Slashdot Mirror


GCHQ Created Spoofed LinkedIn and Slashdot Sites To Serve Malware

An anonymous reader writes "Ars Technica reports how a Snowden leak shows British spy agency GCHQ spoofed LinkedIn and Slashdot so as to serve malware to targeted employees. From the article: 'Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.'"

10 of 335 comments

  1. HTTPS on Slashdot by tepples · · Score: 5, Interesting

    I wonder if it would have been as easy for GCHQ to get away with it if HTTPS on Slashdot weren't a subscriber-only perk. Facebook and Twitter have gone all HTTPS all the time; why can't Slashdot? If ads are the problem, Google recently opened AdSense to HTTPS sites.

    1. Re:HTTPS on Slashdot by NicBenjamin · · Score: 1, Interesting

      You do realize that the UK already has an obscene amount of data on its people?

      Londoners in particular, can be tracked individually by the police if they so choose. I don't think they even need a warrant. In theory they could decide they wanted to find out what some random hot chick does every day, and they'd be able to follow her everywhere she went for as long as she was in London. As long as she's in public she's on one of their cameras. For most people (ie: the ones who don't discuss their illegal activities by text message or email) that's a lot more threatening than anything that either GCHQ or the NSA could do on the internet. If you add in some stuff on their use of cell phone towers you get some things that are as threatening in theory, but in practice they won't become that big a deal. And it's not a big deal for pretty much the same reason the cameras aren't a big deal:

      Analyzing that much data takes a lot of analysts. The Stasi employed one half of one percent of East Germany's population. To get that many analysts in the UK you'd need 300,000 of them. You only have 200k in your active duty military (although with reserves that goes to 380k). With computers you could probably automate some stuff, but as databases get more complex you a) need more database gurus to make sure the data/hardware/etc. all stays working, and b) need to have a lot of actual people looking at your results who are smart enough to notice garbage. You're still gonna need a literal British Army (~130k) of analysts. You only have 500k or so people employed in the Civil Service.

      Yeah if you fuck up and break the law, you're truly fucked. They have everything. If you look like you broke the law the data could be great or (in rarer cases) it could really suck. There's a lot of it, so if you're innocent something probably shows you're innocent. Even if the cops hate you your barrister should get access to the data, and if he doesn't suck you will probably get off. If your barrister sucks, and the cops/prosecutors charge you anyway the data will make you look very guilty.

  2. Re:Victims were alerted by ArcadeMan · · Score: 3, Interesting

    They're watching what you're doing on your computer via their hidden cameras over there.

  3. Re:hey, GCHQ employees by Joining Yet Again · · Score: 5, Interesting

    It makes me sad.

    My (long ago retired) father ended up as a relatively senior civil servant for his home country, working abroad and dealing with, to put it generally, import & export. Now he was once asked by his government if he would exploit the contacts he'd formed and cooperate in passing certain useful information to them as and when required. He refused.

    I'm sure he'd have enjoyed greater job security in his latter years if he'd cooperated, but he did what was right - ultimately for him too, because being open and honest means a more relaxed life, where you are free to build what you want and speak about what you want.

    Even if - and let's say you're a stellar maths grad - you're given the most comfortable desk, access to the best machines and the company of a small subset of brilliant minds, your work won't go to improving human scholarship if you work for a secret service. It'll be kept under lock and key, deployed for the whim of the politicians of the day and their masters. And yes, you'll be indoctrinated with the mantra of every civil servant - "I'm not allowed an opinion because I'm only following orders". But that's only acceptable if your orders can ultimately be scrutinised by the general public on behalf of whom you are working.

    And if you just enjoy playing god, well, go into the City, or start up your own business. If you're that good, then you can perform in plain sight, can't you?

  4. Re:hey, GCHQ employees by NettiWelho · · Score: 4, Interesting

    And when they say they don't do domestic data gathering you shouldn't trust them. NSA was already caught with its hand in the cookie jar.

  5. Re:hey, GCHQ employees by cold fjord · · Score: 5, Interesting

    You know what? I agree with you.

