From Schneier on Security :
June 22, 2006
Greek Wiretapping Scandal
Back in February, I wrote about a major wiretapping scandal in Greece. The Wall Street Journal has a really interesting article (link only good for a week, unfortunately) about it:
Behind the bugging operation were two pieces of sophisticated software, according to Ericsson. One was Ericsson's own, some basic elements of which came as a preinstalled feature of the network equipment. When enabled, the feature can be used for lawful interception by government authorities, which has become increasingly common since the Sept. 11 terror attacks. But to use the interception feature, operators like Vodafone would need to pay Ericsson millions of dollars to purchase the additional hardware, software and passwords that are required to activate it. Both companies say Vodafone hadn't done that in Greece at the time.
The second element was the rogue software that the eavesdroppers implanted in parts of Vodafone's network to achieve two things: activate the Ericsson-made interception feature and at the same time hide all traces that the feature was in use. Ericsson, which analyzed the software in conjunction with Greece's independent telecom watchdog, says it didn't design, develop or install the rogue software.
The software allowed the cellphone calls of the targeted individuals to be monitored via 14 prepaid cellphones, according to the government officials and telecom experts probing the matter. They say when calls to or from one of the more than 100 targeted phones were made, the rogue software enabled one of the interceptor phones to be connected also.
The interceptor phones likely enabled conversations to be secretly recorded elsewhere, the government said during a February 2006 news conference. At least some of the prepaid cellphones were activated between June and August 2004. Such cellphones, particularly when paid for in cash, typically are harder to trace than those acquired with a monthly subscription plan.
Vodafone claims it didn't know that even the basic elements of the legal interception software were included in the equipment it bought. Ericsson never informed the service provider's top managers in Greece that the features were included nor was there a "special briefing" to the relevant technical division, according to a Vodafone statement in March.
But Ericsson's top executive in Greece, Bill Zikou, claimed during parliamentary-committee testimony that his company had informed Vodafone about the feature via its sales force and instruction manuals.
Vodafone and Ericsson discovered something was amiss in late January 2005 when some Greek cellphone users started complaining about problems sending text messages. Vodafone asked Ericsson to look into the issue. Ericsson's technicians spent several weeks trying to figure out the problem, with help from the equipment maker's technical experts at its headquarters in Sweden. In early March of that year, Ericsson's technicians told Vodafone's technology director in Greece of their unusual discovery about the cause of the problems: software that appeared to be capable of illegally monitoring calls. It's unclear exactly how the rogue software caused the text-messaging problem.
Ericsson confirmed the software was able to monitor calls, and Vodafone soon discovered that the targeted phones included those used by some of the country's most important officials. On March 8, Mr. Koronias ordered that the illegal bugging program be shut down, in a move he has said was made to protect the privacy of its customers. He called the prime minister's office the next evening.
The head of Greece's intelligence service, Ioannis Korantis, said in testimony before the parliamentary committee last month that Vodafone's disabling of the software before authorities could investigate hampered their efforts. "From the moment that the software was shut down, the string broke that could have lead us to who was behind this," he said. Separately, he distanced his own agency from the bugging effort, saying it didn't have the technical know-how to effectively monitor cellphone calls.
