Slashdot Mirror

← Back to Stories (view on slashdot.org)

How NSA Spies Stole the Keys To the Encryption Castle

Posted by timothy on from the thanks-fellas-really-you've-done-enough dept.

Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.

29 of 192 comments (clear)

  1. NSA... by tekrat · · Score: 5, Insightful

    Can we all just agree that the NSA is the most nefarious hacking group, the most dangerous and out of control? That they make all the other so called "black hats" look like innocent little babies?

    I think we all need to work together to get rid of this terrible, nasty, unpredictable hacker group -- for the sake of national and international security. They represent a clear and present danger to the future of this country.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:NSA... by ATMAvatar · · Score: 5, Insightful

      I agree. It is becoming increasingly difficult to consider the NSA as anything other than an extremely well-funded criminal organization.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    2. Re:NSA... by Charliemopps · · Score: 4, Insightful

      You don't seem to get it. No one wants the NSA. The American people have been polled, and overwhelmingly despise the NSA and what it does. Local and state governments have publicly declared their actions criminal, and Congress has overwhelmingly decried their activities. But they're still here and there's literally nothing we can do about it. That should tell you something.

      It's like we're all in a coffee shop, and a man armed with a 12 gauge just barged in to rob the place and demanded we all act normally. Even the cashier is nodding and offering him a latte... but in reality we're all glancing at each other wondering who's going to be brave enough to clock him over the head with their coffee mug first. There's one feeling that I think we've all felt in this country over the past 10yrs or so, and I think that feeling is best described as "Unease"

  2. How is this even remotely legal? by Jahoda · · Score: 5, Insightful

    Under what possible interpretation of the law can this be considered the actions of lawful government?

    1. Re:How is this even remotely legal? by Kjella · · Score: 4, Insightful

      "We are the law."

      --
      Live today, because you never know what tomorrow brings
    2. Re:How is this even remotely legal? by Ralph+Wiggam · · Score: 4, Informative

      Gemalto is in the Netherlands. It's entirely legal for the NSA and GCHQ to do anything they want outside of their home countries. They were both chartered 60+ years ago to spy on foreign communications. You can certainly argue that this attack was unethical, or a bad idea, and it was definitely illegal under Dutch law- but it was legal under British and American law.

    3. Re:How is this even remotely legal? by TheGratefulNet · · Score: 4, Insightful

      if this is true, then the NSA has blatantly broken law, STOLEN property (intellectual property, that's property, right? RIIIIGHT?) and nullified most of the network and systems security we have tried to put in place over the last 10 or 20 years.

      they also are using fear and intimidation to keep the population in check. ie, they are terrorists. state sponsored terrorists who steal without regard to their actions.

      so, when are they going to be tried for terrorism under the patriot act??

      --

      --
      "It is now safe to switch off your computer."
    4. Re:How is this even remotely legal? by Ralph+Wiggam · · Score: 4, Interesting

      British and American laws don't have jurisdiction over computers in the Netherlands.

    5. Re:How is this even remotely legal? by BoRegardless · · Score: 4, Insightful

      "We are the law."? No! They invent the law out of thin air. Plus legislators can't be held liable for what they say or vote for in Congress (unless you can prove a bribe or conflict of interest.)

      This is the sort of attitude that eventually destroys institutions from within, though it takes awhile.

      I do tend to agree that secession is inevitable in the US, just as it seems heading in that direction in the EU. What that will do is return some semblance (notice I said some) to States rights and hopefully smaller government, which currently redistributes about 50% of all earnings in the US. That is double what serfs paid in around a thousand years ago.

    6. Re:How is this even remotely legal? by NettiWelho · · Score: 4, Insightful

      Broken what law? Dutch law, I guess, so the Dutch would have to find and arrest them.

      It's not a violation of American law to rob a store in Paris.

      I believe the Netherlands have an extradition treaty with both UK and US.

      What's been done here is a crime in all 3 nations.. Besides, doesnt US consider hacking an act of war?

    7. Re:How is this even remotely legal? by bware · · Score: 4, Insightful

      http://yro.slashdot.org/story/15/02/18/0239259/russian-man-extradited-to-us-for-heartland-dow-jones-cyberattacks. The US seems more than willing to extradite and try someone from a foreign country for hacking US computers. It seems likely the US has an extradition treaty with the Netherlands. It seems likely the Netherlands has laws against hacking computers.

  3. I think people do not understand how deep it is. by Anonymous Coward · · Score: 5, Insightful

    It's not just about SIM cards.

    Gemalto makes smart card readers etc. Think not just communications, nor banking. Think secure access. We use things like that to ascertain authenticity and inviolability in signed documents, emails etc.

    We used.

