GCHQ Used Fake Slashdot Page To Install Malware To Hack Internet Exchange
from the is-nothing-sacred? dept
Back in September, it was reported that the UK's equivalent of the NSA, GCHQ, had gleefully hacked Belgacom, the Belgian telco, using a "quantum insert" to plant malware on the computers of key engineers at the company. At the time, it was described as follows:

According to the slides in the GCHQ presentation, the attack was directed at several Belgacom employees and involved the planting of a highly developed attack technology referred to as a "Quantum Insert" ("QI"). It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides.

Over the weekend it appears that Der Spiegel published a further report by Laura Poitras on this hacking, which revealed that the spoofed websites used to install this malware were none other than Slashdot and LinkedIn. Interesting choices.
Update: Nicholas Weaver explains what happened in much more detail. It's not a fake page, but a packet injection attack.
Filed Under: gchq, malware, man in the middle, quantum insert, slashdot, surveillance
Companies: belgacom
Reader Comments
interesting
I wonder if this reflects your general knowledge of law. You can't sue the Federal Government (for causes other than those specifically mentioned in the Federal Tort Claims Act, which is reserved for negligence by government employees) under a thousand-year-old doctrine called "Sovereign Immunity." Which every law student learns about in year one.
You particularly can't sue law enforcement for damages created by law enforcement activities. Go ahead, check Lexis/Nexis--you won't find a case.
Those who take legal claims made on this site seriously should keep this in mind next time around...
http://www.nolo.com/legal-encyclopedia/suing-government-negligence-FTCA-29705.html
https://en.wikipedia.org/wiki/Sovereign_immunity
https://en.wikipedia.org/wiki/Sovereign_immunity_in_the_United_States
Re: interesting
BUT the larger points are: DON'T TRUST ANYTHING ON THE NET TO BE REAL. -- AND THE MICROSOFT MONOPOLY FACILITATES SPYWARE. (If only by its buggy common "features". And all other major OSs do too: they're designed to.) -- Far larger than security agency menace is rampant malware, almost NONE of which is ever hunted down by the agencies that could. Right now there's a particularly obnoxious ransomware which locks files, and it'd be easy for security agencies to trace the payments, but do they? Hell no.
[ * Mike's phrase used when excusing Google for its wifi data gathering spying. ]
Re: Re: interesting
As for security agencies tracing the payments...wouldn't that fall under the purview of law enforcement? If my computer gets ransomware, I don't call the nearest spy agency, I call the cops.
Re: Re: Re: interesting
But market share in the desktop world is still heavily in MS's favor. Apple as a PC maker is still minuscule.
The total number of computer 'devices' has exploded and MS has had little of that growth, but their 'core' market for personal computers (pcs/laptops) hasn't changed a whole lot.
Re: Re: Re: Re: interesting
I retract my claims, given the evidence on hand.
Re: interesting
There are ways to make points without being an insufferable asshole.
Here, let me give you an example. Given the statement above, I *could* reply as follows:
But, of course, that would be really obnoxious and uncalled for. Instead, I'd suggest an approach like the following one:
Which solution did you choose?
Re: Re: interesting
But you chose to be "an insufferable asshole" and don't actually counter the point.
Further, when I've complained here about actually being threatened with physical violence by one of your fanboys, besides my screen name being falsely used, besides the generally hostile environment here, YOU'VE DONE NOTHING, not even the most general statement that's not tolerated here. You take the position that you're not responsible for such comments, just dodging. But when some AC (and you know who it is by looking at IP etc), makes a valid point that pricks your arrogant little bubble, you go into schoolmarm mode -- and then just blather.
Re: Re: Re: interesting
Care to provide proof of someone making a believable direct threat to your person? If you quote my line about wishing I was like Atticus Finch, that was me merely expressing a fantasy, not a statement that I was actively going to go out and shoot you.
No-one on this site (besides Mike, who, if I recall correctly, has said in the past he has a very strong suspicion) knows who you are. We will never know who you are, nor do we care to know who you are. Without that very important piece of information, it is impossible for a rational human being to believe that there are real legitimate threats made against you. Then again, you're not rational, are you?
Re: Re: Re: interesting
Blue is upset because he thinks Mike is muscling in on his modus operandi.
BTW I think your assessment of Mike's comment is wrong anyways.
Re: interesting
Wouldn't that be a fine "fuck you" - either governments axe investor-state dispute resolution nonsense or they get smacked for being naughty.
Any re-direct can do this.
Point is that you can't trust anything which is generated by computers. -- Nor ANY mega-corporation! You can't trust that Google is supplying what you want or letting you see all the available information. Google can censor invisibly by only showing what it wants you to see, as major "news" networks have done for decades. We're at just the start of The Matrix. -- And by the way, don't take either pill because BOTH are from an untrustable source!
[ * Note down here because incidental to main point: Search any term and hover to see the link: it'll be google.com plus the site and a large number of characters, enough to uniquely identify your browser and the search term. -- BUT, here's a key trick: when I tested this incidentally in a modern Firefox, Google.com was stripped from the copied link! That may be why some of you believe it isn't true. But apparently Firefox is in cahoots enough to specially process Google's re-directs. -- Just test it yourself, IF you can see the actual links when hovering over link on a Google search page.]
Re: Re: Any re-direct can do this.
Just grab NoScript (if you have firefox) and check how many sites include googleanalitics and googleapis.
It's fucking everywhere. Worse: it is often essential for functionality. This site is a prime example: you can't even read "reported" comments without unblocking googleapis.
Re: Re: Re: Re: Any re-direct can do this.
Ghostery reports 14 cookies.
RequestPolicy blocks the following 17 third-party sites:
- google.com
- ajax.googleapis.com
- postrelease.com
- facebook.net
- rp-api.com
- s3.amazonaws.com
- reddit.com
- flattr.com
- google-analytics.com
- twitter.com
- quantserve.com
- doubleclick.net
- exponential.com
- amazon.com
- reinvigorate.net
- scorecardresearch.com
- akamai.net
... and I allowed only the following two:
- gravatar.com
- imgur.com
Now, first of all... really, Techdirt? 19 third-party sites need to know that I accessed this page? NINETEEN? Each with their own tracking and vulnerabilities? I get flattr - if I had an account there, I'd enable access. Other than that... you're basically broadcasting your user base to half the 'net :(
Anyway, site works almost perfectly without all those connections. I can't click to view down-modded comments, which does seem to require googleapis (blocking cookies with Ghostery doesn't mean anything for the access itself), but no great loss there.
Re: Re: Re: Re: Re: Any re-direct can do this.
Of your 19 in total (for Request Policy) I do not get
- akamai
- s2-amazonaws.com
(I suspect this is because you have an amazon cookie)
But I do see (which you didn't list)
- chartbeat.com
- sharethis.com
- wibiya.com
So my RequestPolicy sees 20 items
(I too allow imgur and gravatar)
Ghostery reports 15 cookies / tracking
Actual cookies = zero. Cookie Controller is set to block all DOM, cookies except for about 10 sites where I allow either a cookie or a session one - that's it.
Re: Re: Re: Re: Re: Any re-direct can do this.
So TD is just a dirty piece of shit spyware and Google's ass boy !!!
(I actually suspected it from the start you know !! )
Re: Re: Re: Any re-direct can do this.
(not using noscript here at work, but do at home, and don't recall *not* being able to read 'hidden' comments...)
Re: Re: Re: Any re-direct can do this.
But Google Apis must be enabled for many sites.
Re: Re: Any re-direct can do this.
Note that the other reply accepts it, just says "so don't use Google", and here's my tagline for that:
The phony deal that evil people (and gullible fools) try to force on us: You can't have the benefits of technology unless you give up all privacy.
Re: Re: Re: Any re-direct can do this.
No. That is not how it's done. You make the claim, you do the work of backing it up. Why should I bother verifying what you said? I have absolutely no motivation to do so.
Re: Re: Re: Re: Any re-direct can do this.
He did.
In science, you come up with a hypothesis, run an experiment and then post the results, together with the steps to reproduce the experiment and the results, which was what ootb did.
That you don't feel inclined to test the hypothesis yourself because it might reveal that you are "wrong" is another issue entirely.
Regardless, he is speaking the truth. I figure Google does it to track what links you hovered over, or maybe just so they can show you the useless preview image.
Dunno what he is jabbering about with regards to Firefox, though.
Re: Re: Re: Re: Re: Any re-direct can do this.
The scientific method says you notice a phenomenon, you conduct tests, then you come up with a conclusion. There are more steps, such as publishing your research, but those are the three most basic steps. "I saw something, I conducted tests, I concluded that the tests say XYZ".
OOTB started with the conclusion first, then worked backwards from there. He didn't explain very well what method he used (he just said search, but search where? Google.com's search box?). Did he post screenshots or video? No. All I have is a wall of text of a guy making a claim about Google and expecting everyone else to do the legwork of verifying what he says.
Lastly...assuming he meant searching on Google.com, I did a search for dog. I hovered my cursor over each of the search results. In the bottom left corner of my browser, only one of them did indeed have the google URL, none for cat, none for house. My own research was completely different to OOTB's claims of "Search any term and hover to see the link: it'll be google.com plus the site".
Re: Re: Re: Re: Re: Re: Any re-direct can do this.
Newsflash for the dullards, law is not science !!!
and:
learn what the scientific method is before you try to explain it.
Re: Re: Re: Re: Re: Any re-direct can do this.
Not really. He made a claim, but didn't provide evidence of his results. It's a popular troll tactic - make a claim, force others to do the work to prove it wrong, then claim people are lying/not doing it right if they get different results.
Notice how he not only doesn't supply any supporting evidence that what he said happens actually occurs, but he's vague enough about the details (e.g. he says "modern Firefox", not Firefox version 25.0, doesn't say whether he's using a standard install or there are any extensions installed, etc.), presumably to allow wiggle room if he's proven wrong.
"Dunno what he is jabbering about with regards to Firefox, though."
Me neither, which makes replicating his claims rather difficult, don't you think?
"Regardless, he is speaking the truth. I figure Google does it to track what links you hovered over, or maybe just so they can show you the useless preview image."
Maybe he's telling the truth (yes, there is a hash value between google.com and the search term), but that neither means there's any nefarious reason behind the value nor that he's forced to use Google in any way.
Re: Re: Re: Re: Re: Re: Any re-direct can do this.
http://www.google.com/url?q=http://en.wikipedia.org/wiki/Firefox&sa=U&ei=nASBUvS_L8am=0CEUQFjAL&usg=AFQjCNHuxTHvg
It's a re-direct. I've removed some of the extra to try and un-unique it, cause I expect it encodes much.
But if you're not capable of finding this, that's your problem.
By the way, "PaulT", tell me how to avoid Google everywhere.
Re: Re: Re: Re: Re: Re: Re: Any re-direct can do this.
Fucking dumbass.
Re: Re: Re: Re: Re: Re: Re: Re: Any re-direct can do this.
What about the tracking using javascript -- any scrap of data they can get -- to uniquely identify you? Care to field THAT question? How about googleapis? Do you KNOW anything about how the commercial tracking systems work? It's a bit trickier than just dodging the search page, fool.
Re: Re: Re: Re: Re: Re: Re: Re: Re: Any re-direct can do this.
Noscript. All that needs to be said.
Re: Re: Re: Re: Re: Re: Re: Any re-direct can do this.
Second, why are you even using Google to search for things in the first place? It seems bizarre to me, given that you have such an extreme hatred for Google.
You can avoid google everywhere by blocking access to their servers. This is easily done using your hosts file. You can find plenty of easy instruction all over the net.
Re: Re: Re: Re: Re: Re: Re: Re: Any re-direct can do this.
If what you mean by "copy the URL" is "right-click on the link and select 'Copy Link Location' or the equivalent", that will just get you the Google-redirect URL.
If what you mean by "copy the URL is "highlight the green-text URL displayed underneath the actual link", although that will work in some cases, there are many cases where it won't. If the actual URL is "too long" to fit in the width of the search-results column, the green-text URL will be displayed with some middle part of the URL elided by an ellipsis.
I spent a good deal of time looking for a way around this problem, specifically so that I could once again "Copy Link Location" and get the actual URL of the search result rather than a redirector. I eventually ended up with a Greasemonkey script for the purpose; nothing else seemed to get the job done.
Re: Re: Re: Re: Re: Re: Re: Any re-direct can do this.
In which browser? Which version? Are you copying a standard link or are you looking at sponsored ad links?
Why don't you simply answer the questions posed to you rather than trying to avoid direct queries? I suppose it's unusual for you to answer direct questions in the first place so there's that...
"It's a re-direct. I've removed some of the extra to try and un-unique it"
In other words "I've removed half of what I was whining about and changed the context of my results, so even if someone can prove they get something different to what I claim, I'll still make the same assertions"
Is that about right?
"By the way, "PaulT", tell me how to avoid Google everywhere."
Start by not using Google as your search engine, so that you don't have to post barely coherent whining about how their search results appear. Then, use tools to block their Javascript. Nobody's forcing you to visit sites that utilise Google as their ad platform, etc...
If you find this difficult, there's an off switch on your router. For the sake of everybody on the internet, I suggest you use it.
Re: Re: Re: Re: Re: Any re-direct can do this.
And as nicely defended up there: I just stated what I found, and it's possible for anyone to test it... If I could remember which I was testing, it'd help. I believe it was PCLinuxOS 2013.04.
Re: Re: Re: Any re-direct can do this.
...said "tagline" having nothing to do with what you just said, and is equally applicable to any company other than the one you post paranoid rants about. Plus, the fact that you can choose to stop using Google any time you wish still stands.
If you don't like the technology, please stop using it. You clearly don't understand it anyway, since you fail miserably at both logical and factual tests that anyone can apply to your rants.
Re: Re: Re: Re: Any re-direct can do this.
http://www.techdirt.com/articles/20131111/01080925194/gchq-used-fake-slashdot-page-to-install-malware-to-hack-internet-exchange.shtml#c438
Ain't it amazing how the Google defenders come out with denials and ad hom when it's easily available for anyone to test?
Re: Re: Re: Re: Re: Any re-direct can do this.
You are not. To you, Google is the Internet, it's responsible for all of the evils in the world, no matter the fact it's just a corporation, it's mainly a search engine, it doesn't have the ability to lock people up etc.
We get it. Google is scary. So is Bing and Yahoo, who, despite being search engines, you never call out. No, to you, Google is the sole evil corporate entity, because it's the ONLY ONE YOU CONSTANTLY BLATHER ON ABOUT.
Re: Any re-direct can do this.
For crying out loud, isn't Firefox open source? Don't you think someone would notice if they put special Google code in there?
Google has some weird Javascript where a link on the search results page actually starts as a normal link, but changes the link to the Google redirect as soon as it detects a "mousedown" event. If you have something that disables Javascript in whatever version of Firefox you were using, that might explain why you didn't get the redirection link.
If you ask me, it's a bit dishonest to change a link on someone mid-click, but it's not exactly in my top ten complaints about Internet sites either.
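The two comments above describe the same mechanism from two angles: a search result whose link is swapped for a google.com/url?q=... redirect on mousedown, and a reader who wrote a Greasemonkey script because "Copy Link Location" only ever yields the redirector. The following is an added example, not code from the thread and not the commenter's script. It assumes the redirect shape posted in the thread (destination in the `q` parameter, the other parameters carrying per-click values) and works on constructed URLs whose sa/ei/usg values are placeholders.

```python
"""Recover the real destination from a Google search-result redirect link.

Added example; not code from the Techdirt thread and not the commenter's
Greasemonkey script. Assumption: the redirect has the shape posted in the
thread, http://www.google.com/url?q=<destination>&..., with the destination
in the `q` query parameter and the remaining parameters (sa, ei, usg, ...)
carrying per-click tracking values. All URLs below are constructed; the
parameter values are placeholders, not captured ones.
"""
from urllib.parse import urlsplit, parse_qs


def _is_google_redirect(parts):
    """True for a google.com (or subdomain) URL whose path is /url."""
    host = (parts.hostname or "").lower()
    return (host == "google.com" or host.endswith(".google.com")) and parts.path == "/url"


def unwrap_google_redirect(url):
    """Return the destination carried by a google.com/url?q=... link.

    Non-redirect URLs (other hosts, or google.com paths such as /search)
    come back unchanged, as does a redirect with no `q` parameter, so the
    function is safe to run over every link on a page."""
    parts = urlsplit(url)
    if not _is_google_redirect(parts):
        return url
    # parse_qs percent-decodes values, so an encoded destination such as
    # https%3A%2F%2Fexample.org%2Fa%3Fx%3D1 comes back as a normal URL.
    targets = parse_qs(parts.query).get("q")
    return targets[0] if targets else url


def tracking_parameters(url):
    """Return the names of the query parameters other than `q` on a redirect
    link: these are the parts the commenter stripped to 'un-unique' the URL."""
    parts = urlsplit(url)
    if not _is_google_redirect(parts):
        return set()
    return {name for name in parse_qs(parts.query) if name != "q"}


# Constructed sample links (the Wikipedia target mirrors the one posted in
# the thread; the sa/ei/usg values are placeholders, not real ones).
SAMPLE_LINKS = [
    "http://www.google.com/url?q=http://en.wikipedia.org/wiki/Firefox&sa=U&ei=PLACEHOLDER_EI&usg=PLACEHOLDER_USG",
    "https://www.google.com/url?q=https%3A%2F%2Fexample.org%2Fa%3Fx%3D1%26y%3D2&sa=U",
    "http://www.google.com/search?q=dog",  # a search page, not a redirect
    "https://example.org/page",            # ordinary link, passed through
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(unwrap_google_redirect(link), sorted(tracking_parameters(link)))
```

The host check deliberately refuses look-alike hosts such as `google.com.example.net`, and a redirect without a `q` parameter is passed through rather than guessed at; that is the behaviour you want if the unwrapping runs automatically over a whole page of links.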
GCHQ watches Mumsnet
It's not, it's theRegister, it's Slashdot, it's Mumsnet, or Techdirt.
2 questions
1/ How do GCHQ justify hacking a Belgian telecom company? (other than the standard vague "ZOMG TERRORISTS!!!")
2/ Did they really bother to limit redirecting "specific visitors", or would they have considered it a bonus to install malware on several thousand other computers while targeting what they want?
Re: 2 questions
2. Given to an 'intelligence' agency, 'too much data' is a non-existent phrase unless prefaced with 'there's no such thing as...' yeah, the odds that they only went after specific targets once the system was breached... probably not too high.
Re: Re: 2 questions
"... uh, because that's the threshold for us to have some sort of vague legal justification for doing what we wanted..."
"So you really just made it up then?"
"...uh... no comment?"
"Yeah, thought so."
Since there hasn't been any further news or reports from that investigation, I assume it was just as big a load of lies and bullshit as the first 'investigation' that was carried out a few weeks earlier?
Anyone that actually believed any of the 3 'heads' concerned has more chance of getting the truth out of a dead terrorist! There is no way on Earth they were going to do anything except lie from start to finish! They have been well tuned by the NSA as to what to say so as to get through that investigation and be able to carry on with the same shit, just as the NSA is doing! They even used the same lies about how the UK (USA) has been put in mortal danger because of Snowden. The only danger has been that the public now know even more than before that the governments are going to do what they like, say what they like and be allowed to get away with it. The only way there would have been more honest results would have been to have public interest groups run the whole investigation!
Re:
He said their use of PRISM queries wasn't illegal based on the evidence he had seen (of 197 leads and the warrants against Brits that had led to them). That's a very narrow claim, and only applies to queries on that system (the 'official legal one') that goes to the US and causes a legal request to Google or Yahoo or whatever, and thus require a legalish warrant under RIPA signed by a minister.
In effect he said the tiny legal bit is tiny and legal.
http://www.theguardian.com/world/2013/jul/17/prism-nsa-gchq-review-framework-surveillance
So for example, you are a Brit, in Britain. You visit theregister.co.uk, the server for elReg is in London.
That is British to British traffic completely routed inside the UK.
Yet you are spied on by GCHQ because all the fluff on the page (ads, twitter, fb, feeds etc.) comes from servers abroad, and GCHQ makes an effort to collect all of that, even though they know this is illegal for them to monitor that traffic.
They claim they don't need a warrant because they tap it offshore (but we suspect those offshore taps are onshore just tapping the cable as it heads offshore).
In this example, that traffic was Brits & Belgians visiting Slashdot and they used it to target Belgacom netadmins with malware.
The Belgacom hack is of course not legal and is an extraditable offence in Europe (I read the penalty is up to 6 years in jail).
Anything done on the 'bulk' collection rule that spies on Brits is clearly a violation. Anytime they got NSA to spy on Brits and hand that data to GCHQ, is a violation. Getting an agent to do your bidding does not make your hands clean.
Snoopers charter was never passed.
Rifkin is the 'light regulation' that GCHQ boasted about to the NSA. Nobody expects any meaningful improvement from him. Just PR.
Re: Re:
I made two comments and I see the icon has changed as if my IP address has changed. This is just a test to see if I get the same blue icon.
Civil maybe but no prosecutor will touch it criminally.
What about techdirt?
It still can't protect against MITM attacks from someone who has compromised a CA, but that's presumably a small number.
Sounds like an act of terrorism to me, or at the very least, an act of industrial espionage!
This is why I don't use javascripts, flash plugins, adobe pdf plug ins, cookies (both 1st and 3rd party), or iFrames.
Basically, because of these government sponsored terrorist organizations, almost every single function of my web browser is intentionally disabled.
That's the price I pay for my global war on government sponsored terrorism.
I would expect acts of terror like this from China. It's extremely shocking to see "supposedly" civilized countries, such as the US and UK, resorting to acts of government sponsored terrorism.
Not FAKE slashdot, but packet injection...
How it worked is they saw their victim visit LinkedIn or Slashdot, identified them based on their account, and then shot an exploit at them using packet injection. So there was no "fake" slashdot page, just an injected exploit packet.
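The update to the post and the comment above both make the same correction: there was no fake Slashdot page, the victim's own request was answered by an injected packet that raced the real server's reply. As an added example, not code from the post, from Nicholas Weaver's write-up or from any product, here is the detection idea that follows directly from that description and that defenders have since used for this attack class. A genuine server sends each TCP sequence number once, so two segments in one flow that carry the same sequence number with different payloads reveal a second sender; a retransmission repeats the same bytes and is not flagged. The segments below are constructed sample data, and the IP TTL is recorded only as a secondary signal (an injector at a different network distance usually arrives with a different hop count), which is an assumption of this example rather than something the page states.

```python
"""Flag TCP segments that look like race-condition packet injection.

Added example; not from the Techdirt post or Nicholas Weaver's explanation.
Heuristic (an assumption of this example): a legitimate server emits each
TCP sequence number once, so two segments in the same flow with the same
sequence number but DIFFERENT payloads indicate a second sender racing the
real one. Plain retransmissions carry identical bytes and are ignored. The
segments below are constructed sample data, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port" of the sender (the server side of the flow)
    dst: str        # "ip:port" of the receiver (the client)
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as seen on the wire; a secondary signal only
    payload: bytes


def find_injection_candidates(segments):
    """Return one finding per sequence number that was seen with two
    different payloads inside a single flow.

    Each finding is a dict with the flow, the sequence number, both
    payloads and both TTLs, so an analyst can see which copy won the race
    (the first one the client accepted) and whether the hop counts differ."""
    seen = defaultdict(dict)   # (src, dst) -> {seq: first Segment seen}
    findings = []
    for seg in segments:
        flow = (seg.src, seg.dst)
        prior = seen[flow].get(seg.seq)
        if prior is None:
            seen[flow][seg.seq] = seg
            continue
        # Same bytes again is an ordinary retransmission; only conflicting
        # content at the same sequence number points at a second sender.
        if prior.payload != seg.payload:
            findings.append({
                "flow": flow,
                "seq": seg.seq,
                "first_payload": prior.payload,
                "second_payload": seg.payload,
                "ttl_first": prior.ttl,
                "ttl_second": seg.ttl,
                "ttl_differs": prior.ttl != seg.ttl,
            })
    return findings


# Constructed sample: one HTTP response to a client. Segment 1017 is
# retransmitted unchanged (benign); at 1042 a second copy with a different
# body and a different TTL arrives before the server's own bytes.
SERVER, CLIENT = "203.0.113.10:80", "198.51.100.7:51234"
SAMPLE = [
    Segment(SERVER, CLIENT, 1000, 52, b"HTTP/1.1 200 OK\r\n"),
    Segment(SERVER, CLIENT, 1017, 52, b"Content-Type: text/html\r\n"),
    Segment(SERVER, CLIENT, 1017, 52, b"Content-Type: text/html\r\n"),   # retransmit
    Segment(SERVER, CLIENT, 1042, 45, b"INJECTED-RESPONSE-BODY"),          # racer
    Segment(SERVER, CLIENT, 1042, 52, b"\r\n<html>real page</html>"),      # real reply
]

if __name__ == "__main__":
    for f in find_injection_candidates(SAMPLE):
        print(f"{f['flow'][0]} -> {f['flow'][1]} seq={f['seq']} "
              f"ttl {f['ttl_first']} vs {f['ttl_second']} "
              f"first={f['first_payload']!r} second={f['second_payload']!r}")
```

The check only works where both copies are visible, which means capturing at or near the client (or at the edge of the network whose users are protected); a sensor placed beyond the injection point sees just one of them. Keying the `seen` table on the full flow and bounding its size per flow are the first two changes needed before running this against live traffic.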