Interferences of the CIA in Europe: wiretaps
Wiretappings: The Tsalikidis case
On march the 4th 2005 Vodafone Greece discovered a spying software in its network. On march the 9th Costas Tzalikidis, security manager of the British company, was found hung in his apartment. On march the 10th mister Koronias, Vodafone CEO, meets the Greek Prime Minister and tells him that his telephone has been spyed for months, as well as the phones of State top officials. The biggest scandal in recent Greek history. The controversy originated by this (still ongoing) involves politicians, foreign telephone companies, secret services and foreign intelligence companies. On july 21st 2006 Amedeo Bove, security manager of Italian Telecom, commits suicide in Naples. His death happens while Telecom is involved in wiretapping affair. There are many disturbing aspects to this case. The radar network controlled by Bove was able to catch sensitive pieces of information about any citizen, without leaving any trace. Moreover Bove had helped Milan judges in tracing the phone calls in the area of Via Gerzoni, in Milan, where, on the 17th of February 2003 imam Abu Omar was kidnapped. The following investigation allowed Milan’s Attorney General to send arrest warranties to CIA agents involved in the abduction and to arrest the Sismi managers who cooperated with American secret agents. Adamo Bove and Costas Tzalikidis, two security managers, two suicides, two wiretapping affairs. Strange connections for one scenario: the one of European telecomunications destiny. While Italian judges still investigate on Bove’s strange death (and it’s not impossible that he could have been pushed to commit suicide), realtives of the Greek Tzalikidis and their lawyer claim that Costa was killed. By whom? by Mario Sanna
www.rainews24.it - www.mariorossi.net
Greek telephone tapping case 2004-2005
...On January 24, 2005, an intruder update of exchange software resulted in customer text messages not being sent. Vodafone Greece sent firmware dumps of the affected exchanges to Ericsson for analysis. On March 4, 2005, Ericsson located the rogue code, 6500 lines of code written in the PLEX language used by Ericsson AXE switches.[6] Writing such sophisticated code in a very esoteric language required a high level of expertise. Much of Ericsson's software development for AXE had been done by an Athens-based company named Intracom Telecom, so the skills needed to write the rogue software were likely available within Greece.[7]
On March 7, 2005, Ericsson notified Vodafone of the existence of rogue wiretaps and software in their systems. The next day the general manager of the Greek Vodafone branch, George Koronias, asked for the software to be removed and deactivated. Because the rogue software was removed before law enforcement had an opportunity to investigate, the perpetrators were likely alerted that their software had been found and had ample opportunity to turn off the "shadow" phones to avoid detection.[6] According to the head of Greece's intelligence service, Ioannis Korantis: "From the moment that the software was shut down, the string broke that could have lead [sic] us to who was behind this."[3]
On March 9, the Network Planning Manager for Vodafone - Greece, Kostas Tsalikidis, was found dead in an apparent suicide. According to several experts questioned by the Greek press, Tsalikidis was a key witness in the investigation of responsibility of the wiretaps. Family and friends believe there are strong indications he was the person who first discovered that highly sophisticated software had been secretly inserted into the Vodafone network.[2] Tsalikidis had been planning for a while to quit his Vodafone job but told his fiancée not long before he died that it had become "a matter of life or death" that he leave, says the family's lawyer, Themis Sofos.[3] There is speculation that either he committed suicide because of his involvement in the tapping of the phones, or he was murdered because he had discovered, or was about to discover, who the perpetrators were.[6][8]
In November, 2007, press reports in Greece quoted the Tsalikas family attorney, Themistokles Sofos, as saying they had commenced legal action against Vodafone, "suspect[ing] he was poisoned".[9]
On March 10 Kornoias asked to meet Prime Minister Karamanlis to discuss matters of national security. At 20:00 on the same day he presented the facts to the Minister of Public Order and the Prime Minister's chief of staff, and on the next day he presented them to the Prime Minister.
A preliminary judicial investigation was carried out, which due to the complexity of the case, lasted until February 1, 2006. The preliminary investigation did not point out any persons connected with the case. The investigation was hindered by the fact that Vodafone disabled the interception system, and therefore locating the intercepting phones was no longer possible (the phones were apparently switched off), and that Vodafone had incorrectly purged all access logs. Police rounded up and questioned as suspects persons who called the monitoring phones, but all callers claimed they called these phones because their number was previously used by another person.
Ericsson has checked their equipment in other markets world-wide and has not found the illegal software installed anywhere else. "As far as Ericsson knows, this is a unique incident. We have never discovered anything like this before or since." Vodafone spokesman Ben Padovan said.[3]
After a four-month investigation of his death, Supreme Court prosecutor Dimitris Linos said that the death of Tsalikidis was directly linked to the scandal. "If there had not been the phone tapping, there would not have been a suicide," he said...
Kostas Tsalikidis
...Kostas Tsalikides died on March 9th, 2005 at the age of 39 - it looked like a suicide. He was Vodafone’s - Greece, Network Planning Manager.
A year later it was uncovered that Vodafone in Greece was involved in one of the biggest political scandals of recent history - tapping mobile phones of members of the cabinet, the Prime Minister, and hundreds of others.
