Belgian Prosecutor Looking Into Reports That NSA/GCHQ Hacked Well-Known Belgian Cryptographer
from the sneaky-sneaky dept
Last year, we wrote about the NSA and GCHQ hacking into Belgian telco Belgacom using a "quantum insert" via man-in-the-middle attacks using "fake" Slashdot and LinkedIn pages. It has now come out that Belgian prosecutors are looking into reports that one of those attacks was directed at well-known Belgian cryptographer, Jean-Jacques Quisquater. According to David Meyer at GigaOm:The Universite catholique de Louvain professor apparently fell victim to a “quantum insert” trick that duped him into thinking he was visiting LinkedIn to respond to an emailed “request” when he was actually visiting a malware-laden copy of a LinkedIn page.Of course, looking into it doesn't mean very much at this point. There had been serious concerns about how the NSA and GCHQ used the attacks on Belgacom to then bug systems at the EU Parliament in Brussels. Whether or not they'll do something in response to "just" hacking a cryptographer remains to be seen -- but it should remind basically everyone in the world that the NSA/GCHQ don't seem to have any hesitation about hacking just about anyone.
“The Belgian federal police (FCCU) sent me a warning about this attack and did the analysis,” Quisquater told me by email. As for the purpose of the hack: “We don’t know. There are many hypotheses (about 12 or 15) but it is certainly an industrial espionage plus a surveillance of people working about civilian cryptography.”
Update: As noted in the comments, there are good reasons to believe this was not the work of the NSA/GCHQ, but potentially other government attacks...
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: belgium, cryptographer, gchq, hacking, jean-jacques quisquater, nsa, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
When the tyrant can't rule in disguised kindness it will revert to blunt, evil force.
[ link to this | view in thread ]
or maybe
[ link to this | view in thread ]
I am yet to see defenders amongst general public (beside from criminals concerned).
Business model with no Plan B sinking, and yet, they refuse to reinvent themselves. I am curious to see how far they will sink.
[ link to this | view in thread ]
[ link to this | view in thread ]
Please correct, this is likely NOT the NSA...
Two very important points:
The initial attack was phishing based. The NSA doesn't need to phish, instead they just use direct packet injection instead.
The malcode appears to be a MiniDuke variant.
We don't know who is operating MiniDuke (namely, is it the Russians or is it the Chinese?), but the targeting history suggests that it is not the US/UK, as a significant number of the targets of MiniDuke have been US/UK computers (Think tanks, research institutions), while NSA/GCHQ is largely outward facing.
Thus the headline is WRONG: Quisquater was probably attacked by a nation-state level adversary, but that adversary is probably NOT the NSA/GCHQ.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
a: Company that routinely sends such mail
b: Matches semantically with such mail
c: Would be something they'd want to view
would NOT click on the link? I think the blame the user mantra here is ridiculous. Such links should be untrusted (no plugins, no scripts), or disabled completely, but to expect users to not click on a link in email destroys the whole notion of sending links in email.
[ link to this | view in thread ]
Qubes-OS would have prevented it
[ link to this | view in thread ]
Qubes-OS would have prevented it
With Qubes-OS it's easy to open links in a throw-away Virtual Machine.
Stop blaming people. Start to use proper protection.
[ link to this | view in thread ]
Re: Re:
Never open an email attachment without checking with the sender that they meant, no matter how well you know the sender -- and if you're asking via email, don't hit the "reply" button to do it.
Never click on links embedded in emails, even if you know the sender. Ever. Copy them into your browser instead.
Yes, it absolutely sucks that this sort of thing is necessary, but that doesn't change the fact that it's necessary.
In this particular case, blaming the user is not entirely invalid. The guy is a security professional, and presumably is aware of at least the most basic rules of internet security. That he didn't follow them is a failure on his part. That doesn't excuse the behavior of the criminals at all -- just saying that this guy should have known better.
[ link to this | view in thread ]
Re: Qubes-OS would have prevented it
One of the dangers of taking security measures is that people think the security measures means that they can engage in risky behavior again. That's never actually true, and this effect is why history is riddled with examples of security and safety measures actually leading to less security and less safety.
[ link to this | view in thread ]
Re: Re:
Blame the user is absolutely the correct mantra here, since it is the ONE PHILOSOPHY that will result in NO INFECTIONS FOR THE USER once that user realises that he/she is at fault for putting faith in a plaintext medium with zero security.
[ link to this | view in thread ]
look down this rabbit hole
This is a man-in-the-middle attack. The victim's browser is asking for the VALID dot com and being delivered a FAKE (the injection) faster than the valid dot com can deliver (hence quantum). How? Attack system involves victim's telco/ISP.
Click through the links if you're curious.
So if this (state) technique targeted your browser, you'd also be duped. You couldnt tell fake from real.
Lastly, with your browser compromise "they" can snoop your host OS, and use day-zero exploits to take over (root) your machine.
[ link to this | view in thread ]