Current Topic: Technology

How the Greek cellphone network was tapped
Topic: Technology
12:40 pm EDT, Jul 10, 2007
From the cryptography@metzdowd.com list: A fascinating IEEE Spectrum article on the incident in which lawful intercept facilities were hacked to permit the secret tapping of the mobile phones of a large number of Greek government officials, including the Prime Minister: http://www.spectrum.ieee.org/print/5280 Hat tip: Steve Bellovin. Perry -- Perry E. Metzger perry@piermont.com

PI-license requirement for computer investigations used to counter-sue RIAA
Topic: Technology
4:48 pm EDT, Jul 6, 2007
Texas resident Rhonda Crain claims that Sony BMG Music Entertainment and others in the Recording Industry Association of America lawsuit illegally employed unlicensed investigators and were aware that they were disregarding the laws of her state. She filed an amended counterclaim Monday in the U.S. District Court for the Eastern District of Texas, Beaumont Division.

Defense workers warned about spy coins
Topic: Technology
8:05 pm EST, Jan 10, 2007
The Defense Department is warning its American contractor employees about a new espionage threat seemingly straight from Hollywood: It discovered Canadian coins with tiny radio frequency transmitters hidden inside. In a U.S. government report, it said the mysterious coins were found planted on U.S. contractors with classified security clearances on at least three separate occasions between October 2005 and January 2006 as the contractors traveled through Canada.

Peter Gutmann: A Cost Analysis of Windows Vista Content Protection
Topic: Technology
3:52 pm EST, Dec 27, 2006
Windows Vista includes an extensive reworking of core OS elements in order to provide content protection for so-called "premium content", typically HD data from Blu-Ray and HD-DVD sources. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista (for example hardware in a Macintosh computer or on a Linux server). This document analyses the cost involved in Vista's content protection, and the collateral damage that this incurs throughout the computer industry.

The Eavesdropper's Dilemma - Matt Blaze et al... [PDF]
Topic: Technology
4:08 pm EDT, Oct 26, 2006
This paper examines the problem of surreptitious Internet interception from the eavesdropper’s point of view. We introduce the notion of “fidelity” in digital eavesdropping. In particular, we formalize several kinds of “network noise” that might degrade fidelity, most notably “confusion,” and show that reliable network interception may not be as simple as previously thought or even always possible. Finally, we suggest requirements for “high fidelity” network interception, and show how systems that do not meet these requirements can be vulnerable to countermeasures, which in some cases can be performed entirely by a third party without the cooperation or even knowledge of the communicating parties.

Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone's Battery
Topic: Technology
4:34 pm EDT, Sep 14, 2006
As cellular data services and applications are being widely deployed, they become attractive targets for attackers, who could exploit unique vulnerabilities in cellular networks, mobile devices, and the interaction between cellular data networks and the Internet. In this paper, we demonstrate such an attack, which surreptitiously drains mobile devices’ battery power up to 22 times faster and therefore could render these devices useless before the end of business hours. This attack targets a unique resource bottleneck in mobile devices (the battery power) by exploiting an insecure cellular data service (MMS) and the insecure interaction between cellular data networks and the Internet (PDP context retention and the paging channel). The attack proceeds in two stages. In the first stage, the attacker compiles a hit list of mobile devices — including their cellular numbers, IP addresses, and model information — by exploiting MMS notification messages. In the second stage, the attacker drains mobile devices’ battery power by sending periodical UDP packets and exploiting PDP context retention and the paging channel. This attack is unique not only because it exploits vulnerable cellular services to target mobile devices but also because the victim mobile users are unaware when their batteries are being drained. Furthermore, we identify two key vulnerable components in cellular networks and propose mitigation strategies for protecting cellular devices from such attacks from the Internet.

Britain's WWII Enigma codebreaking machines resurrected
Topic: Technology
2:48 pm EDT, Sep 8, 2006
LONDON (AFP) - A fully-functioning replica of a secret British codebreaking machine which hastened the end of the Second World War more than 60 years ago was unveiled. Turing Bombe machines cracked some 3,000 enemy messages in the German Enigma code every day and are said to have shortened the war by two years.

Topic: Technology
10:51 pm EDT, Aug 19, 2006
HANDY ONE-LINERS FOR SED (Unix stream editor) Apr. 26, 2004 compiled by Eric Pement - pemente[at]northpark[dot]edu version 5.4
This puts the K in K-rad.
SED one-liners

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
Topic: Technology
11:33 am EDT, Jul 27, 2006
Or: How I learned how to port scan company intranets using JavaScript! Imagine visiting a blog on a social site like MySpace.com or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page, JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours. This scenario is no longer one of fiction.
You can visit the proof of concept page I created and test drive it now.

Blue Boxing Wiretapping Systems
Topic: Technology
4:24 pm EDT, Jun 26, 2006
In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both "pen register" and "full audio" (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. In the most serious countermeasures we discovered, a wiretap subject superimposes a continuous low-amplitude "C-tone" audio signal over normal call audio on the monitored line. The tone is misinterpreted by the wiretap system as an "on-hook" signal, which mutes monitored call audio and suspends audio recording. Most loop extender systems, as well as at least some CALEA systems, appear to be vulnerable to this countermeasure.
John Markoff has a story on this today. Ha... They were using old-school DTMF techniques to detect call status! That's a bizarre approach. You'd think they'd have some device that spoke SS7 and the network would simply send the digital call traffic to them.

U: I just read the paper. Apparently there IS no good reason they are using inband signals. It's a good paper. Read it. Of course, this kind of vulnerability isn't what I'm really interested in with respect to CALEA equipment. The big question is how does Law Enforcement get access to the CALEA system and is the security/authentication of that access method sufficient to prevent other parties from using the system. I've heard unsubstantiated whisperings that it isn't...

U: The paper seems to allude to this suspicion as well...