NSA also targets hard drives

NEWS

Editorial Office: Elsevier Ltd The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom Fax: Tel:+44 +44(0)1865 1865 843239 843973 Web: www.networksecuritynewsletter.com Publisher: GregDeborah Valero Logan Publishing Director: E-mail: [email protected] Editor: Steve Mansfield-Devine Editor: Mansfield-Devine E-mail:Steve [email protected] E-mail: [email protected] Senior Editor: Sarah Gordon Senior Editor: Sarah Gordon International Editoral Advisory Board: International Advisory Board: Dario Forte, Edward Editoral Amoroso, AT&T Bell Laboratories; Dario Forte, Edward Amoroso, AT&T BellJon Laboratories; Fred Cohen, Fred Cohen & Associates; David, The Fred Cohen, Fred Cohen & Communications; Associates; Jon David, The Fortress; Bill Hancock, Exodus Ken Lindup, Fortress; BillatHancock, ExodusLongley, Communications; Lindup, Consultant Cylink; Dennis QueenslandKen University Consultant at Cylink; Queensland University of Technology; TimDennis Myers, Longley, Novell; Tom Mulhall; Padget of Technology; TimMarietta; Myers, Novell; Mulhall; Padget Petterson, Martin EugeneTom Schultz, Hightower; Petterson, Martin Marietta; Eugene Hightower; Eugene Spafford, Purdue University; WinnSchultz, Schwartau, Inter.Pact Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact Production Support Manager: Lin Lucas Production Support Manager: Lin Lucas E-mail: [email protected] E-mail: [email protected] Subscription Information Subscription Information An annual subscription to Network Security includes 12 An annual issues and subscription online accesstoforNetwork up to 5 Security users. includes 12 issues and online access for up to 5 users. Prices: Prices:for all European countries & Iran 1351 1112 forfor allall European & Iran and Japan US$1512 countriescountries except Europe US$1244 countries except Europe and Japan ¥179 300 for for all Japan ¥147 525 foruntil Japan (Prices valid 31 December 2015) (Prices valid until 2015)from the date Subscriptions run 31 for March 12 months, To subscribe send payment to the address above. payment is received. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971 More information: Email: [email protected], http://store.elsevier.com/product.jsp?isbn=13534858 or via www.networksecuritynewsletter.com Subscriptions 12 months, dateGlobal payment is Permissions mayrun befor sought directly from from the Elsevier Rights received. postage paid at Rahway, 07065, Department,Periodicals PO Box 800, Oxford isOX5 1DX, UK; phone:NJ+44 1865 USA. Postmaster send853333, all USA email: address corrections to: Network 843830, fax: +44 1865 [email protected]. You Security, 365 Blair Road, Avenel, NJthrough 07001,Elsevier’s USA home page may also contact Global Rights directly (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright Permissions be sought directly Global & permission’.may In the USA, users may from clear Elsevier permissions and Rights make Department, PO Box Oxford OX5 1DX, UK;Inc., phone: +44 1865 payments through the 800, Copyright Clearance Center, 222 Rosewood 843830, fax: +44 1865 853333, email: [email protected]. You Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 may 4744, also contact Global Rights directly throughLicensing Elsevier’sAgency home Rapid page 750 and in the UK through the Copyright (www.elsevier.com), selecting 90 firstTottenham ‘Support &Court contact’, then ‘Copyright Clearance Service (CLARCS), Road, London W1P & permission’. In (0)20 the USA, permissions and Other make 0LP, UK; tel: +44 7631users 5555;may fax: clear +44 (0)20 7631 5500. payments through the Copyright Clearance Center, Inc., 222 Rosewood countries may have a local reprographic rights agency for payments. Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 Derivative Works 750 4744, and in reproduce the UK through Licensing Subscribers may tablesthe ofCopyright contents or prepareAgency lists ofRapid artiClearance Service (CLARCS), 90 Tottenham Court Road, W1P cles including abstracts for internal circulation within theirLondon institutions. 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other Permission of the Publisher is required for resale or distribution outside countries may have a local reprographic rightsisagency for for payments. the institution. Permission of the Publisher required all other Derivative Works derivative works, including compilations and translations. Subscribers may reproduce tables of contents or prepare lists of artiElectronic Storage or Usage cles including for internal circulation within theirelectronically institutions. Permission of abstracts the Publisher is required to store or use Permission of contained the Publisher is required resale orany distribution any material in this journal,for including article or outside part of the article. institution. Permission of above, the Publisher for all other an Except as outlined no partisofrequired this publication may derivative works, including compilations and translations. be reproduced, stored in a retrieval system or transmitted in any form Electronic Storage or Usage or by any means, electronic, mechanical, photocopying, recording or Permission without of the Publisher is required to store or Publisher. use electronically otherwise, prior written permission of the Address any materialrequests contained this journal, any article or part at of permissions to:inElsevier Scienceincluding Global Rights Department, an article. Except as outlined above, no part of this publication may the mail, fax and email addresses noted above. be reproduced, stored in a retrieval system or transmitted in any form Notice or by any means,is electronic, photocopying, or No responsibility assumed bymechanical, the Publisher for any injury recording and/or damotherwise, without prior written permission of theliability, Publisher. Address age to persons or property as a matter of products negligence permissions Global Rights Department, at or otherwise,requests or fromto: anyElsevier use orScience operation of any methods, products, the mail, fax or andideas emailcontained addresses in noted instructions the above. material herein. Because of Noticeadvances in the medical sciences, in particular, independent rapid No responsibility is assumed the Publisher for anybe injury and/or damverification of diagnoses andbydrug dosages should made. Although ageadvertising to persons or property a mattertoofconform productstoliability, all material is as expected ethicalnegligence (medical) or otherwise, or fromin any or operation of any methods, products, standards, inclusion this use publication does not constitute a guarantee instructions or ideas in theof material herein. of or endorsement of the contained quality or value such product or ofBecause the claims rapid of advan the medical sciences, in particular, independent made it byces its in manufacturer. verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer. 12987

