IIRC, something similar happened in the 1980's/90's with the phone landlines.
The FBI/DEA made an anonymous toll-free tip line for people to call with tips on the cartel activity. The cartel was able to get the phone records for people who called the tip line through bribes, extortion, or violence to the telco employees. They identified the people who called the tip lines, and then one-by-one eliminated them all.
makeitdouble · 12h ago
This happens in Mexico, but the level of access they got is pretty staggering IMHO:
> The hired hacker [...] was able to use the [attache's] mobile phone number to obtain calls made and received, as well as geolocation data, associated with the [attache's] phone."
> the hacker also used Mexico City's camera system to follow the [attache] through the city and identify people the [attache] met with
bilbo0s · 12h ago
It is kind of interesting that military, law enforcement and intelligence types wouldn't simply assume going in that well funded adversaries have these sorts of capabilities.
It's like the advice I would give to anyone, assume anything you put into a networked digital device, your voice, text, gps trails, oven temperature, anything.. is public, with an unknown publish date. Full stop. Plan your organization's operations in accordance with that assumption.
trod1234 · 9h ago
The military understands COMSEC well, but they are slow moving and the threat landscape is made unnecessarily intractable by relying on private industry who are willing to lie about security guarantees with few if any repercussions.
The issues we are having today are also the direct consequential result of collection in those treasure troves of security exploits; instead of fixing them, and their subsequent leaking.
Technically speaking for most common devices and software today, an AS# level attacker can transparently terminate encryption early to MITM with no indicator of compromise.
They can also disrupt interrupt driven communications with similar level of access (where a communication is strategically not sent without either parties awareness of the occurrence except as indirect after-action backscatter).
Princeton wrote a paper on it related to Tor back in 2014 iirc (the Raptor attack or something like that). The structure can easily be applied to more than just Tor, and that level of access would be quite valuable to well funded adversaries.
The incentives toward profit and power along with lack of liability for security, prevent many of the mfg companies involved from having effective security.
I can't remember where but there was a comment in either a talk or -con presentation where someone said the paper suggests TLS fails completely to these type of attacks; and there has been some speculation online as to if there is a connection between this and why leaked guidelines from various places say to never trust TLS.
The lack of security as an outcome can be seen as caused by government regulation mandates for the ISP industry, as thoroughly called out in this talk:
You can find it available on youtube if they no longer have the direct link on the site.
Security has always had an issue with usability being compromised as security requirements increase. Organizations can't really compete on an even field with their competitors if the competitors have a technological edge because they happen to not be being attacked.
moose333 · 11h ago
Sounds like the hacker got access to call logs and tower pings, but probably didn't hack the actual phone. I'm assuming FBI-issued cell phones are pretty hard to break into, Mexican cell service providers probably less so
neilv · 12h ago
I'll propose an additional recommendation:
"5. Reduce the UTS threat by outlawing most domestic surveillance capitalism. Including having severe criminal penalties for companies found illegally capturing, compiling, retaining, selling, sharing, or leaking what has been designated as rightfully private data."
trod1234 · 8h ago
There are already severe criminal penalties, the issue is its impossible to enforce except in retrospect in most cases. The attack surface is extremely porous because of money-printing with the government as a customer and every major company lining up to the trough.
For an example, its quite well known you can do a lot with an off the shelf SDR.
Technically those receivers can capture cell phone signals and other data passively. It would be almost trivial to set up an overlay network in target regions, its not much harder than putting together a local LAN/point to point connection.
There is no indicator its happening because its not active. This also applies to collectors that operate on TEMPEST principles (i.e. the emissions from your device displays).
Active MITM poses worse outcomes, but not strictly needed for these things. Encryption prevents most of this, if its secure but security comes from the visible industry, and visible industry lags behind where the landscape actually is.
There are companies and nations who put satellites in orbit that collect this data who may offer it as a service. Technically you can passively collect any raw signals with an appropriate length of wire for an antenna so there isn't much of a manufacturing bottleneck authorities could exploit.
Without immediate and existential level of consequence, no criminal penalty will ever be enough. Incarceration isn't an existential consequence.
The laws in effect only keep the honest people honest, and equally punish honest people for pointing out the emperor has no clothes.
The FBI/DEA made an anonymous toll-free tip line for people to call with tips on the cartel activity. The cartel was able to get the phone records for people who called the tip line through bribes, extortion, or violence to the telco employees. They identified the people who called the tip lines, and then one-by-one eliminated them all.
> The hired hacker [...] was able to use the [attache's] mobile phone number to obtain calls made and received, as well as geolocation data, associated with the [attache's] phone."
> the hacker also used Mexico City's camera system to follow the [attache] through the city and identify people the [attache] met with
It's like the advice I would give to anyone, assume anything you put into a networked digital device, your voice, text, gps trails, oven temperature, anything.. is public, with an unknown publish date. Full stop. Plan your organization's operations in accordance with that assumption.
The issues we are having today are also the direct consequential result of collection in those treasure troves of security exploits; instead of fixing them, and their subsequent leaking.
Technically speaking for most common devices and software today, an AS# level attacker can transparently terminate encryption early to MITM with no indicator of compromise.
They can also disrupt interrupt driven communications with similar level of access (where a communication is strategically not sent without either parties awareness of the occurrence except as indirect after-action backscatter).
Princeton wrote a paper on it related to Tor back in 2014 iirc (the Raptor attack or something like that). The structure can easily be applied to more than just Tor, and that level of access would be quite valuable to well funded adversaries.
The incentives toward profit and power along with lack of liability for security, prevent many of the mfg companies involved from having effective security.
I can't remember where but there was a comment in either a talk or -con presentation where someone said the paper suggests TLS fails completely to these type of attacks; and there has been some speculation online as to if there is a connection between this and why leaked guidelines from various places say to never trust TLS.
The lack of security as an outcome can be seen as caused by government regulation mandates for the ISP industry, as thoroughly called out in this talk:
https://cyphercon.com/portfolio/exposing-the-threat-uncoveri...
You can find it available on youtube if they no longer have the direct link on the site.
Security has always had an issue with usability being compromised as security requirements increase. Organizations can't really compete on an even field with their competitors if the competitors have a technological edge because they happen to not be being attacked.
"5. Reduce the UTS threat by outlawing most domestic surveillance capitalism. Including having severe criminal penalties for companies found illegally capturing, compiling, retaining, selling, sharing, or leaking what has been designated as rightfully private data."
For an example, its quite well known you can do a lot with an off the shelf SDR.
Technically those receivers can capture cell phone signals and other data passively. It would be almost trivial to set up an overlay network in target regions, its not much harder than putting together a local LAN/point to point connection.
There is no indicator its happening because its not active. This also applies to collectors that operate on TEMPEST principles (i.e. the emissions from your device displays).
Active MITM poses worse outcomes, but not strictly needed for these things. Encryption prevents most of this, if its secure but security comes from the visible industry, and visible industry lags behind where the landscape actually is.
There are companies and nations who put satellites in orbit that collect this data who may offer it as a service. Technically you can passively collect any raw signals with an appropriate length of wire for an antenna so there isn't much of a manufacturing bottleneck authorities could exploit.
Without immediate and existential level of consequence, no criminal penalty will ever be enough. Incarceration isn't an existential consequence.
The laws in effect only keep the honest people honest, and equally punish honest people for pointing out the emperor has no clothes.