Shostack + Friends Blog Archive

 

The Greek Wiretapping Scandal

“The Athens Affair” is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven’t?

Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered.

Hah-ha! I have an angle! Longtime readers will be shocked to discover that this…is a security breach we’re talking about. And I’m fascinated by security breaches, especially when we get to talk about them. Now, Greek law doesn’t require disclosure, and as Chris pointed out in “Data on Data Breaches,” small breaches are less likely to hit the press than big ones. So we’re pretty lucky to know about this. We’re even luckier that this caught the eye of the legislature, and details came out, which the authors read through, and analyzed and summarized for us.

More seriously, I’d like to respond to this line in the IEEE Spectrum article:

It’s also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

Excuse me? Major network penetrations are exceedingly uncommon? I’ll accept that documented evidence of major network penetrations, or of attacks this sophisticated*, is uncommon. However, absence of evidence is not evidence of absence.

This is, I think, an important point. The story we see is fascinating, but we lack context. Listening to people at security conferences, claims of major network penetrations are exceptionally common. Now, I’ll fully admit that the sweep-it-under-the-rug club would have you believe that everything is fine. Me, I think we need more evidence, more data, and more context. We’re starting to get it through privacy breach laws.

* By ‘this sophisticated,’ I’m referring to the (apparent) creation of a custom rootkit for Ericsson phone switches.

One comment on "The Greek Wiretapping Scandal"

  • Over on FC, I discuss this all the time. The reason is that when we build FC systems, we have to by rights include the threat of major internal takeover, whereas other security systems can avoid the threat as “at too high a layer.”
    Hence, e.g., I’ve gone to some extent to document the SWIFT breach, which was a major breach of a financial system. There is lots of evidence and documentation and also other claims floating around … but unfortunately a fuller and factual account will be extrapolated from leaks and claims, as the USG insists that it is a national security issue (primarily so as not to embarrass the Europeans, so the USG is really saying it is an international insecurity issue).
