OpenStack 03/15/2015 (p.m.)
Did NSA, GCHQ steal the secret key in YOUR phone SIM? It's LIKELY • The Register
The NSA and Britain's GCHQ hacked the world's biggest SIM card maker to harvest the encryption keys needed to silently and effortlessly eavesdrop on potentially millions of people.
That's according to documents obtained by surveillance whistleblower Edward Snowden and leaked to the web on Thursday.
"Wow. This is huge – it's one of the most significant findings of the Snowden files so far," computer security guru Bruce Schneier told The Register this afternoon.
"We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can."
The damning slides, published by Snowden's chums at The Intercept, detail the activities of the as-yet unheard-of Mobile Handset Exploitation Team (MHET), run by the US and UK. The group targeted Gemalto, which churns out about two billion SIM cards each year for use around the world, and targeted it in an operation dubbed DAPINO GAMMA.
Gemalto's hacking may also bring into question some of its other security products as well. The company supplies chips for electronic passports issued by the US, Singapore, India, and many European states, and is also involved in the NFC and mobile banking sector.
It's important to note that this is useful for tracking the phone activity of a target, but the mobile user can still use encryption on the handset itself to ensure that some communications remain private.
"Ironically one of your best defenses against a hijacked SIM is to use software encryption," Jon Callas, CTO of encrypted chat biz Silent Circle told The Register. "In our case there's a TCP/IP cloud between Alice and Bob and that can deal with compromised routers along the path as well as SIM issues, and the same applies to similar mobile software."
- On Wednesday the UK government admitted that its intelligence agencies had in fact broken the ECHR when spying on communications between lawyers and those suing the British state, so GCHQ might want to reconsider that statement.
If you follow the "November" link you'[l learn that yes, indeed, the UK government lawyers were happily getting the content of their adversaries privileged attorney-client communications. Conspicuously, the promises of reform make no mention of what is surely a disbarment offense in the U.S. I doubt that it's different in the UK. Discovery rules of procedure strictly limit how parties may obtain information from the other side. Wiretapping the other side's lawyers is not a permitted from of discovery. Hopefully, at least the government lawyers in the case in which the misbehavior was discovered have been referred for disciplinary action.
- - By Paul Merrell
The British government has admitted that its practice of spying on confidential communications between lawyers and their clients was a breach of the European Convention on Human Rights (ECHR).
Details of the controversial snooping emerged in November: lawyers suing Blighty over its rendition of two Libyan families to be tortured by the late and unlamented Gaddafi regime claimed Her Majesty's own lawyers seemed to have access to the defense team's emails.
The families' briefs asked for a probe by the secretive Investigatory Powers Tribunal (IPT), a move that led to Wednesday's admission.
"The concession the government has made today relates to the agencies' policies and procedures governing the handling of legally privileged communications and whether they are compatible with the ECHR," a government spokesman said in a statement to the media, via the Press Association.
"In view of recent IPT judgments, we acknowledge that the policies applied since 2010 have not fully met the requirements of the ECHR, specifically Article 8. This includes a requirement that safeguards are made sufficiently public."
The guidelines revealed by the investigation showed that MI5 – which handles the UK's domestic security – had free reign to spy on highly private and sensitive lawyer-client conversations between April 2011 and January 2014.
MI6, which handles foreign intelligence, had no rules on the matter either until 2011, and even those were considered void if "extremists" were involved. Britain's answer to the NSA, GCHQ, had rules against such spying, but they too were relaxed in 2011.
"By allowing the intelligence agencies free rein to spy on communications between lawyers and their clients, the Government has endangered the fundamental British right to a fair trial," said Cori Crider, a director at the non-profit Reprieve and one of the lawyers for the Libyan families.
"For too long, the security services have been allowed to snoop on those bringing cases against them when they speak to their lawyers. In doing so, they have violated a right that is centuries old in British common law. Today they have finally admitted they have been acting unlawfully for years."
Crider said it now seemed probable that UK snoopers had been listening in on the communications over the Libyan case. The British government hasn't admitted guilt, but it has at least acknowledged that it was doing something wrong – sort of.
"It does not mean that there was any deliberate wrongdoing on the part of the security and intelligence agencies, which have always taken their obligation to protect legally privileged material extremely seriously," the government spokesman said.
"Nor does it mean that any of the agencies' activities have prejudiced or in any way resulted in an abuse of process in any civil or criminal proceedings. The agencies will now work with the independent Interception of Communications Commissioner to ensure their policies satisfy all of the UK's human rights obligations."
So that's all right, then.
Posted from Diigo. The rest of Open Web group favorite links are here.
No comments:
Post a Comment