GCHQ Created Spoofed LinkedIn and Slashdot Sites To Serve Malware

An anonymous reader writes "Ars Technica reports how a Snowden leak shows British spy agency GCHQ spoofed LinkedIn and Slashdot so as to serve malware to targeted employees. From the article: 'Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.'"

Do as I say, not as I do

[Hamsterdan]

If I or any /. reader were to do the same, a pretty harsh sentence would await us.

Re:HTTPS on Slashdot

Given that the spooks have almost certainly compromised all the major Certificate Authorities and can issue their own certificates at-will, I'm going to go with "No, it wouldn't make the slightest bit of difference".

Re:hey, GCHQ employees

[NettiWelho]

The Gestapo, KGB, and Stasi were mainly agencies of internal political repression, although the KGB also spied outside the country as well. Since the targets of surveillance were apparently outside the UK, it isn't really the same. That doesn't mean you can't find it disagreeable.

Even if the anglosphere currently isn't openly corporate fascist that doesn't mean it wont be 5, 10, 15 or 20 years down the road. If they have years worth of supposedly private communiques from people thats is like Stasi's wet dream where the people being repressed write their own profile, willingly.
Once the thugs are in power they are not gonna delete that data, they are going to use it.

Re: SSL

[Jakeula]

SSL didn't seem to help LinkedIn. They use ssl and they successfully spoofed that.

Re:hey, GCHQ employees

1) There are foreign threats.
2) Our spies are principally spying on foreigners.
3) ????

The conservatives in all our countries are relying on to you stupidly assume that our spies are principally spying on foreign threats. But foreigners are not the same as foreign threats. If the GCHQ spies on Americans, and the NSA spies on Brits, then it's a closed loop. And we know that is happening.

The whole thing is all a big open question with lots of cloud hanging over it.

Re:hey, GCHQ employees

[NettiWelho]

Sending malware counts as a crime, not legal surveillance.

If the victims knew the identities of the perpetrators they would be eligible for extradition under the standing treaties.

Re:hey, GCHQ employees

[Joining+Yet+Again]

The concern is not whether spying activity is at home or abroad - any such distinction can be defeated with recriprocal agreements. The issue is that the targetting was of administrators at Internet exchanges.

And you're worried about Iran putting pressure on OPEC? Deal with your lack of domestic energy security. You had 40 years to wake up, but instead you sold everything off to mostly foreign concerns. Spying on OPEC is just doing dirty work for these businesses to ensure they profitably receive their fuels.

Re:HTTPS on Slashdot

[AHuxley]

Re https ,br> Thats what smart people have been warning about for years. Once the nets basic cryptography is a junk standard thanks to gov - anyone can be anything online and its all perfectly trusted..
The ex staff, fired staff, mercenary, contractor - they all take the complex skill set with them and sell it.
Other govs, firms, foreigners with cash, faith groups with cash... thats why junk crypto is so useless - all the interesting people can pay to learn about the 'net' and always know to avoid it or create complex legends.
All the random silly people using terms and words they copy and past from other open news sites just get to fill gov databases tracking .com
Over time the UK will have a massive East German like database filled with many quotes and people. Did the rows of East German files alter the politics and mil of East Germany? i.e. great for tracking workers comments, people protesting outside churches.

Re:hey, GCHQ employees

[Spamalope]

And when they say they dont do domestic data gathering you shouldn't trust them. NSA was already caught wiht its hand in the cookie jar.

Semantics; Assuming it's not a baldfaced lie, they can 'partner' with the NSA then 'share resources' and they've got their hands on the results of domestic spying while only having encouraged and facilitated it themselves.

In the US, courts have ruled that corporate spying on individuals is legal so 'privatizing' the actual data gathering launders it into legality under this time honored principle: 'What are you gonna do about it, you're powerless'.

Rogue governments !!

[Taco+Cowboy]

The term "Rogue" is used to denote "dishonest and/or unprincipled".

They used to put USSR, China, North Korea under the "Rogue Government" category.

Both the governments of the United States of American and that of Great Britain have proven to be DISHONEST _and_ UNPRINCIPLED !

IMHO, it's time we should include the government of the United States and that of United Kingdom under the "Rogue Government" category.

And btw, if you see the performance of John McCain, especially how he tried to blame Edward Snowden, you would understand how ludicrously pathetic American politicians have become ...

... McCain also said he was convinced that Snowden gave all of his information to Russia ...

As an American, I am beyond furious ...

Re:Rogue governments !!

[Nerdfest]

McCain is a first class weasel to begin with. I remember watching one of the presidential debates, ranting about how the government had paid 40K$ or something for a lightbulb, not mentioning that it was for a planetarium projector.

It's not that simple ...

[Taco+Cowboy]

And if you just enjoy playing god, well, go into the City, or start up your own business. If you're that good, then you can perform in plain sight, can't you?

Speaking from experience here ... it's not that simple

I started to plan for my escape from China way back in the late 1960's because of the social madness created by Mao back then.

Thongs of mindless assholes with red armband parading on the street, waving that little red book and plunged the Chinese society into total darkness.

Those of us with brains knew that the things coming from Mao were bullshit, but those without brains who embraced Mao's bullshit outnumbered us 1000 to 1.

So we ran, and ran, and finally I got to Hongkong.

From Hongkong I ended up in the United States, and at that time, the U. S. of A. was a paradise, a place where brainy people get to do whatever they want to do without having fear of official repression.

Some 40 odd years have passed, and the United States is turning into just like Mao's China ...

Everything coming from Washington D.C. is pure bullshit, and the things I have noticed right now is that the mindless fucktards who bought into Washington D.C.'s bullshit are outnumbering those who know better.

While the society in the United States of American haven't plunged into darkness yet, there is no certainty that it won't.

