[kictanet] [Security Forum] [Skunkworks] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust

Grace Mutung'u (Bomu) nmutungu at gmail.com
Tue Jul 21 16:52:07 EAT 2015


Yes, Stephen,
I meant thin SIMs and their security.
I just saw an article comparing the two main mobile money services and I
understand Equitel also has (normal) SIMs.


2015-07-21 16:48 GMT+03:00 Stephen Munguti <kamitu.sm at gmail.com>:

> I think we should separate the issue of Equitel from the issue of thin
> SIMs. Equitel also has a normal SIM, even though it's the first to introduce
> thin SIMs into Kenya.
>
> On Tue, Jul 21, 2015 at 4:34 PM, Grace Mutung'u (Bomu) <nmutungu at gmail.com
> > wrote:
>
>> Very interesting turn the discussion has taken. Understandably, Equitel
>> is something to watch as it could disrupt the market. Many hope it will.
>> Are techies here telling us that the security of using an Equitel SIM cannot
>> be guaranteed unless there are strict internal controls?
>> Does this mean we already need laws for what is quite a novel application
>> in Kenya? And how does ethics, as mentioned by Jaco, come in here, if at all?
>>
>> 2015-07-21 16:17 GMT+03:00 Lesley Leposo via Security <
>> security at lists.my.co.ke>:
>>
>>> Cool Steve.
>>>
>>> Now from a policy and regulation standpoint, the fundamental issue (by
>>> far) is that…
>>>
>>> A *proprietary* technology is being deployed by a public utility/service.
>>>
>>> There are always major risks with going “proprietary” vs.
>>> standardized/open/open-source.
>>>
>>>
>>> On Jul 21, 2015, at 4:11 PM, Stephen Munguti <kamitu.sm at gmail.com>
>>> wrote:
>>>
>>> @ fredrick,
>>>
>>> I don't think the issue is with Equitel (given that they have normal SIM
>>> cards in use); I think the issue is the thin SIM.
>>>
>>> @lesley
>>>
>>> noted
>>>
>>> On Tue, Jul 21, 2015 at 3:52 PM, fredrick Wahome <frewah85 at gmail.com>
>>> wrote:
>>>
>>>> They would not have prevented thin SIM adoption, but they would have
>>>> played some politics using science. For now, let's hope that Mwangi is going
>>>> to disrupt this market and deliver us from monopolization.
>>>>
>>>> On Tue, Jul 21, 2015 at 3:36 PM, Stephen Munguti via Security <
>>>> security at lists.my.co.ke> wrote:
>>>>
>>>>> @lesley,
>>>>>
>>>>> The key issue is the data exchange between the Safaricom SIM card and
>>>>> the phone (this has nothing to do with the Safaricom servers), bearing in
>>>>> mind that there exists a third party between the Safaricom SIM and the
>>>>> phone.
>>>>>
>>>>> On Tue, Jul 21, 2015 at 3:28 PM, Lesley Leposo <leposo at unoasystems.com
>>>>> > wrote:
>>>>>
>>>>>> Everyone is griping about the keys (i.e. triplets and session keys
>>>>>> derived from that).
>>>>>> I think someone needs to be very specific about the security threat
>>>>>> involved here and both players aren’t revealing much.
>>>>>>
>>>>>> IMHO, there are at least 3 areas where security threats can emerge:
>>>>>>
>>>>>> 1) Normally EAP-SIM would be used to authenticate the client/phone
>>>>>> vs. the telco server (Safaricom in this case).
>>>>>> The valuable information in this case would be the SIM triplets (and
>>>>>> derived session key). Hence, this baseline EAP-SIM needs to be protected
>>>>>> (Safaricom knows how this is done).
>>>>>> If it isn't, then we already have a problem that's not due to the
>>>>>> thin SIM.
>>>>>>
>>>>>> 2) For the thin SIM, another EAP-SIM negotiation between the
>>>>>> client/phone vs. the overlay server (Equity in this case).
>>>>>> The valuable information again would be the thin-SIM triplets (and
>>>>>> derived session key). Hence this overlay EAP-SIM needs to be protected in a
>>>>>> manner that Safaricom can't even see it… this is totally in the domain of
>>>>>> how Equity has designed their network and their provisioning (e.g. by
>>>>>> encrypted negotiation & tunnelling directly between the client/phone and
>>>>>> the Equity server).
>>>>>>
>>>>>> 3) For the handsets, they would have to make sure that the telco
>>>>>> applications can’t snoop or inject traffic/data into each other’s walled
>>>>>> garden - there are 2 walled gardens in this case. The walled garden
>>>>>> includes the sim triplets (and derived session key) along with each telco
>>>>>> network routes, policies, arp-cache and tcp/ip connections. There exists a
>>>>>> possibility of threats due to backwards incompatibility (with phones that
>>>>>> can’t fully manage these walled gardens). Perhaps this is what Safaricom is
>>>>>> complaining about?
>>>>>>
>>>>>> On Jul 21, 2015, at 2:20 PM, Mwendwa Kivuva via Security <
>>>>>> security at lists.my.co.ke> wrote:
>>>>>>
>>>>>>
>>>>>> > @mwendwa,
>>>>>> >
>>>>>> > It's possible for the owner of the network of the thin SIM to be
>>>>>> privy to information that only the host network SIM should be having. It
>>>>>> all comes back to someone internal at Equitel having the proper technical
>>>>>> skills and motivation to use the same.
>>>>>>
>>>>>> Stephen,
>>>>>> Then we have a major problem right there. I would not like Safaricom
>>>>>> to disown any responsibility on their part when my security is compromised
>>>>>> because I used a thin SIM. Therefore any security-conscious user would not
>>>>>> dare jeopardize their transactions by using a thin SIM. The question then is,
>>>>>> how many of us care about their transaction security?
>>>>>>
>>>>>>
>>>>>>
>>>>>> >>
>>>>>> >> On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <
>>>>>> skunkworks at lists.my.co.ke> wrote:
>>>>>> >>>
>>>>>> >>> Then the trending issue of the day: Equitel. Safaricom had taken
>>>>>> Equity to court and sounded a big warning on the use of the thin SIM.
>>>>>> http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-to-users-of-Equity-s-thin-SIM/-/539550/2462110/-/cqwoby/-/index.html
>>>>>> >>>
>>>>>> >>> London-based GSMA, the global association of telecoms operators
>>>>>> using the GSM technology, wrote to the Kenyan authorities warning of the
>>>>>> risks that use of the slim SIM cards pose to the integrity of the mobile
>>>>>> telecommunications platforms. The GSMA said the overlay SIM (which is
>>>>>> embedded between a normal SIM card and the device) has the potential of
>>>>>> harvesting and revealing sensitive data passing through the system.
>>>>>> >>>
>>>>>> >>> Of course we all know Safaricom failed miserably in stopping
>>>>>> Equity from progressing with its plans.
>>>>>> >>>
>>>>>> >>> Now the thin SIM is here, and Equitel has said it will encrypt
>>>>>> all data to and from the thin SIM. Can experts in this area assure us that
>>>>>> the use of thin SIMs will not affect the integrity of M-Pesa transactions?
>>>>>> >>>
>>>>>> >>> Regards
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> _______________________________________________
>>>>>> >>> skunkworks mailing list
>>>>>> >>> skunkworks at lists.my.co.ke
>>>>>> >>> ------------
>>>>>> >>> List info, subscribe/unsubscribe
>>>>>> >>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>>>>> >>> ------------
>>>>>> >>>
>>>>>> >>> Skunkworks Rules
>>>>>> >>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>>>>> >>> ------------
>>>>>> >>> Other services @ http://my.co.ke
>>>>>>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >> --
>>>>>> >>
>>>>>> >> Best Regards,
>>>>>> >> Stephen Munguti.
>>>>>> >>
>>>>>> >> +254720425104
>>>>>>
>>>>>> _______________________________________________
>>>>>> Security mailing list
>>>>>> Security at lists.my.co.ke
>>>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/security
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Kind Regards,
>>>> Fredrick Wahome Ndung'u
>>>> Team Leader, Secunets Technologies Ltd
>>>> Website: www.secunets.com
>>>> Cell: +254725264890
>>>> Email: fred at secunets.com
>>>> Facebook: secunetstech | Twitter: @secunets | Skype: secunets.technologies
>>>> Experts in: Domain Registration, Web Hosting, Open Source Solutions,
>>>> Information Security & Training, Digital Forensic Investigations,
>>>> Web 2.0 Applications & I.C.T Consultancy.
>>>> "Secure Business Technology"
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Grace L.N. Mutung'u
>> Nairobi Kenya
>> Skype: gracebomu
>> Twitter: @Bomu
>>
>> <http://www.diplointernetgovernance.org/profile/GraceMutungu>
>>
>>
>
>
>



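The SIM-to-handset exchange that Stephen (the "third party between the Safaricom SIM and the phone") and Lesley (triplets and the session keys derived from them) are talking about, as an added example in Python. This is not code from the thread, from Safaricom or from Equity; it is a toy model that assumes the following, none of which the original page states: A3/A8 are stood in for by HMAC-SHA256 keyed with Ki (the real algorithms are operator secrets; only the card interface is standard); the APDU shapes follow GSM 11.11 (RUN GSM ALGORITHM, then GET RESPONSE returning SRES || Kc); the master-key formula follows RFC 4186 section 7; and Ki, the RAND challenges, the identity and NONCE_MT are constructed test values. The overlay in the model is purely passive: it forwards every APDU unchanged and records what it sees.

```python
"""Toy model of the SIM <-> handset interface an overlay ("thin") SIM sits on.

Added example, not code from the thread or from either operator. Assumptions:
  * A3/A8 are modelled with HMAC-SHA256 keyed by Ki (real A3/A8 are operator
    secrets; only the card interface is standardised).
  * APDUs follow GSM 11.11: RUN GSM ALGORITHM (A0 88 00 00 10 RAND) answers
    9F 0C, and GET RESPONSE (A0 C0 00 00 0C) returns SRES(4) || Kc(8).
  * The EAP-SIM master key follows RFC 4186 section 7.
  * Ki, RANDs, identity and NONCE_MT below are constructed test data.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


class HostSim:
    """The operator's own SIM: holds Ki and only speaks ISO 7816 APDUs."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki
        self._pending = b""

    def _a3a8(self, rand: bytes) -> Tuple[bytes, bytes]:
        # Stand-in for A3/A8. Output shape matches GSM: 32-bit SRES and a
        # 64-bit Kc whose low 10 bits are cleared, as COMP128-1 does.
        d = hmac.new(self._ki, rand, hashlib.sha256).digest()
        sres = d[:4]
        kc = d[4:10] + bytes([d[10] & 0xFC, 0x00])
        return sres, kc

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, _p1, _p2, p3 = apdu[:5]
        if (cla, ins) == (0xA0, 0x88):              # RUN GSM ALGORITHM
            sres, kc = self._a3a8(apdu[5:5 + p3])
            self._pending = sres + kc
            return b"\x9f\x0c"                      # 12 response bytes waiting
        if (cla, ins) == (0xA0, 0xC0):              # GET RESPONSE
            data, self._pending = self._pending, b""
            return data + b"\x90\x00"
        return b"\x6d\x00"                          # INS not supported


class OverlaySim:
    """Third party on the contacts between handset and SIM. It changes
    nothing here; it only forwards APDUs and records what passes."""

    def __init__(self, sim: HostSim) -> None:
        self._sim = sim
        self._last_rand: Optional[bytes] = None
        self.seen_triplets: List[Tuple[bytes, bytes, bytes]] = []

    def transmit(self, apdu: bytes) -> bytes:
        resp = self._sim.transmit(apdu)
        if apdu[1] == 0x88:
            self._last_rand = apdu[5:21]
        elif apdu[1] == 0xC0 and self._last_rand is not None and len(resp) == 14:
            # SRES and Kc come back in the clear on the same wire.
            self.seen_triplets.append((self._last_rand, resp[:4], resp[4:12]))
            self._last_rand = None
        return resp


def me_authenticate(card, rand: bytes) -> Tuple[bytes, bytes]:
    """What the handset (ME) does with the network's RAND challenge."""
    status = card.transmit(bytes([0xA0, 0x88, 0x00, 0x00, 0x10]) + rand)
    if status[0] != 0x9F:
        raise RuntimeError(f"unexpected SW {status.hex()}")
    data = card.transmit(bytes([0xA0, 0xC0, 0x00, 0x00, status[1]]))
    if data[-2:] != b"\x90\x00":
        raise RuntimeError(f"GET RESPONSE failed: {data.hex()}")
    return data[:4], data[4:12]


def eap_sim_master_key(identity: bytes, kcs: List[bytes], nonce_mt: bytes,
                       version_list: List[int], selected_version: int) -> bytes:
    """RFC 4186 s.7: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List |
    Selected Version). Identity, NONCE_MT and the version fields travel
    unencrypted in EAP-SIM, so Kc is the only secret input."""
    h = hashlib.sha1()
    h.update(identity)
    for kc in kcs:
        h.update(kc)
    h.update(nonce_mt)
    h.update(b"".join(v.to_bytes(2, "big") for v in version_list))
    h.update(selected_version.to_bytes(2, "big"))
    return h.digest()


def run_scenario(ki: bytes = bytes(range(16)),
                 rands: Tuple[bytes, ...] = tuple(bytes([i]) * 16 for i in (1, 2, 3))
                 ) -> Dict[str, object]:
    """Authenticate three times through the overlay and compare what the
    handset computed with what the overlay observed."""
    overlay = OverlaySim(HostSim(ki))
    phone_view = [(r,) + me_authenticate(overlay, r) for r in rands]

    # Constructed EAP-SIM public parameters (identity, NONCE_MT, versions).
    identity, nonce_mt = b"user@example.org", bytes(16)
    mk_phone = eap_sim_master_key(identity, [kc for _, _, kc in phone_view], nonce_mt, [1], 1)
    mk_overlay = eap_sim_master_key(identity, [kc for _, _, kc in overlay.seen_triplets], nonce_mt, [1], 1)
    return {
        "observed": len(overlay.seen_triplets),
        "triplets_match": overlay.seen_triplets == phone_view,
        "kc_low_bits_zero": all(kc[7] == 0 and kc[6] & 0x03 == 0 for _, _, kc in phone_view),
        "mk_match": mk_phone == mk_overlay,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Run it and every check comes back True: the overlay ends up holding the same (RAND, SRES, Kc) triplets as the handset, because the card returns SRES and Kc in the clear over the contacts the overlay sits on, and with Kc in hand the EAP-SIM master key follows from values the protocol itself sends unencrypted. That is the interface-level point in the thread: whatever encryption the overlay uses for its own channel to its server (Lesley's point 2) does not change what is visible on the host SIM's contacts (point 1), and neither operator's servers take part in that hop. The model says nothing about what any particular product actually does with the traffic; it shows what that position on the wire permits.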