Pierluigi Paganini July 29, 2012

Article published on The Malta Indipendent

by Ron Kelson – Vice Chair ICT Gozo Malta Project, Pierluigi Paganini – Director and CISO of Bit4ID, Italy and Benjamin Gittins – CTO Synaptic Laboratories Ltd.

Mobile phones were once the status symbols of high-flying business executives. Today, mobile phones have become an essential part of our day-to-day lives. We often forget how indispensable they are to us, or how much they reassure us… that is until we can’t contact a business colleague, or one of our children, instantly. As mobile phones evolved from their clunky “brick” form factor to today’s featherweight devices, they have progressively dazzled us with improved functionality, multi-media wizardry, Internet connectivity and ease of use. It’s hard to imagine modern life without one…

As the price of owning and using phones has decreased, the number of people dependent upon them has grown. Activation is easy: just provide the telco your credit card details, passport and/or your National ID card details.

As the functionality of mobile phones increased, they became more convenient and valuable to us. Slowly, and subconsciously, they became an integral extension of our persons. Mobile phones follow us around everywhere, know our business and personal network (phone numbers and email addresses) and manage our event diaries. If left on, they track our location 24 hours a day, seven days a week by systematically recording our position, through triangulation or by logging which cell stations within range of our phone.

Many of us have placed our unquestioning trust in these fantastic consumer devices (and the mobile phone operators that provide us services). Salespeople have reassured us that our mobile phone calls are encrypted, yet GSM security schemes are trivially breakable in practice. We have been lulled by decades of television advertising into feeling safe enough to openly communicate our most personal thoughts and feelings through these devices to our loved ones and family. As we surf the Web, we are increasingly exposing our individual habits and personal tastes…

With today’s technology, and thanks to the technical assistance (“lawful interception”) provided by mobile phone carriers, it is trivial for any government to capture:

1. every mobile phone holder’s physical location 24/7,
2. every text message sent and received, and
3. every phone call made in their country.

Governments can choose to store all these activities in a large database for the duration of the mobile phone owner’s natural life (100+ years). More than just the ability to recall any data they want on any person, they can perpetually mine this database for any changes in behaviour of any civilian, or group of civilians. After doing a quick search on “big data” and then “data mining” you will be ready to visit http://jeffjonas.typepad.com/ and read Jeff’s expert analysis on just how grave the situation is.

How secure are the interception technologies used to implement this Total Information Awareness / Panopticon-like strategy?

Search for “Can they hear me now?” by Matt Blaze and “U.S. Enables Chinese Hacking of Google” by Bruce Schneier, on Google, for the opinions of two information security experts.

How secure are government networks from unauthorised third party access?

According to Debora Plunkett, Director of the Information Assurance Directorate of the US National Security Agency,

“There is no such thing as secure any more.”

According to James R. Clapper, Director of US National Intelligence, in his statement to the US House Permanent Select Committee on Intelligence (February 2012):

“We assess that trusted insiders using their access for malicious intent represent one of today’s primary threats to US classified networks.” … “We judge that evolving business practices and information technology will provide even more opportunities for FIS (foreign intelligence services), trusted insiders, hackers, and others to collect sensitive US economic data.”

Dr James S. Peery, director of the Information Systems Analysis Center at US Sandia National Laboratories, testified before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities (21 March 2012).

“I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway.”

With the introduction of smart phones, malware presents unique opportunities for governments to dramatically increase their ability to monitor civilian targets. Surveillance malware can be used to turn on the smart phone’s microphone (and video camera) and transmit that data to government servers over the mobile phone network.

How extensive is government monitoring?

No civilian is authorised to know. Some governments in the EU, such as the UK government, have laws and practices that allow the government to collect and use intelligence in legal cases without disclosing their sources or methods. Chapter 8 of the Crown Prosecution Service’s Disclosure Manual includes: “the ability of the law enforcement agencies to fight crime by the use of covert human intelligence sources, undercover operations, covert surveillance, etc” and “the protection of secret methods of detecting and fighting crime”.

What is particularly disturbing is that this is exactly the same strategy used by the Military. Ch. 17, Rec. 45, of the Unclassified Report of the US Defence Science Board Task Force on the use of Biometrics in Defence states:

“Often, it is wise to protect, sometimes even to disguise, the true and total extent of national capabilities in areas related directly to the conduct of security-related activities. This is a classic feature of intelligence and military operations; … [W]e must seek to preserve the security of what the intelligence community calls ‘sources and methods’ …”.