The authorities and the media strongly feel that Costas‘ death was associated with his position in the company.
Calendar of events according to the press
March 4, 2005 Vodafone discovers (as per company statements) foreign “interception” software in its network. Vodafone Greece doesn’t formally take the position that Ericsson installed before the Olympic games a “legal interception” software, which was subsequently locked and shut down.
March 5, 2005 Vodafone decides to remove the foreign interception software without finding the culprits of the wire tapping. Thus, according to many experts the culprits can no longer be traced. Mr. Koronias, CEO of Vodafone Greece, claimed before the Parliamentary Committee on Transparency that no one had asked him to reactivate the illegal software in order to trace the phones that intercepted the conversations in question.
The company claims that they have back up copies of the deleted data and that they committed no illegal act within the boundaries of the Act for the Protection of the Privacy of Telecommunications.
March 9, 2005 Mr. Costantinos Tsalikidis, Network Planning Supervisor for Vodafone and top level manager for the company, is found hanged in his apartment. He never left a (suicide) note nor any indication that he was suffering from any personal problems. No autopsy was conducted in situ, and the forensic report was inconclusive.
The circumstances around the death of Mr. Tsalikidis, were pronounced a year later as questionable and directly connected to his professional position at Vodafone, and the Athens Prosecutor re-opened the case. Vodafone Greece never sent a condolence telegraph to the deceased’s family, regardless of the fact that Mr. Tsalikidis worked at Vodafone for over a decade. March 10, 2005 The CEO of Vodafone Greece, Mr. Koronias, briefs the Prime Minister of Greece in the presence of a Prosecutor about the wire tapping. Among the phones that were tapped was that of the Prime Minister as well as all the ministers of the current government, Members of the Parliamentary Opposition, as well as other non-parliamentary officials. He also mentions the «suicide» without however, connecting it to the wire tapping incident.
The following year however, in the context of the legal proceedings that began on February 8, 2006, Mr. Koronias claimed that he had the complete approval of the government, especially the Prime Minister himself, for his actions. The matter was deemed one of top national security and top secret by the government. The question at hand is why the Greek Authority for the Assurance of Information and Communication Privacy was not informed and why regular legal procedures were not followed before deactivating the software.
March 11, 2005 The Prosecutor for the Supreme Court, Mr. Linos gives a direct order for an urgent and secret preliminary investigation to the Head Prosecutor in person. In this order there is no written mention of the suicide.
The question at hand concerns what are the findings of this 11-month investigation that has been conducted since 11 March 2005 until today, and why the entire case seems to be re-examined from scratch.
June 11, 2005 The local police precinct that investigated the death of Mr. Tsalikidis, closes the case on the suicide and sends the files to the Prosecutor’s office. According to the police, no evidence of a break-in was found, therefore, they did not see the need to conduct an autopsy nor to take fingerprints.
Vodafone Greece did not hand over any personal effects of Mr. Tsalikidis nor any data from his personal computer to his family or to the authorities, which would have greatly assisted in any investigation by the local precinct.
January 30, 2006 The Head Prosecutor, Mr. Papagelopoulos, claims to have been informed about the suicide case from the Major General, who mentioned the suicide outside of the court proceedings. A year later Vodafone Greece remained silent on the type of internal investigation that took place, on whether suspects were located and what type of sanctions were imposed on them relating to what is possibly the biggest political scandal in the modern history of Greece.
February 1, 2006 The preliminary investigation conducted by Mr. Papangelopoulos regarding the wire tapping is concluded with the closing statement that he was awaiting evidence from the State authorities.
February 2, 2006 Criminal charges are filed against unknown perpetrators for wire tapping. On the same day, three ministers make statements to the press where they congratulate Mr. Koronias for his stance to erase the software program. The next day the press characterizes the handling of this case as a huge political and communication blunder.
February 3, 2006 The press widely believes that the wire tapping case is related to the suicide of Mr. Tsalikidis. This is first page news in all the press and mass media of the country for the next two weeks. Countless news programs are assuming that the suicide of Mr. Tsalikidis may not have been a suicide.