When the controlling regime got desperate ~ (Mao's reign at that time was in danger of collapsing from within, motivating Mao in his encouragements to the mindless assholes with red armbands creating social havoc), ~ they will do anything to remain in charge.

And if (and when) the regime which is reigning over Washington D.C. (democrats _ and_ republicans) is in danger of collapsing, there is NO TELLING what they would do.

To make the matter worse ... they have a lot of very powerful tools Mao couldn't even begin to dream of 50 years ago.

I am an American now, and I am looking at my adopted country, the United States of America, with the same dismay as Mao's China, back in the 1960's.

Re:It's not that simple ...

[Common+Joe]

Only an American would be naive. Disclaimer: I am American.

You should meet my wife. She's 100% German and moved to the United States only when we got married. She was over 30 at the time. When we met several years before our marriage, her speech and written word was flawless even then. Her accent morphs to whatever English speaking country she is in. She is freakin' talented. He says her nightmare is speaking with an American, a Brit, and a Australian at the same time because she wouldn't know which accent to use. It bears repeating again: I can attest that her American accent and use of language is flawless. Her written prose is flawless.

I corrected her English only once. She then corrected me. I consulted a dictionary to prove her wrong and it turns out she was right. She kicks my ass in English -- and I'm the native speaker. Now, with that said, there are two things you need to know. Her profession is translation so she was trained. She comes from a family of translators and interpreters. The other thing you should know is that she isn't the only one with these kinds of talents that I've met. I am now learning German and one of the guys in my class speaks native Spanish, good Romanian (his wife is Romanian), and pretty good English (of which I can attest). His German abilities completely outstrip mine.

I don't normally rail against someone... especially someone with a 4 digit ID, but I'm telling you that you need to get off the computer and get more face-to-face time with other people. There are people who walk around you and just because you think they speak American doesn't mean that they are American or even from North America. Right now, I'm living in a foreign country and I'm in the linguistic circles because of my wife. I am exposed to a lot of really talented people out there. Some of them are not even formally trained like my wife.

I suggest you apologize to Taco Cowboy -- another 4 digit ID, I might add. He was saying something important and it's not the first time I've personally seen him post something like this. This is very personal thing for him to open up to people -- especially on Slashdot like this. I surmise he hurts on the inside to watch what is happening to America -- a country he obviously loves. Then to have someone like you come along, act like an asshole, and call him a liar is just a horrendous insult to someone like him.

I had to learn the hard way that I'm not the most talented person in this world. No matter how good I get in whatever I pursue, there is always going to be a lot of people who are a whole lot better than I am. Grow a pair, apologize to Taco Cowboy, and learn that others don't have the same limitations you have.

Re:Internet...broken?

[WaffleMonster]

Time to start from scratch, and start a large-scale redesign of the Internet and its protocols, to try and better secure users from surveillance/attacks?

In my view the most dire issue facing the network right now is handful of content companies owning majority of network traffic. People have to run their own servers and get involved with the network again. There is no meaningful technological solution for aggregation of power in the hands of a few media companies caused by laziness and lack of engagement. Those with the skills need to work to make it more accessible to those without the time or inclination to learn.

Tor and other fringe security protocols/networks won't cut it, and getting people to use very-user-unfriendly encryption tools won't happen - nothing short of a mammoth redesign

The structure of the current net at IP layer and below is architecturally about right as far as I'm concerned. 100% untrusted, 100% untrustworthy. All the network needs to do is forward packets with some degree of assurance they will be delivered.. the rest is up to us users.

far surpassing the resources/scale of the IPv6 changeover, is going to come anywhere close to repairing the damage.

I think if we're smart about it IPv6 becomes a huge part of the solution. Whatever the future of the net and accompanying protocol soup look like maintaining a network of peers where any one can talk to anyone else is the most powerful tool we have to avoid oppressive tendencies of various less than perfect governments.

There's no going back now - it's already too late to salvage what we have, because it has already been completely and irrecoverably 'owned' - the NSA broke the Internet.

If you were talking specifically SMTP or SSL CA's I would agree with you. More generally all is not lost and all does not need to be replaced.

Javascript

[Jah-Wren+Ryel]

If there was ever indisputable proof that Slashdot needs to maintain javascript-free functionality in slashcode, this is it. If it were viable to use slashdot with javascript disabled, this sort of impersonation attack would be a lot harder to pull off because NoScipt would have protected from drive-by nsa-ware infections hoisted on the slashdot impersonator site.

Unfortunately, its been years since it was reasonable to use slashdot without javascript. Even if you still use the old style interface, there are too many corners where javascript has crept into the design in a mandatory way rather than just as an enhancement.

Re:hey, GCHQ employees

[pitchpipe]

In the US, courts have ruled that corporate spying on individuals is legal so 'privatizing' the actual data gathering launders it into legality under this time honored principle: 'What are you gonna do about it, you're powerless'.

This is a phrase that needs definition so we can better fight against it:

Data Laundering: The government circumventing the illegal search and seizure provisions of the constitution through the use of private corporations vast databases of information on all citizens.

This always elicits the response,"If you don't like $Corps policy of getting tax dollars to spy on you to circumvent the constitution, don't use them." When every corporation is a one way mirror on all of our lives to the government, this no longer becomes feasible. Unless you want to live like the Uni bomber.

powerful, you should write this up properly

[raymorris]

I've read a similar post you made before. You have a powerful point to make, and you make it well.
It would be a service to the country you loved, and freedom in general, if you spent an hour or two to write that up "properly", to spend a few minutes editing it to say exactly what you want to say. I could see such an article being shared quite a bit via social networking, blogs etc.

Time to go HTTPS only Slashdot

[Kjellander]

Really. I mean it. It is not that hard.