Via Techworld.com

A highly sophisticated spying operation that tapped into the mobile phones of Greece’s prime minister and other top government officials has highlighted weaknesses in telecommunications systems that still use decades-old computer code.

The spying case, where the calls of around 100 people using Vodafone’s network were secretly tapped, remains unsolved and is still being investigated. Also complicating the case are question marks over the suicide in March 2005 of a top engineer at Vodafone Group in Greece in charge of network planning.

A look into how the hack was accomplished has revealed an operation of breathtaking depth and success, according to an analysis on IEEE Spectrum Online, the website of the Institute of Electrical and Electronics Engineers.

The case includes the “first known rootkit that has been installed in a [phone] exchange,” said Diomidis Spinellis, an associate professor at the Athens University of Economics and Business, who wrote the report with Vassilis Prevelakis, an assistant professor of computer science at Drexel University in Philadelphia.

A rootkit is a special programme that buries itself deep into an OS for some malicious activity and is extremely difficult to detect.

The rootkit disabled a transaction log and allowed call monitoring on four switches made by Telefonaktiebolaget LM Ericsson within Vodafone’s network. The software enabled the hackers to monitor phone calls in the same way as law enforcement agencies would, but without the normally required court order. It did so by sending a second, parallel voice stream to another phone for monitoring.

The intruders covered their tracks by installing patches on the system to route around logging mechanisms that would alert administrators that calls were being monitored. “It took guile and some serious programming chops to manipulate the lawful call-intercept functions in Vodafone’s mobile switching centres,” the authors wrote.

The secret operation was finally discovered around January 2005 when the hackers tried to update their software and interfered with the way text messages were forwarded, which generated an alert. Investigators found hackers had installed 6,500 lines of code, an extremely complex coding feat.

“The size of the code is not something that somebody could hack in a weekend,” Spinellis said. “It takes a lot of expertise and time to do that.”

The investigation, which included a Greek parliamentary inquiry, netted no suspects, partly because key data was lost or was destroyed by Vodafone, the authors wrote. It is not known if the hack was an inside job.

Vodafone may have been able to discover the scheme sooner through statistical call analysis that could have linked the calls of those being monitored to calls to the phones used to monitor the conversations, they wrote. Carriers already do that sort of analysis, but more for marketing than for security reasons.

But the defense against rogue code, viruses and rootkits is complicated because of the way the telecom infrastructure has developed. “Complex interactions between subsystems and baroque coding styles (some of them remnants of programmes written 20 or 30 years ago) confound developers and auditors alike,” the report said.
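The statistical call analysis the authors mention is easy to sketch. The Python below is an added example for this post, not code from the IEEE Spectrum report or from Vodafone. It works on constructed call records and assumes that the duplicated intercept leg shows up as a second record on the monitored subscriber’s line, starting within seconds of the real call and running alongside it; the Call class, the target and shadow numbers and the thresholds are all invented for the illustration.

```python
"""Correlate call records to find 'shadow' phones that receive a second,
concurrent leg whenever a monitored subscriber is on a call.
Added example with constructed data; not the report's or the carrier's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    caller: str
    callee: str
    start: int      # seconds since epoch
    duration: int   # seconds


def overlap(a: Call, b: Call) -> int:
    """Seconds during which both calls were in progress."""
    begin = max(a.start, b.start)
    end = min(a.start + a.duration, b.start + b.duration)
    return max(0, end - begin)


def find_shadow_numbers(cdrs, targets, setup_slack=5, min_hits=3):
    """Rank far-end numbers that repeatedly appear as a second, concurrent
    leg on a monitored subscriber's line.

    A handset is on one call at a time. A duplicated intercept leg shows up
    as another record on the same subscriber that starts within
    `setup_slack` seconds of the real call and runs alongside it.
    Returns {number: (hits, share)}: hits counts such legs, share is hits
    divided by every record the number appears in (a monitoring phone does
    little else, so its share sits near 1.0)."""
    by_target = defaultdict(list)
    appearances = defaultdict(int)
    for c in cdrs:
        appearances[c.caller] += 1
        appearances[c.callee] += 1
        for party in (c.caller, c.callee):
            if party in targets:
                by_target[party].append(c)

    legs = defaultdict(set)   # candidate -> {(target, start of suspect leg)}
    for target, calls in by_target.items():
        calls.sort(key=lambda c: c.start)
        for i, primary in enumerate(calls):
            for second in calls[i + 1:]:
                if second.start - primary.start > setup_slack:
                    break                  # sorted: nothing later can match
                if overlap(primary, second) == 0:
                    continue               # back-to-back calls are normal
                far_end = second.callee if second.caller == target else second.caller
                if far_end in targets:
                    continue               # target-to-target traffic is not a shadow
                legs[far_end].add((target, second.start))

    return {
        number: (len(events), len(events) / appearances[number])
        for number, events in legs.items()
        if len(events) >= min_hits
    }


TARGETS = {"target-1", "target-2"}
T0 = 1_105_000_000   # arbitrary epoch base for the constructed records

# Constructed CDRs. The intercept leg is modelled as an extra record on the
# monitored line to the shadow number, a second or two after the real call
# is set up; that record shape is an assumption of this example.
SAMPLE_CDRS = [
    Call("target-1", "friend-a", T0, 300),
    Call("target-1", "shadow-9", T0 + 1, 299),
    Call("other-b", "target-1", T0 + 900, 120),
    Call("target-1", "shadow-9", T0 + 902, 118),
    Call("target-2", "other-c", T0 + 2000, 600),
    Call("target-2", "shadow-9", T0 + 2001, 598),
    Call("other-k", "target-2", T0 + 2003, 30),     # call-waiting noise
    Call("other-d", "target-2", T0 + 5000, 60),
    Call("target-2", "shadow-9", T0 + 5001, 59),
    Call("other-e", "target-1", T0 + 8000, 200),
    Call("target-1", "shadow-9", T0 + 8002, 198),
    Call("other-f", "friend-a", T0 + 2001, 100),    # unrelated traffic
    Call("other-g", "friend-a", T0 + 30000, 50),
    Call("other-i", "other-j", T0 + 50000, 50),
]

if __name__ == "__main__":
    for number, (hits, share) in find_shadow_numbers(SAMPLE_CDRS, TARGETS).items():
        print(f"{number}: {hits} concurrent legs, {share:.0%} of its traffic")
```

Requiring several concurrent legs, and a high share of the far end’s total traffic, is what keeps an ordinary call-waiting event (other-k above) out of the list while the shadow phone, whose every record coincides with a target’s call, stands out. Whether the intercept leg appears in billing records at all depends on the switch, which is why the record shape here is an assumption rather than a fact from the report.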

Via The JD Edwards Advisor

Allow me to offer some allegations from Oracle’s lawsuit that would demonstrate, if they are true, how stupid TomorrowNow’s employees were. According to Oracle…

  • Most of the download requests came from an IP address that is located in Bryan, Texas (TomorrowNow’s hometown) and is part of SAP’s network. Very bright!
  • Some of the illegal downloads came from URLs that had TomorrowNow’s name in them, such as http://hqitpc01.tomorrownow.com.
  • In many of the sessions on Customer Connection, the perpetrators downloaded hundreds of files at a time. Using one customer ID from an Oracle customer that was switching to TomorrowNow, someone downloaded an average of 1,800 items a day for four days straight. Now that wouldn’t arouse any suspicion…would it?
  • In many cases, the downloaders provided obviously fake information. That included phone numbers such as “777-777-7777” and email addresses like test@testyomama.com.
  • To top it off, the perpetrators logged into Customer Connection using multiple userids and passwords that they had gathered from multiple companies. However, they logged in from the same IP address. Hmmm…now when would Oracle software users such as Abbott Labs, Bear Stearns, Merck, and Smithfield Foods all log in to Customer Connection from the same IP address?

Assuming that the above are correct (after all, JD Edwards is closely related to Oracle, so they have a pro-Oracle bias):

This cannot be serious! The tech level in this attack is ridiculous! In typical geek fashion I will assume that it was one of the typical clueless IT manager types that performed the “attack”, as any person having been on the net for a couple of years or more knows how to (even semi-effectively) cover her tracks. I am not a lawyer so I cannot presume how TomorrowNow will get away with this one, but I still can believe it. The immaturity level of the “attack” can give food to some paranoid conspiracy theories (I mean come on SAP, you can afford a decent techie to retrieve the required info for you). So without further ado here are some other not so serious explanations about the incident:

  • TomorrowNow got hacked. Perhaps a drive by incident, perhaps a (drum roll) Oracle coordinated attack to discredit their opponent. So the attack was Oracle -> TomorrowNow->Oracle
  • TomorrowNow, in order to cut costs (so middle level execs can play more mini golf), decided to employ 15-year-olds or less-than-script-kiddies. Under command of management (which in some cases has a directly comparable mental level), they decided to do some recon about their main business opponent. Whoohoo, this proxy thing surely is working man!!!!!!
  • The whole issue was forged by a bored Oracle employee using ed. Such was the punishment decided upon him for saying “you know, for simpler installations I am a big MySQL fan, perhaps we must re-evaluate the complexity of our product for the SOHO market.” “FORGE!” *whip crack*
  • Under a grant from MPAA/RIAA, Oracle provided warez links that deceptively pointed to their documentation under the moniker “Hot Teen Ebony Asses pt DCXLVI: The return of the hung well Chinaman” and for “WINDOWS VISTA SOURCE CODE LEAKED !!!111!!!1!!11!!!”. So given warez puppie population was duped into framing their employer!

Feel free to think up some more of your own and always keep in mind Occam’s Razor (the simplest explanation is almost always the most probable).

Via news.com

SAP responded Friday to allegations raised by Oracle that SAP’s wholly owned subsidiary, TomorrowNow, illegally accessed its rival’s customer support and maintenance site. “SAP will not comment other than to make it clear to our customers, prospects, investors, employees and partners that SAP will aggressively defend against the claims made by Oracle in the lawsuit,” SAP said in a statement. “SAP will remain focused on delivering products and services–including those from TomorrowNow–that ensure success for our customers.”

TomorrowNow, a third-party support and maintenance company, provides service to Oracle’s PeopleSoft and J.D. Edwards customers. Oracle alleges TomorrowNow accessed its maintenance and support Web site, using log-on and passwords of former, or soon-to-be former, Oracle support and maintenance customers.

So, where is the WWE-like response? This is tame! It is like paying the price of admission for a loud action flick like 300 and getting to see Leonidas and Xerxes reconciling their differences over a cup of tea, after pondering the futility of war. Perhaps they have a policy of not commenting on legal events while they are in progress, but come on! Where is the typical “We have nothing to do with this whatsoever, so up yours”? I mean come on! Turning the other cheek might be the Christian thing to do, but (as SCO found out to its dismay) some corporate lawyers are actually well-paid comedians who conjure lawsuits for their comedic value. However, no real comedy/violence value for this one; let’s all hope that the action and name calling will pick up shortly.

Links to original articles:

JD Edwards Advisor blog entry

news.com article

Oracle’s 44-page complaint in pdf form (obviously, requires Acrobat Reader)

(I was too tired from the Army to do a decent post so I owe you one shortly :-) )

Via SecurityFocus.com

Robert Lemos, SecurityFocus 2007-03-22

Database and enterprise software firm Oracle filed a lawsuit on Thursday against German application maker SAP claiming that the European firm pilfered an enormous number of documents and software from Oracle’s customer-only support systems.


Claims from Oracle’s lawsuit against rival SAP

The lawsuit, filed after the close of SAP’s European business day, alleged that the German software maker and its subsidiaries used the usernames and passwords of former–and soon-to-be-former–Oracle customers to download more than 10,000 support documents between September 2006 and January 2007. In some cases, the activity appeared as a “systematic pattern of sweeping” Oracle’s database just days before a customer’s support contract was about to expire, downloading information for products that the customer did not have deployed.

Oracle traced the suspect activity to the Texas-based offices of customer support subsidiary SAP TN (formerly, TomorrowNow), which SAP purchased in January 2005. The company had provided support services for customers of PeopleSoft, an enterprise software maker that Oracle acquired earlier the same month. In its court filing, Oracle charged that SAP TN used the access to Oracle’s system to clone its support database and offer discounted services to former Oracle customers.

“In short, to try to ‘keep the pressure on Oracle,’ SAP has been engaged in a systematic program of unfair, unlawful, and deceptive business practices that continues to this day,” Oracle stated in the filing. “Through its legitimate and illegal business practices, SAP has taken Oracle’s Software and Support Materials and apparently used them to insinuate itself into Oracle’s customer base, and to attempt to convert these customers to SAP software applications.”

SAP was still analyzing the claims in the lawsuit and could not comment on the specific allegations, a company spokesperson stated in an e-mail to SecurityFocus.

“We have just been notified of the lawsuit, and have taken note of Oracle’s news release and what is on its Web site,” said spokesman Steve Bauer. “We are still reviewing the matter, and, until we have a chance to study the allegations, SAP will follow its standard policy of not commenting on pending litigation.”

Attacks on information systems for competitive intelligence have increasingly become a problem. In 2005, government and corporate information-security specialists detected a number of targeted attacks aimed at fooling knowledgeable employees. The number of attacks, many appearing to come from China, has only risen in the past 18 months.

Oracle and SAP have had a knock-down rivalry brewing ever since Oracle bought PeopleSoft and became a serious competitor to SAP, said Judith Hurwitz, president of analyst firm Hurwitz & Associates.

“Clearly these guys are going after each other pretty ferociously,” Hurwitz said. “For SAP to buy a company to undercut Oracle’s maintenance pricing … It clearly was to get access and knowledge of Oracle’s customer base, that is clearly why SAP bought them.”

Oracle’s lawsuit alleges that the purchase did not deliver enough. The 37-employee SAP TN focused mainly on sales and not on technical development, the filing claims. Instead, the company allegedly used the usernames and passwords of customers that the firm had lured away from Oracle to download a variety of technical materials.

“SAP employees used the log-in IDs of multiple customers, combined with phony user log-in information, to gain access to Oracle’s system under false pretexts,” Oracle stated in the filing. “Employing these techniques, SAP users effectively swept much of the contents of Oracle’s system onto SAP’s servers.”

In late 2006, Oracle noticed “huge, unexplained spikes” in the number of its customers that had kept searching for more information after receiving the initial results of a search. Moreover, the renewed search attempts occurred within seconds of each other, suggesting that the actions had been automated, not performed by a human.

“Oracle soon discovered that many of these ‘customers’ had taken massive quantities of Software and Support Materials beyond their license rights, over and over again,” the court filing states.

The conclusion caused Oracle to embark on an investigation into what was happening. The company allegedly found that the unauthorized access to its network originated from SAP’s computers, not from the customers whose credentials were used. Credentials assigned to electronics maker Honeywell, pharmaceutical giant Merck and industrial technology firm SPX were all used to access Oracle’s system, the software company stated.

Oracle’s lawsuit repeatedly points to wording in software and service license agreements that stipulate that the customer support material is proprietary and only for use by the firm’s customers.

The lawsuit makes eleven claims under the Computer Fraud and Abuse Act, economic espionage laws and regulations against unfair competition. The court filing does not specify what damages or penalties are sought by Oracle.
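The indicators in Oracle’s complaint, as reported above (many customer accounts used from one IP address, hundreds of files per session, repeated searches seconds apart, placeholder phone numbers and e-mail addresses), translate directly into access-log heuristics. The Python below is an added example for this post, not Oracle’s detection code or anything taken from the complaint; the log format, field names, account identifiers, IP addresses and thresholds are all constructed for the illustration.

```python
"""Heuristics for spotting credential sharing and bulk scraping in a
customer-support portal's access log.
Added example with constructed data; not Oracle's code or log format."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format (an assumption of this example):
#   <ISO time> <client ip> acct=<customer id> email=<addr> phone=<num> GET <path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) acct=(?P<acct>\S+) email=(?P<email>\S+) "
    r"phone=(?P<phone>\S+) GET (?P<path>\S+)$"
)
SAME_DIGIT_PHONE = re.compile(r"^(\d)(?:-?\1)+$")      # e.g. 777-777-7777
PLACEHOLDER_LOCAL = {"test", "asdf", "none", "foo"}    # left of the @


def parse(lines):
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # malformed lines are skipped, not trusted
        row = m.groupdict()
        row["ts"] = datetime.fromisoformat(row["ts"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def analyse(lines, min_shared_accounts=3, max_daily_downloads=50,
            scripted_gap_seconds=2.0, min_scripted_requests=10):
    """Return four kinds of findings over the parsed log:
    shared_ip   - one client address driving several customer accounts
    bulk        - an account pulling more documents per day than a human would
    scripted    - a session whose median inter-request gap looks automated
    fake_contact- accounts registered with placeholder e-mail or phone details
    Thresholds are illustrative and sized for the small constructed sample."""
    rows = parse(lines)
    accounts_by_ip = defaultdict(set)
    daily = defaultdict(int)
    sessions = defaultdict(list)
    contact = {}
    for r in rows:
        accounts_by_ip[r["ip"]].add(r["acct"])
        daily[(r["acct"], r["ts"].date())] += 1
        sessions[(r["ip"], r["acct"])].append(r["ts"])
        contact[r["acct"]] = (r["email"], r["phone"])

    findings = {"shared_ip": {}, "bulk": [], "scripted": [], "fake_contact": []}
    for ip, accts in accounts_by_ip.items():
        if len(accts) >= min_shared_accounts:
            findings["shared_ip"][ip] = sorted(accts)
    for (acct, day), n in daily.items():
        if n > max_daily_downloads:
            findings["bulk"].append((acct, day.isoformat(), n))
    for (ip, acct), stamps in sessions.items():
        if len(stamps) < min_scripted_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= scripted_gap_seconds:
            findings["scripted"].append((ip, acct, median_gap))
    for acct, (email, phone) in contact.items():
        local = email.split("@")[0].lower()
        if local in PLACEHOLDER_LOCAL or SAME_DIGIT_PHONE.match(phone):
            findings["fake_contact"].append((acct, email, phone))
    return findings


def constructed_log():
    """Synthetic lines, not from any real portal: one address driving three
    customer accounts with a script, plus one ordinary customer."""
    t0 = datetime(2006, 11, 14, 9, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    scraped = [("ACME-001", "test@example.invalid", "777-777-7777"),
               ("GLOBEX-002", "asdf@example.invalid", "555-0100"),
               ("INITECH-003", "jane.doe@example.invalid", "888-888-8888")]
    n = 0
    for acct, email, phone in scraped:
        for i in range(60):                          # 60 documents, one per second
            ts = t0 + timedelta(seconds=n)
            n += 1
            lines.append(f"{ts.strftime(fmt)} 10.1.2.3 acct={acct} email={email} "
                         f"phone={phone} GET /support/doc/{1000 + i}")
    for i in range(4):                               # a human, minutes apart
        ts = t0 + timedelta(minutes=15 * i)
        lines.append(f"{ts.strftime(fmt)} 192.0.2.44 acct=LEGIT-004 "
                     f"email=ops@example.invalid phone=212-555-0142 GET /support/doc/{2000 + i}")
    return lines


if __name__ == "__main__":
    for kind, hits in analyse(constructed_log()).items():
        print(kind, hits)
```

Each heuristic alone is noisy (a consultancy legitimately supporting several customers shares an IP; a migration team may download a lot in one day), so the useful signal is an account or address that trips several of them at once, which is exactly the combination the complaint describes.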

————————————————————————————————————————

First of all, I do not see how this is related to “hacking”. Using a client’s login details and creating a dummy user is not the epitome of penetration testing art. Now, as far as I can tell, SAP is not a dirt-poor, cheap company operating from a ghetto basement using a stolen WiFi link. Being one of the largest software corporations, surely they can afford to buy an Oracle solution or two and then peruse the related documentation at will (or perhaps take it even further and reverse engineer the hell out of the competitor’s programs), hire and debrief a couple of senior engineers (human assets were always a crucial part of intelligence) and whatnot, being “sleazy” but staying well within the law. Using soon-to-be-former Oracle customer accounts and then downloading documentation directly onto their servers? Come on, there are a ton of ways to anonymize traffic, and since they are committing “hacking” (the article’s wording, not mine, mind you), they must know that if they get caught red-handed there are many things at stake (including valuable corporate image). My assumption is that there is perhaps a rogue element within SAP, as from a senior managerial perspective this move is suicide. The fact that this appears to be a low tech level attack (once again, it is not like SAP cannot afford a highly technical yet amoral person) strengthens this notion further. Perhaps a couple of bored techies under the command of a middle level manager at best? It just does not make sense. Anyway, this will be a subject that I will keep my eyes on.