February 8, 2006 The investigation of Mr. Tsalikidis’ death is handed over to the highly experienced Prosecutor, Mr. Diotis. For the first time in a year since the death of Mr. Tsalikidis an investigation of his apartment is conducted. The results have not been made public yet.
March 9, 2006 The day of the anniversary of Mr. Tsalikidis’ death, Mr. Koronias is cross-examined by the Parliamentary Committee on Institutions and Transparency. He stated that he did not order or receive the «lawful interception» software program. He also said that as the producer of the software, Ericsson was responsible since they had fully trained personnel on the functioning of the software program.
Mr. Koronias stated that Vodafone has a very technologically elaborate security system and that it was because of his diligence that the incident was considered to be of «national security.» Parliament also suppoenaed the head of Ericsson to appear in a future hearing.
With regard to the death of Mr. Tsalikidis, Mr. Koronias said that he mentioned the «suicide» to the ministers that he met with in March 2005 and that Vodafone was assisting authorities in any way possible with their investigation. The question here is whether an internal investigation file exists on Mr. Tsalikidis, and if so why the family members have never been informed of its findings...
IEEE Spectrum: The Athens Affair
http://www.tsalikides.com
The Greek illegal wiretapping scandal: some translations and resources.
Email comments or more resources to gdanezis at esat dot kuleuven dot be
2006-02-07: Quintessenz was just provided a link to the technical manuals describing the interception interfaces of the equipment in the same family as the one used to make the illegal interceptions.
Translations:
The first hand source about how interception was taking place, through the lawful interception subsystems provided by Ericsson:Greek Government Press Briefing: 06-02-02. Below is a rough translation by G. Danezis:
BOULGARAKIS (Public order minister): Good day. It is the case indeed that Mr Koronias (CEO of Vodaphone), who asked, as Mr Rousopoulos suggested, to meet with the prime minister or someone that could get in touch with him -- the PM, I believe, was absent at that time in Madrid for a convention on terrorism -- had a meeting in Mr Aggelou's office with us. He informed us that in a routine control that took place on his company's software, it was realised that there was a system that was wiretapping some mobile phones. Mr Koronias briefed us in detail, which was initially difficult for us due to the level of technical details. In brief the system was setup in the following way: The [mobile phone] companies have software that allows then to activate mobile phones. This software has different subsystems. For example, it has a subsystem to send sms messages, a subsystem for images messages, a subsystem for the voicemail etc. There is also a subsystem that deals with lawful conferencing (lowphone interception) [(sic) this should be 'lawful interception']. This system, that is provided by Ericsson, has either been bought nor activated by Vodaphone. As Mr Koronias explained to us, there were some customer complaints about calls not getting through, delays or messages not getting delivered. In any case they were they were not provided with the full services they should and a routine investigation was started to look into the matter. Because they could not find out what the problem was, they asked for a control from the 'mother' company [ed: British Vodaphone] -- beyond the greek company -- that sent people here to study the matter further. During this process it was found that in some way the lawful interception subsystem had been activated, for some numbers: while those numbers were called it was active, and it was deactivating itself when the callers hand up, resulting in being invisible. In other words there was a process that was working only for some phone number, while they were talking, and after that the it was hiding itself using a special method. Every time someone would do a regular check of the system, they would not be able to detect it. Through that process it was found. The question is what phones were listened to, in what way they were doing it, and where, at the end, someone could record, if someone could record, what was going on.
As the minister told you there is a list of people under surveillance that is now being made public.
There were about 100 numbers under surveillance. They were under surveillance though Vodaphone with 14 'shadow' phones. There were 14 to 16 -- more like 14, but it is not important -- phones that were working as electronic shadows of the 100 phones. When a number was called, though the system described before, it was connected in some way with one of the shadows, that was working a bit like in duplex. Most probably the shadow using some software was performing the recoding. Using a system of redirections, in case a [shadow] phone was called twice, another out of the 14 numbers would be called, and if it was also busy another one would be called, etc. In other words this system was wiretapping those 100 numbers, redirecting them to the 10 phones, that most likely were then recorded somewhere else.
I said it as simply as I could, but the system is roughly that.
