The following is an OSInt example of Israeli Telecom SIGInt capabilities. In this case the information source is a reporter for Al Jazeera. The telecom breach was in Lebanon.

http://www.aljazeera.com/indepth/features/2011/11/201111295498547664.html

How OSInt can work

From this open source news report, we can derive several things as an OSInt case study: a good bit about Israeli telecom penetration of Lebanon, a little about Israeli operational security with its case officers, and a tad about how Israel recruits intel assets.

Here is what is claimed:

A senior telecom engineer, Rabaa, was approached in 2001 by Israeli case officers operating behind the front of an international recruiting organization. He may not have been aware of who he was working for, which permitted Israeli intelligence to gather some useful HUMInt about Lebanese telecom capabilities. Note that the interview occurred in a neutral country.

Rabaa was then probably converted to an intel asset for the Israelis but then failed a polygraph test; it is implied the Israelis gave up interest at this point, in 2002.

Three years later, Israeli intelligence approached him again. The explanation of why is not provided. Perhaps he was promoted? Then, for 5 years, he was an intel asset for the Israelis, providing information on the southern part of the telecom network, backbone specs, a complete list of employees in the company, and other info. This was done outside Lebanon, at meetings around the world. This implies that Israeli operational security has judged meetings in Lebanon too risky for its case officers. Not a big surprise.

During Rabaa’s term, his case officers encouraged him to keep the telecom equipment standardized to keep their intel efforts simplified.

There is a mention of a second journalist who should be investigated further. This may provide more OSInt and help vet the story. But if he is Al Jazeera's source, external corroboration would be needed.

“He was gathering everything you could ever imagine about the Lebanese cellular network,” Hassan Illeik, a journalist with the Lebanese daily Al Akhbar, who has been closely following the issue of Israeli infiltration, told Al Jazeera.

A computer programmer, Marwan Taher, explains the implications to Al Jazeera. Who is he? Does he have papers published? What is his role and affiliation?

This mention means a Deep Web search should be done on this issue with the mentioned sources: the reporter, the newspaper, and the programmer.

Other Telecom security breach capabilities are mentioned, but not attributed.

“Methods of infiltration include the tampering of BTS towers, either physically or remotely; using firewall equipment manufactured by Israeli companies, which allows Israel to install backdoors and access for remote log-ins.”

“Last year, Lebanese engineers checked all of these points and uncovered a large amount of Israeli equipment just on the border oriented specifically to the backbone of the Lebanese network.”

“During the 2006 war, engineers at Alfa noticed unusual activity in their servers; the log, which records who logged into the system, both remotely and locally, would restart itself on a daily basis, without any command ordering it to do so. Furthermore, the log would reboot itself before registering where the command originated from. According to Illeik, “the engineers in Alfa were seeing this happen in front of their eyes, and couldn’t do anything to stop it”.”

Sascha Meinrath, director of the New America Foundation’s Open Technology Initiative, told Al Jazeera that it is “quite feasible” to access a mobile operating centre remotely, making it possible to install backdoors or software to monitor or manipulate phone calls.

Well, well, now we have some evidence of how deep the security breach of the Lebanese telecom has been, and how long it has lasted.

A new name, so another deep web search needs to be done on Sascha Meinrath. Security expert? Intel connections? Etc…

“We know that it is relatively simple to do real-time surveillance of text messaging and even block texts based upon key words as a third party,” he (Meinrath) said. “Part of the problem is that we are still learning about just how insecure GSM [technologies for second generation cell networks] systems actually are, and there are almost no meaningful mandates from regulators and legislators to make them meaningfully secure.”

So now we are made aware of fundamental insecurities in the underlying technology of GSM. Need to corroborate this elsewhere.

“Intelligence officials discovered that when they switched off the tampered phones, two lines would disappear from the network, and when switched on again, two lines would reappear, even though only one SIM card was actually installed in the phone.

The purpose of “twinning” is to allow third parties to remotely access the data records of the phone, trace its location and eavesdrop on conversations in the vicinity of the phone, regardless of whether the phone is switched on or off.”

This tells us that from control of the telecom, you can monitor, clone, and pull data from the target phone. Very useful to intel agencies.
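As an added illustration (not part of the Al Jazeera article or of the original post), the switch-off/switch-on observation quoted above can be expressed as a detection check over network attach/detach records: flag pairs of lines whose transitions repeatedly coincide. The event format, line identifiers, time window and thresholds are assumptions made for this sketch.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records: (unix_time, line_id, event). Line ids are made up.
EVENTS = [
    (1000, "LINE-A", "detach"), (1002, "LINE-B", "detach"),
    (1300, "LINE-A", "attach"), (1301, "LINE-B", "attach"),
    (5000, "LINE-A", "detach"), (5001, "LINE-B", "detach"),
    (5600, "LINE-B", "attach"), (5603, "LINE-A", "attach"),
    # Unrelated lines that each coincide once with the pair above.
    (1001, "LINE-C", "detach"), (4000, "LINE-C", "attach"),
    (5002, "LINE-D", "detach"), (9000, "LINE-D", "attach"),
]

def co_moving_lines(events, window=5, min_matches=3, min_ratio=0.8):
    """Return [(line_x, line_y, matches)] for lines that leave and rejoin
    the network together, within `window` seconds, again and again."""
    per_line = defaultdict(list)
    for ts, line, kind in sorted(events):
        per_line[line].append((ts, kind))
    flagged = []
    for a, b in combinations(sorted(per_line), 2):
        used = set()   # events of line b already paired with an event of a
        matches = 0
        for ts, kind in per_line[a]:
            for i, (ts2, kind2) in enumerate(per_line[b]):
                if i not in used and kind == kind2 and abs(ts - ts2) <= window:
                    used.add(i)
                    matches += 1
                    break
        longest = max(len(per_line[a]), len(per_line[b]))
        # One shared outage is a coincidence; repeated lockstep is not.
        if matches >= min_matches and matches / longest >= min_ratio:
            flagged.append((a, b, matches))
    return flagged

if __name__ == "__main__":
    for a, b, n in co_moving_lines(EVENTS):
        print(f"{a} and {b} changed state together {n} times")
```

The pairwise comparison is quadratic in the number of lines, so on real volumes the records would first be bucketed by time and cell before comparing.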

There are other interesting tidbits to pull from this article. If corroborated, they become findings and, with some analysis, become useful. But the message to be driven home here is that, via open sources, valuable intel can be gathered even on targets who try to stay in the shadows.