuesday, another SIM card vendor, Germany’s Giesecke & Devrient (G&D), said last week’s report had prompted it to “introduce additional measures to review the established security processes together with our customers.”

UK access to NSA mass surveillance data was illegal, court rules

The system through which U.K. spy agency GCHQ can access data from NSA mass surveillance programs was in violation of fundamental rights, the Investigatory Powers Tribunal has ruled. However, the limits of that finding have left human rights groups dissatisfied.

The decision came as a result of a case brought by Privacy International, Liberty and other human rights groups regarding the Prism and Upstream programs. Prism is the scheme through which U.S. intelligence gets users’ communications from service providers in that country, and Upstream intercepts bulk data from the internet’s core infrastructure.

In December the IPT ruled that it was legal in principle for GCHQ to get data from these programs now – i.e. from December 2014, in the post-Snowden world, where people actually know what’s going on – but it held back on saying whether there had been historical breaches of human rights.

Having subsequently heard out both the complainants and the intelligence agencies, the tribunal said on Friday that the data-sharing regime had violated the rights to privacy and free expression, as set out in Articles 8 and 10 of the European Convention on Human Rights. However, it reiterated that it believes the system now no longer does so.

In a statement on Friday, Privacy International said it and Pakistani NGO Bytes For All would ask the IPT, which generally acts as a secret court, to “confirm whether their communications had been unlawfully collected prior to December 2014 and, if so, demand their immediate deletion.”

The groups also disputed the December ruling’s assertion that the disclosure of “a limited subset of rules governing intelligence-sharing and mass surveillance” made everything OK. They will now appeal that ruling with the European Court of Human Rights, as will Liberty.

Here’s what Liberty legal director James Welch said in the statement:

We now know that, by keeping the public in the dark about their secret dealings with the National Security Agency, GCHQ acted unlawfully and violated our rights. That their activities are now deemed lawful is thanks only to the degree of disclosure Liberty and the other claimants were able to force from our secrecy-obsessed Government.

But the Intelligence Services retain a largely unfettered power to rifle through millions of people’s private communications – and the Tribunal believes the limited safeguards revealed during last year’s legal proceedings are an adequate protection of our privacy. We disagree, and will be taking our fight to the European Court of Human Rights.

“We must not allow agencies to continue justifying mass surveillance programs using secret interpretations of secret laws,” Privacy International deputy director Eric King added. “The world owes Edward Snowden a great debt for blowing the whistle, and today’s decision is a vindication of his actions.”

Levitation program tracked file-sharing sites, Snowden doc shows

The Canadian spy agency CSE monitors activity across over 100 free file upload sites, a newly-revealed PowerPoint document from NSA whistleblower Edward Snowden’s cache has shown.

The document describing CSE’s Levitation program was published on Wednesday by The Intercept, reporting alongside Canadian broadcaster CBC. Although Canada has long been known to be a member of the core Anglophone “Five Eyes” spying club, this is the first Snowden revelation putting it at the forefront of one of the Eyes’ mass surveillance programs.

Using an internet cable-tap program called Atomic Banjo, CSE’s agents were, when the presentation was written, collecting HTTP metadata for 102 cyberlocker sites, including Sendspace and Rapidshare, and tracking 10-15 million “events” each day to find “about 350 interesting download events per month.” And yes, this meant filtering out loads of TV shows and such.

According to the presentation, the technique yielded a “German hostage video” (the hostage was killed, according to The Intercept) and an “AQIM [Algerian al-Qaeda] hostage strategy”.

In total, there were 2,200 file addresses that effectively acted as traps once CSE had identified them. Once the agents have an IP address for someone downloading a suspect file, they then run a query on it through GCHQ’s Mutant Broth tool to see which ad cookies have been tracking them (insecure marketing technologies provide an easy vehicle for spying efforts), what their likely Facebook ID is, and so on.

SendSpace told CBC that no-one had permission to trawl its service for data, and internet policy lawyer Tamir Israel told the broadcaster that the program was potentially very intrusive, as CSE (known until last year as CSEC) could pick whichever documents it wanted.

UK wants hot tech grads to do spy work before building startups

The British government is considering a program that would see the most promising tech graduates spend some time working for the GCHQ signals intelligence agency, the U.K.’s equivalent to the NSA, before they move into the private sector.

As per a Thursday article in The Independent, confirmed to me by the Cabinet Office on Friday, the scheme would give the U.K. a rough equivalent to the system in Israel, where many tech entrepreneurs have come out of Unit 8200 of the Israel Defence Force. Unit 8200 is also a signals intelligence operation, and the cybersecurity firm Palo Alto Networks is a notable spinout.

According to the Cabinet Office sources quoted in the Independent piece, the idea would be to “capitalize on the expertise in GCHQ in terms of IT commercialization” by creating “a secure space where business can work with GCHQ and build an eco-system between the two.” (Side note: For more security-related U.K. civil-service-speak, check out the brilliant Sir Bonar Neville-Kingdom spoof account on Twitter.)

In short, part of the attraction lies in the idea of making money out of GCHQ’s in-house spy tech. In Israel, some Unit 8200 technologies have ended up being commercialized through startups created by former members. The Cabinet Office reckons the same could be done in the U.K., particularly around cybersecurity technologies — Cabinet Office boss Francis Maude visited Israel in November and, I am told, came away with lots of ideas around “digital and cyber”.

No doubt GCHQ would also benefit from the fresh ideas bubbling away in the brains of U.K. tech’s future stars, not to mention the potential for continued links in the future.