    That is why it is so important to stamp out signs of genuine oppression and actual thuggish behavior immediately when they are identified, and have good oversight over the rest. That is why I find the indifference on Slashdot to the admitted political oppression engaged in by the IRS to be so appalling. People here moan, scream, and wail about oppression this and that when it involves the intelligence agencies. But when it involves the IRS, which unlike the NSA really does have considerable formal power to make the lives of individual Americans hell, which genuinely does have dossiers on almost everyone in America and various other people from around the world, expects you to send them a report at least annually, engages in its own internet surveillance, and now will be charged with overseeing American health insurance and apparently records, hardly anybody seems to care. That goes for the various Canadians, Europeans, and others that speak with an "American voice" of outrage about the intelligence agencies and many other policy questions, as well as the actual Americans that claim they are for "freedom" no matter how many dead bodies are created. It's like talking to someone that claims he greatly loves his family and would protect them to the death, goes ballistic if someone looks cross-eyed at his sister, but upon seeing his brother and mother being gang raped simply utters "meh" and walks away. I can think of a number of explanations for that, but few of them are flattering. At the very least it looks like distorted thinking regarding computer-centric issues.

    As to the intelligence agencies proper, yes, I think that much of that data, such as the phone metadata, should be purged periodically if it is going to be kept at all. My recollection from some story was that they were supposed to keep it for no more than 5-7 years. If it is going to be kept at all I would like to see it in a separate organization either within or outside of NSA that would be responsible for ensuring proper privacy protections were applied, including proper purging, as well as reporting on its use. I would also like to see more and better congressional oversight, possibly involving the GAO. I'm sure that other nations could put similar arrangements in place.

    Intelligence agencies are a potential danger to a democracy, but also a critical part of defending them. They must be watched and governed adequately so that they don't pose an undue risk, but not so tightly that they become ineffective and leave the nation at risk. History generally isn't kind to nations caught unaware. Sometimes they even cease to be. We haven't reached the end of history yet, so they will be needed for many years to come.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell

  6. Re: SSL by thetagger · · Score: 3, Interesting

    LinkedIn does not use SSL consistently and it's vulnerable to downgrade attacks. People are discussing this in several fora and Twitter at the moment.

  7. How do you know Snowden has released *ALL* info ? by Taco Cowboy · · Score: 5, Interesting

    ... Snowden is no more principled than McCain or an investment banker. He released ALL of the intelligence information he gathered at the NSA ...

    I am intrigued !

    How do you know Edward Snowden has released _*ALL*_ the information he had gathered at the NSA ?

    How do you know Edward Snowden does not keep some files to himself, files that pack even *MORE* fire power than what he has released so far ?

    As a poker player, I never release my trump card early in the game.

    I don't know if Edward Snowden plays poker or not, but judging from what he has done since his days as a security guard ... I suspect the guy has even more juicy things in the pipeline

    --
    Muchas Gracias, Señor Edward Snowden !

  8. Re:How do you know Snowden has released *ALL* info by ahabswhale · · Score: 5, Interesting

    Snowden stated that he's released all of the information he had. The only thing that is restricting the release of information at this point is the journalists that he released it to. Those journalists have already said that they haven't even released the really juicy stuff yet. That's pretty impressive, if it's true, considering the significant revelations already made.

    --
    Are agnostics skeptical of unicorns too?

  9. Re:It's not that simple ... by shadowofwind · · Score: 3, Interesting

    At least half of the people I know are Chinese, most of them in their early 40's or so who came over in the 90's. You're the first one I've knowingly encountered who seems to have any clue about this sort of thing. Though it's a gross oversimplification, I tend to view Chinese and eastern European immigrants as the inheritors of western civilization in the US, since the rest of us seem to have given up on it. Their kids are going to be powerful in another 40 or 50 years. Yet my Chinese friends generally don't seem to have a clue about political and cultural history, they're all about money and taking care of their families. In some ways they know a lot less than I do even about Chinese cultural history. I've toyed with the idea of trying to teach a class on it at the local weekend Chinese school, aimed at parents. Not that they would necessarily be interested or that my preaching would accomplish anything.