Pre-press/Printed by Pre-press/Printed by Mayfield Press Press (Oxford) (Oxford) Limited Mayfield Limited

2

Network Security

…Continued from front page Gemalto which produces around two billion SIM cards a year for around 450 mobile network operators. One slide boasted that the agencies believed “we have their entire network”. The object of the attack was the 128-bit Ki encryption key contained in every SIM card, which encrypts calls. Because the key is hardcoded there is no forward secrecy so, once it is obtained, calls recorded previously can be cracked.

“Getting compromised by a targeted GCHQ/NSA operation isn’t negligent, but underestimating the implications of it is” The 2010 document leaked by Snowden suggests that the agencies’ hacking activities were very successful. In one three-month period alone (Dec 2009 to Mar 2010) the agencies obtained over 106,000 keys linked to identified SIM cards, and the document suggested stepping up operations. Gemalto was very quick – some people think too quick – to give assurances and play down the attack. Just six days after the incident became public knowledge, the firm issued a statement saying that “an operation by NSA and GCHQ probably happened” but that, “the attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys”. This, of course, ran counter to the NSA’s and GCHQ’s own (secret) claims. Many security specialists were surprised at Gemalto’s assurances after such a short time, as such investigations usually take months and the attacks claimed by the NSA took place in a large proportion of the 85 countries in which Gemalto operates. “Gemalto is surprisingly confident that it now knows exactly the scope of the GCHQ/NSA penetration that it didn’t detect in the first place,” tweeted Matt Blaze, associate professor of computer and information science at the University of Pennsylvania. “Getting compromised by a targeted GCHQ/NSA operation isn’t

negligent, but underestimating the implications of it is.” It’s also notable that this investigation has taken place years after the infiltrations into the firm’s networks occurred – and these were hacking activities by highly sophisticated attackers that might be expected to leave no trace. Some commentators suggested that Gemalto might be attempting to steady the nerves of its investors. The firm also has contracts with a number of government customers. Although there have been some protests, the reaction has been largely muted given that these were attacks by Western nations against a private organisation going about its lawful business.

NSA also targets hard drives

K

aspersky Labs has released details of research that suggests the NSA has been planting spyware into hard disk firmware for at least the past 14 years.

More than a dozen top brands – including Seagate, Western Digital, IBM, Toshiba, Samsung and Maxtor – have been implicated. Reuters later said its sources, including ex-NSA employees, confirmed the story. According to Kaspersky, the malware – known as nls_933w.dll – was the product of The Equation Group, operating within the NSA, which had access to the firmware source code. These activities are believed to have targeted tens of thousands of Windows computers being used by telecommunications providers, governments, militaries, utilities and mass media organisations in more than 30 countries. There is evidence that the Equation Group cooperated with those responsible for the Stuxnet and Flame trojans. Kaspersky discovered the firmware infections because a handful of the hundreds of domain names used by the Equation Group had been allowed to lapse. Kaspersky bought the names and used them to create a sinkhole, so that infected machines started to contact the firm’s servers. There is more information available here: http://bit. ly/1E2xqPr.

March 2015