Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Insecurity in Finnish parlament (computers)
From: James Tucker <jftucker () gmail com>
Date: Mon, 27 Dec 2004 02:59:28 +0000

I don't have the time or inclination to teach you myself. Please go
and learn some more about dealing with radio frequency attacks on
modern networks.

Racal and Vodafone developed a network called PAKNET or WIDANET
depending when the system was sold and in which country. Either way,
the system is a wireless packet switched radio network that uses no
built in encryption. The network is commonly used for point of sale
device communication with acquiry companies. Just because the
communications stream has not been encrypted (or an encryption has
been cracked) does not mean that it is readable by an attacker. Paknet
attacks are in development now, but only as statistical measures. The
only other way to attack the network is with allot of equipment or by
having control of a main network base station. (An un-configured
station alone is of little use). Practical attacking of GSM over the
air is also very difficult for similar (although not so extreme)

Man in the middle attacks against GSM networks is not simply as easy
as 'getting a base station'. I will not be continuing this discussion
until you show some knowledge of the practicality of what you are
suggesting with regard to radio hacking. TETRA also operates in a
similar manner and is hard to attack over the air for the same reason.
The area you need to understand is RF modulation.

The two most common SSH clients save the server keys after first
connection; you seem to not know this or not understand/appreciate it.
You are bashing a technology because it may be poor when used by
idiots. This is true of any technology, so please if you are going to
make a general statement, make it general.

Physical access to Finish government laptops/computers. I have no
reason to care if you have or have not had access to these machines.
For all of your security 'understanding' you seem to have made no
mention of the fact that these 'people you know' who have given you
such information are by their actions opening a bigger security
liability than anything the software can do. Software you can fix,
human habit is much harder. For example, what if many young Finish
hackers decided to stay clear of government installations due to fear
and now have the confidence thanks to your disclosure. I realise that
you attempted to contact the department on the matter, but moving such
things to the public eye is unnecessary. Full Disclosure with regard
to software is important in ensuring that we are sufficiently informed
to do all that we can to secure our systems. Advertising weak systems
is simply making other peoples lives worse. Yes you contacted them,
but did you not try to contact local politicians who may be able to
present the government with a report (i.e. go another level up in the
government hierarchy?).

Do you expect people to jump when you point them to a site which
contains the opening line: "I am 26-year guy, currently living in
Turku, Finland. I have been involved  with software, computers and
Internet for many years, although I don't do programming nor work in
the IT-industry."
I am not at all surprised that the government chose to ignore your
message to them.

On Sun, 26 Dec 2004 08:16:56 -0800, Markus Jansson
<markus.jansson () hushmail com> wrote:
Hash: SHA1

On Sun, 26 Dec 2004 06:34:24 -0800 James Tucker
<jftucker () gmail com> wrote:
The only charge appropriate for this case would be
what is informally known as a 'gag order' and will
require that you disprove under a court of law all
statements made by Mr Jansson. In fact, you
will have to prove that Mr Jansson's comments are
causing you loss of revenue or damaging the overall
reputation of your organisation through
false claims.

Heh, I dont believe there are such laws here in Finland. If we
where talking about private enterprise or individual person, it
would be possible if its clear that Im lying and causing great

Items 1 to 9 on the list would suggest physical
access to a device, this is likely to have been
contradictory to law.

Perhaps, if you think that *I* got access by using illegal means.
Then, ofcourse, someone would have to prove that and if they dont,

It is also possible, that he has had only limited
access to one particular device, this would not be
conclusive and may not be a true representation of
the state of affairs of all devices owned
by the Finnish government.

It is unlikely that all the computers have the same security holes
for many reason, but I have gotten confirmations from several
computers/users that atleast most of the issues I have described
exist in most, if not all, computers.

Item 10 negates the likelihood of physical access,
this would contradict the above and would seem to
make the story inconsistent.

Maybe I didnt (if I did infact myself) have means to access
everything in those computers...  ;)

Item 12 describes a well known problem, however
this cannot be fixed by the users of the system.

Oh yes, they could and should move from TeliaSonera to Elisa for
example, that uses secure COMP-128-3 and A5/3. Its been years and
years since this security hole was shown first so they have had
plenty of time, but they just dont give a drek (both in TeliaSonera
and in our parlament).

Furthermore item 12 describes a scenario which simply is not
realistic. Whilst the encryption algorithms in use may be
crackable in near real time on a modern computer,

A5/1 is crackable IN REAL TIME.

dissection of the modulation scheme and isolation of a single
device is most certainly NOT possible with a single laptop.

Ofcourse you need few additional tools for that, but the point is,
that the security of the system is broken.

Most likely there are no civilians in Finland with the
resources to actually carry out the attack described.

Some civilians do have. However, Finnish people are so uninterested
in politics that they really would bother. ;)  But other goverments
and intelligence agencies would surely be interested and willing to
wiretap and listen.

Item 13 has more implications than have been considered
and would require more than a little insider knowledge
to pull off the attack.

Perhaps. The issue is, that it can be done and they should protect
themselfes against it.

In terms of civilian liability this method of attack is absolutely
absurd. It would require co-ordination from several places and a
significant knowledge of existing infrastructure surrounding that
geographical location.

That sort of information is easily obtained. No co-ordination is
really required, just put up a false GSM base station next to our
parlament building with a strong enought signal and voila!

Such hard work is rarely necessary, as it
would make more sense to just knock out the
government worker and steal their laptop
With a good getaway plan this would take far less
time, and not cost hundreds of thousands of dollars.

True, that attack is more potential especially since the laptop
HDD:s are not encrypted (as they should).

We are discussing government security here, but if
there is something occurring that would concern the
NSA or MI5/6 then encrypting your GSM comms will
be the least of your security concerns.

I was under the impression that NSA etc. spy for their living
anything they can. I bet members of parlaments and their assistants
are very good targets.

Firstly it would appear that Mark is a common

Argumentum ad hominem. Red herring.

Having taken part in quite unscientific objections
with members of Greenpeace for a start.

Argumentum ad hominem. Red herring.

Tetra security for example is
claimed to be useless on his site, but once again
his lack of understanding of Radio Frequency
eavesdropping shows a clear lack of knowledge
in this area.

Red herring.
Useless blahblahblah. Please clarify. Give proper arguments. As I
sayed, TETRA might be backdoored for NSA as sayed by EU, and TEA
algorithms are not open and tested for security, so there is no
point on trusting them. Please tell me what is incorrect in those
two arguments of mine.

Another clear example of his sensationalist
attitude without proper understanding or thought
is in his discussion of SSH security, where
he claims that authentication keys are useless
because they cannot be known trusted during the
first connection instance (or maybe he
just hasn't realised you should save the keys
during a build??).

Argumentum ad hominem. Red herring.
Dont try to put words into my mouth. I clearly say in my
pages:"Unless you can receive the publickey or the fingerprint of
the publickey used in some secure manner." And this is absolutely

Common reports of Man in the Middle attacks being
possible are not understood either.

Red herring.
Not only possible but very real and easy to do.

As shown by the idiosyncratic inclusion of a
key fingerprint on the same page as his PGP
key links (for added security!?). If someone
wanted to sit in the middle, would they not
change both the key and the fingerprint reported?

Argumentum ad hominem. Red herring.
My key is available from various locations, and so is the

There are so many 'bits' that you simply could not
filter all of them using standard electronics.

Red herring.
Actually it sayes in my Finnish pages "they might know about it",
just translation error.

What you might want to do is provide substantial evidence
though, in order to not end up in lawsuits.

Contact members of our parlament or their assistants and ask them.
I have.

Markus Jansson
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]