  4. Class action lawsuit ? by Alain+Williams · · Score: 4, Interesting

    Should Gemalto be sued by people who use their cards & other products on the grounds that they did not adequately secure their computer systems and thus let in outside crackers to steal the encryption keys ? That the crack was done by GCHQ/NSA does not really alter things -- they were cracked. The point of this is that successful legal, and expensive, action would make all corporates treat security properly; this would have great benefits -- more than just keeping the spooks at bay.

    The only problem is that to sue Gemalto the plaintiffs would need to demonstrate that they have suffered. This might be hard, although insisting that they were all given new SIMs might be a start.

    1. Re:Class action lawsuit ? by Kjella · · Score: 4, Insightful

      So if somebody breaks into your house, steals your car keys and proceed to run somebody over they should sue you for manslaughter? Because you know you could have put those in a safe inside a vault inside a bunker and not in your spare pair of pants. No, what you describe is pretty much the reason the US legal system is what it is and having a ton of good lawyers on staff is a necessity. And it wouldn't really stop the NSA anyway.

      --
      Live today, because you never know what tomorrow brings
  5. This just keeps getting better and better by Anonymous Coward · · Score: 4, Informative

    We're not even over the NSA hard drive hacks and now this?

    Next you're gonna tell me Americans shove food up people's ass for freedom. Oh wait they do.

    HUGE SPY PROGRAM EXPOSED: NSA has hidden software in hard drives around the world
    Is the NSA Hiding in Your Hard Drive?
    NSA Has Ability To Hide Spying Software Deep Within Hard Drives: Cyber Researchers
    Is Your Hard Drive Hiding NSA Spyware?
    The NSA hides surveillance software in hard drives
    'Breakthrough' NSA spyware shows deep grasp of makers' hard drives
    NSA planted surveillance software on hard drives, report says
    NSA secret spying software discovered by Russian researchers
    NSA Hackers Infected Hard Drives With Impossible-To-Remove Spyware
    NSA Has Planted Surveillance Software Deep Within Hard Drives Since 2001: Kaspersky
    NSA program is embedding secret spying software in hard drives in Russia, China, Middle East, allowing agency to eavesdrop on most of worldâ(TM)s computers: report
    Destroying your hard drive is the only way to stop this super-advanced malware
    Hard drives beware, the NSA is coming for you
    Kaspersky fingers NSA-style Equation Group for hard drive backdoor epidemic
    There's no way of knowing if the NSA's spyware is on your hard drive
    The NSA's Undetectable Hard Drive Hack Was First Demonstrated a Year Ago

  6. Re:A big surprise by aberglas · · Score: 4, Insightful

    Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.

    As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.

  7. Legal, schmeagle by fyngyrz · · Score: 5, Insightful

    Under what possible interpretation of the law can this be considered the actions of lawful government?

    Oh, I'm sure they can find something. You can't do anything about it -- you can't sue -- because you don't have standing. You'd have to show they were listening to *you*, just to start with, and then you'd have to have a few million to push it through to the supreme court.

    And *then* of course you'd be facing the same idiots that think "shall not infringe" means "infringe", "intrastate" means "interstate", article 3 means article 5, and that "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" means "as long as we think it's reasonable, we can search and seize to our heart's content", and " no ex post facto Law shall be passed" means "retroactive punishment is no problem."

    The only privacy you have at this point is in your own head. Assuming you haven't spoken, written down, or otherwise "shared" your thoughts.

    The system is broken. Badly. And very few care -- we're stuck on this downhill-all-the-way roller coaster ride.

    --
    I've fallen off your lawn, and I can't get up.
  8. Time to Embargo USA and UK by DavenH · · Score: 5, Insightful

    It's what they'd do.

  9. Re:A big surprise by Anonymous Coward · · Score: 5, Insightful

    That's already sort of the case. The NSA and similar agencies in other countries are LOADED with useless incompetent staff and engineers. It has everything to do with their impossible hiring practices combined with it being a shitty unethical job. They don't even pay super well, and anyone competent can make more in the private sector.

    This makes the whole thing even more scary to me, because being utterly corrupt and not very bright are pretty much absolute requirements for the job. The fact that they get anywhere at all is because they have a huge budget and federal backing to force companies to play along.

    I'm always extremely skeptical of stories that the NSA actually broke something through math. It's way way more plausible that they simply paid someone off on the inside.

  10. Re:Remarkable feat by xaxa · · Score: 4, Informative

    Remarkable feat! Guys from Bletchley Park — who also intercepted and decrypted everything they possibly could — would've been proud...

    These are the "guys from Bletchley Park" -- in the sense that it's the same government organisation.

    "During the Second World War, GC&CS was based largely at Bletchley Park ... GC&CS was renamed the "Government Communications Headquarters" in June 1946"

    http://en.wikipedia.org/wiki/G...

  11. Re:A big surprise by TWX · · Score: 5, Insightful

    I think the points are though, that first, companies do not do a good job of cybersecurity, or security at all for that matter. This is the issue that allowed another party to gain access to the crypto data for the SIM cards and for other security mechanisms in order to defeat them.

