Re: [isoc_ke] [Skunkworks] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust

Well said with Steve and Explorer,
Security matters are tied to value systems. Without values there is no security. I stand to be corrected, but in the Vision 2030 document we had a pillar that received very little attention. This pillar touched on national values; I think this is where the rain started beating us on the security front. Recent interventions from the government and religious communities have emphasized collective responsibility and being your brother's keeper (Nyumba Kumi et al). I think the same approach should be applied to stem cyber security, that is, sensitizing users on the importance of confidentiality. This can best be done by implementing security standards such as the ISO 27000 series, which break down security into layman's language.
Regards
On 7/21/15, Stephen Munguti via skunkworks <skunkworks@lists.my.co.ke> wrote:
Hello all,
I think most of our security concerns stem from internal users, and this is the reason many banks and telcos refuse to part with this information. I could be wrong though.
On Tue, Jul 21, 2015 at 8:58 AM, Grace Mutung'u (Bomu) via skunkworks <skunkworks@lists.my.co.ke> wrote:
Dear Listers,
Kenya has had its fair share of high-profile cyber threats, hacking etc., the latest being the alleged compromise of the IFMIS system at NYS/Ministry of Devolution. The country, and Africa at large, is making efforts to assure cyber security. These include, among others, her involvement in the African Union Convention on Cybercrime and a proposal for a Cybercrime law, an initiative led by the Office of the Director of Public Prosecutions. Significant financial resources have also been earmarked by government for security, and cyber security in particular. There are also partnerships between government and the private sector in deploying cyber security centres.
The private sector has employed practical measures to protect their businesses. However, businesses such as mobile money providers and banks have been shy to divulge their cyber security concerns to protect their interests.
Civil society on the other hand has raised concern about the line between protecting the cyber space and creating a facilitative environment for innovators as well as protecting the rights of users.
Are our efforts at deterring cyber-crime the correct way to assure cyber security? Are fears about a partnership between government and private sector and the general fears about stifling innovation and human rights in the name of cybersecurity legitimate? Are there other practical approaches that different stakeholders can take to enhance cyber security?
Over to you.
--
Grace L.N. Mutung'u
Nairobi, Kenya
Skype: gracebomu
Twitter: @Bomu
http://www.diplointernetgovernance.org/profile/GraceMutungu
_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
List info, subscribe/unsubscribe: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
Skunkworks Rules: http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
Other services @ http://my.co.ke
--
Best Regards, Stephen Munguti.
+254720425104
--
Barrack O. Otieno
+254721325277
+254-20-2498789
Skype: barrack.otieno
http://www.otienobarrack.me.ke/

The biggest question is whether the people responsible for cyber security in government have the resources and technical capacity. A good example is the recent embarrassing Hacking Team exposure, in which one of the officers in the NSIS is captured seeking international help in defacing a simple blog.
On Jul 21, 2015 10:22 AM, "Barrack Otieno via skunkworks" <skunkworks@lists.my.co.ke> wrote:

On 21 July 2015 at 11:00, Jared Koyier via Security <security@lists.my.co.ke> wrote:
The biggest question is whether people responsible for CyberSecurity in government have the resources and technical capacity. Good example is the recent embarrassing hackingteam exposure in which one of the officers in the NSIS is captured seeking international help in defacing a simple blog.
Just for the record, here is the email transcript where Kenyan State House operatives were allegedly seeking EXTERNAL help to hack Kenyan websites: https://www.wikileaks.org/hackingteam/emails/?q=kensi.org&mfrom=&mto=&title=...
and this is how the Nation reported the story: http://mobile.nation.co.ke/news/NIS-WikiLeaks-Hacking-Team-Surveillance/-/19...
Of interest is that some time back, a Kenyan government agency was giving orders that all websites should be hosted locally. From the Hacking Team fiasco, we can clearly see why the government wants websites to be hosted locally: so that they can just physically seize the computer box instead of having to employ hackers from Russia to do the dirty job for them.
I am surprised civil society actors have not come out very strongly to question this move of internal hacking by government. After Snowden, we saw how civil society in the US came out very strongly to protest the violation of basic rights by the State. The US government had to apologize for the embarrassing revelations and try to cover its back. Of course the argument I hear these days is that there is no government that does not do cyber espionage, only that some governments are more adept in their skills than others.
Regards
______________________
Mwendwa Kivuva, Nairobi, Kenya
"There are some men who lift the age they inhabit, till all men walk on higher ground in that lifetime." - Maxwell Anderson

Then the trending issue of the day: Equitel. Safaricom had taken Equity to court and sounded a big warning on the use of the thin SIM. http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-t...
London-based GSMA, the global association of telecoms operators using the GSM technology, wrote to the Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms. The GSMA said the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing through the system.
Of course we all know Safaricom failed miserably in stopping Equity from progressing with its plans.
Now the thin SIM is here, and Equitel has said it will encrypt all data to and from the thin SIM. Can experts in this area assure us that the use of thin SIMs will not affect the integrity of M-Pesa transactions?
Regards
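The GSMA warning quoted above describes the overlay SIM as sitting between the handset and the normal SIM, able to read whatever passes through it, and the message asks whether Equitel's promise to encrypt the data answers the integrity question. The Python model below is an added example written for this thread; it is not code from any list member, Equitel, Safaricom or the GSMA, and its messages, key, the HMAC-based toy stream cipher and the names `interposer`, `seal`, `open_sealed` and `run` are all assumptions. It passes one constructed M-Pesa-style instruction through a simulated interposer under three schemes (plaintext, encrypt-only, encrypt-then-MAC) and reports what the interposer could read and whether an alteration on the path was caught by the receiving side.

```python
"""Toy model of an overlay ("thin") SIM on the path between a handset app and
the bank's back end. Added example: every message, key and name is constructed
here; none of it is Equitel's, Safaricom's or the GSMA's."""
import hashlib
import hmac

# Constructed key shared by the banking applet and the back end only.
# Assumption of the model: the overlay SIM never holds this key.
SHARED_KEY = b"constructed-demo-key-not-a-real-key"
NONCE = b"\x00" * 12  # fixed for reproducibility; must be unique per message in practice
TX = b"SEND 1000 TO 0722000000"  # constructed M-Pesa-style instruction
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (demo only;
    a real deployment would use an AEAD such as AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Also decrypts (XOR is
    its own inverse) and, like any stream cipher, is malleable."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(key, nonce || ciphertext)."""
    ct = encrypt_only(key, nonce, plaintext)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, nonce: bytes, blob: bytes):
    """Verify the tag in constant time, then decrypt. Returns None on failure."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt_only(key, nonce, ct)


def interposer(wire: bytes, tamper: bool) -> bytes:
    """The overlay SIM in the model: it sees every byte on the wire and, when
    `tamper` is set, flips one bit in the byte carrying the amount's first
    digit (index 5 of TX; '1' ^ 0x08 == '9')."""
    if not tamper:
        return wire
    mutated = bytearray(wire)
    mutated[5] ^= 0x08
    return bytes(mutated)


def run(scheme: str, tamper: bool) -> dict:
    """Send TX through the interposer under one scheme and report what the
    interposer could read and what the back end ended up accepting."""
    if scheme == "plaintext":
        wire = TX
    elif scheme == "encrypt_only":
        wire = encrypt_only(SHARED_KEY, NONCE, TX)
    elif scheme == "encrypt_then_mac":
        wire = seal(SHARED_KEY, NONCE, TX)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")

    readable = wire.startswith(b"SEND")  # could the interposer read the instruction?
    delivered = interposer(wire, tamper)

    if scheme == "plaintext":
        accepted = delivered
    elif scheme == "encrypt_only":
        accepted = encrypt_only(SHARED_KEY, NONCE, delivered)
    else:
        accepted = open_sealed(SHARED_KEY, NONCE, delivered)

    return {
        "interposer_read_plaintext": readable,
        "accepted": accepted,  # None means the back end rejected the message
        "tamper_detected": accepted is None,
        "amount_changed": accepted is not None and accepted != TX,
    }


if __name__ == "__main__":
    for scheme in ("plaintext", "encrypt_only", "encrypt_then_mac"):
        for tamper in (False, True):
            r = run(scheme, tamper)
            print(f"{scheme:17} tamper={tamper!s:5} readable={r['interposer_read_plaintext']!s:5} "
                  f"detected={r['tamper_detected']!s:5} amount_changed={r['amount_changed']}")
```

Run as a script it prints the six cases. Against the thread's question: encryption alone, which is what Equitel is quoted as promising, keeps the instruction unreadable to whatever sits on the SIM path, but the encrypt-only row shows the amount still being altered without the back end noticing; only the encrypt-then-MAC row rejects the altered message, and it does so because the tag key lives at the two endpoints and not on the overlay. That is the property an assurance about M-Pesa integrity would need to state: a verified message authentication code (or an AEAD cipher) keyed between the bank's applet and its back end, not encryption by itself.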

@Hosea, could not have put it more appropriately.
On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <skunkworks@lists.my.co.ke> wrote:

@mwendwa,
It's possible for the owner of the network of the thin SIM to be privy to information that only the host network SIM should be having. It all comes back to someone internal at Equitel having the proper technical skills and motivation to use the same.
On Tue, Jul 21, 2015 at 2:02 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:

Stephen,
Then we have a major problem right there. I would not like Safaricom to disown any responsibility on their part when my security is compromised because I used a thin SIM. Therefore any security-conscious user would not dare jeopardize their transactions by using a thin SIM. The question then is, how many of us care about their transaction security?

@mwendwa
http://www.gsma.com/publicpolicy/wp-content/uploads/2014/08/GSMA-Security-Gr...
The major risk is Equitel's internal staff; I have never witnessed over-the-air GSM hacks.
On Tue, Jul 21, 2015 at 2:20 PM, Mwendwa Kivuva <Kivuva@transworldafrica.com> wrote:

As a potential end user I would be skeptical to move to Equitel purely based on noises from the media. As a technical user I would wait for a proof of concept of the said risk...
On Tue, Jul 21, 2015 at 2:20 PM, Mwendwa Kivuva via Security <security@lists.my.co.ke> wrote:
_______________________________________________ Security mailing list Security@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/security
--
Kind Regards;
Fredrick Wahome Ndung'u
Team Leader, Secunets Technologies Ltd
Website: www.secunets.com
Cell: +254725264890
Email: fred@secunets.com
Facebook: secunetstech
Twitter: @secunets
Skype: secunets.technologies
Experts in: Domain Registration, Web Hosting, Open Source Solutions, Information Security & Training, Digital Forensic Investigations, Web 2.0 Applications & I.C.T Consultancy.
"Secure Business Technology"
SECUNETS TECHNOLOGIES DISCLAIMER: This email message and any file(s) transmitted with it is intended solely for the individual or entity to whom it is addressed and may contain confidential and/or legally privileged information which confidentiality and/or privilege is not lost or waived by reason of mistaken transmission. If you have received this message by error you are not authorized to view, disseminate, distribute or copy the message without the written consent of Secunets Technologies and are requested to contact the sender by telephone or e-mail and destroy the original. Although Secunets Technologies takes all reasonable precautions to ensure that this message and any file transmitted with it is virus free, Secunets Technologies accepts no liability for any damage that may be caused by any virus transmitted by this email.

@Fredrick,
The US intelligence is able to tap mobile phones in this manner, or so I heard. I am thinking that's where the technology first appeared. This may be as a result of watching too many movies.
On Tue, Jul 21, 2015 at 3:00 PM, fredrick Wahome <frewah85@gmail.com> wrote:

Hehe.. based on the fact that the paradigm is shifting from the internet of things to the internet of everything, the cyber threat is basically on everything that we consume as digital consumers. With most embedded systems having hard-coded backdoors which developers know of but "pray" no one knows, it's clear that very soon we might give in to the risks. IP and GSM are flawed at the core, but we continue using them.
On Tue, Jul 21, 2015 at 3:07 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:

@fredrick,
GSM is intentionally flawed in the core to allow for LI (lawful interceptions). The thin sim from my movie knowledge is used to avoid LI and still intercept information assuming that the person in question has connections in the provider network that would inform him that his phone has been LIed
On Tue, Jul 21, 2015 at 3:17 PM, fredrick Wahome <frewah85@gmail.com> wrote:
Hehe.. based on the fact that the paradigm is shifting from internet of things to internet of everything, the cyber threat is basically on everything that we consume as digital consumers. With most embedded systems having hard-coded backdoors which developers know of but "pray" no one knows, it's clear that very soon we might give in to the risks. The I.P and GSM being flawed on the core but we continue using them.
On Tue, Jul 21, 2015 at 3:07 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:
@Fredrick,
The US intelligence is able to tap mobile phones in this manner, or so I heard. I am thinking that's where the technology first appeared. This may be as a result of watching too many movies
On Tue, Jul 21, 2015 at 3:00 PM, fredrick Wahome <frewah85@gmail.com> wrote:
As a potential end user I would be skeptical to move to equitel purely based on noises from media. As a technical user I would wait for a proof of concept of the said risk...
On Tue, Jul 21, 2015 at 2:20 PM, Mwendwa Kivuva via Security < security@lists.my.co.ke> wrote:
@mwendwa,
It's possible for the owner of the network of the thin sim to be privy to information that only the host network sim should be having. It all comes back to someone internal at Equitel having the proper technical skills and motivation to use the same
Stephen, Then we have a major problem right there. I would not like Safaricom to disown any responsibility on their part when my security is compromised because I used thin sim. Therefore any security conscious users would not dare jeopardize their transactions by using thin sim. The question then is, how many of us care about their transaction security?
On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <
skunkworks@lists.my.co.ke> wrote:
> Then the trending issue of the day. Equitel. Safaricom had taken Equity to court and sounded a big warning on the use of thin sim. http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-t...
>
> London-based GSMA, the global association of telecoms operators using the GSM technology, wrote to the Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms. The GSMA said the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing the system.
>
> Of course we all know Safaricom failed miserably in stopping Equity from progressing with its plans.
>
> Now the thin sim is here, and Equitel has said it will encrypt all data to and from the thin sim. Can experts in this area assure us that the use of thin sims will not affect the integrity of M-Pesa transactions?
>
> Regards
>
> _______________________________________________
> skunkworks mailing list
> skunkworks@lists.my.co.ke
> List info, subscribe/unsubscribe: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
> Skunkworks Rules: http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
> Other services @ http://my.co.ke
_______________________________________________ Security mailing list Security@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/security

I think with the ample time and resources at Safaricom's disposal before this issue was ruled in Equity's favor, from a business perspective they would have demonstrated a POC rather than requesting for GSMA, which is made up of people who can be compromised to give their word. That way many potential customers would have believed Safcom and shied away.
On Tue, Jul 21, 2015 at 3:23 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:
@fredrick,
GSM is intentionally flawed in the core to allow for LI (lawful interceptions). The thin sim from my movie knowledge is used to avoid LI and still intercept information assuming that the person in question has connections in the provider network that would inform him that his phone has been LIed

On 21 July 2015 at 15:36, fredrick Wahome via Security < security@lists.my.co.ke> wrote:
I think with the ample time and resources at Safaricom's disposal before this issue was ruled in Equity's favor, from a business perspective they would have demonstrated a POC rather than requesting for GSMA, which is made up of people who can be compromised to give their word. That way many potential customers would have believed Safcom and shied away.
Even if Safaricom had demonstrated a POC, would they have managed to sway the political heavyweights not to support the adoption of thin sim? Methinks the decision and ruling was made through the corridors of power rather than through Science.
______________________
Mwendwa Kivuva, Nairobi, Kenya
"There are some men who lift the age they inhabit, till all men walk on higher ground in that lifetime." - Maxwell Anderson

Everyone is griping about the keys (i.e. triplets and session keys derived from that). I think someone needs to be very specific about the security threat involved here and both players aren’t revealing much.
IMHO, there are at least 3 areas where security threats can emerge:
1) Normally EAP-SIM would be used to authenticate the client/phone vs. the telco server (Safaricom in this case). The valuable information in this case would be the SIM triplets (and derived session key). Hence, this baseline EAP-SIM needs to be protected (Safaricom knows how this is done). If it isn’t, then we already have a problem that’s not due to thin-sim.
2) For the thin-sim, another EAP-SIM negotiation between the client/phone vs. the overlay server (Equity in this case). The valuable information again would be the thin-SIM triplets (and derived session key). Hence this overlay EAP-SIM needs to be protected in a manner that Safaricom can’t even see it… this is totally in the domain of how Equity has designed their network and their provisioning (e.g. by encrypted negotiation & tunnelling directly between the client/phone and the Equity server).
3) For the handsets, they would have to make sure that the telco applications can’t snoop or inject traffic/data into each other’s walled garden - there are 2 walled gardens in this case. The walled garden includes the sim triplets (and derived session key) along with each telco network's routes, policies, arp-cache and tcp/ip connections. There exists a possibility of threats due to backwards incompatibility (with phones that can’t fully manage these walled gardens). Perhaps this is what Safaricom is complaining about?
On Jul 21, 2015, at 2:20 PM, Mwendwa Kivuva via Security <security@lists.my.co.ke> wrote:
@mwendwa,
It's possible for the owner of the network of the thin sim to be privy to information that only the host network sim should be having. It all comes back to someone internal at Equitel having the proper technical skills and motivation to use the same
Stephen, Then we have a major problem right there. I would not like Safaricom to disown any responsibility on their part when my security is compromised because I used thin sim. Therefore any security conscious users would not dare jeopardize their transactions by using thin sim. The question then is, how many of us care about their transaction security?
On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <skunkworks@lists.my.co.ke <mailto:skunkworks@lists.my.co.ke>> wrote:
Then the trending issue of the day. Equitel. Safaricom had taken Equity to court and sounded a big warning on the use of thin sim. http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-t... <http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-to-users-of-Equity-s-thin-SIM/-/539550/2462110/-/cqwoby/-/index.html>
London-based GSMA, the global association of telecoms operators using the GSM technology, wrote to the Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms.The GSMA said the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing the system.
Of course we all know Safaricom failed miserably in stopping Equity from progressing with its plans.
Now the thin sim is here, and Equitel has said it will encrypt all data to and from the thin sim. Can experts in this area assure us that the use of thin sims will not affect the integrity of M-Pesa transactions?
Regards
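To make concrete which of the values Lesley lists actually cross the SIM-to-handset interface, here is a toy model of the triplet challenge/response that underlies the EAP-SIM exchange in points 1 and 2, with a pass-through overlay placed in the path as the GSMA letter quoted above describes. It is an added example, not code from anyone in this thread or from either operator: `toy_a3a8` uses HMAC-SHA256 in place of the operator's real A3/A8 algorithm (an assumption; the thread does not name it), every key is generated at random, and the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets


def toy_a3a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8: derive (SRES, Kc) from Ki and RAND.

    Assumption: HMAC-SHA256 replaces the operator-specific algorithm, which
    the thread does not name. Output sizes follow GSM: 32-bit SRES, 64-bit Kc.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """The operator's SIM: answers challenges but never exports Ki."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        # Over the SIM-to-handset interface the card hands SRES and Kc back
        # unencrypted; that is the data anything sitting in the path can watch.
        return toy_a3a8(self._ki, rand)


class OverlaySim:
    """A thin/overlay SIM between the handset and the operator's SIM.

    It forwards every command unchanged but keeps a record of what passed
    through, which is the "harvesting" exposure the GSMA letter describes.
    """

    def __init__(self, inner: Sim) -> None:
        self._inner = inner
        self.seen: list[dict[str, bytes]] = []

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        sres, kc = self._inner.run_gsm_algorithm(rand)
        self.seen.append({"RAND": rand, "SRES": sres, "Kc": kc})
        return sres, kc


class AuC:
    """The home network's authentication centre; shares Ki with the SIM."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki

    def fresh_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # 128-bit RAND, new every round

    def verify(self, rand: bytes, sres: bytes) -> bool:
        expected, _ = toy_a3a8(self._ki, rand)
        return hmac.compare_digest(expected, sres)


def authenticate(auc: AuC, card) -> tuple[bool, bytes]:
    """One challenge/response round through whatever 'card' the handset sees."""
    rand = auc.fresh_challenge()
    sres, kc = card.run_gsm_algorithm(rand)
    return auc.verify(rand, sres), kc


def exposure_report(ki: bytes, auc: AuC, overlay: OverlaySim, kc: bytes) -> dict[str, bool]:
    """What the interposed layer learned, and what it still cannot do."""
    values_seen = [v for rec in overlay.seen for v in rec.values()]
    fresh = auc.fresh_challenge()
    return {
        # the radio-link session key crossed the interposer in the clear
        "kc_seen_by_overlay": kc in values_seen,
        # the long-term subscriber key never left the real card
        "ki_seen_by_overlay": any(ki in v for v in values_seen),
        # a recorded triplet answers only its own RAND, not a new challenge
        "log_answers_fresh_challenge": any(rec["RAND"] == fresh for rec in overlay.seen),
    }


def demo() -> dict[str, object]:
    ki = secrets.token_bytes(16)  # constructed: lives only in the SIM and the AuC
    sim, auc = Sim(ki), AuC(ki)
    overlay = OverlaySim(sim)     # the handset now talks to the overlay, not the SIM
    ok, kc = authenticate(auc, overlay)
    report: dict[str, object] = dict(exposure_report(ki, auc, overlay, kc))
    report["auth_ok"] = ok
    return report


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the session key Kc passing through the overlay while Ki does not, and a recorded triplet cannot answer a fresh RAND. That is the shape of the risk in point 1: what sits between card and handset sees per-session material, not the subscriber key, so any application traffic whose confidentiality rests only on the radio-link key is exposed to it, and the separately encrypted channel in point 2 is what has to protect an application's own data.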

@lesley,
The key issue is the data exchange between the Safaricom SIM card and the phone (this has nothing to do with the Safaricom servers), bearing in mind that there exists a third party between the Safaricom SIM and the phone
On Tue, Jul 21, 2015 at 3:28 PM, Lesley Leposo <leposo@unoasystems.com> wrote:
Everyone is griping about the keys (i.e. triplets and session keys derived from that). I think someone needs to be very specific about the security threat involved here and both players aren’t revealing much.
IMHO, there are at least 3 areas where security threats can emerge:
1) Normally EAP-SIM would be used to authenticate the client/phone vs. the telco server (Safaricom in this case). The valuable information in this case would be the SIM triplets (and derived session key). Hence, this baseline EAP-SIM needs to be protected (Safaricom knows how this is done). If it isn’t, then we already have a problem that’s not due to thin-sim.
2) For the thin-sim, another EAP-SIM negotiation between the client/phone vs. the overlay server (Equity in this case). The valuable information again would be the thin-SIM triplets (and derived session key). Hence this overlay EAP-SIM needs to be protected in a manner that Safaricom can’t even see it… this is totally in the domain of how Equity has designed their network and their provisioning (e.g. by encrypted negotiation & tunnelling directly between the client/phone and the Equity server).
3) For the handsets, they would have to make sure that the telco applications can’t snoop or inject traffic/data into each other’s walled garden - there are 2 walled gardens in this case. The walled garden includes the sim triplets (and derived session key) along with each telco network routes, policies, arp-cache and tcp/ip connections. There exists a possibility of threats due to backwards incompatibility (with phones that can’t fully manage these walled gardens). Perhaps this is what Safaricom is complaining about?

They would not have prevented thin SIM adoption but they would have played some politics using science. For now let's hope that Mwangi is going to disrupt this market and deliver us from monopolization.
On Tue, Jul 21, 2015 at 3:36 PM, Stephen Munguti via Security <security@lists.my.co.ke> wrote:
@lesley,
The key issue is the data exchange between the Safaricom SIM card and the phone (this has nothing to do with the Safaricom Servers), bearing in mind that there exists a third party between the Safaricom SIM and the Phone

@fredrick,
I don't think the issue is with Equitel (given that they have normal sim cards in use), I think the issue is the thin sim @lesley noted
On Tue, Jul 21, 2015 at 3:52 PM, fredrick Wahome <frewah85@gmail.com> wrote:
They would not have prevented thin SIM adoption but they would have played some politics using science. For now lets hope that Mwangi is going to disrupt this market and deliver us from monopolization.
On Tue, Jul 21, 2015 at 3:36 PM, Stephen Munguti via Security < security@lists.my.co.ke> wrote:
@lesley,
The key issue is the data exchange between the Safaricom SIM card and the phone (this has nothing to do with the Safaricom servers), bearing in mind that there exists a third party between the Safaricom SIM and the phone.
On Tue, Jul 21, 2015 at 3:28 PM, Lesley Leposo <leposo@unoasystems.com> wrote:
Everyone is griping about the keys (i.e. triplets and session keys derived from that). I think someone needs to be very specific about the security threat involved here and both players aren’t revealing much.
IMHO, there are at least 3 areas where security threats can emerge:
1) Normally EAP-SIM would be used to authenticate the client/phone vs. the telco server (Safaricom in this case). The valuable information in this case would be the SIM triplets (and derived session key). Hence, this baseline EAP-SIM needs to be protected (Safaricom knows how this is done). If it isn't, then we already have a problem that's not due to thin-SIM.
2) For the thin-SIM, another EAP-SIM negotiation between the client/phone vs. the overlay server (Equity in this case). The valuable information again would be the thin-SIM triplets (and derived session key). Hence this overlay EAP-SIM needs to be protected in a manner that Safaricom can't even see it… this is totally in the domain of how Equity has designed their network and their provisioning (e.g. by encrypted negotiation & tunnelling directly between the client/phone and the Equity server).
3) For the handsets, they would have to make sure that the telco applications can't snoop or inject traffic/data into each other's walled garden - there are 2 walled gardens in this case. The walled garden includes the SIM triplets (and derived session key) along with each telco network's routes, policies, ARP cache and TCP/IP connections. There exists a possibility of threats due to backwards incompatibility (with phones that can't fully manage these walled gardens). Perhaps this is what Safaricom is complaining about?
On Jul 21, 2015, at 2:20 PM, Mwendwa Kivuva via Security <security@lists.my.co.ke> wrote:
@mwendwa,
It's possible for the owner of the network of the thin SIM to be privy to information that only the host network SIM should be having. It all comes back to someone internal at Equitel having the proper technical skills and motivation to use the same.
Stephen, then we have a major problem right there. I would not like Safaricom to disown any responsibility on their part when my security is compromised because I used thin SIM. Therefore any security-conscious user would not dare jeopardize their transactions by using thin SIM. The question then is, how many of us care about their transaction security?
On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <skunkworks@lists.my.co.ke> wrote:
Then the trending issue of the day: Equitel. Safaricom had taken Equity to court and sounded a big warning on the use of thin SIM. http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-to-users-of-Equity-s-thin-SIM/-/539550/2462110/-/cqwoby/-/index.html
London-based GSMA, the global association of telecoms operators using the GSM technology, wrote to the Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms. The GSMA said the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing through the system.
Of course we all know Safaricom failed miserably in stopping Equity from progressing with its plans.
Now the thin SIM is here, and Equitel has said it will encrypt all data to and from the thin SIM. Can experts in this area assure us that the use of thin SIMs will not affect the integrity of M-Pesa transactions?
Regards
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
--
Best Regards, Stephen Munguti.
+254720425104
_______________________________________________ Security mailing list Security@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/security

Cool Steve.
Now from a policy and regulation standpoint, the fundamental issue (by far) is that a *proprietary* technology is being deployed by a public utility/service. There are always major risks with going "proprietary" vs. standardized/open/open-source.
On Jul 21, 2015, at 4:11 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:

@lesley,
Though I am not clear on how the phone's capabilities will come in, given that the overlay SIM is acting as a bridge between the first SIM card (let's say the Safaricom SIM) and the phone.
On Tue, Jul 21, 2015 at 4:17 PM, Lesley Leposo <leposo@unoasystems.com> wrote:

@stephen regarding device capabilities…
Conceptually, my single-SIM phone would have to work like a dual-SIM phone in many respects… right?
2ndly, an app (even a system application) on the phone typically initiates interaction with the SIM through some protected phone OS API. So an Equitel application would need to access the Equitel SIM API only, and the same for the Safaricom app.
3rdly, all Airtel apps should be bound to the interface associated with the Airtel service; the same goes for Safaricom. e.g.
- an Equitel app should not be able to snoop/tcpdump the Safaricom traffic and vice versa.
- an Equitel app should not be able to inject rogue traffic into the Safaricom network and vice versa.
On Jul 21, 2015, at 4:28 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:

Very interesting turn the discussion has taken. Understandably, Equitel is something to watch as it could disrupt the market; many hope it will. Are techies here telling us that the security of using the Equitel SIM cannot be guaranteed unless there are strict internal controls? Does this mean we already need laws for what is quite a novel application in Kenya? And how does ethics, as mentioned by Jaco, come in here, if at all?
2015-07-21 16:17 GMT+03:00 Lesley Leposo via Security <security@lists.my.co.ke>:
Cool Steve.
Now from a policy and regulation standpoint, the fundamental isssue (by far) is that….
A *proprietary* technology is being deployed by a public utility/service.
There are always major risks with going “proprietary” vs. standardized/open/open-source.
On Jul 21, 2015, at 4:11 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:
@ fredrick,
I don't think the issue is with Equitel (given that they have normal sim cards in use), I think the issue is the thin sim
@lesley
noted
On Tue, Jul 21, 2015 at 3:52 PM, fredrick Wahome <frewah85@gmail.com> wrote:
They would not have prevented thin SIM adoption but they would have played some politics using science. For now lets hope that Mwangi is going to disrupt this market and deliver us from monopolization.
On Tue, Jul 21, 2015 at 3:36 PM, Stephen Munguti via Security < security@lists.my.co.ke> wrote:
@lesley,
The key issue is the data exchange between the Safaricom SIM card and the phone (this has nothing to do with the Safaricom Servers), bearing in mind that there exists a third party between the Safaricom SIM and the Phone
On Tue, Jul 21, 2015 at 3:28 PM, Lesley Leposo <leposo@unoasystems.com> wrote:
Everyone is griping about the keys (i.e. triplets and session keys derived from that). I think someone needs to be very specific about the security threat involved here and both players aren’t revealing much.
IMHO, there are at least 3 areas where security threats can emerge:
1) Normally EAP-SIM would be used to authenticate the client/phone vs. the telco server (Safaricom in this case). The valuable information in this case would be the SIM triplets (and derived session key). Hence, this baseline EAP-SIM needs to be protected (Safaricom knows how this is done). If it isn't, then we already have a problem that's not due to thin-sim.
2) For the thin-sim, another EAP-SIM negotiation between the client/phone vs. the overlay server (Equity in this case). The valuable information again would be the thin-SIM triplets (and derived session key). Hence this overlay EAP-SIM needs to be protected in a manner that Safaricom can't even see it… this is totally in the domain of how Equity has designed their network and their provisioning (e.g. by encrypted negotiation & tunnelling directly between the client/phone and the Equity server).
3) For the handsets, they would have to make sure that the telco applications can’t snoop or inject traffic/data into each other’s walled garden - there are 2 walled gardens in this case. The walled garden includes the sim triplets (and derived session key) along with each telco network routes, policies, arp-cache and tcp/ip connections. There exists a possibility of threats due to backwards incompatibility (with phones that can’t fully manage these walled gardens). Perhaps this is what Safaricom is complaining about?
On Jul 21, 2015, at 2:20 PM, Mwendwa Kivuva via Security <security@lists.my.co.ke> wrote:
> @mwendwa,
> It's possible for the owner of the network of the thin sim to be privy to information that only the host network sim should be having. It all comes back to someone internal at Equitel having the proper technical skills and motivation to use the same.
Stephen, then we have a major problem right there. I would not like Safaricom to disown any responsibility on their part when my security is compromised because I used thin sim. Therefore any security conscious users would not dare jeopardize their transactions by using thin sim. The question then is, how many of us care about their transaction security?
On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <skunkworks@lists.my.co.ke> wrote:
> Then the trending issue of the day. Equitel. Safaricom had taken Equity to court and sounded a big warning on the use of thin sim. http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-t...
> London-based GSMA, the global association of telecoms operators using the GSM technology, wrote to the Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms. The GSMA said the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing the system.
> Of course we all know Safaricom failed miserably in stopping Equity from progressing with its plans.
> Now the thin sim is here, and Equitel has said it will encrypt all data to and from the thin sim. Can experts in this area assure us that the use of thin sims will not affect the integrity of M-Pesa transactions?
> Regards
> _______________________________________________
> skunkworks mailing list
> skunkworks@lists.my.co.ke
> List info, subscribe/unsubscribe: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
> Skunkworks Rules: http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
> Other services @ http://my.co.ke
--
Best Regards, Stephen Munguti.
+254720425104
_______________________________________________ Security mailing list Security@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/security
--
Kind Regards;
Fredrick Wahome Ndung'u
Team Leader
Secunets Technologies Ltd
Website: www.secunets.com
Cell: +254725264890
Email: fred@secunets.com
Facebook: secunetstech
Twitter: @secunets
Skype: secunets.technologies
Experts in: Domain Registration, Web Hosting, Open Source Solutions, Information Security & Training, Digital Forensic Investigations, Web 2.0 Applications & I.C.T Consultancy.
"Secure Business Technology"
--
Grace L.N. Mutung'u
Nairobi, Kenya
Skype: gracebomu
Twitter: @Bomu
<http://www.diplointernetgovernance.org/profile/GraceMutungu>

I think we should separate the issue of Equitel from the issue of thin sims. Equitel also has a normal sim even though it's the first to introduce the thin sims into Kenya.
On Tue, Jul 21, 2015 at 4:34 PM, Grace Mutung'u (Bomu) <nmutungu@gmail.com> wrote:
--
Best Regards, Stephen Munguti.
+254720425104

Yes Stephen, I meant thin sims and their security. Just saw some article comparing the two main mobile money services and I understand Equitel also has (normal) SIMs.
2015-07-21 16:48 GMT+03:00 Stephen Munguti <kamitu.sm@gmail.com>:
--
Grace L.N. Mutung'u
Nairobi, Kenya
Skype: gracebomu
Twitter: @Bomu
<http://www.diplointernetgovernance.org/profile/GraceMutungu>

IMHO:
1) The thin-sim and ordinary-sim vendors need to be compliant (with some GOK controls designed to increase security & quality of both disjointed & combined operation).
2) Phones would also have to be 'secure thin-sim compliant'.
3) The operators need to be regulated to ensure fair-play (and penalise anti-competitive behaviours like cyberattacks, throttling or black-holing)… a la net neutrality.
All these policies and regulation must be done with input/feedback from techies.

The key issue you point out is covered under my number (3) about the walled garden. And it definitely isn't the only big issue. Going by this statement:
"Although the Overlay SIM is capable of using security technologies, such as cryptographic keys, to host and execute sensitive services and transactions, use of the technology has the potential to introduce a range of new security risks due to its ability to observe sensitive data in transit between the mobile device and the original SIM."
To me it would seem that if the original SIM also employed security technologies such as cryptographic keys (and protected exchanges), the ability of the thin-sim to observe sensitive data in transit between the mobile device and the original SIM would be severely limited. Hence my original points are still applicable.
On Jul 21, 2015, at 3:36 PM, Stephen Munguti <kamitu.sm@gmail.com> wrote:
@lesley,
The key issue is the data exchange between the Safaricom SIM card and the phone (this has nothing to do with the Safaricom servers), bearing in mind that there exists a third party between the Safaricom SIM and the phone.
On Tue, Jul 21, 2015 at 3:28 PM, Lesley Leposo <leposo@unoasystems.com> wrote:
Everyone is griping about the keys (i.e. triplets and session keys derived from that). I think someone needs to be very specific about the security threat involved here and both players aren't revealing much.
IMHO, there are at least 3 areas where security threats can emerge:
1) Normally EAP-SIM would be used to authenticate the client/phone vs. the telco server (Safaricom in this case). The valuable information in this case would be the SIM triplets (and derived session key). Hence, this baseline EAP-SIM needs to be protected (Safaricom knows how this is done). If it isn't, then we already have a problem that's not due to thin-sim.
2) For the thin-sim, another EAP-SIM negotiation between the client/phone vs. the overlay server (Equity in this case). The valuable information again would be the thin-SIM triplets (and derived session key). Hence this overlay EAP-SIM needs to be protected in a manner that Safaricom can't even see it; this is totally in the domain of how Equity has designed their network and their provisioning (e.g. by encrypted negotiation & tunnelling directly between the client/phone and the Equity server).
3) For the handsets, they would have to make sure that the telco applications can't snoop or inject traffic/data into each other's walled garden; there are 2 walled gardens in this case. The walled garden includes the sim triplets (and derived session key) along with each telco network's routes, policies, arp-cache and tcp/ip connections. There exists a possibility of threats due to backwards incompatibility (with phones that can't fully manage these walled gardens). Perhaps this is what Safaricom is complaining about?
On Jul 21, 2015, at 2:20 PM, Mwendwa Kivuva via Security <security@lists.my.co.ke> wrote:
@mwendwa,
It's possible for the owner of the network of the thin sim to be privy to information that only the host network sim should be having. It all comes back to someone internal at Equitel having the proper technical skills and motivation to use the same.
Stephen, then we have a major problem right there. I would not like Safaricom to disown any responsibility on their part when my security is compromised because I used thin sim. Therefore any security-conscious user would not dare jeopardize their transactions by using thin sim. The question then is, how many of us care about their transaction security?
On Tue, Jul 21, 2015 at 1:52 PM, Mwendwa Kivuva via skunkworks <skunkworks@lists.my.co.ke> wrote:
Then the trending issue of the day. Equitel. Safaricom had taken Equity to court and sounded a big warning on the use of thin sim. http://www.businessdailyafrica.com/Corporate-News/Safaricom-sounds-warning-to-users-of-Equity-s-thin-SIM/-/539550/2462110/-/cqwoby/-/index.html
London-based GSMA, the global association of telecoms operators using the GSM technology, wrote to the Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms. The GSMA said the overlay SIM (which is embedded between a normal SIM card and the device) has the potential of harvesting and revealing sensitive data passing the system.
Of course we all know Safaricom failed miserably in stopping Equity from progressing with its plans.
Now the thin sim is here, and Equitel has said it will encrypt all data to and from the thin sim. Can experts in this area assure us that the use of thin sims will not affect the integrity of M-Pesa transactions?
Regards
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

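A small Python model of the question argued in the thread above (what an overlay SIM sitting between the handset and the original SIM can and cannot observe), added here as an example and not code from any list participant. The instruction names, the HMAC-SHA256 stand-ins for A3/A8 and for an applet MAC, and all keys and values are assumptions constructed for the demo.

```python
"""Toy model of an overlay (thin) SIM interposed between handset and original SIM.
Added example, not from the list thread. The ISO 7816 link is reduced to
(instruction, data) calls; HMAC-SHA256 stands in for A3/A8 and the applet MAC."""
import hashlib
import hmac

class Interposer:
    """Overlay SIM: relays every command and keeps a copy of both directions."""
    def __init__(self, host):
        self.host, self.log = host, []
    def transmit(self, ins, data):
        resp = self.host.process(ins, data)
        self.log.append((data, resp))
        return resp

class HostSim:
    """Original SIM holding Ki and an applet key; neither is ever exported."""
    def __init__(self, ki, app_key):
        self._ki, self._app_key = ki, app_key
    def process(self, ins, data):
        if ins == "RUN_GSM_ALGORITHM":
            # RAND in, SRES||Kc out in clear: the baseband needs Kc to cipher the
            # air link, so Kc necessarily crosses the interface the overlay sits on.
            d = hmac.new(self._ki, data, hashlib.sha256).digest()
            return d[:4] + d[4:12]
        if ins == "STK_TERMINAL_RESPONSE":
            # Toolkit reply carrying what the user typed on the handset (e.g. a PIN).
            return b"\x90\x00"
        if ins == "APPLET_MAC":
            # Applet authenticates a transaction with a key that stays on-card.
            return hmac.new(self._app_key, data, hashlib.sha256).digest()
        raise ValueError(f"unknown instruction {ins}")

def gsm_kc(ki, rand):
    return hmac.new(ki, rand, hashlib.sha256).digest()[4:12]

def observed(overlay):
    # Everything the overlay saw, in either direction, as one byte string.
    return b"".join(data + resp for data, resp in overlay.log)

def run_demo():
    ki, app_key = b"\x11" * 16, b"\x22" * 16          # constructed sample keys
    rand, pin, txn = b"\x33" * 16, b"1234", b"PAY 500 TO 0700000000"
    overlay = Interposer(HostSim(ki, app_key))
    overlay.transmit("RUN_GSM_ALGORITHM", rand)
    overlay.transmit("STK_TERMINAL_RESPONSE", pin)
    overlay.transmit("APPLET_MAC", txn)
    seen = observed(overlay)
    return {"kc_visible": gsm_kc(ki, rand) in seen,   # True: key handed to handset
            "pin_visible": pin in seen,               # True: typed on handset, sent in clear
            "app_key_visible": app_key in seen}       # False: never leaves the card
```

The split in the result is the point: key material that stays on the card is not exposed by an interposer, but anything the handset and SIM exchange in clear (the cipher key handed to the baseband, a PIN typed into a toolkit prompt) is.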
Dear readers, I agree that the importance of security and consciousness on security is important; but it needs to be seen within the realm of a new field of Information Ethics, that goes beyond security and includes netiquette, etc. Regards Jaco
________________________________________
From: kictanet [kictanet-bounces+j.dutoit=unesco.org@lists.kictanet.or.ke] on behalf of Barrack Otieno via kictanet [kictanet@lists.kictanet.or.ke]
Sent: 21 July 2015 09:15
To: Du Toit, Jaco
Cc: Barrack Otieno; security@lists.my.co.ke; ISOC Kenya Chapter; KICTAnet ICT Policy Discussions
Subject: Re: [kictanet] [Skunkworks] #KeIGF15 Online Discussions Day Two: Cyber Security and Trust
Well said with Steve and Explorer, security matters are tied to value systems. Without values there is no security. I stand to be corrected, but in the Vision 2030 document we had a pillar that received very little attention. This pillar touched on national values; I think this is where the rain started beating us on the security front. Recent interventions from the government and religious communities have emphasized collective responsibilities and being your brother's keeper (Nyumba Kumi et al). I think the same approach should be applied to stem cyber security, that is, sensitizing users on the importance of confidentiality. This can best be done by implementing security standards such as the ISO 27000 series, which break down security into a layman's language. Regards
On 7/21/15, Stephen Munguti via skunkworks <skunkworks@lists.my.co.ke> wrote:
Hello all,
I think most of our security concerns stem from internal users and this is the reason many banks and telcos refuse to part with this information; I could be wrong though.
On Tue, Jul 21, 2015 at 8:58 AM, Grace Mutung'u (Bomu) via skunkworks <skunkworks@lists.my.co.ke> wrote:
Dear Listers,
Kenya has had its fair share of high profile cyber threats, hacking etc., the latest being the alleged compromise of the IFMIS system at NYS/Ministry of Devolution. The country, and Africa at large, is making efforts to assure cyber-security. These include, among others, her involvement in the Africa Union Convention on Cybercrime and a proposal for a Cybercrime law, an initiative led by the Office of the Director of Public Prosecutions. Significant financial resources have also been earmarked by government for security, and cyber security in particular. There are also partnerships between government and private sector in deploying cybersecurity centres.
The private sector has employed practical measures to protect their businesses. However, businesses such as mobile money providers and banks have been shy to divulge their cyber security concerns to protect their interests.
Civil society on the other hand has raised concern about the line between protecting the cyber space and creating a facilitative environment for innovators as well as protecting the rights of users.
Are our efforts at deterring cyber-crime the correct way to assure cyber security? Are fears about a partnership between government and private sector and the general fears about stifling innovation and human rights in the name of cybersecurity legitimate? Are there other practical approaches that different stakeholders can take to enhance cyber security?
Over to you.
-- Grace L.N. Mutung'u Nairobi Kenya Skype: gracebomu Twitter: @Bomu
<http://www.diplointernetgovernance.org/profile/GraceMutungu>
-- Barrack O. Otieno +254721325277 +254-20-2498789 Skype: barrack.otieno http://www.otienobarrack.me.ke/
_______________________________________________ kictanet mailing list kictanet@lists.kictanet.or.ke https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/j.dutoit%40unesco.org
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette: Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.