Belgian Prosecutor Looking Into Reports That NSA/GCHQ Hacked Well-Known Belgian Cryptographer

from the sneaky-sneaky dept

Tue, Feb 4th 2014 3:42am — Mike Masnick

Last year, we wrote about the NSA and GCHQ hacking into Belgian telco Belgacom using a "quantum insert" via man-in-the-middle attacks using "fake" Slashdot and LinkedIn pages. It has now come out that Belgian prosecutors are looking into reports that one of those attacks was directed at well-known Belgian cryptographer, Jean-Jacques Quisquater. According to David Meyer at GigaOm:

The Universite catholique de Louvain professor apparently fell victim to a “quantum insert” trick that duped him into thinking he was visiting LinkedIn to respond to an emailed “request” when he was actually visiting a malware-laden copy of a LinkedIn page.

“The Belgian federal police (FCCU) sent me a warning about this attack and did the analysis,” Quisquater told me by email. As for the purpose of the hack: “We don’t know. There are many hypotheses (about 12 or 15) but it is certainly an industrial espionage plus a surveillance of people working about civilian cryptography.”

Of course, looking into it doesn't mean very much at this point. There had been serious concerns about how the NSA and GCHQ used the attacks on Belgacom to then bug systems at the EU Parliament in Brussels. Whether or not they'll do something in response to "just" hacking a cryptographer remains to be seen -- but it should remind basically everyone in the world that the NSA/GCHQ don't seem to have any hesitation about hacking just about anyone.

Update: As noted in the comments, there are good reasons to believe this was not the work of the NSA/GCHQ, but potentially other government attacks...

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: belgium, cryptographer, gchq, hacking, jean-jacques quisquater, nsa, surveillance

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 4 Feb 2014 @ 2:38am

Now that they lost their credibility and thus their opening to insert backdoors in the crypto standards all that is left is to collect damning info on cryptographers to blackmail them or hijack their lives entirely so they'll be impaired in their ability to contribute with cryptography. No?

When the tyrant can't rule in disguised kindness it will revert to blunt, evil force.
[ link to this | view in chronology ]
Just Sayin', 4 Feb 2014 @ 5:22am

or maybe
He was just one of about a billion people who got the same sort of scam mail... attempts at fishing like that show up in mail all the time. Faking being a popular website and sending a somewhat relevant link to the person is only slightly above script kiddie level.
[ link to this | view in chronology ]
[deleted], 4 Feb 2014 @ 5:22am

Seem Justin Bieber is of no consolation to NSA anymore. They manage to outdo him and remain in the front page news on a daily basis.

I am yet to see defenders amongst general public (beside from criminals concerned).

Business model with no Plan B sinking, and yet, they refuse to reinvent themselves. I am curious to see how far they will sink.
[ link to this | view in chronology ]
Anonymous Coward, 4 Feb 2014 @ 6:03am

and the UK government keeps on about the illegal downloading that happens there and how it's censoring of the Internet is justified because of the numbers (totally unknown by anyone, unfortunately) of children being caught in sex exploitation and, the entertainment industries failure to step up to the plate and join the rest of the world for distributing media and the numbers of crimes that take place in the make-believe world of Cameron! unbelievable!!
[ link to this | view in chronology ]
Nicholas Weaver (profile), 4 Feb 2014 @ 8:18am

Please correct, this is likely NOT the NSA...
A far better report is from TechWeek Europe.

Two very important points:

The initial attack was phishing based. The NSA doesn't need to phish, instead they just use direct packet injection instead.

The malcode appears to be a MiniDuke variant.

We don't know who is operating MiniDuke (namely, is it the Russians or is it the Chinese?), but the targeting history suggests that it is not the US/UK, as a significant number of the targets of MiniDuke have been US/UK computers (Think tanks, research institutions), while NSA/GCHQ is largely outward facing.

