Friday, September 28, 2007

Phone Tapping: Athens Affair and "Hello, Garci" Connection

The recently revived "Hello, Garci" probe by the Philippine Senate had the testimony by retired T/Sgt Doble that MIG21 (some sort of a "dirty tricks" department of the Intelligence service of the Armed Forces of the Philippines or ISAFP) had "moles" inside the largest mobile phone operator that enabled them to conduct the wiretapping.

Expectedly, the telco denied the claims of Doble saying equipment like GSM Interceptors are expensive and that sale of those prized equipment are highly restricted. Sale of those equipment is highly-regulated government to government deals, but what about the black market? I believe, though, that any telco doesn't have a business need to buy those pricey wiretapping boxes.

However, news reports that NTC inspected the premises of Smart and Globe and found no evidence was just a show. I doubt if those NTC guys really knew what to looking for similar to ignorant security guards armed with "magic sticks," "magic mirrors," and "magic metal detectors."

The telcos's denial, something expected, that after an internal investigation, nothing has been found to corroborate Doble's claims of a mole inside the telco. But be wary still that no company, in their right mind, will confirm such claims even if it's true since it's a very risky move that usually results in erosion of company integrity and lost customer confidence. That's the reason why internal security breaches and fraud are not reported to law enforcement people-- we all know that media has the power to turn a victim into a suspect. (In technical terms, detected, amplified, transmitted, distorted, but never rectified information)

Last year, a phone tapping scandal in Greece (and subsequent blame game) where mobile phones of around 100 people including the Greek prime minister, perpetrated by Vodafone Greece insider(s) who installed illegal software at the Mobile Switching Center (MSC), the heart of the GSM system, to tap mobile phone calls. The hack splitted the conversations of target phone numbers to the other cellphones (using prepaid numbers) in the pseudo-conference call to eavesdrop and record the conversation. What's mindboggling was the sophistication and stealth displayed by the attackers in carrying out the hack.

A more detailed and well-written paper written by IEEE is available here.

Perhaps this method was also the one employed by telco insiders, as claimed by Doble, where the insiders made the phone number, alleged to be that of Garci, a member of a conference call, undetected by telco systems administrators and Information security guys, and definitely too stealthy to be seen by NTC inspectors.

The response of Verifone in the Athens affiar, was also pathetic where application logs were not retained and logbook entries destroyed preventing proper forensic investigation.

Coming from a practitioner of Information Security, detecting insider fraud is really not easy since you're dealing with "trusted" systems administrators who knew the system well, but many safeguards can be put in place to prevent and detect such serious breaches.

Related Stories:

Phone Tapping Scandal in Greece
Vodafone Public Relations in the Phone Tapping Storm
Wikipedia article

Monday, September 24, 2007

How to Secure Gmail: Switch to HTTPS

Incidents of Big Brotherish behavior seem to be present here in the Philippines where some individuals resort to wiretapping, illegal monitoring and unlawful interception.

To those not in the know, Internet browsing using plain HTTP is transmitted in the clear allowing snooping and wiretapping to be performed. Switching to HTTPS by enabling SSL encryption will eliminate the risk.

This is a quick guide to avoid other people from snooping your gmail inbox since by default, Gmail only encrypts the account login and not the contents during transmission allowing miscreants to read email in transit.

Simply follow the procedure to deter snooping by miscreants:

Requirements: Firefox browser with Customize Google add-on

1. Download and install Firefox browser
2. Fire up Firefox browser after installation
3. Visit Customize Google add-on page and click the Install Now link to download and install the add-on. You'll be required to restart Firefox
4. After restart, click Tools to display the dropdown menu and select the CustomizeGoogle Options.
5. Select Gmail on the list then click Secure(switch to https) checkbox. You may also select the remove ads and related pages

Note this will only provide encryption from your PC to Gmail's mail server. It will not protect the path between Gmail servers up to the recipient's PC unless the recipient is also using secure Gmail or any SSL-enabled emails.

Wednesday, September 19, 2007

e-Courts and Cybercrime in the Philippines

This a quite late reaction to the Inquirer news on
E-Courts pushed for cybercrimes recently.

E-Courts are really needed in this country to handle the relentless onslaught of cybercrimes but what's more urgent is the utter lack of a cybercrime bill that wasn't approved due to the usual politicking by the so called lawmakers too busy on many trivial things or just too plain stupid to understand the urgency of the bill.

I've experienced working with various law enforcement agencies handling cybercrimes, particularly the NBI's cybercrimes unit and the CIDG's equivalent arm and I can say the capabilities of the law enforcers also need to be upgraded or else the uber-pricey forensics equipment donated by the US government will just amount to a pile of wortless junk.

There's also a deplorable ignorance of the law of some judges. I remember one time we had to file a case in Manila involving Internet piracy using the RA 8792 or the E-Commerce Law and the fiscal and the judge didn't know about it. Good thing we brought with us a copy so they can review.

Such ignorance of people who ought to know the law!

Monday, September 03, 2007

Wowowee's Wilyonaryo "Technical Glitch"

Not a fan of both Eat Bulaga nor Wowowee but I didn't like what i saw a few days ago on TV:

ABS-CBN described this fiasco as a "technical glitch" as if people will believe them. Having two numbers present in the box just showed the host can choose either to display a winning 2 or the losing 0.

I just joked about this in the office that ABS-CBN has no Quality Assurance function-- game moved into production unpolished that even the user i.e. Willie Revillame (now Willie Revile-Me) made a big mistake on national television.

That "Technical Glitch" will be remembered for a long time...while showbiz gossip mongers feast on the issue.