When the list was provided to us by Mr Koronias, the PM ordered to have a full investigation. In the ministry for public order was started a very difficult and very detailed investigation. Why difficult and detailed? As soon as the system came to the attention of the company, the first thing it did was to isolate it. By isolating it the system stopped. Surely in this way was stopped one of the ways, that could maybe, lead to where the phones were. It was noticed when the [shadow] phone numbers were given to us that those phones number had been called. In particular, the 14 phones that I mentioned before, while not making calls were receiving calls. Since we could not get directly to them -- since there was no more the signal that I described you before -- we had to get at them indirectly. This was a complex and difficult task because because all those phones were pre-paid. This means that they had multiple owners in the past. To give you an example: one of those phones had received many calls. This phone has received all those calls [social network diagram of calls unfolded in the press room.] So we tried, using these calls, to get to this phone number. To find out why those calling were calling etc. This was a difficult, painful and time consuming process. Because those phones belong to someone. All those people were, after following all the legal process, were interrogated to find out the reason they called these phones. Were they calling, to listen to what the phones had been recoding using a secret pin? Was it possible for them to remotely activate some redirection?
I simply showed you one phone number but there were tens of those actions. I give you another card with phone numbers that were linked amongst them, because of the system of redirections in place. We had to study hundreds of calls that originated from phones all across Greece: on the islands, the cyclades, the dodekanese, in crete, in ebros, in thessaloniki, everywhere. Most of the phones that we could investigate -- because there were some we could not, because there were some pre-paid phones, that were calling pre-paid phones -- were people that were calling because they thought they were calling some previous owner of the phone. As you know pre-paid phones that are not used for a while, have their number returned to the company, that then gives it to someone else. Those callers thought they were calling the previous owners. And this comes out of many interviews.
In short, the whole process was painful and time consuming, and this is the reson that it took so long, because for every person interviewed we had to check that what they were saying was truthful, and cross check all the fact that were provided with what we knew. All this lead nowhere. All those calling though they were calling the previous owners.
In conclusion from the moment the phones stopped transmitting, it was difficult to determine the antena or cell they were active in, that was initially determined. And in particular it was initially determined in the wider region of the network that is serving by the following 6 mobile masts: From Lukavitos, to Mabili Sq, to the Athens Tower, and the area of the clinic 'White Cross'. Despite having a general geographic location about the masts that the [shadow] phones used, it was difficult using our systems, which are the best there are, to get a precise fix, because the phones were switched off. So no one could get close and find where the phones are. This is the reason the process took so long, and ended in the clarification of all the calls to the 14 shadow phones.
[...]
LAMPROPOULOS (Journalist): Two technical question. Mr Voulgarakis, you talked to the people that were calling [the shadow phones], did they give any information about someone picking up, who pick it up, and what are the results of the investigation of where the phones were bought? You told us these were shops in 'Ibi' and 'Nea Ionia'.
VOULGARAKIS: Mr Lampropoulos, since he is usually covering crime news, is giving us an interesting question. The first thing that surprised us when we got the list of numbers was that the call duration [from random people to the shadow phones] was in the order of seconds, which means that no one actually talked. That is the calls received by the phones in group B [the shadow phones], the phones under investigation. Phones in group A were my phone and the phone of mr Papaligouras, Mr Spiliotopoulos, etc. Those were known. The second group, that we are investigating, had calls that lasted a few seconds. One second, one and a half second. They were not normal calls. So our first hunch was that these calls were sending a code to activate a system, that would allows them to retrieve some intercepted voice data from those phones. [We thought] This was the reason there were so many calls. As a result when we approached the callers, that used the phone which called the phones, we knew how many times he had called, how much time they lasted, and the previous calls of the phone. I mean to say that there was a very big investigation.
JOURNALIST: What did they reply? What were they saying? Those 3 to 4 seconds what was happening?
VOULGARAKIS: Say they called Voulgarakis, for example, that they believed the phone belonged to, he did not pick up, and the voicemail was activated. Then the callers hang up.
JOURNALIST: In Greek or in English?
VOULGARAKIS: It was all in Greek. We also called.
JOURNALIST: Did you go to the shops in Nea Ionia?
VOULGARAKIS: We started an investigation, but there was no...(interruption into another, unrelated, question)...
No comments:
Post a Comment