[smb at cs.columbia.edu: serious threat models]

[coderman]

some additional details on this interesting tap,,,

On 2/3/06, Tyler Durden <camera_lumina at hotmail.com> wrote:
> ...
> >if you knew what you were doing it would be straightforward to insert
> >a promiscuous device on the LAN or add a process on the unix host used
> >by the softswitch that listened for incoming calls from a given set of
> >MIN's and one way conference these calls to a third party*.  if you
> >had access to a current version of the softswitch software itself for
> >modification it would be even easier (most companies license sources
> >and tailor or customize the software to run these switches so it's not
> >quite as simple as a generic drop in replacement).
> >
> >it took "a professional" to do this, sure, but the number of people
> >skilled enough to pull this off is not a small number.
>
> I actually strongly suspect Vodaphone cooperation in this.
>
> "Seeding" a remote software upgrade to a switch like this is extremely
> difficult if you're coming in from another vendor's gear. Right now I
> believe they would've had to gain physical access and install the software
> in person, otherwise they'd have to go through the local Greek NOC.

looks like it was indeed an inside job (and of the vodafone tech's
mysteriously committed suicide after the tapping was exposed? hmmm)

basically they hooked their spyware into the CALEA like features which
come standard in any commercial softswitch implementation and used it
to capture and relay conversations to the pool of a dozen or so pre
paid wireless phones.  [note that CALEA isn't that complicated; it's
simply a one way conference resource attached to a specific
span/channel that is relayed to eve.]

funny how vodafone is trying to avoid any responsibility by
highlighting the fact an ericsson insider wrote the code, while
conveniently failing to mention it was a vodafone tech who put it in
place. :)

http://www.ana.gr/anaweb/user/showplain?maindoc=4037837&maindocimg=4036819&service=10

"""
The CEO of Vodafone Greece George Koronias told a Parliamentary
investigation on Thursday that Vodafone had at no time purchased the
software used to carry out the illegal phone taps through its digital
systems, while stressing that the people responsible had to have
extremely high technical expertise and a deep knowledge of Ericsson's
programming environment.

During his testimony, Koronias stressed that Vodafone had "not
requested, not ordered and not received" the legal low-phone
interception programme developed by Ericsson, which the phone-tappers
had managed to activate in order to monitor the roughly 100 mobile
phones that were under surveillance.

He said that the low-phone interception programme was added to
Ericsson systems at the request of its customers after the September
11 attacks, but underlined the costly service had not been purchased
by Vodafone.

Koronias also emphasised that the Greek mobile-phone provider had
never been officially aware of the inactive low-phone interception
software's presence in its systems, but only the supplier Ericsson.

At the same time he pointed out that Vodafone, as a provider, would
not be given access to the source code for the software. Ericsson did
not provide this to its customers and the software was operated only
Ericsson's authorised staff, he said.

Asked who might have made the 'rogue' software, Koronias said that it
would have to be someone with intimate knowledge of Ericsson's
programming environment that could write directy in assembly language,
which operators were not able to do.

"The complexity of the programme points to someone with extremely high
expertise," Koronias said, while clarifying that Vodafone's staff did
not possess this level of skill.
...
Regarding the death of Vodafone staff member Costas Tsalikidis,
Koronias said that he had brought this to the attention of the
ministers and the Supreme Court prosecutor, placing himself and the
company at their disposal, because it had coincided with the discovery
of the 'ghost' software and informing the government.

In a re-opened investigation into Tsalikidis' death that is now
underway, meanwhile, first-instance court prosecutor Ioannis Diotis on
Thursday heard testimony from the coroner Giorgios Dilernia who
examined the body at the time and the head of the coroners' service
Philippos Koutsaftis.

Dilernia said the 39-year-old's death had clearly been caused by
hanging, while both coroners agreed on a verdict of suicide and said
that disinterment of the body would not bring about any result.

Tsalikidis was found hanged in March 2005, just days after the company
discovered the 'ghost' software in its systems and informed the
government. A police investigation at the time had attributed the
death to suicide but this has been questioned by the family,
especially in the light of later developments and the revelations
about the phone-tapping scandal.
"""