Who to believe?
Released documents of agencies concerned or company whose share price will go down the toilet if public trust in them is shattered.
Decisions, decisions.
SIM card manufacturer Gemalto has given more details of what it understands is behind the reports that GCHQ and the NSA got their mitts on the encryption keys for its SIM cards. As we reported earlier, the company says it detected intrusions and prevented them, and that at no time were the systems which held information on the …
Huge crypto vendor in total denial about the state of its own security. They have clearly proven untrustworthy by word and action. This is actually worse than the DigiNotar attack and the company should be fed to the fishes the same way.
They're in denial about the SIM attack, who could trust any of their other crypto products ever again?
The Danish Government and the Danish Financial Sector will keep trusting because it is the easiest for them to "not know ..." or "not be able to imagine ...", in fact, the leadership are probably paid their millions exactly for being ignorant, blind and stupid. Which is nice - for them - and not so nice for everyone else.
Gemalto products are used for the hardware version of NemID, the single sign-on facility for everything that everyone must now use, and the chippery in biometric passports.
But hey - as the Danish prime minister says: "I think we will be happy about it (the ubiquitous mass surveillance) in the long run!"
If NSA/GCHQ can't crack 'em then they should be closed down as incompetent. If they can and use them without warrant then they should be shut down.
As for Gemalto - they wouldn't have a clue. NSA/GCHQ do have a reasonable 65+ year track record of doing the impossible without the target noticing.
To be honest my money is on Gemalto not knowing what the fuck has happened, like some punch drunk journeyman getting up off of the canvas, and are hoping that all this bullshit will save their company. A company whose business relies utterly on trust in their security practices. The fact they started by denying everything then changing tack does not bode well for them. I predict there will be some contract renegotiations by major clients including the Aussie comms that all use them.
It'd also be almost TV drama-like if the NSA couldn't hack them but did hack their nearest rival and were planting doubts in order to send customers to the vulnerable vendor.
I'll go with the simplest option though.
Or maybe Snowden is earning money for himself...
All he has to do is post a scare story about a tech company and its share price crashes. What chance he was paid to do so by a competitor or hostile purchaser? How long before we see a stock market bid for Gemalto?
Snowden - and his utterings - have become a very valuable commercial commodity
The Intercept said it.
https://firstlook.org/theintercept/2015/02/19/great-sim-heist/
https://firstlook.org/theintercept/2015/02/25/gemalto-doesnt-know-doesnt-know/
Try again.
I figured that their manufacturing process would involve the blank cards being sent to a secure facility that is fully air-gapped from everything. That facility would then program the cards, encrypt the keys, then burn them to CD/DVD. The CD would then be sent along with the SIM cards themselves to the cell company while the encryption key to decrypt the drive would be sent securely (Preferably in a tamper-evident, sealed envelope carried by a bonded courier).
I would also figure that with how cheap storage is, they would have the system that writes the keys boot off of a Live-CD like environment and rebooted for each batch, that way if someone does compromise the machine, they could only get the keys for the current batch of cards. Previous keys would be archived on a copy of the CD sent to the customer, but stored in a secure facility.
With a government involved, it doesn't even need to involve a *corrupt* employee - just some government credentials. "Police" investigators come in late one night, show the minimum-wage security guys a search warrant and tell them there's a suspicion somebody's been using the work computers for child abuse images/terrorism/money laundering, and they just need to run a forensic scan of the target storage device - mustn't tell anybody just yet, in case it compromises the investigation... Or, of course, plant their own agent(s) as the guards themselves: a pretty trivial job for any government agency.
If somebody comes to my office with proper law enforcement ID and a warrant, I'm not going to jail to keep them out: would you? (Come to think of it, WTF should we do in that case? Trying to call the boss might legitimately be refused, tipping someone off about a search could mean an obstruction charge...)
I think it is easy for us to become anesthetised to the Snowden releases, so it bears a summary to remind ourselves. My shortlist, please correct ;-)
1) All the materials were given to journalists, so what is released is editorial.
I think we all know the materials made ES an assassination target, so getting rid of them was his best option. The media are doing reasonably well releasing the information.
2) There are far too many legal barriers to trust any company's word for their products. So the big ones like Google, FB, Apple, Microsoft etc may be fuming that their business is taking a hit, but have an uphill struggle with the current legal environment.
Probably the biggest fallout from the Snowden releases is that we cannot trust that which we cannot verify independently. Cell phones are a touch creepy though...
I'm counting on the mathematics to save us.
P.
Gemalto does not dispute that the NSA were sniffing around for quite some time?
However, within a matter of days they are absolutely certain that the NSA couldn't have stolen anything worth protecting years ago?
Right. Got ya. Maybe that's good enough a statement for stock traders...
"The Imitation Game" is a great movie but it was only a movie. To get the real story you have to read stuff like the Turing Papers which aren't anything like as entertaining. The math might be a bit arcane but the takeaway is easy to understand -- cracking Enigma was not a matter of breaking codes so much as finding, understanding and exploiting weaknesses in the overall system, weaknesses exposed typically by operator error or laziness, to figure out the settings for the machine.
The executives at Gemalto need to study this history. Enigma was not only a well designed encryption machine but the Germans also had a very well designed procedure for using it. They even had a team looking out for procedural lapses. The only thing they did wrong is that they just didn't appreciate the scale of the Bletchley Park operation -- when you get code cracking on an industrial scale any weakness, no matter how small, is more than enough to compromise the entire system.
We should assume that SIM cards can be compromised. There was obviously a reason why the Secret Service made Obama give up his iPhone for a not-so-cool custom Blackberry when he became President.
"There was obviously a reason why the Secret Service made Obama give up his iPhone for a not-so-cool custom Blackberry when he became President."
Tidbit: Obama's device is, among other special customizations, an older BBOS device on Verizon's network - in other words - no SIM card. :D