Thus the headline is WRONG: Quisquater was probably attacked by a nation-state level adversary, but that adversary is probably NOT the NSA/GCHQ.
[ link to this | view in chronology ]
Laroquod (profile), 4 Feb 2014 @ 9:46am

What kind of a cryptographer clicks links to a well-known site received via *email* instead of opening a browser and typing the address in manually? The fact that he fell prey to the simplest and most easily avoided attack in the world does not speak very well for Mr. Quisquater. I'm going to give him the benefit of the doubt by speculating that maybe his expertise is not in the area of malware, and advise him to take the most basic, remedial course on how remain secure, online.
[ link to this | view in chronology ]
- Nicholas Weaver (profile), 4 Feb 2014 @ 9:49am
  
  Re:
  I'd ask the opposite: What kind of person, who sees mail with a link from
  
  a: Company that routinely sends such mail
  
  b: Matches semantically with such mail
  
  c: Would be something they'd want to view
  
  would NOT click on the link? I think the blame the user mantra here is ridiculous. Such links should be untrusted (no plugins, no scripts), or disabled completely, but to expect users to not click on a link in email destroys the whole notion of sending links in email.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 4 Feb 2014 @ 12:52pm
    
    Re: Re:
    I absolutely wouldn't. It's internet safety 101, something that people have been trying to drill into everyone's heads since approximately forever.
    
    Never open an email attachment without checking with the sender that they meant, no matter how well you know the sender -- and if you're asking via email, don't hit the "reply" button to do it.
    
    Never click on links embedded in emails, even if you know the sender. Ever. Copy them into your browser instead.
    
    Yes, it absolutely sucks that this sort of thing is necessary, but that doesn't change the fact that it's necessary.
    
    In this particular case, blaming the user is not entirely invalid. The guy is a security professional, and presumably is aware of at least the most basic rules of internet security. That he didn't follow them is a failure on his part. That doesn't excuse the behavior of the criminals at all -- just saying that this guy should have known better.
    [ link to this | view in chronology ]
  - Laroquod (profile), 8 Feb 2014 @ 7:32am
    
    Re: Re:
    If you click on such links, then you are a fool. I never do and that is the main reason that I have never been hacked. In fact, if your *only* security measure were to not click on links to well-known sites sent to you via email, then you probably would not even need an antivirus (although you should install one, anyway).
    
    Blame the user is absolutely the correct mantra here, since it is the ONE PHILOSOPHY that will result in NO INFECTIONS FOR THE USER once that user realises that he/she is at fault for putting faith in a plaintext medium with zero security.
    [ link to this | view in chronology ]
Anonymous Coward, 4 Feb 2014 @ 11:21am

Qubes-OS would have prevented it
[ link to this | view in chronology ]
Anonymous Coward, 4 Feb 2014 @ 11:23am

Qubes-OS would have prevented it
Qubes-OS.org could have prevented the malware from gaining a foothold at the professor's computer.

With Qubes-OS it's easy to open links in a throw-away Virtual Machine.

Stop blaming people. Start to use proper protection.
[ link to this | view in chronology ]
- John Fenderson (profile), 4 Feb 2014 @ 12:56pm
  
  Re: Qubes-OS would have prevented it
  Sandboxing in VMs does give you a lot of protection, and I recommend it. But it's nothing like a panacea -- there are numerous attacks that can escape the VM. They just require a little more skill and effort (for now).
  
  One of the dangers of taking security measures is that people think the security measures means that they can engage in risky behavior again. That's never actually true, and this effect is why history is riddled with examples of security and safety measures actually leading to less security and less safety.
  [ link to this | view in chronology ]
@b, 9 Feb 2014 @ 5:02pm

look down this rabbit hole
The term "quantumInsert" voids all comments about email & copy-pasting links.

This is a man-in-the-middle attack. The victim's browser is asking for the VALID dot com and being delivered a FAKE (the injection) faster than the valid dot com can deliver (hence quantum). How? Attack system involves victim's telco/ISP.

Click through the links if you're curious.

So if this (state) technique targeted your browser, you'd also be duped. You couldnt tell fake from real.

Lastly, with your browser compromise "they" can snoop your host OS, and use day-zero exploits to take over (root) your machine.
[ link to this | view in chronology ]