Of course, all Israelis have to go through the army anyway, so funnelling bright young tech minds through the local spook house is a relatively easy task there. GCHQ and the Cabinet Office may have a harder time convincing promising British techies to spend time hanging around spooks, particularly with GCHQ’s mass surveillance programs – illegal under international law – having been exposed by the leaks of NSA contractor Edward Snowden.

While GCHQ has remained tight-lipped about its specific activities, since the Snowden leaks it has made a couple of attempts at publicity. In November its new chief, Robert Hannigan, attacked U.S. tech firms for “benefiting” terrorists by extending encryption across their products and networks, and in December it released a tablet app for kids to, er, teach them the basics of encryption.

UK cable-tapping programs are legal, spy court rules

The U.K.’s Investigatory Powers Tribunal (IPT), a semi-secret court that deals with complaints over the authorities’ surveillance activities, has declared that the authorities’ tapping of major internet cables that touch the U.K. is legal in principle and does not breach human rights.

The ruling came in a case that had been brought by Amnesty International, Privacy International, Liberty and the ACLU. The case centered on the U.S. Prism program and a British scheme called Tempora, which – according to the documents revealed by NSA leaker Edward Snowden – involved U.K. spy agency GCHQ tapping into much of the world’s communications by targeting core internet infrastructure.

The U.K. is a crucial hub for these cables, giving the spies the ability to monitor data flowing from most parts of the world. To do so, it has secured help from carriers such as the Vodafone-owned Cable & Wireless.

The IPT ruled on Friday that GCHQ could in principle legally tap the cables under the Regulation of Investigatory Powers Act 2000 (RIPA), a piece of anti-terror legislation that enables much of the U.K. authorities’ surveillance activities. It also said Prism, through which the NSA gains access to data from the systems of web service providers, is legal and conducted with sufficient oversight.

However, the court is still keen to find out more about the past legality of GCHQ receiving bulk intercepted material, which may relate to British citizens, from the NSA and other international partners.

Privacy International and Bytes for All, a Pakistani NGO defending activists in that country who feared their communications were being monitored by the British, said in a statement that they will now appeal the IPT ruling at the European Court of Human Rights.

The IPT stated in its ruling:

Technology in the surveillance field appears to be advancing at break-neck speed. This has given rise to submissions that the UK legislation has failed to keep abreast of the consequences of these advances, and is ill fitted to do so; and that in any event Parliament has failed to provide safeguards adequate to meet these developments. All this invariably creates considerable tension between the competing interests, and the ‘Snowden revelations’ in particular have led to the impression voiced in some quarters that the law in some way permits the Intelligence Services carte blanche to do what they will. We are satisfied that this is not the case.

It went on to say that the intelligence services must get a warrant to intercept “substantial quantities of communications” and can only access material from those communications “if it is necessary in the interests of national security, for the purpose of preventing or detecting serious crime or for the purpose of safeguarding the economic wellbeing of the United Kingdom.”

The case has already uncovered more than was previously known about the U.K. authorities’ previously secret legal rationales for their spies’ activities. It is also the first case in which the IPT has held public hearings — though many of the hearings were still closed.

Further hearings about “whether there has been in fact any unlawful interception or treatment of the Claimants’ communications” — in other words, whether the spies broke the law before Snowden and this case forced them to reveal their policies — will also be held behind closed doors.

Privacy International deputy director Eric King said:

With GCHQ’s mass surveillance of undersea cables reported to have increased by as much as 7000% in the last five years, today’s decision by the IPT that this is business as usual is a worrying sign for us all. The idea that previously secret documents, signposting other still secret documents, can justify this scale of intrusion is just not good enough, and not what society should accept from a democracy based on the rule of law.

Bytes for All country director Shahzad Ahmed added:

The idea that the UK is not obliged to offer any privacy protections or safeguards to individuals outside of Britain when conducting surveillance is absurd, and puts at risk the privacy and free expression of human rights activists around the world.

Here’s the ruling:

Investigatory Powers Tribunal Tempora ruling

This article was updated several times with new information.

NSA spies on carriers to break call encryption, report suggests

The NSA spies on the internal emails and documents of major mobile carriers and their industry body, the GSM Association, according to an article published Thursday by The Intercept.

According to the piece, the spy agency is or was running a program called AURORAGOLD, which involved targeting the GSMA in order to find or even create weak spots in carriers’ network technology. If this is the case, it may be yet another example of the foolhardy breaking of widely used security mechanisms in ways that other spies and criminals can potentially also exploit.

The GSMA’s “IR.21” documents are shared between carriers to allow customers to roam internationally between their networks. According to the NSA documents published by The Intercept, IR.21s provide valuable information about new technology that the carriers are using, helping spies to figure out how to “discover vulnerabilities,” “introduce vulnerabilities where they do not yet exist” and find threats to the spies’ existing surveillance methods.

The GSMA is also a hub for the development of new cellular privacy technology. Worryingly, the article suggests that the AURORAGOLD program may have aided NSA attempts to crack A5/3, a type of encryption for cellular communications. Earlier stories based on the Snowden leaks indicated that the NSA has already cracked the older and weaker — but widely used — A5/1 cipher.

It’s not entirely clear whether or not the NSA and GCHQ have had success in cracking A5/3 yet, but some experts are worried:

As the piece noted, the U.K.-based GSMA receives funding from the U.S. National Institute of Standards and Technology (NIST), which has already had to warn companies off using one of its own security standards because Snowden’s leaks indicated the NSA had tampered with it.

GSMA spokeswoman Claire Cranton told me by email: “We are aware of the Intercept story and are currently investigating the claims made in the piece. We are unable to offer any further comment at this time.”