According estimates made by whistleblower William Binney, a former director of the US NSA’s World Geopolitical and Military Analysis Reporting Group), the US NSA alone has assembled 20 trillion “transactions” − phone calls, emails and other forms of data − just from Americans (April, 2012). Binney says:

“The point is, the data that’s being assembled is about everybody. And from that data, they can then target anyone they want.” Thomas Andrews Drake, a former senior executive of the US NSA and whistleblower, said: “When you open up the Pandora’s box of just getting access to incredible amounts of data, for people that have no reason to be put under suspicion, no reason to have done anything wrong, and just collect all that for potential future use or even current use, it opens up a real danger − and to what else what they could use that data for, particularly when it’s all being hidden behind the mantle of national security.” Recall the US FBI’s COINTELPRO programme in the 1950s and 1960s, which targeted non-violent civil-rights groups, and the recent activities of the US government against whistleblowers exposing crimes within government. Also search Google for “How the west built Iran’s lawful intercept functionality”. We can safely assume that other democratic governments are enthusiastically following the precedent set by the United States.

Government agencies are not the only organisations interested in the personal data stored on, or transmitted through, your mobile phone. Self-styled cyber criminals are now jumping on the bandwagon to reap benefits previously enjoyed only by government and intelligence agencies.

In fact, the cyber security industry recently observed an exponential growth of malware designed to attack smart phones, steal sensitive information, and exploit that data in successful attacks, such as against mobile banking transactions. Today, the “Malware report” from Kindsight Security Labs estimates that one out of every 140 devices on mobile networks is infected with malware.

In the last three months, the cyber security industry has measured a 300 per cent increase in malware targeted for mobile phones (and tablets) running the Android Operating System. In the Trend Labs Quarterly Security Roundup “Security in the Age of Mobility” report, the Trend Micro security firm focused on mobile threat incidents related to the first quarter of 2012. The following is a quote from the Trend Micro’s report: “The Android platform is the most dangerous platform today, with more than 5000 new malicious apps available. These malicious apps are made available for download through the Android Market store and unofficial software distribution channels. Downloading Android applications from unofficial channels is several times more dangerous than through the official Android Market store. The official Android Market store has the ability to remove malware once detected, reducing the chances of you downloading it.

“However, unofficial distribution channels have no such security controls working in your favour. The Android Market is considered LESS secure than Apple’s application store because the Android Market has LESS restrictions when it comes to registering as a software developer. Apple’s more rigorous vetting process holds developers MORE accountable, which encourages malware vendors to target Android devices where they are less likely to be held accountable for their actions. Of course, Apple users can choose to circumvent Apple’s security controls by ‘jail-breaking’ their phone and expose themselves to similar and worse types of malware problems…”

One of the more interesting types of mobile phone attacks that exist on both Android Devices and Apple’s iOS devices is the ‘Data Stealer’ attack. The UK’s The Sunday Times published a news article that studied the behaviour of approximately 70 widely-used mobile phone applications. “Twenty-one transmitted the phone number, six sent out email addresses, six shared the exact co-ordinates of the phone and more than half passed on the handset’s ID number.” The survey found that the data was sent to countries outside the EU such as China, Israel, India and America. Just how many (mobile phone and desktop) applications are leaking your personal data behind your back, nobody knows…

The sorry state of affairs is that both State and non-State actors are cashing in on vulnerabilities and weaknesses in the design and implementation of today’s (smart) mobile phones. In the past (and even today), some governments discourage or proscribe strong security in mobile phone standards and devices. The US DARPA’s “Plan X” (2012) seeks to explicitly track and exploit weaknesses in all electronic devices connected to the Internet.

What is clear is that when governments and organisations do not act to protect the legitimate interests of all stakeholders, the average civilian will continue to be exposed and exploited. The question is:

Do you continue to consent to this type of behaviour against you, your loved ones, and your community?

Pierluigi Paganini, Security Specialist CISO Bit4ID Srl, is a CEH Certified Ethical Hacker, EC Council and Founder of Security Affairs (http://securityaffairs.co/wordpress)

Ron Kelson is Vice Chair of the ICT Gozo Malta Project and CEO of Synaptic Laboratories Limited.

Ben Gittins is CTO of Synaptic Laboratories Limited.

David Pace is project manager of the ICT Gozo Malta Project and an IT consultant

ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded in 2011 by the Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu links to free cyber awareness resources for all age groups. To promote Maltese ICT, we encourage all ICT professionals to register on the ICT GM Skills Register and keep abreast of developments, both in cyber security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace on dave.pace@ictgozomalta.eu .