Does it drive anyone else nuts when they throw in something related to the main article like this
"Security researchers also found that the threat actor attacked hotels, engineering companies, and law firms in Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom."
but that isn't in the main article and they don't say where they got that information from?
It used to be the US government worked to secure American communications. But between these backdoors and the NSA losing control of exploits thanks to the Shadow Brokers, they do more now to undermine American security than protect it.
No, intel agencies have always been too powerful, and Truman saw it when disbanding the OSS (Office of Strategic Services) after WWII. Then he begrudgingly created the CIA to compete in the Cold War.
They've always undermined American security so they could have more information and power.
> It used to be the US government worked to secure American communications.
When was this? As far as I remember (but I'm not that old to be honest), it seems to have mostly been about the US government making sure the government has secure communications, while the rest get to fend for themselves.
Fend for themselves, and if they don't cooperate with the wishes of the TLAs they get legal trouble nobody could possibly afford. And if you end up in the secret FISA courts, you basically can't get legal representation because it's secret, or ever really talk about it. Also there's no real oversight for this stuff because it's that secret.
I know there's a mechanism for three-letter agencies to get a warrant allowing them to break into insecure hardware owned by US citizens and companies, to patch said vulnerability.
The FBI did that recently[1]
[1] https://www.malwarebytes.com/blog/news/2024/02/fbi-removes-m...
Both statements are simultaneously true.
The goal is to protect the physical and institutional USA (and equivalent for other countries' intel agencies); this requires making sure there's no successful conspiracies, from within or without, to destroy it; this requires all the things we here all agree are bad for digital security, including the security necessary to running e.g. electronic banking ledgers or votes.
I don't have any actual solutions here, that's just a description of the problem space as I understand it to be.
There's a bunch of US agencies sponsoring Tor, presumably to undermine hostile governments, even though there's also US agencies trying to subvert it.
You misunderstood "American security" to mean "security of Americans" instead of the intended meaning "security of the American regime"
You are not wrong, but this has always been the case, from the earliest times. Similar problems with the institution of the military. It calls for moving past the initial indignation and engaging somehow, otherwise you get the government you deserved, as they say.
^ this guy is about to learn about the crypto wars.
From the article: "if hackers gained access to service providers’ core routers, it would leave them in a powerful position to steal information..."
Sorry for the newbie question, but isn't most internet traffic end-to-end encrypted these days? So what information would the hackers, or for that matter the "lawful intercept" system, have been able to steal? I do see how accessing routers would let intruders launch malware, spoof other sites for phishing attacks, etc.
TLS encryption means absolutely nothing. The very system of using certificate authorities is flawed by design. The NSA has no trouble performing MITM. Go search 'NSA FLYING PIG'.
https://www.cnet.com/tech/tech-industry/nsa-disguised-itself...
Yeah, but I imagine the ice is getting thin. Sure, use of key pinning on the web failed, but for instance banking apps commonly use it. Once monitoring Certificate Transparency logs gets more traction, things like that could get noticed.
How does the use of certificate pinning mean anything when a FISA court can demand the keys and issue a gag order to prevent public disclosure?
On top of what you mentioned, they would have access to significant metadata, unencrypted traffic, and it is worth assuming that government agencies have the resources to acquire certificates and MITM high value information.
> have the resources to acquire certificates and MITM high value information.
Isn't that mitigated by certificate transparency?
For WebPKI yes it should be.
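The two checks discussed above (key pinning in the reply about banking apps, and Certificate Transparency monitoring in the WebPKI reply) can be run together as one audit. The block below is an added example, not code from any commenter: the CT entries, keys, issuer names and domain names are constructed, and the network step of pulling entries from a real CT log is left out.

```python
"""Certificate Transparency monitor with an SPKI pin check.

Added example, not code from the thread. The CT entries and keys below
are constructed; a real monitor would fetch entries from CT log servers
or a CT search API, which is out of scope here.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class CtEntry:
    log: str          # CT log the certificate was seen in
    issuer: str       # issuer common name on the leaf certificate
    sans: list        # dNSName entries from the leaf's SubjectAltName
    spki_der: bytes   # DER SubjectPublicKeyInfo of the leaf (constructed stand-in)
    not_before: str


def spki_sha256_hex(spki_der: bytes) -> str:
    """Pin format used by HPKP/OkHttp-style pinning: SHA-256 over the SPKI."""
    return hashlib.sha256(spki_der).hexdigest()


def san_covers(san: str, domain: str) -> bool:
    """True if a SAN (exact or single-label wildcard) covers `domain`."""
    if san.startswith("*."):
        suffix = san[1:]                      # "*.bank.example" -> ".bank.example"
        return domain.endswith(suffix) and domain.count(".") == suffix.count(".")
    return san == domain


def audit(entries, domain, expected_issuers, pinned_spki):
    """Flag logged certificates for `domain` that violate issuer or pin policy.

    Returns a list of (log, issuer, reason) tuples, in log order.
    """
    alerts = []
    for e in entries:
        if not any(san_covers(s, domain) for s in e.sans):
            continue                           # certificate is for some other name
        reasons = []
        if e.issuer not in expected_issuers:
            reasons.append(f"unexpected issuer {e.issuer!r}")
        if spki_sha256_hex(e.spki_der) not in pinned_spki:
            reasons.append("leaf key not in pin set")
        if reasons:
            alerts.append((e.log, e.issuer, "; ".join(reasons)))
    return alerts


# Constructed sample data: stand-ins for real SPKI blobs and log entries.
LEGIT_KEY = b"constructed-spki-of-the-real-bank-key"
ROTATED_KEY = b"constructed-spki-after-a-key-rotation"
ROGUE_KEY = b"constructed-spki-from-a-mis-issued-cert"

PINS = {spki_sha256_hex(LEGIT_KEY)}
EXPECTED_ISSUERS = {"Example CA R3"}

ENTRIES = [
    CtEntry("log-a", "Example CA R3", ["bank.example", "www.bank.example"], LEGIT_KEY, "2024-01-10"),
    CtEntry("log-a", "Other CA G2", ["shop.other.example"], b"unrelated", "2024-02-02"),
    CtEntry("log-b", "Rogue Intermediate CA", ["www.bank.example"], ROGUE_KEY, "2024-03-15"),
    CtEntry("log-b", "Example CA R3", ["*.bank.example"], ROTATED_KEY, "2024-04-01"),
]


def run_example():
    return audit(ENTRIES, "www.bank.example", EXPECTED_ISSUERS, PINS)


if __name__ == "__main__":
    for log, issuer, reason in run_example():
        print(f"[{log}] {issuer}: {reason}")
```

The third entry is the case CT monitoring exists for: a certificate for the monitored name from an issuer that was never authorised. The fourth entry shows the operational cost of pinning that the "pinning on the web failed" remark alludes to: a legitimate key rotation by the expected issuer trips the pin check until the pin set is updated. Neither check says anything about the scenario in the FISA reply, since a private key handed over under compulsion produces no new certificate and therefore no new log entry.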
Metadata of how many packets are going between two parties, when it's going, and who else is getting the data at the same time. It is like the pizza traffic story at 10 pm.
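What that metadata looks like in practice, as an added example (not from the commenter): a NetFlow-style list of headers with no payloads, summarised into per-pair volume and timing plus "who else was talking to that host in the same burst". All addresses, timestamps and sizes below are constructed.

```python
"""Traffic analysis on fully encrypted flows: what headers alone reveal.

Added example, not from the thread. PACKETS is a constructed, NetFlow-style
list of (timestamp in seconds since midnight, src, dst, bytes); payloads
are assumed to be TLS and are never looked at.
"""

PACKETS = [
    # ~22:00: two clients hit the same server within a second of each other
    (79200.0, "10.0.0.7", "198.51.100.20", 517),
    (79200.4, "10.0.0.8", "198.51.100.20", 517),
    (79200.9, "10.0.0.7", "198.51.100.20", 1440),
    (79201.3, "10.0.0.8", "198.51.100.20", 1440),
    # 22:10: client .7 alone talks to a different server
    (79800.0, "10.0.0.7", "203.0.113.5", 517),
    # 22:46: client .7 alone returns to the first server
    (82000.0, "10.0.0.7", "198.51.100.20", 517),
    (82000.6, "10.0.0.7", "198.51.100.20", 1440),
    # 22:55: unrelated host
    (82500.0, "10.0.0.9", "203.0.113.5", 300),
]


def summarize_pairs(packets):
    """Per (src, dst): packet count, byte volume and active window.

    This is the 'how much, between whom, and when' part of the comment."""
    pairs = {}
    for ts, src, dst, size in packets:
        rec = pairs.setdefault((src, dst), {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += size
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return pairs


def bursts_to(packets, dst, gap=2.0):
    """Cluster traffic toward `dst` into bursts separated by more than `gap` seconds.

    Each burst records every source active in it, i.e. 'who else is
    talking to the same place at the same time'."""
    towards = sorted((ts, src) for ts, src, d, _ in packets if d == dst)
    bursts = []
    for ts, src in towards:
        if bursts and ts - bursts[-1]["end"] <= gap:
            bursts[-1]["end"] = ts
            bursts[-1]["sources"].add(src)
        else:
            bursts.append({"start": ts, "end": ts, "sources": {src}})
    return bursts


def hhmm(seconds):
    """Seconds since midnight -> HH:MM, for readable output."""
    return f"{int(seconds // 3600):02d}:{int(seconds % 3600 // 60):02d}"


if __name__ == "__main__":
    for (src, dst), rec in summarize_pairs(PACKETS).items():
        print(f"{src} -> {dst}: {rec['packets']} pkts, {rec['bytes']} B, "
              f"{hhmm(rec['first'])}-{hhmm(rec['last'])}")
    for b in bursts_to(PACKETS, "198.51.100.20"):
        print(f"burst at {hhmm(b['start'])}: {sorted(b['sources'])}")
```

Nothing here decrypts anything, yet the output already says that 10.0.0.7 and 10.0.0.8 contacted the same server in the same second at 22:00, that .7 went back alone at 22:46, and how much each moved. A core router or an intercept tap sees exactly these fields for every flow it forwards.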
In case that wiretap system is related to telephony, etc., plain voice data can be obtained.
I hate how numb I have gotten to data breaches due to the incompetence of these companies. All of the major US cellular networks have all been hacked to a certain degree.
The article didn't say, but I'm guessing the target could have been JSI Telecom. I knew some people that worked for JSI ~10 years ago, and the US govt used their platform in a handful of organizations.
Original WSJ story (unpaywalled): https://archive.is/RqwMQ
Well, that's what happens when you deliberately compromise your own infrastructure with "lawful intercept" back doors.
The CCP doesn't need the backdoor. The US intelligence agencies have to do the whole masquerade of freedom and liberty.
Sounds like another government-approved leak to a compliant corporate media outlet by 'anonymous sources'. I don't know why the relevant government agencies don't just issue a press release unless they're unusually embarrassed by this apparent security failure. The other possibility is the story is no more true than all those 'anonymous source' leaks about Iraq's (nonexistent) chemical, biological and nuclear weapons programs from two decades ago.
If we're not going to accept Seymour Hersh's anonymously-sourced claim that the US Navy was involved in the destruction of the Nord Stream pipelines, why accept this claim at face value either? For an example of reporting of a major hacking incident not reliant on anonymous government sources, see the OPM hack:
https://www.nytimes.com/2015/06/05/us/breach-in-a-federal-co...
Notably, the WSJ source report doesn't include any mention of reporters attempting to get official statements from the relevant US government agencies and being rebuffed. That smells like plausible deniability of the kind involved in the bogus Iraq WMD leaks.
Tech imitates life. Hyenas specialized in chasing lions away from their prey.
So maybe surveilling everything everywhere at all times has its downsides, TLAs?
Happily, this kind of attack would not compromise secure communication with government mandated "secure intercept" technology, because of magic fairy dust reasons :-/
Targeting wiretapping infrastructure may be a viable attack, but with how few details are available to the public, it's hard to estimate the impact. Just because a wiretapping platform was hacked doesn't mean any data was gathered, and if it really was, we don't know what kind of data.
Thanks to mobile networks, information can be anything from live internet traffic to live location information of cars and phones. However, I suspect if someone did a hack that juicy, carrier SOCs would've noticed immediately. This type of infrastructure isn't exactly hooked up to a public IP address somewhere.
>However, I suspect if someone did a hack that juicy, carrier SOCs would've noticed immediately.
We're talking real deal nation-state actors targeting an industry where for the last few decades the only downside of being breached is having to say "oh oops, sorry" and maybe providing a year of credit monitoring. Security is something taken just seriously enough to avoid a ruling of negligence, but no more.
It is very optimistic to assume that carriers would immediately notice a breach by threat actors this sophisticated.
> This type of infrastructure isn't exactly hooked up to a public IP address somewhere.
Without going into details, consider that sometimes they are, even with very large providers that you think should know better. Law enforcement’s got to get to them somehow.
And much of the documentation for these systems is publicly available. Search for your favorite enterprise company and for “lawful intercept”.
I was going to comment basically this. Everything you could possibly want to know about how LI systems work is documented by the vendors online. It’s really just network interfaces that forward intercepted traffic to aggregators.
The thing about CSPs is their core business is edge routing. A majority of their core assets are going to be internet connected routers, and you’d actually be able to collect more data by owning some of those. The additional information you can get from LI (and the reason you often need a clearance to work on LI systems) is information about who law enforcement are running intercepts on.
Also, LI is just a regulatory cost centre for CSPs. It's hilarious (or scary, depending on your perspective) how poorly those systems are maintained, and how often they break.
> This type of infrastructure isn't exactly hooked up to a public IP address somewhere.
It's getting from point A to point B, and probably not via sneakernet. The details will make it more or less secure, but I'd be shocked if it's going through anything other than public internet pathways.
> This type of infrastructure isn't exactly hooked up to a public IP address somewhere.
Snort.
I would just assume there's a cloud provider that handles all of the wiretapping services for both or all carriers. There's a single point of failure for everything else nowadays anyway. Look at what happened with CrowdStrike, or SolarWinds, or any number of other big single-source providers. Nobody wants to maintain it in-house, with predictable results.
There is nothing like this. The closest thing to it is something called a TTP (trusted third party), which works as an intermediary between the telco and law enforcement agencies. They perform wiretap order processing, set up actual wiretaps, and collect/bundle and ship wiretapped information away to the agencies. But there are a bunch of them, and you (the telco) don't have to use them.
They probably don't have a public IP, but just spear-phish a network engineer at these ISPs and you'll have access to the devices performing the legal intercept.
<< few details are available to the public, it's hard to estimate the impact.
Would it not be a good indicator that it may not be a great idea to begin with?
<< carrier SOCs would've noticed immediately.
I want to believe that. I do. But the longer I live in corporate, the more I think that we are experiencing a serious competency problem across the board.
Ehh... LI on routers has been (at least on one major vendor) designed to not be visible to end operators in the course of normal operation. There are ways to see it, but it involves either the actual LI mechanism or some esoteric debugs. And it probably wouldn't be obvious to SOCs whether the implemented LI was legit or not.
So, the question of competence or otherwise may be mooted by virtue of simply not having proper visibility.
Fair point. I do not know enough in that area to argue further.
In fact, IIRC, it might even be illegal to know what wiretaps are running on the system unless you are the one who processes the warrant or implements the wiretap. And in case the wiretap falls under FISA, then this is classified information and a whole different can of worms.