Mediapart has learnt how a hacker, repeatedly over recent months and using what he described as “ridiculous” basic computer equipment, succeeded in breaking into the confidential email accounts of six Members of the European Parliament (MEPs), four of their assistants, two party group representatives, and two members of the parliament’s IT and security services.
The hacker said the intrusion was limited solely to incoming email, deliberately ignoring outgoing emails and other confidential files which he could also have accessed.
Contacted by Mediapart, the press relations department of the European parliament declined to comment on the issues raised in this article before it was published.
The hacker, whose identity is deliberately withheld, claims to have acted to demonstrate the vulnerability of the parliament’s software system, and to place IT security and protection of privacy on the political agenda of future European elections due to be held across the continent in May next year.

At the heart of the demonstration is the exposure of flaws in the Microsoft Exchange system used by the parliament, a system developed by the Washington-based software firm founded by Bill Gates and Paul Allen in 1975 and which equips numerous public administrations and institutions around the world with computer operating systems.
Mediapart has consulted the information accessed by the hacker in what he described as an operation of “child’s play”. The email accounts he targeted were those of the following MEPs:
Markus Pieper, German MEP, representative of the German Christian Democrats, or CDU, party and member of the European People's Party group.
Jean-Jacob Bicep, French MEP, representative of the French EELV alliance and member of the Greens/European Free Alliance group.
Maurice Ponga, French MEP, representative of the conservative UMP party and member of the Group of the European People's Party.
Constance Le Grip, French MEP, representative of the French conservative UMP party and member of the European People's Party group.
Ana Gomes, Portuguese MEP, representative of the Portuguese Socialist Party and member of the European Socialist Party.
Aldo Patriciello, Italian MEP, representative of the Italian Union of Christian and Centre Democrats and member of the European People's Party group.
The parliamentary assistants whose accounts he accessed were:
Sonia Léa Rouahbi, assistant to MEP Jean-Jacob Bicep.
Ivan Forte, assistant to MEP Aldo Patriciello.
Alexandra Carreira, assistant to MEP Ana Gomes.
Perrine Orosco, assistant to MEP Maurice Ponga.
The two party workers whose accounts he intruded into were:
Mélanie Vogel, of the Green group.
Céline Bayer, of the Progressive Alliance of Socialists and Democrats group.
Also hacked were two members of the European Parliament’s IT and security services, Dimitrios Symeondis and Antonio Inclan.
“It was child’s play,” the hacker told Mediapart. “With a basic laptop equipped with WiFi, and a few bits of knowledge that everyone is capable of finding on the internet, anyone could do the same.”
The hacker set up the operation in a public space close to the European Parliament and its visiting MEPs in Strasbourg. The most technically complex stage involved ensuring that nearby mobile phones connected to the internet through the hacker’s laptop WiFi.
A large number of smartphones used by MEPs are equipped with a Microsoft mobile data synchronization application (or app) called ActiveSync. This regularly connects to the parliament’s email server to check for, and to send, new messages. The app stores the phone user’s login and password. If it encounters a problem, notably a hacking attempt, a warning appears on the phone but, to a hacker’s advantage, its wording is far from clear. According to the hacker, many people tap ‘OK’ without paying attention to it. “That allows the laptop in the middle to decode the communications at its own level, before re-coding them and sending them on to the real server,” the hacker explained.

Thus, by placing itself between the mobile phone and the Microsoft Exchange server, an intruder need only wait for an imprudent person to tap ‘OK’ on the warning message in order to collect the logins and passwords of all those targeted, giving access to their entire accounts: sent and received emails, but also personal diaries. With what the hacker described as “a bit of effort”, an intruder could also reach documents stored on personal accounts within the European Parliament’s own network.
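The interception described above succeeds only because the sync client lets a user wave through a server it cannot verify. The added example below, which is not code from Mediapart, the hacker or Microsoft, shows the defensive alternative: a sync client that pins the mail server’s public key and refuses to connect on a mismatch rather than prompting. The function names are hypothetical and the certificate bytes are a constructed, syntactically valid stand-in rather than a real certificate.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Decode one DER TLV header at pos -> (tag, value_start, end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """TLVs directly inside a constructed value, as (tag, tlv_start, value_start, end)."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out

def spki_pin(der_cert):
    """Base64 SHA-256 of the certificate's SubjectPublicKeyInfo TLV, the usual pin format."""
    _, cs, ce = _tlv(der_cert, 0)                      # Certificate ::= SEQUENCE
    _, _, ts, te = _children(der_cert, cs, ce)[0]       # tbsCertificate
    fields = _children(der_cert, ts, te)
    if fields[0][0] == 0xA0:                            # EXPLICIT [0] version is optional
        fields = fields[1:]
    _, spki_start, _, spki_end = fields[5]              # serial, sigAlg, issuer, validity, subject, SPKI
    return base64.b64encode(hashlib.sha256(der_cert[spki_start:spki_end]).digest()).decode()

def sync_decision(der_cert, pinned):
    """Start the sync only if the server key matches a pin; never ask the user, fail closed."""
    pin = spki_pin(der_cert)
    if pin in pinned:
        return "connect"
    return f"refuse: server key pin {pin} not in pinned set"   # the interception case: log it

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificate below."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    return bytes([tag, 0x81, n]) + content      # sample stays well under 256 bytes
# Constructed sample: a syntactically valid but meaningless certificate with placeholder key bytes.
_EC_OID, _SIG_OID = b"\x2a\x86\x48\xce\x3d\x02\x01", b"\x2a\x86\x48\xce\x3d\x04\x03\x02"
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, _EC_OID)) + _der(0x03, b"\x00\x04" + b"\x11" * 64))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, _SIG_OID))
            + _der(0x30, b"") + _der(0x30, 2 * _der(0x17, b"230101000000Z")) + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, _der(0x06, _SIG_OID)) + _der(0x03, b"\x00" + b"\x22" * 70))
EXPECTED_PIN = base64.b64encode(hashlib.sha256(SAMPLE_SPKI).digest()).decode()
```

A pin set would normally hold the current and a backup key so that a routine certificate renewal does not lock users out, while an unexpected key, as presented by an interposed laptop, is refused without any dialogue for the user to tap through.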
Mediapart first entered into contact with the hacker several weeks ago. By then, most of his demonstration of the vulnerability of the parliament’s system had been completed, and he was seeking to alert the media to the operation.
Mediapart has established the veracity of his operation, under conditions that the protection of journalists’ sources prevents us from revealing. Out of respect for the personal privacy of those concerned, Mediapart has decided not to publish the contents of the emails he accessed; the issue of general interest at the heart of these revelations is the current lack of security that threatens the proper functioning of public institutions.
Together with its simplicity, one of the most disturbing aspects of the intrusion operation is that it attacks mobile phones that are connected to a WiFi source, and can therefore be carried out not just in Strasbourg, but anywhere in the world.
Documented flaws that open 'back doors'
In the case of the demonstration in Strasbourg, the hacker deliberately limited his intrusion to the received emails of the 14 people he targeted. He did not copy any other files or personal information. He said his motive in exposing the weakness of the system was above all a political one: placing the issue of IT security high on the agenda of next year’s elections for the European Parliament.
“On the one hand there are citizens who, today, know almost nothing about what goes on in the wings of these institutions, of the links between the political and economic worlds, and on the other, we have almost omniscient intelligence agencies which, thanks to their espionage, can decide the future of a political figure or have influence on decisions,” the hacker argued. “If it is possible, with such ridiculous equipment, to get into the communications networks of politicians tasked with deciding European policies, what should be thought of our democratic process? It is these very basics that are called into question.”
Despite all the past and recent revelations about US-led mass surveillance programmes, the danger of day-to-day intrusion into confidential computer-based information appears to remain unrecognised by many institutions. The hacker involved in the demonstration of the faults within the European Parliament’s system said he wanted to “shake them up a bit”, to “improve awareness” and sound an alarm over what he called “catastrophic behaviour” towards security issues by a number of elected politicians, while also drawing attention to what he considered the ill-founded choice of using Microsoft systems.
The hacker’s demonstration in Strasbourg comes at a particularly sensitive time for the European Parliament. Following the information leaked by computer analyst whistleblower Edward Snowden about the US National Security Agency mass surveillance operations, the parliament set up a Committee of Inquiry into the extent of surveillance of EU citizens, and which has held numerous hearings over recent weeks.
On November 11th, it questioned representatives of Google, Facebook and Microsoft, notably about revelations by The Washington Post on October 30th that the NSA had intruded into the principal communications links connecting Google and Yahoo data centres around the world, in a programme codenamed MUSCULAR. “By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans,” the paper reported.
During the hearings, British Labour Party politician and MEP Claude Moraes referred to the NSA’s MUSCULAR programme in his questioning of Dorothee Belz, Microsoft vice-president for Legal and Corporate Affairs in the EMEA regions. "Generally, what I can say today is server-to-server transportation is generally not encrypted," she said. "This is why we are currently reviewing our security system."
In a report on that hearing, the website of Wired magazine cited Sam Smith, a technology expert with Privacy International, a British NGO dedicated to defending privacy rights, as saying the unencrypted data could hypothetically relate to any of Microsoft's cloud services, from Hotmail and Outlook.com email accounts to Xbox Live, Office 365 and also SkyDrive cloud storage.
It is not the first time that the security of Microsoft products and their use by public institutions have been called into question. Several experts have for years sounded the alarm over the lack of vigilance regarding Microsoft, which is criticized for leaving ‘back doors’ in its software that can be used for intrusions. “To choose Microsoft is quite simply tantamount to offering the keys to the Americans,” commented Eric Filiol, a former coding and encryption specialist for the French intelligence agency, the DGSE, and now an expert consultant on IT security. “Amid the height of the Prism scandal, we can’t take umbrage that the Americans are spying on us by using the tools of the enemy,” he added. “If, for example, you take Skype, which belongs to Microsoft, you do it from France. But their servers are based in the United States. So if the NSA wants to access one conversation or another, it suffices for them to ask and Microsoft, under the Patriot Act, is required to give them the keys. What’s more, we know that technically there are things hidden. These are black boxes, and furthermore legal black boxes.”
There exists a considerable amount of information about the so-called ‘back doors’ that the US authorities reportedly require American firms to include in their products sold abroad. As early as 2001, the French parliament referred to the issue in a report by its defence commission on the global signals intelligence network Echelon, mounted by the US, Britain, Canada, Australia and New Zealand, following revelations in the late 1990s about how the network intercepted private and commercial communications. The French parliamentary commission’s rapporteur, MP Arthur Paecht, wrote that specialists from the French army’s electronic armament centre (CELAR), based in Rennes, had demonstrated to him “the existence of flaws or hidden functions in certain software”.
“For some years,” he wrote, “these technological flaws have been exposed by researchers and specialists. They are all the more formidable in that they come from products of American origin which represent close to 80% of the world market.”
Paecht said the existence of these “flaws” was recorded in a report entitled “Security of information systems: dependence and vulnerability”, commissioned by the strategic affairs delegation of the French defence ministry and authored by Admiral Jean Marguin. The report was addressed to the French government in early February 2000.
In the face of such warnings, the continued use of Microsoft systems by French and European institutions appears surprising. Furthermore, the members of the French parliament’s defence commission panel established to investigate the Echelon revelations included France’s current president, François Hollande, his current Prime Minister Jean-Marc Ayrault and defence minister Jean-Yves Le Drian.
'Despite everything, people couldn't care less'
The European Commission has also been equipped, ever since 1993, with Microsoft systems, despite having publicly committed itself to favouring the adoption of free software that is not controlled by firms. As revealed by Computer Weekly in September 2011, following a sixth consecutive purchase agreement between the EC and the US firm, “Microsoft will have dominated the desktop computing environment of European institutions for 20 years without allowing a single rival to compete for the business”. It reported that the then-latest deal with Microsoft “concerned approximately 50 million euros of software licences for 36,000 PCs and their supporting infrastructure across 42 European institutions, including the European Parliament and Court of Justice”.
In 2008, French computer magazine PCinPact revealed that Microsoft had proposed to two French ministries a so-called “open bar” contract under which a catalogue of software is made available over a four-year period at a before-tax cost of 100 euros per computer. The contract, to which Mediapart has gained access, was signed by the defence ministry on February 24th 2009 without invitation to any open public competition. The deal concerned 188,500 computer stations, representing a total value of almost 19 million euros.
The revelation of the deal prompted an angry reaction from associations dedicated to promoting free software. In 2010, one of them, the ‘Francophone association of free software users’, Aful, wrote to French MPs to alert them to what it considered a dangerous decision. “Is it strategically wise to hand a foreign company a hold on the entire information systems of the Ministry of Defence, indispensable to the exercise of its missions?” the letter asked.
Another association for the promotion of free software, called April, contacted the French Commission for Access to Administrative Documents, the CADA, for access to documents related to the defence ministry contract with Microsoft. It received a response this October, when it gained access to three reports.
One of them, dated 2008 and prepared by a working group of French army experts, noted that “given the high risks and increased cost with regard to the current system, the working group advises against the engagement in the form of a global contract, except for limiting it to peripheral office automation”.
“When I learnt of the existence of this contract, as a former military person, I jumped up,” commented Eric Filiol. “As I wrote at the time, there are several ways of betraying your country, and there’s one. There is not even the need for spying anymore, not even any further need for Prism. We offer them our data. In the United States, for example, public administrations are prohibited from using technology that isn’t American.”
So just why do political deciders continue to give such a controversial firm the keys to such sensitive networks? “First of all there is the enormous clout of lobbyists,” said Isabelle Attard, an MP in France’s lower house, the National Assembly, member of the EELV Green party and who is active in defending free software production. “At the beginning of this current parliament, I was myself invited by Microsoft to one of their showrooms.” But she also accused political decision-makers of a “total ignorance” of such technological questions. “When we raise these issues, most of our colleagues don’t take us seriously, or don’t see the interest,” she said. “I get told ‘Isabelle, you’re exaggerating’, or even, ‘You’re paranoid’, even on the socialist benches. We recently tried to do a count of those elected representatives who felt concerned by the issue, and we found just ten or 12 MPs from all political sides.”
“Today, lots of public administrations are dependent upon one firm,” continued Attard, “whereas free software is independence, sustainability and security.”
Frédéric Couchet, chief representative of April, argued that the issue has become political. “The public authorities are financed by our taxes and free software should be an element of public service,” he said. “I hope that it will be one of the themes of the European elections. But unfortunately, digital matters are not viewed as a key issue for society. You get the impression that, despite everything that is revealed, people couldn’t care less.”
-------------------------
English version by Graham Tearse