Saturday, April 25, 2015

Telia’s carelessness opens the network to eavesdropping – Dagens Nyheter

The Swedish telecom network may be vulnerable to targeted attacks as well as eavesdropping by a foreign power. A consulting company in India has been given unique access to central servers at TeliaSonera. DN can reveal that sensitive passwords are emailed unencrypted.

Dagens Nyheter can today show serious weaknesses in the Swedish telecom infrastructure. It concerns fixed telephony, which is used by almost 3.9 million subscribers. In addition to ordinary residential and business customers, Swedish authorities, including the government, use fixed telephony.

In practice, TeliaSonera is still largely responsible for the copper network through its subsidiary Skanova. For a few years now, parts of the maintenance of the underlying IT systems have been outsourced to a consulting company in India.

It is not uncommon for Swedish companies to hire consultants in low-wage countries. What is special about this case is that the staff in India have deep and direct access to several central computers in Sweden. This includes operational systems, such as telephone switches and DSLAMs, which are the station-side systems that control ADSL connections (broadband over the copper network).

The consulting company also has access to the Swedish number portability system, which governs how subscribers switch between telephone companies.

Dagens Nyheter's sources, who have good insight into TeliaSonera’s IT security, say that the consultants could relatively easily, for example:

• Monitor calls by redirecting a number so that it goes through another number.

• Knock out the entire Swedish telecommunications system, or create chaos that could take time to clear up.

• Change a number so that it purports to be a different one than it is.

• Turn off alarms that use the telephone network.

The servers that the consultants in India connect to are physically located in Sweden. They first connect remotely to a Windows computer. From there they connect to the computers, for example via a program called SSH, which is used to administer servers. Both the username and the password are often sent unencrypted by e-mail, according to DN’s sources.

Emailing sensitive data is highly inappropriate, according to cyber security expert Leif Nixon. It is particularly inappropriate when it is sent to people in other countries, because the traffic is likely to be picked up by foreign intelligence services.

– Sending passwords in clear text by email should be a “big no-no” for an operator, says Leif Nixon.

The Snowden documents show that the US intelligence agency NSA and its British counterpart GCHQ have shown great interest in telecommunications.

According to DN’s sources, there are programs in the systems in Sweden that log all actions carried out, but in some cases the consultants are also authorized to clear these logs. In some cases, usernames in the systems are not tied to specific persons, which would hamper an investigation.

DN sat down at a computer together with the sources and got to see how the system looks “under the hood”. We have also seen examples where passwords are sent unencrypted by email.

Håkan Remaining Power, Security Manager at TeliaSonera, does not think it matters whether the systems are administered from Sweden or abroad.

– We have strict agreements that regulate the security requirements with all our suppliers. They are subject to the same security requirements as we have for our own employees.

Which systems subcontractors should have access to is decided on a case-by-case basis. Remaining Power does not want to go into which systems are accessible from abroad, for example whether a foreign consultancy firm is authorized to intercept calls.

How do you view the fact that passwords are emailed unencrypted?

– That is nothing I know to have occurred. Emailing passwords is a violation of our security policies. This is serious. Passwords should never be sent in clear text. It must not happen, says Håkan Remaining Power.

The Post and Telecom Agency has supervisory responsibility for telecom operators. On Thursday the authority wanted to defer commenting.

– It is difficult to say at present whether you have done right or wrong. When it comes to password management, it is of course important that Telia acts. There are regulations that passwords should be handled in a safe manner and that the person shall have received the required training. There should be great privilege management, says Staffan Lindmark.
