Slashdot Mirror


Gemalto: NSA and GCHQ Probably Hacked Us, But Didn't Get SIM Encryption Keys

An anonymous reader writes: Last week The Intercept published a report saying agents from the NSA and GCHQ penetrated the internal computer network of Gemalto, the world's largest maker of SIM cards. Gemalto has done an internal investigation, and surprisingly decided to post its results publicly. The findings themselves are a bit surprising, too: Gemalto says it has "reasonable grounds to believe that an operation by NSA and GCHQ probably happened."

They say the two agencies were trying to intercept encryption keys that were being exchanged between mobile operators and the companies (like Gemalto) who supplied them with SIM cards. The company said it had noticed several security incidents in 2010 and 2011 that fit the descriptions in The Intercept's documents. Gemalto had no idea who was behind them until now. They add, "These intrusions only affected the outer parts of our networks – our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks." They claim proper use of encryption and isolation of different networks prevented attackers from getting the information they were after.

99 comments

  1. But can we believe them? by raburton · · Score: 3, Interesting

    as per the subject

    1. Re:But can we believe them? by jools33 · · Score: 2

      If they really did get all of our SIMs private keys (which seems quite likely) the costs will be extreme to replace all SIMs - so it seems to me that this is what they want us to believe to keep costs down.

    2. Re:But can we believe them? by aaaaaaargh! · · Score: 1

      Exactly this, what else would a security company say to the public, "We suck at security and all our keys were stolen"?

    3. Re:But can we believe them? by NatasRevol · · Score: 2

      Why would the company selling SIMs not want everyone to replace their SIMs?

      --
      There are two types of people in the world: Those who crave closure
    4. Re:But can we believe them? by GoddersUK · · Score: 3, Insightful

      Initially I thought we could probably believe that they believed it. But then TFA said this:

      ...we are conscious that [they] have ... legal support that go[es] far beyond that ... typical. And, we are concerned that they[NSA, GCHQ et al] could be involved in such indiscriminate operations against private companies with no grounds for suspicion....

      This seems to be a bit more than simply "you can't prove a negative"; it seems to be a warning carrying overtones of much that's been left unsaid. The reference to legal support seems to suggest that Gemalto have been on the receiving end of a visit from the men in dark glasses. "No grounds for suspicion" sounds like an ominous reference to suppressed truth, rather than just Russell's teapot

    5. Re:But can we believe them? by Anonymous Coward · · Score: 1

      You realize that no one would give them money for the replacement sims? they would be required to replace them for free like in any recall

    6. Re:But can we believe them? by ColdWetDog · · Score: 1

      It does sound like a warrant canary, doesn't it? A bit over complex and tortured, so to speak.

      --
      Faster! Faster! Faster would be better!
    7. Re:But can we believe them? by AmiMoJo · · Score: 5, Interesting

      GCHQ and the NSA were bragging in their internal documents that they have those encryption keys. If true, Gemalto would need to replace billions of SIMs (they manufacture about 2 billion a year) and there is zero chance they could recover the cost from GCHQ.

      So no, we can't believe them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:But can we believe them? by Anonymous Coward · · Score: 0

      My first thought exactly. These are organizations known for their illegal activities and coercion. It wouldn't surprise me in the slightest if they leaned on the company, informing them that it would be in their best interest to tell the public that the spooks got nothing when, in fact, they got everything.

    9. Re:But can we believe them? by PopeRatzo · · Score: 2

      But can we believe them?

      Can you name a single reason why we should believe them?

      --
      You are welcome on my lawn.
    10. Re:But can we believe them? by phayes · · Score: 2, Informative

      Belief in the fundamental good nature of Mankind?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    11. Re:But can we believe them? by NatasRevol · · Score: 1

      But if they're 'upselling' the 'more secure' SIM, they don't have to give them away.

      --
      There are two types of people in the world: Those who crave closure
    12. Re:But can we believe them? by Anonymous Coward · · Score: 0

      +1 Funny

    13. Re:But can we believe them? by bill_mcgonigle · · Score: 2

      You realize that no one would give them money for the replacement sims? they would be required to replace them for free like in any recall

      Not just that - it might be worth it to the carriers to get the SIMs from anybody else.

      Nobody buys their SSL certs from Diginotar anymore - there is a smoking crater on the crypto landscape where that incompetent business used to be.

      Gemalto is left with having to prove the negative. We only need believe that their security and forensics people are more competent than the NSA/GCHQ attacker and cover-up people are, and continue to trust them on that basis. Gemalto cannot take a different position than they are now, no matter how confident they are/aren't.

      Why aren't phones generating their own keys when they're activated at the store? Burn a fusible link if necessary. This would be more secure _and_ cheaper for the carriers. Oh, because NSA has plants on the GSM committees?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    14. Re:But can we believe them? by sasparillascott · · Score: 1

      JMHO, because everybody would think it was Gemalto's fault that they let their keys get stolen (read the Intercept article, some of the security in transferring the key numbers to clients was really no security) and they should replace our SIMs for free - which would then bankrupt (or do something very severe to the company). So, the telling / facing the truth means severe pain for Co (or Bankruptcy) and top execs getting fired or just say everything is okay and act like they didn't really lose anything and hope it blows over - betting top execs go for option #2 (screw the truth or the potential security of customers).

    15. Re:But can we believe them? by the_other_chewey · · Score: 3, Informative

      Why aren't phones generating their own keys when they're activated at the store? Burn a fusible link if necessary. This would be more secure _and_ cheaper for the carriers. Oh, because NSA has plants on the GSM committees?

      No, because the subscriber identity is linked to the SIM card (it's in the name...),
      and not to the phone. You can switch a SIM card into any phone (some simlock
      issues excluded) and just keep going with your one subscriber identity.

      Or put another SIM card in your phone and use a completely different one.
      It's great when traveling.

      It's a feature - it's even a "we actually want this" kind of feature.

    16. Re:But can we believe them? by tlhIngan · · Score: 3, Informative

      this is what they want us to believe to keep costs down.

      You won't believe how old the technology is in a SIM card. It's actually quite ancient.

      Think about it - your SIM probably has a 32k storage area, yet if you saw the actual die, it's remarkably big for what it is (just an 8-bit microcontroller and storage) - something that would in normal circumstances literally be the size of a grain of sand if you used recent, but not cutting edge, fab technology.

      Instead, the dies are relatively big (measured in the mm scale) - it's because SIMs are so disposable so the manufacturers basically buy up ancient fabs and equipment for basically nothing. (It's probably sub-micron by now, but not the deep-sub-micron we use for bleeding edge stuff). Students in VLSI design often use micron-scale technology as it's basically extremely cheap to run. Even the masks used don't have to be particularly precise (a modern mask for a fab is on the order of $100K, each, and you often need 20 or more masks) so those are really cheap. And probably reused in the end, as well.

      SIM cards are stupidly cheap because of this - which is the entire point - that $10 they charge for a SIM card is pure profit for the most part.

    17. Re:But can we believe them? by Anonymous Coward · · Score: 0

      Because many people in the world routinely swap sim cards.

    18. Re:But can we believe them? by Aaden42 · · Score: 1

      Doesn’t matter whether the identity is linked to phone or the card. On first activation of a new subscriber, have the SIM and the carrier they’re subscribing to do a key exchange dance. DH, PFS, etc. Burn the fuse on the SIM, and the SIM can’t be rewritten, and the SIM’s private half of the key pair never leaves the card.

      The SIM can still be stuffed in any other (unlocked) phone, and it continues to communicate securely with the carrier it’s subscribed to. You can never re-subscribe a SIM to a different carrier or for a different user, so you need a new $5 SIM.

    19. Re:But can we believe them? by hjf · · Score: 1

      It's 128K nowadays. And the SIMs here in Argentina are free if you buy a phone, or $1 if you buy the SIM at any random store on the street.

    20. Re:But can we believe them? by F.Ultra · · Score: 1

      They don't want writable SIMS out on the market, that is why. Of course they are there anyways just like you can buy illegal weapons and drugs but that is probably the main reason why they implemented the SIM standard to be "burn at the factory only".

    21. Re:But can we believe them? by Dr_Barnowl · · Score: 1

      Yeah, but that's a loss-leader.

      They sell the SIM in the expectation that you'll spend money on service. It doesn't imply that the cost of the SIM is less than $1. The dollar is likely just something to incentivize the shop to sell them.

      My provider will send you a package of multiple SIM cards to give out to people, for free. Doesn't imply that they have a zero cost.

    22. Re:But can we believe them? by Dr_Barnowl · · Score: 1

      They wouldn't need a warrant canary - they are in Denmark and not subject to the force of a National Security Letter.

      But as others have pointed out, if they come out and say their SIMs are compromised, the consumer outcry will cost them many millions. They have 2 billion units in the wild.

      "Corporate responsibility" (to the shareholders...) dictates that they can't admit that, even if it's true.

    23. Re:But can we believe them? by rdnetto · · Score: 1

      there is zero chance they could recover the cost from GCHQ

      Interesting thought: we normally regard investor-state dispute settlement clauses negatively, but this is an actual case where they would be helpful in compensating Gemalto for the harm caused to them. Requiring the NSA, etc. to pay compensation for the harm caused could do a lot to curtail their actions.

      --
      Most human behaviour can be explained in terms of identity.
    24. Re:But can we believe them? by Wolfrider · · Score: 1

      --I'm a bit surprised nobody has mentioned the plot twist -- the NSA *didn't* get the SIM encryption keys 1st time around, but are now forcing/expecting everyone to replace their SIM cards with new ones - that have keys they DO know about...

      / paranoia

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  2. meanwhile at Fort Meade by alen · · Score: 2

    a bunch of NSA geeks are high fiving each other and can't seem to stop hooting and hollering with awesomeness

    1. Re:meanwhile at Fort Meade by TWX · · Score: 2

      Maybe they'll high-five each other into a workers' compensation claim, exacerbating that old carpal tunnel injury...

      --
      Do not look into laser with remaining eye.
    2. Re:meanwhile at Fort Meade by PopeRatzo · · Score: 1

      a bunch of NSA geeks are high fiving each other and can't seem to stop hooting and hollering with awesomeness

      You are absolutely correct, and they're doing it in public.

      Anyone who has seen the NSA's twitter feed knows they love to joke about this stuff. The first time I saw it, I was sure it had to be a parody account, but in fact it was the actual NSA account. The Intercept did a whole story about the sec-bro culture at the NSA and how we've basically got a bunch of 8chan dickheads who have been given the keys to our lives.

      --
      You are welcome on my lawn.
    3. Re: meanwhile at Fort Meade by Anonymous Coward · · Score: 0

      LOL wut?

      Seems like dry-as-a-bone "official government communications" stuff to me. Where's this secbro stuff you're talking about?
      https://mobile.twitter.com/nsa_pr

      Unless you're just making shit up.

      Protip: you are.

    4. Re: meanwhile at Fort Meade by PopeRatzo · · Score: 1

      Unless you're just making shit up.

      You're looking at the wrong account. Go to the NSA's "Public Affairs Office"

      https://twitter.com/nsa_pao

      https://twitter.com/NSA_PAO/st...

      https://twitter.com/NSA_PAO/st...

      https://twitter.com/NSA_PAO/st...

      IIRC, the really silly ones go back to right around Thanksgiving.

      --
      You are welcome on my lawn.
    5. Re: meanwhile at Fort Meade by Anonymous Coward · · Score: 0

      I don't see anything brosec, unwarranted, or out of line for a government office. Some silliness, to be sure, but nothing malicious or even unreasonable for the official Twitter feed of a government agency to post.

      Try harder. You said these were basically 2xChanner brosec brogrammers that fucked privacy for the lulz, and their Twitter feed showed it.

      I want to see what you are talking about. So show me.

  3. We were burgled but they didn't take anything... by P33kP0k3 · · Score: 1

    Yeah. right. Sounds like the damage limitation engine is in full swing!

  4. One word reply to that nonsensical assertion by Anonymous Coward · · Score: 0

    Bias-ply

  5. separate networks doesn't mean secure at all. by Anonymous Coward · · Score: 2, Informative

    Air gapped networks aren't secure just because they're air-gapped - there's lots of techniques:

    https://www.schneier.com/blog/archives/2014/10/jumping_air_gap.html

    http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/

    and many other types of 'infected' media methods like USB keys. Sure it takes longer, but agencies are very patient.

    1. Re:separate networks doesn't mean secure at all. by Anonymous Coward · · Score: 0

      I like Bruce Schneier. He is brilliant. In this case (first link above) though he wrote a pretty ridiculous post. Great point. All anyone needs is to already have compromised the system, and that it happens to have a scanner attached with the cover open just right so that you can control it with a laser pointer. I mean, sure, you'd have to be in the room and already have access to the air-gapped system, but that still counts as a way to beat an air gapped system right? In other news, I just discovered how to be a millionaire. Before you start, get yourself millions of dollars. OK. Now you are ready to go through the steps it takes to be a millionaire!

    2. Re:separate networks doesn't mean secure at all. by Anonymous Coward · · Score: 0

      So how does data get from the air-gapped system? Manually typing it in on another external system?
      Usually it's copied to a USB stick or some form of storage and then moved to an external system... Thing is that as soon as you managed to infect one or more of the protected systems you just need to move the data out... So a very simplistic description of such a hack..

      Example 1:
      1. Infect a system you have access to.. Let's say network-access in this instance..
      2. Let the infected system flash a new firmware on USB sticks that gets plugged in..
      3. USB stick gets used on an air-gapped system and infects that one. (maybe inject some code into the harddrive's firmware to prevent it from being removed during a reinstall)
      4. Every future USB stick that gets plugged into either of those system will be infected and you suddenly have instant access to all networked systems.
      5. For each time a USB stick gets plugged into one of the air-gapped systems a chunk of data is put on unused blocks on the USB stick, and each time that USB stick gets plugged into a networked system it will send it over to your drop-point....

      Example 2:
      1. Intercept deliveries to the companies and flash a new BIOS image to the servers and new firmware for the harddrives (and scsi-controllers and so on)
      - To trigger the harddrive exploit send something over that would normally be written to the disk.. This exploit could be anything from injecting code into binaries to temporarily adding a user to passwd/shadow or maybe just infect every single system there..
      2. Let the airgapped systems run and collect data onto a few reserved on the harddrive and wait for them to be trashed and shipped out..

      Example 3:
      - Get some code running on an airgapped system in whatever way you want.. When enough data has been collected, and stored in some non-identifiable way on a harddrive, make the harddrive "fail" send your own tech to replace the disk.. There are loads of tech-guys that earn peanuts that gladly would smuggle out that data for them for a fee...

      Example 4:
      1. Infect airgapped systems.
      2. Use power-analysis for the whole building to send out the data one bit at a time by increasing the load on all the servers by a percent or two..

      There are *many* ways to get around an airgap without leaving an easily identifiable trace, it just requires skills/resources/money... 3 things the NSA have loads of.

  6. Inevitability by Anonymous Coward · · Score: 0

    Heeeeeeeeeeere, Eddie Eddie Eddie.... :) Oh, how we miss you so very much.

  7. When groups like this attack you... by geekmux · · Score: 4, Insightful

    ...it's probably a wise assumption that they're not going to stop until they get what they're looking for.

    Cute story, but intelligence agencies didn't target them for their super secret oatmeal cookie recipe.

    1. Re:When groups like this attack you... by DigitAl56K · · Score: 3, Insightful

      Exactly. Their explanation is basically, "we did notice a couple of breaches in the outer layer of our network, this was probably that, nothing serious was taken". Meanwhile the NSA is loading firmware-level rootkits into hard drives via numerous exploit techniques that can remote update and survive reformats, etc.

      Yeah, buddy. Just because you didn't notice the intrusion did not mean it didn't happen. If the NSA wants in they're getting in, and they're good enough not to get caught in most cases.

      Why would the Snowden materials say they got in if they didn't? It's not as if they were leaked intentionally.

    2. Re:When groups like this attack you... by ememisya · · Score: 1

      The guy who released the statement probably is still working for the XXX agencies. They'll surely send an insider if the systems cannot be accessed remotely.

    3. Re:When groups like this attack you... by Anonymous Coward · · Score: 0

      Piss off, AC.

    4. Re:When groups like this attack you... by IamTheRealMike · · Score: 0

      I think the Gemalto response seems reasonable, actually. The documents suggest they weren't doing anything more sophisticated than snarfing FTP or email transfers of key files, which Gemalto say they started phasing out in 2010. And the documents themselves say they weren't always successful.

      NSA/GCHQ are not magic. They do the same kind of hacking ordinary criminals have been doing for years, just more of it and they spend more time on it. If Gemalto are now taking much better precautions over transfer of key material and the keys are being generated on air gapped networks, then it seems quite plausible that NSA/GCHQ didn't get in. Not saying they could NEVER have got in that way, but these guys are like anyone else, they take the path of least resistance.

      Besides, it's sort of hard for them to do something about a hypothetical hack of their core systems that they can't detect and which isn't mentioned in the docs.

    5. Re:When groups like this attack you... by Anonymous Coward · · Score: 0

      Maybe the account Gemalto is telling is true. But getting into the office systems just means they were able to give the proper credentials to someone to physically get into the company and steal what they wanted once physically inside. And in that manner no break-in would be detected. And no data theft would be noticed.

  8. yeahhhhhhhhhh... by Anonymous Coward · · Score: 0

    ....cause if the keys would be compromised, they had to exchange several hundred million SIMs for free, we can't have that...

    1. Re:yeahhhhhhhhhh... by Anonymous Coward · · Score: 0

      They don't have to exchange them for free. No court in the United States or UK will hold them accountable for the criminal actions of an intelligence agency. They want NSA executives as far away from a witness stand as possible.

    2. Re:yeahhhhhhhhhh... by Anonymous Coward · · Score: 0

      If *you* misplace the keys for the lock I bought (for a metric fuckload of money) from you, you wanna bet you're going to exchange the lock&key for free? And, most non-us companies don't give a flying fuck about the opinion of a US court, Gemalto also isn't in the us...

    3. Re: yeahhhhhhhhhh... by Anonymous Coward · · Score: 0

      Please explain how the actions of the NSA in this instance were "criminal."

      Protip: they weren't.

      The NSA is a sovereign arm of the U.S. government, fulfilling its legally mandated duty (by congress no less!) to expand and enhance America's sigint interception abilities around the world.

  9. Let NSA+GCHQ buy Gemalto since they own their ass by ad454 · · Score: 5, Interesting

    North Korea hacks Sony => Cyber-Terrorism
    USA & Great Britain hacks Gemalto => Patriotic-Duty

    Of course Gemalto will say anything they can to limit economic damage, but without proper and transparent oversight of secret agencies there is no way to validate any claim by Gemalto that their 3G/4G SIM secrets were not stolen.

    The best course of action is for Gemalto to simply be bought out officially by the NSA and GCHQ, since they already own their asses, oops I mean assets.

  10. They have Ki's by Macfox · · Score: 5, Informative

    Chances are they have the IMSI Ki keys. This is the info that is given to the carriers with each IMSI(SIM). That's all that is needed to dupe a SIM or decrypt coms. The vast majority(probably all) of these will use the default A3 /A8 encryption, so this will be a walk in the park (load IMSI+Ki into new card) to spin off duplicate SIMs for the next few years. Once you can dupe a SIM, you can then fool the VLR/HLR into redirecting calls/SMS or access Voicemail. No need to monitor the local airwaves.

    --
    Area51 - We are watching...
    1. Re:They have Ki's by Anonymous Coward · · Score: 0

      At a nameless telco I used to work for, the Kis for all users were in an internal tool that any employee could access. What was missing was the OP key, of which there is only one. There's a good chance it was also posted somewhere on the intraweb, just not in the same tool.

    2. Re:They have Ki's by Anonymous Coward · · Score: 0

      By duping SIMs they can also reregister your number with Textsecure and MITM your Textsecure messages.

  11. "Probably" is the keyword by Anonymous Coward · · Score: 0

    This statement does not provide any information as the probability range is subjective. ... Also please consider that there are numerous examples of networks that were outside of direct internet connection that were penetrated by NSA / GCHQ (remember Iran) :)

  12. No single point of failure is permissible by Karmashock · · Score: 3, Insightful

    if the security of the cell network really falls on the security of a single company then that is unacceptable.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:No single point of failure is permissible by xdor · · Score: 2

      You're right, we should make this the responsibility of a single government agency. That way we don't have all this nasty hacking going on.

    2. Re:No single point of failure is permissible by Anonymous Coward · · Score: 0

      Yeah, many more smaller companies, each with less resources should fix that security issue right up.

    3. Re:No single point of failure is permissible by Karmashock · · Score: 1

      If each one has to be individually subverted, then it is actually a great deal harder to compromise them.

      A thousand companies with okay security are harder to breach than one company with great security.

      In any case, you're just embracing the 'too big to fail' model which I would think at this point everyone should know is idiotic.

      I'm not saying you're an idiot... but the idea you're standing behind is in fact idiotic. No offense.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    4. Re:No single point of failure is permissible by Karmashock · · Score: 1

      I never said that. That wouldn't be any better either. What I'd prefer would be a distributed system where every company has its own encryption requiring each one to be subverted individually.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    5. Re:No single point of failure is permissible by Xylantiel · · Score: 1

      Exactly. The problem here is the way the SIM is being used. The SIM manufacturer stores a key on the SIM and gives a copy to the carrier. Then if the NSA can just steal the key (from the SIM manufacturer or the carrier) they can do all sorts of nasty. The right way to do this is have a private key generated on the SIM and never leaving it and the carrier only gets the corresponding public key from the SIM manufacturer. Then the information that the SIM manufacturer and the carrier has is not sensitive and cannot be used to impersonate the SIM and decrypt communications. I'm sure there are reasonable historical reasons why the "right thing" is not being done. This reminds me of wifi which took several iterations of the standard to get something that is not trivially insecure, and even still it is not too hard to just pick the wrong settings and it becomes insecure.

    6. Re:No single point of failure is permissible by Karmashock · · Score: 1

      I'd prefer if the cards came blank and the carrier just imprinted their own key on it at issue.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    7. Re:No single point of failure is permissible by DigitAl56K · · Score: 1

      I'd prefer if the cards came with a cert from the carrier on it so your phone could verify it's talking to a real tower, disabling stingrays in the process, and then your phone generated and exchanged keys with the tower. It would periodically generate new ones and expire old ones when you weren't actively exchanging data or on a call, and weren't hopping between towers. The towers would counter-sign them and hand them back. You could then hop towers quickly because each new tower you tried to connect to only has to verify the networks own countersignature.

    8. Re:No single point of failure is permissible by Karmashock · · Score: 1

      That's fine, I'm just saying that there shouldn't be a single company that can be exploited to compromise the whole fucking network.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re:No single point of failure is permissible by Etherwalk · · Score: 1

      A thousand companies with okay security are harder to breach than one company with great security.

      No they're not--they just take more resources. If there's one thing the NSA has, it's resources.

      I would say a couple of companies with amazingly good security would have a better chance to keep them out than a thousand companies with okay security.

    10. Re:No single point of failure is permissible by Karmashock · · Score: 2

      The NSA loves centralization. So by all means... play right into their hands. It's so much easier when you put all the eggs in one basket.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    11. Re:No single point of failure is permissible by Anonymous Coward · · Score: 0

      Or why not just let each sim-card generate its own private key at first boot... No need to send the private key outside the sim-card.... Then when you want to sign up for a new operator all you do is register your public key with them and away we go, or when you want to switch delete the operators public key and inject the new operators public key...

      No need for a central authority to make the cards.. Not even a need to use a sim-card.. it could all be in a secure area in the CPU..
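
The two provisioning models contrasted in this sub-thread (a factory-set key copied to the carrier, versus a key pair generated on the card with only the public key registered) can be compared side by side. The sketch below is an added example, not code from any commenter or from a SIM vendor: the class and function names are hypothetical, HMAC-SHA256 stands in for the operator's authentication algorithm, and the public-key side is a textbook Schnorr signature over a small toy group used only to keep the example self-contained.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr parameters chosen for readability; NOT a secure group choice.
P = 2**255 - 19
G = 2


def _challenge_hash(commitment: int, rand: bytes) -> int:
    data = commitment.to_bytes(32, "big") + rand
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _schnorr_sign(x: int, rand: bytes):
    k = secrets.randbelow(P - 2) + 1           # fresh nonce per signature
    r = pow(G, k, P)
    s = (k + _challenge_hash(r, rand) * x) % (P - 1)
    return r, s


class SharedKeySim:
    """Model A: the key is set at the factory and a copy goes to the carrier."""

    def __init__(self, imsi: str):
        self.imsi = imsi
        self._ki = secrets.token_bytes(16)

    def provisioning_record(self) -> dict:
        # The record that travels from manufacturer to carrier holds the secret.
        return {"imsi": self.imsi, "ki": self._ki}

    def respond(self, rand: bytes) -> bytes:
        return hmac.new(self._ki, rand, hashlib.sha256).digest()


def carrier_check_shared(record: dict, rand: bytes, response: bytes) -> bool:
    expected = hmac.new(record["ki"], rand, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


class OnCardKeySim:
    """Model B: the card generates its own key pair; the private half stays on it."""

    def __init__(self, imsi: str):
        self.imsi = imsi
        self._x = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._x, P)

    def provisioning_record(self) -> dict:
        # Only public data leaves the card.
        return {"imsi": self.imsi, "public": self.public}

    def respond(self, rand: bytes):
        return _schnorr_sign(self._x, rand)


def carrier_check_public(record: dict, rand: bytes, response) -> bool:
    r, s = response
    if not 0 < r < P:
        return False
    e = _challenge_hash(r, rand)
    return pow(G, s, P) == (r * pow(record["public"], e, P)) % P


def answer_from_record_shared(record: dict, rand: bytes) -> bytes:
    # Anyone holding a Model A record computes exactly what the card computes.
    return hmac.new(record["ki"], rand, hashlib.sha256).digest()


def answer_from_record_public(record: dict, rand: bytes):
    # A Model B record has no secret in it; the holder can only guess a scalar.
    return _schnorr_sign(secrets.randbelow(P - 2) + 1, rand)


def compare_models(imsi: str = "001010000000001") -> dict:  # constructed test IMSI
    rand = secrets.token_bytes(16)
    a, b = SharedKeySim(imsi), OnCardKeySim(imsi)
    rec_a, rec_b = a.provisioning_record(), b.provisioning_record()
    return {
        "A_card_accepted": carrier_check_shared(rec_a, rand, a.respond(rand)),
        "A_record_alone_accepted": carrier_check_shared(
            rec_a, rand, answer_from_record_shared(rec_a, rand)),
        "B_card_accepted": carrier_check_public(rec_b, rand, b.respond(rand)),
        "B_record_alone_accepted": carrier_check_public(
            rec_b, rand, answer_from_record_public(rec_b, rand)),
    }


if __name__ == "__main__":
    for name, value in compare_models().items():
        print(f"{name}: {value}")
```

In Model A the provisioning record in transit or at rest is as sensitive as the card itself, so its transfer channel and storage are what have to be protected; in Model B that record can be exposed without giving anyone the ability to answer a challenge.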

    12. Re:No single point of failure is permissible by Karmashock · · Score: 1

      I'm fine with that as well.

      All these ideas are better than the current system. A centralized too big to fail system is dumb... I think we can all agree on that. Damn near anything is an improvement.

      The idea should be to make every target so granular that the NSA won't bother unless they are literally and specifically interested in YOU.

      A lot of the problem is that we have these overly centralized systems wherein if the NSA wants to listen in on a terrorist or something they have to compromise the whole network. Which means the terrorists etc are basically using us as human shields... and the NSA doesn't care and shoots through us anyway. The analogy is terrible but you get my point. I'd like to not be a human shield for the terrorists or collateral damage when the NSA etc comes knocking. And the only way to do that is to so atomize security that they just won't touch our security keys unless they're interested specifically in you or me. And if they compromise either of us they'll only have compromised that one person and no one else.

      Do that and they're not going to hack 100,000,000 people because they lack the resources and the interest. They might well hack 10,000 people... but they're probably going to be people that plausibly they should be trying to hack.

      I like your idea a lot... I just wish they'd use end to end encryption that didn't even betray meta data to the cell tower. All the cell tower needs to know is a customer ID code and possibly some authorization key. The only part of the system that needs to know the phone number is actually the literal recipient of the call. But for the sake of argument the phone company could know as well. The cell tower doesn't need to know that at all though, much less need to be able to decrypt calls. All the cell tower needs to do is link your phone to the internet/phone company. It doesn't need to know who you're talking to or be able to decode your call.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    13. Re:No single point of failure is permissible by thegarbz · · Score: 1

      There's not. There are many SIM card manufacturers. This one just happens to be one of the most popular, and it's helped along by the fact that all you really need is one client (a Telecom company) and you suddenly end up with millions of units of sale per year.

  13. Interpretation by Dan+East · · Score: 4, Insightful

    Translation of what they really said:

    > The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened

    The attacks were sophisticated, thus the fact that we were compromised was justified. We will play the victim card straight off. We presume that because the attacks were sophisticated that it was the NSA and GCHQ, although any hacker group and nation-state would give their left arm for our encryption keys. However NSA and GCHQ are scary acronyms, and so we were supposedly up against the most powerful hacking group in the world, again, justifying the fact that they succeeded.

    > The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys

    The attacks resulted in a theft of our SIM encryption keys, although not a "massive" one, whatever "massive" means.

    > The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft

    Rare exceptions to our scheme led to theft.

    > In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack

    Intelligence services were able to spy on communications on 2G mobile networks, due to this one known particular theft of SIM keys that we managed to discover. Even the most modern cell phones fall back on 3G and 2G mobile networks if 4G is not available, so this could affect any phone.

    > None of our other products were impacted by this attack

    Products of ours were impacted by this particular attack, but at least it wasn't every single product we have.

    > The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator

    We are trying to come up with better counter-measures to prevent them from continuing to access our encryption keys.

    --
    Better known as 318230.
    1. Re: Interpretation by Anonymous Coward · · Score: 0

      And we also know that when towers are spoofed they tend to bump phones down to 2G! So there goes the fancy "3G/4G is safe" language...
      Bump! Pwn!

    2. Re:Interpretation by Anonymous Coward · · Score: 0

      > None of our other products were impacted by this attack

      "Our other products may have been impacted by other attacks, but that is not the topic today."

  14. Now you do what we told you. by iamcadaver · · Score: 1

    This is likely what they were told to say.

    --
    Before I part with'em: two pennies weigh ~4.996+/-0.014g, have a zinc core, and the face of Lincoln. You can keep 'em.
    1. Re:Now you do what we told you. by rhazz · · Score: 1

      By who? A foreign government agency with no jurisdiction?

  15. Re:Let NSA+GCHQ buy Gemalto since their own their by Anonymous Coward · · Score: 3, Insightful

    North Korea hacks Sony => Cyber-Terrorism
    USA & Great Britain hacks Gemalto => Patriotic-Duty

    Or more accurately:

    North Korea hacks Sony, gets some personal info that might hurt several thousand employees => Cyber-Terrorism

    USA & Great Britain hacks Gemalto, gets keys that can decrypt the communication of millions => Patriotic-Duty

  16. If Iran couldn't find Stuxnet by Lawrence_Bird · · Score: 1

    what makes these corporate suits think they can be certain they were not hacked or the uses of the hack... all inside of one week?

  17. sounds like a lot of CYA by Anonymous Coward · · Score: 0

    They will admit that a group penetrated their internal network, but they will not admit that they penetrated another internal network once they had access to the internal network? I find that highly unlikely. Once the attacker has access to the internal network, getting access to everything else is just a matter of time and sniffing ethernet frames.

  18. Dang! by GoddersUK · · Score: 1

    From TFA:

    > We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used.

    A lot of good "informing the relevant authorities" turned out to be (unless the customer was in China or Russia or somewhere, I suppose). They were just like "dang, we'll have to try harder next time". Or perhaps "yay!, they bought the distraction!".

    1. Re:Dang! by GoddersUK · · Score: 1

      Also the Gemalto internal network is not a series of tubes!:

      > It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

      I'll definitely be filing that one on the list of creative computing analogies!

  19. Nothing to see here, move along, move along... by Noryungi · · Score: 4, Insightful

    Yeah, sure, Gemalto, as if we are going to believe you, you bunch of wussies.

    Here is how it probably went. Cut to Gemalto HQ, and a bunch of crypto and forensic geeks working overnight, going through all the server logs with a fine comb, trying to figure out what really happened, surrounded by cans of Cola and half-eaten pizzas.

    Suddenly a phone rings. Pointy-haired manager picks up the phone.

    - (PHB) : "Hmmm? Oh, sure Sir, we are making good progress, we may have found... What? Oh."

    (Long silence, someone is talking to PHB in hushed, urgent tone)

    - (PHB) : "Yes, I understand, sir, but...", (much more quietly, almost whispering) "Oh, that contract too? You mean, every US carrier? Every single one of them? And most UK ones as well?"

    (More talking on the phone)

    - (PHB): "Yes sir! Right away sir!".

    PHB hangs up the phone and slowly turns to the geeks, who have been watching him intently, sensing something is very wrong. PHB swallows hard, trying to look cool.

    - (PHB): "Er... Ahem... Thanks for all your hard work, chaps, but upper management has given the all-clear. Nothing really happened and everything is fine. You can all go home now. No, it's OK, the taxi ride home, the drinks and the pizzas are all on me. You will all get a big fat bonus for all the extra hours, with our sincerest thanks."

    Meanwhile, somewhere in a US telco HQ:

    - (Different PHB): "Hi, Admiral Rogers? How are you doing? Good, good, thank you. Listen, about this SIM thing -- yeah, that one -- it's all set. I got in touch with ____ and ____ at Gemalto and they wisely decided nothing had really happened. Yes, a couple of Brits did, too, along with, you know, ____ and ____. Yeah, him too, believe it or not. (Laughter) So, all of this to say, you guys should be in the clear, nothing ever happened, blah blah blah. Sure. Nah, no biggie, always ready to help. No, no problem at all. You are welcome. Nah, don't worry about it, I'll let you know, say hello from me to ____ and ____, OK? Thanks, bye".

    And that, Ladies and Gentlemen, is probably how it happened.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Nothing to see here, move along, move along... by Anonymous Coward · · Score: 0

      Yes, that is the correct interpretation.
      There is no way in FUCK that those secret documents aren't a massive breach and raping of Gemalto.
      And Gemalto is playing totally silent and all "hack, what hack, everything's cool over here, in fact we were just having tea, would you like some".
      They got cracked bigtime, and all FVEY and cell CORPS called them up and said "hey, umm, this never happened".
      They probably also said "hey, about those keys... they're pretty cool, like we can monitor and oppress the world with them... so keep on sending them to us... here's a contract and a get out of jail free card to help you with that"
      THAT'S how this went down.
      What a bunch of BULLSHIT.

  20. Re:We were burgled but they didn't take anything.. by NatasRevol · · Score: 2

    PR written directly by the NSA.

    --
    There are two types of people in the world: Those who crave closure
  21. "dem haxx0rz didn't do nuttin' on our netwurkz" by Anonymous Coward · · Score: 0

    Using scare words strongly indicates not knowing wtf you're talking about. Goes well with not knowing what really happened on your own networks. Good show, security specialists.

  22. Pretty much doesnt matter by Anonymous Coward · · Score: 0

    No one will believe them, their business is likely destroyed completely.

  23. yes they hacked us by beefoot · · Score: 1

    Yes, they hacked us and didn't get the encryption keys. They then asked for the encryption keys nicely the next day, we gave it to them :-)

  24. Re:Let NSA+GCHQ buy Gemalto since their own their by AmiMoJo · · Score: 2

    There is no consistency at all. The US has said more than once that real-world military force is a reasonable response to state sponsored cyber attacks, yet we don't see cruise missiles headed for GCHQ or a tactical ICBM targeting NSA headquarters.

    Instead other countries will develop their own cyber offence capabilities and start fighting back. It's already open season on US companies thanks to the actions of the NSA. If a US company is involved in any kind of infrastructure it can expect to have relentless attacks from foreign powers. We are on the brink of WW3, except that it won't be a traditional war fought with bombs and guns, it will be a cyber war where the lights keep going out and banks collapse as their accounts are drained and depositors pull out. Your computer, your router, your phone are all just tools that will be conscripted into foreign armies to attack your country, if they have not already been p0wned by your own cyber military looking to hide themselves.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  25. Nope. They missed it. by Anonymous Coward · · Score: 0

    Standard operating procedure for many network incursions is to do a DDOS attack to distract the IT/Security people while the real penetration is going on, hidden by terabytes of traffic.

    I highly doubt sophisticated agents like the NSA/GCHQ would not use this tactic as well, masquerading as conventional malware/spearphishing, and then leaving sophisticated hard drive firmware compromises that Gemalto could not detect to finish the job later on.

  26. Re:Let NSA+GCHQ buy Gemalto since their own their by phayes · · Score: 1

    Of course. When the NSA hacks into German or French targets, c'est un scandale for euro politicians / journalists. When the DGSE or the BSA is shown to have used the same techniques, well that's just normal.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  27. On matters such as these by fustakrakich · · Score: 1

    Watch for this guy. He can really draw a crowd. In fact, that could be his job, noting every response. Spies are everywhere.

    :-) He didn't like being called out, not that he was really hiding or anything.

    --
    “He’s not deformed, he’s just drunk!”
  28. Stupid. by Anonymous Coward · · Score: 0

    They don't need the keys!

    If they get the code that was used in them, or manage to change the code locally, it will impact all new products released.

  29. Re:Let NSA+GCHQ buy Gemalto since their own their by Anonymous Coward · · Score: 0

    > North Korea hacks Sony => Cyber-Terrorism
    > USA & Great Britain hacks Gemalto => Patriotic-Duty

    That's not the full table:

    North Korea hacks Sony => Cyber-Terrorism, from Sony's perspective
    North Korea hacks Sony => Patriotic-Duty, from NK persp.
    USA & Great Britain hacks Gemalto => Patriotic-Duty, UKUSA persp.
    USA & Great Britain hacks Gemalto => Cyber-Terrorism, from Gemalto's persp.

  30. absence of evidence is not evidence of absence by Anonymous Coward · · Score: 0

    Just because they didn't find any evidence that the encryption keys were stolen doesn't mean they weren't.

  31. Known unknowns by WaffleMonster · · Score: 1

    The failure is business models requiring secrets to be burnt into hardware by manufacturer.

    When customer takes delivery they should be responsible for installing keys.

    Otherwise events like RSA FOB compromise or the proverbial safe company with stolen customer and combination lists will continue.

    The only defense against mass exploit is decentralization. Not only does it make prospect of "0wn1ng th3 w0rld" less likely it keeps you from presenting a massive target to extremely well funded adversaries.

    1. Re:Known unknowns by Anonymous Coward · · Score: 0

      Does this mean that AT&T is a party that you can trust?

  32. Re:We were burgled but they didn't take anything.. by I4ko · · Score: 1

    Well, my home was burgled (lock was unlocked and locked) and all that was taken were two flash drives. A few books were also moved. I had a hard time convincing the police to even file a report.

  33. Business continuity by Anonymous Coward · · Score: 0

    If they admit they lost the keys to the kingdom, then the kingdom is dead.

    All they can do is deny, or their business will go bankrupt.

  34. Who to believe ? by GuB-42 · · Score: 2

    Every time there is the slightest hint of the NSA doing something bad, especially if it is somehow related to Snowden, everyone here seems to believe it without question. However, every time there is a response saying that it may not be as bad as it seems, there are cries of LIES.

    I'm not saying that intelligence agencies don't lie and that big corporations don't try to downplay serious problems but critical thinking goes both ways. For example, why focus on the keys? Even in the office network, there is plenty of interesting stuff, from accounting and employee data to network architecture and source code.

  35. Re:Let NSA+GCHQ buy Gemalto since their own their by Etherwalk · · Score: 1

    > North Korea hacks Sony => Cyber-Terrorism
    > USA & Great Britain hacks Gemalto => Patriotic-Duty

    > Of course Gemalto will say anything they can to limit economic damage, but without proper and transparent oversight of secret agencies there is no way to validate any claim by Gemalto that their 3G/4G SIM secrets were not stolen.

    > The best course of action is for Gemalto to simply be bought out officially by the NSA and GCHQ, since they already own their asses, oops I mean assets.

    North Korea hacked Sony in order to (1) punish economically and reputationally and possibly (2) create fear.

    The USA and GCHQ hacked Gemalto in order to (1) conduct signals intelligence operations, meaning eavesdrop. To spy, in other words.

    Spying isn't terrorism--it's deceit that every country in the world is expected to engage in to further its own policies and protect its interests.

    North Korea's act probably wasn't technically terrorism either, because there is no evidence that they intended it to create fear in a target population rather than just economic and reputational harm. But it was closer to terrorism, because it was designed to cause harm to a large group of people.

  36. Re: We were burgled but they didn't take anything. by Anonymous Coward · · Score: 0

    Wtf? Why would you even admit that without AC.

  37. So what about CDMA? by camg188 · · Score: 1

    Does this mean that CDMA is more secure than GSM?

  38. Re: Let NSA+GCHQ buy Gemalto since their own their by Anonymous Coward · · Score: 0

    Uhhhhh, yup.

    Newsflash: that's how patriotism and nationalism works.

    Those folks at Gemalto? Not American citizens, therefore they do not have constitutional rights and are fair game for NSA hacking.

    Seems pretty cut and dried to me.