    And second, while the NSA and the British equivalent might be unweildy bureaucratic monsters where those in-charge might not even know what the appendages are doing, they're well-enough funded that they can afford to buy people off to socially-engineer their way in to places where they wouldn't otherwise have the right to go. That gives them the ability to get into corporate networks or to get data from individuals working for corporations; they buy their way in and the consequences of the actions of the employee are not the NSA's concern. All they want/need is the data, and if they can buy it for cash or buy their way in for cash then they might just do that.

    Security is hard. Ultimately it comes down to the individual employee, who has to have access to what he or she works on, but by having that access, also can be a risk. A multimillion dollar system can be compromised by a single technical employee because that employee needs access through those safeguards to do the job. It's really no different than bribing the guards at the castle to get in.

    --
    Do not look into laser with remaining eye.
  12. Every company should release their private data by CQDX · · Score: 5, Interesting

    on every US and UK government employee. Let them become life-time victims of identity theft. Let the Chinese and Russian intelligence agencies have a field day. It's the only hope we have that they'll learn.

  13. Of course... by chill · · Score: 4, Interesting

    Why do you think all the recent cell phones that are rated for classified voice, such as the Sectera Edge and Project Fish Bowl all run VoIP for classified communications?

    Because they know better than to trust the commercial telephone networks and their voice "security".

    --
    Learning HOW to think is more important than learning WHAT to think.
  14. USA! USA USA! by Anonymous Coward · · Score: 5, Insightful

    While I think some of the points, however plausible, are a bit on the side of paranoia, the Libertarians firmly believe that we should have only a defense force and not project power.

    The current rational now for IS - or whatever they are called now - is to fight them over there so they don't come over here. They just want control of the Middle East - they are no threat to us. Also, the Arabs, Persians, Kurds, and other people's of the Middle East have been dealing with their ethnic problems for thousands of years. And of course, being there, we the USA are going to fuck things up even more.

    Unfortunately, we have a populous who treats our military conquests like a football game. USA! USA! win! It makes small people feel big.

    We in the USA are small people who like big guns. We lost the idea of walk softly and carry a big stick.

    We bluster, shoot things up and wonder why other peoples hate us.

    But this football mentality is how you get people to volunteer to fight in idiotic and unjust wars - get the stupid people to die and get maimed for the elite.

  15. Re:Time to go back to land lines and cash. by BlueStrat · · Score: 4, Insightful

    At what point do we start putting these criminals away? They have broken every law on the books.

    One of the most insidious effects of this sort of Panopticon-level data collection & analysis is that it works as well against prosecutors, judges, AGs, and even SCOTUS justices, as it does some CEO or key IT admin somewhere they're interested in compromising.

    Parallel construction is blind, therefor the current US justice system no longer is. Along with every other government agency, bureau, department, etc, all the way down.

    Total Information = Total Control

    The US Government is under the control of those who control that information. Even if the target is squeaky-clean, they are perfectly capable of planting things like kiddie-porn or any other convenient data on a hard drive such that it would stand up to the type/depth of forensics used in the typical criminal trial.

    Threatening to leak damaging private information, especially when it involves an elected official right before a(n) (re)election, works without even involving the justice system or making a public scene.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  16. Snowden cared. by Anonymous Coward · · Score: 5, Insightful

    And, unlike most of us, Snowden actually did something about it. As a result of his revelations, political pressure is being applied to the government from many different directions to get the situation resolved.

    Of course, it cost Snowden his job, and his ability to live in his own country, and might still land him in jail or worse.

    You could swallow some of that cynicism and at least try to improve things. Maybe ask the government to grant snowden clemency?

    Nah. Why exert the effort to click an online petition when it is so much easier to just bitch about how hopeless things are?

  17. Snowden fatigue by goodmanj · · Score: 5, Interesting

    This should either be the biggest news story on the planet, or the biggest lie of the year, but the public response seems to be "meh". The problem is, Snowden stole too much. Or claims to have stolen too much. There have been so *many* earthshattering Snowden revelations that both the outrage and the fact-checking seems to have evaporated.

    This is a big problem either way.

  18. Re:I think people do not understand how deep it is by manu0601 · · Score: 4, Informative

    But on a smart card, asymmetric cryptography can be used. The private key is generated by the chip on user request. It is not supposed to leak outside of the device.

    As I understand, this SIM debacle is only possible because the cryptography used here is symmetric, which means the telephone operator must have a copy of the SIM key.

  19. Re:I think people do not understand how deep it is by kevinbr · · Score: 4, Interesting

    Gemalto generate a master SIM key with batches of cards shipped to each Mobile Operator. I work on a project for mobile payments, mediated with a STK loaded on each card. A HSM is loaded with all the master keys. If you have the master key, you can decrypt all the communications with the STK app on the SIM card. If the Master key leaks, all payment operations/transactions are fucked.