Wednesday, July 11, 2007

Fun Intrusion Story

Here is an enlightening account of a major intrusion investigation of a cell phone network in Greece.

Fun excerpts:

"Major network penetrations of any kind are exceedingly uncommon."

Ha-ha. Change that to "PUBLIC KNOWING ABOUT major penetrations ...", puh-leeeease.

"It remained undetected until 24 January 2005, when one of Vodafone's telephone switches generated a sequence of error messages indicating that text messages originating from another cellphone operator had gone undelivered."

IDS? IPS? Anti-malware? MSSP? Haloooo... See a pattern here? :-)
Do you know what actually caused this and led to detection? Bugs in the actual malware!!!

"Koronias told them that rogue software used the lawful wiretapping mechanisms of Vodafone's digital switches ..."

Ha-ha, somehow I am not surprised ... Are you?

"But in early 2003, Vodafone technicians upgraded the Greek switches to release R9.1 of the AXE software suite. That upgrade included the RES software, according to a letter from Ericsson that accompanied the upgrade."

Extraneous software strikes again, even on a phone switch ...

"A call to another cellphone will be re-encrypted between the remote cellphone and its closest base station, but it is not protected while it transits the provider's core network."

Did you know that? It is kinda obvious, but I've seen many folks who think "cell phone = encrypted"

"The challenge faced by the intruders was to use the RES's capabilities to duplicate and divert the bits of a call stream without using the dialog-box interface to the IMS, which would create auditable logs of their activities. "

Log-related! Does your application log the UI actions or the backend actions? Think about it!
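To make the UI-versus-backend logging point concrete, here is an added illustration (my own example code, not code from the original post or from the Spectrum article it quotes). It contrasts a weak design, where the log line is written by the UI wrapper and a direct call into the backend leaves no trace, with a hardened design, where the privileged backend operation records itself no matter who invokes it. The "switch", its configuration store, the operator names and the in-memory log sinks are all constructed for this example.

```python
"""Added example (not from the original post or the article it quotes):
audit logging that lives in the backend rather than in the UI.

The "switch", its configuration store, the operator names and the log
format are all constructed for illustration.
"""
import datetime
import functools
import json

# Constructed in-memory sinks. In a real system the audit log is an
# append-only, remotely stored stream that the box's own operator cannot edit.
UI_LOG = []      # weak design: written by the UI layer only
AUDIT_LOG = []   # hardened design: written by the backend itself
CONFIG = {}      # the privileged state both designs modify


def audited(action):
    """Record every call to the wrapped backend function, whoever calls it."""
    def decorate(fn):
        @functools.wraps(fn)
        def inner(*args, **kwargs):
            entry = {
                "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                "action": action,
                "params": json.dumps({"args": args, "kwargs": kwargs}, default=str),
                "outcome": "pending",
            }
            try:
                result = fn(*args, **kwargs)
                entry["outcome"] = "ok"
                return result
            except Exception as exc:  # failed attempts are recorded too
                entry["outcome"] = f"error: {exc}"
                raise
            finally:
                AUDIT_LOG.append(entry)
        return inner
    return decorate


# --- Weak design: the log line is emitted by the UI wrapper only ------
def _apply_unlogged(key, value):
    """Backend operation with no logging of its own."""
    CONFIG[key] = value
    return dict(CONFIG)


def ui_apply_weak(operator, key, value):
    UI_LOG.append(f"{operator} changed {key}")
    return _apply_unlogged(key, value)


# --- Hardened design: the backend operation itself is audited --------
@audited("config_change")
def apply_config_change(key, value, operator="unattributed"):
    """Privileged backend operation; the decorator logs it no matter who calls."""
    if not key:
        raise ValueError("empty key")
    CONFIG[key] = value
    return dict(CONFIG)


def ui_apply_hardened(operator, key, value):
    """The UI wrapper adds nothing; attribution rides along as a parameter."""
    return apply_config_change(key, value, operator=operator)


def run_scenario():
    """Exercise both designs with a UI call and a direct backend call.

    Returns how many log lines each design produced on each path.
    """
    UI_LOG.clear(); AUDIT_LOG.clear(); CONFIG.clear()

    ui_apply_weak("alice", "feature_x", "on")
    weak_after_ui = len(UI_LOG)
    _apply_unlogged("feature_y", "on")           # bypasses the UI: nothing logged
    weak_after_direct = len(UI_LOG) - weak_after_ui

    ui_apply_hardened("alice", "feature_x", "on")
    hard_after_ui = len(AUDIT_LOG)
    apply_config_change("feature_y", "on")        # bypasses the UI: still logged
    hard_after_direct = len(AUDIT_LOG) - hard_after_ui

    try:
        apply_config_change("", "on")              # a failed attempt is logged too
    except ValueError:
        pass

    return {
        "weak_ui_logged": weak_after_ui,
        "weak_direct_logged": weak_after_direct,
        "hardened_ui_logged": hard_after_ui,
        "hardened_direct_logged": hard_after_direct,
        "hardened_failed_logged": len(AUDIT_LOG) - hard_after_ui - hard_after_direct,
        "audit_outcomes": [e["outcome"] for e in AUDIT_LOG],
    }


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The weak path shows the gap the article describes: anyone who reaches the backend without going through the dialog box leaves no record. The hardened path logs the call, its parameters and its outcome from inside the privileged operation, so the only way to avoid the record is to avoid the operation itself.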

"It's impossible to overstate the importance of logging."

He-he, no comment!

"[...] we can only speculate about various approaches that the intruders may have followed to carry out their attack. That's because key material has been lost or was never collected. [...] This upgrade wiped out the access logs and, contrary to company policy, no backups were retained."

Are YOU committing other logging mistakes as well?

"Traces of the rogue software installation might have been recorded on the exchange's transaction logs. However, due to a paucity of storage space in the exchange's management systems, the logs were retained for only five days ..."

Same here :-)

Overall, go read the full story!

Dr Anton Chuvakin