
Cyber Warfare - Milan 2015

  1. Cyberespionage and cryptography: protecting information in the Information Technology era. June 2015. Marco Pozzato, CTO, PrivateWave Italia S.p.A.
  2. Once upon a time...
     In old ages:
     ● Paper and envelopes
     ● Horses or vehicles
     Espionage was:
     ● expensive and time consuming → no mass scale
     ● invasive and visible
  3. 3rd Millennium
     Nowadays:
     ● Voice: landline and mobile
     ● Asynchronous messaging: SMS, email
     ● Instant messaging: WhatsApp, Facebook
     Communications are:
     ● digital → espionage is transparent and undetectable
     ● pervasive → mass wiretapping is cheap
  4. Mobile Networks Are Insecure
     ● GSM is broken!
     ● Cracked in 2011 with $20 hardware
     ● UMTS is theoretically flawed, practically secure
     ● Phones are dual mode → a jammer forces them to the GSM protocol
  5. Threats
     Privacy, business and national security threats:
     ● Government espionage
     ● Mass surveillance
     ● Industrial espionage
     Secure Voice & Text Communications
  6. Choose Secure Communication Solution
     ● Define Risk Context
     ● Who are my attackers?
     Which factors affect the decision?
  7. Technologies & Networks
     ● Data Over Voice (DoV) codec → impractical
     ● Circuit Switched Data (CSD) → phased out
     ● TETRA → expensive devices and poor network coverage
     Solution is Secure Voice over Internet Protocol
  8. Usability and Devices
     ● Secure Phone: hard security
     ● BlackBerry OS 5/6/7: push email
     ● iPhone: cool device
     ● Android: power users and geeks
     ● BlackBerry 10: security & EMM
     Users want their beloved smartphone and apps
  9. Software VS Hardware
     ● HW with Crypto SD card
       – Expensive
       – No SD card trend in new devices
       – Not replaceable
     ● SW only
       – Cheap
       – Flexible
       – Easily replaceable
  10. Architecture
  11. Architecture - Wiretapping
     ● Software as a Service in cloud
     ● Provider is responsible
     ● On premise
     ● Customer owns communication infrastructure
  12. Communications Protocols
     ● Proprietary
     ● Geopolitical Standards
     ● SCIP
     ● SNS
     ● Internet Open Standards
     ● SIP/TLS
     ● SRTP
     ● SDES
     ● ZRTP
  13. Vulnerability assessment
     ● Made by third party company
     ● Different methodologies