April 29, 2024

The mountain of shit theory

Uriel Fanelli's blog in English

Meloni and Layer 8

On the famous phone call between Meloni and the two Russian comedians, the press is fussing over what happened and over the necessary or imaginary levels of protection (which the press itself invents on the spot), forgetting one very simple thing. It wasn't the two comedians who called Meloni; it was Meloni who called the two comedians.

A dozen years in the telco world made me aware of the telephone protections assigned to VIPs. For example, you might think of infiltrating an agent into some telco call center and using the call center's access to learn data about the VIP. It wouldn't work: as soon as an ordinary call center tried to access certain numbers, a control center would be alerted. So no.

Generally, politicians and heads of state have a telephone that sits in a CUG (Closed User Group), which is not reachable from the public telephone network at all, but only by their staff. These staff work like Jonathan Swift's "flappers" (you will have read Gulliver's Travels): to get to the prime minister you have to go through them, and at most they have you called back or forward the call.

These are procedures that have existed for years and years, so the idea that two comedians calling from Russia could reach Meloni's phone directly must be discarded.

But then how did the communication come about?


Here we are at a security problem on a layer called "Layer 8". In network theory (and therefore also for telephone networks) reference is often made to a scheme made up of "layers". The OSI reference model has, in fact, 7 layers.

But then what is layer 8? Layer 8 is an imaginary layer, in the sense that it is not made of electronics but of the people who work around a system. What does that mean? It means that computers are operated by people, and people can make decisions.

For example, if you call a certain number of call centers to sort out your elderly mother's telephone contract, the call center should categorically refuse to act on her account. However, if you explain that you are calling on behalf of / instead of your very elderly mother, SOME operators may fall for it, help you, and explain to you what is wrong with your mother's contract.

In that case, you have reached data that you were NOT supposed to reach; that is, you have compromised the security system with what is called a "layer 8 attack", which used to be referred to more generically as "social engineering".

You didn't compromise computer systems or exploit software bugs; what you exploited was the unpredictable nature of human interactions.

And you obtained information that, in theory, you had no right to access.


Are there methods to stop these attacks? Yes, but they do not depend on controlling communications: the flaw is not in the communications, the flaw is in the people.

Let's try to reason using the ITIL vocabulary: to reach a person, you follow a process. The process is carried out by functions, ideally one guy in an office doing one specific thing.

The common belief is that if we insert a security function into the process, we will have solved the problem. In reality, what has been observed is that the problem gets mitigated, but not resolved. Why?

Because if we increase the number of functions, the number of people increases, and the attack surface increases with it. Let me explain better: you call the call center and manage to convince an operator that you really are the son of your elderly mother. The operator then hands you over to a colleague. The problem with "colleagues" is that they will be led to think that your identity has already been verified.

Consequently, increasing the number of flappers around the king does NOT increase the security of the king; it only makes it more difficult to talk to him. Of course, if it is more difficult to talk to him it is also more difficult to defraud him, but we must understand that in order to reign the king must still talk to someone.

So stop saying that the protection systems have failed: it's true, but all the solutions that begin with "xyz would have been enough" refer to things that have already been tried in the world of IT security, and it has been observed that they mitigate the problem but never completely solve it.
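To make the argument above concrete, here is a constructed toy model, added here and not part of the original post: a chain of gatekeepers, each fooled by a pretext with an assumed probability, compared under independent re-verification, inherited trust ("the colleague already checked"), and inherited trust with several possible entry points. The per-gate probabilities are assumed values, not figures from the post.

```python
from math import prod
import random


def p_success_independent(fail_probs):
    """Every gatekeeper checks identity again, so all of them must be fooled in turn.
    Adding gates shrinks this product, but it never reaches zero: mitigated, not resolved."""
    return prod(fail_probs)


def p_success_inherited(fail_probs):
    """Only the first gatekeeper really checks; whoever receives the handover assumes
    the identity was already verified and just forwards. Adding gates changes nothing."""
    return fail_probs[0] if fail_probs else 0.0


def p_success_any_entry(fail_probs):
    """Inherited trust, and the caller may start at any gatekeeper (absences, deputies):
    the attack succeeds if at least one of them is fooled, so more people means more surface."""
    return 1.0 - prod(1.0 - p for p in fail_probs)


def simulate(fail_probs, policy, trials=20000, seed=1):
    """Monte Carlo check of the closed forms above; one call attempt per trial."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if policy == "any_entry":
            fooled = any(rng.random() < p for p in fail_probs)
        else:
            fooled, handed_over = True, False
            for p in fail_probs:
                if policy == "inherited" and handed_over:
                    continue  # the colleague assumes the check was already done
                if rng.random() < p:
                    handed_over = True
                else:
                    fooled = False  # the pretext is rejected, the attempt ends here
                    break
        hits += fooled
    return hits / trials


if __name__ == "__main__":
    # Constructed input: three gatekeepers, each fooled one time in five (assumed values).
    chain = [0.2, 0.2, 0.2]
    for name, f in [("independent", p_success_independent),
                    ("inherited", p_success_inherited),
                    ("any_entry", p_success_any_entry)]:
        print(f"{name:12s} closed form {f(chain):.3f}  simulated {simulate(chain, name):.3f}")
```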


In the case in question, let's say, Meloni was induced to call the comedians back from her own phone. It wasn't someone who got through to her, or rather: they got there through another channel. Apparently someone began sending emails, which were received by some of the Prime Minister's "flappers", until through these attacks an usher was convinced that the Prime Minister would do very well to call the two comedians.

Someone writes that you could tell the two were Slavs by listening to their English accent. This is only partially true, in the sense that, speaking with people from many nations, I noticed that the "LL" of the Slavs is also common among Israelis. I guess it's related to Israeli demographics, but if you think you can tell a Russian from an Israeli by their English accent, you're probably screwed. In terms of accent, when they speak English it is difficult to distinguish Israelis from Slavs, just as it is hard to tell Scots from Irish, for example. As biometrics go, it's weak.

In any case, if you persistently call and bombard a receptionist, using email and voice calls at the same time, the receptionist will probably at some point be convinced that you really are somebody: the receptionist will decide that putting you in direct contact is unsafe (true), but that the message can be passed on to the prime minister, who will then decide whether to call back.

The trouble is that the prime minister will be convinced that, if someone has passed the filter of the receptionist, or of whichever function she has supervising that filter, the credentials are valid. The prime minister's trouble is that she talks to so many people. And so there are lots of people who call her staff saying "I'm the axillary under-minister of the republic of Coglionistan; yesterday at the peace congress the Premier told me to call her on this number".

In a complex staff, with absences and therefore handovers of responsibility from a guy to his deputy, faking something like this can work. And the prime minister will call back the axillary under-minister of Coglionistan.


The most common answer to this problem is that the solution is simple (spoiler: no, it is not): it is enough that the secret services, or more generally some function of the process that serves to speak to the prime minister, also control outgoing calls.

Very good, but this means that the secret services effectively isolate the prime minister. The prime minister only talks to those the services want, receives calls only from those the services want, and since she could convince herself through any source that she should call so-and-so, it will also be necessary to check her sources of information.

We get the situation that the Trump presidency experienced in the Bannon period. To make it clear, I'll give you an extreme (and comical) example:


Moral: proposing that the prime minister's communications be isolated and controlled makes sense only if you have a lot of trust in those who control the communications. But really a lot.

In general, all security problems are a trade-off between the resulting security and the level of incapacitation they require. If you work in a large company, the company proxy often blocks a page, or you cannot download the thing you need, for security reasons.

This incapacitation is accepted because the security benefits are believed to outweigh the harm of the incapacitation.


In general, therefore, the real problem in all this, the weak point in the chain, was Giorgia Meloni. After all, we know that in any complex system made up of humans there is the possibility of carrying out layer 8 attacks.

The problem, at this point, is the endpoint. Whether or not Meloni really believes that it makes sense to tell a guy from the African Union (which does exist) things that shouldn't leave her office.

From Meloni's point of view, if she gets the proposal to call so-and-so from the African Union, so-and-so exists, and the African Union exists and is important. Perhaps after 10 or 15 years in government one has enough experience to know that the African Union is about as important as a swingers' club in Mantua.

The problem, however, is that even if it were important, it would make even less sense to give them information such as "we are tired of Ukraine" or "when I talk to other European leaders they don't even answer the phone".

I don't know why they don't answer the phone; when it comes to meetings, the professional rule is "no agenda, no attenda", in the sense that the meeting takes place only if we have first agreed on what we are going to talk about. If you have nothing to put on the table, don't ask for a meeting.

But the point is that we are back to a problem that had already been noticed, and that I had pointed out in the past, for example here:

https://keinpfusch.net/le-basi-e-il-progetto-cagnara/

That is, the prime minister lacks the basics. The fundamentals.

And against this, there is nothing you can do.
