GCHQ Created Spoofed LinkedIn and Slashdot Sites To Serve Malware

An anonymous reader writes "Ars Technica reports how a Snowden leak shows British spy agency GCHQ spoofed LinkedIn and Slashdot so as to serve malware to targeted employees. From the article: 'Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.'"

Victims were alerted

when the quality of the comments section significantly improved.

Re:Victims were alerted

[girlintraining]

Whose watching?

The grammar police. We've had our eyes on you for some time.

hey, GCHQ employees

[Joining+Yet+Again]

I know you're reading this.

You're smart. Smart enough to be able to work out who I am, probably without much trouble.

Why don't you do something productive?

Re:hey, GCHQ employees

[NettiWelho]

The Gestapo, KGB, and Stasi were mainly agencies of internal political repression, although the KGB also spied outside the country as well. Since the targets of surveillance were apparently outside the UK, it isn't really the same. That doesn't mean you can't find it disagreeable.

Even if the anglosphere currently isn't openly corporate fascist that doesn't mean it wont be 5, 10, 15 or 20 years down the road. If they have years worth of supposedly private communiques from people thats is like Stasi's wet dream where the people being repressed write their own profile, willingly.
Once the thugs are in power they are not gonna delete that data, they are going to use it.

Re:hey, GCHQ employees

[Joining+Yet+Again]

It makes me sad.

My (long ago retired) father ended up as a relatively senior civil servant for his home country, working abroad and dealing with, to put it generally, import&export. Now he was once asked by his government if he would exploit the contacts he'd formed and cooperate in passing certain useful information to them as and when required. He refused.

I'm sure he'd have enjoyed greater job security in his latter years if he'd cooperated, but he did what was right - ultimately for him too, because being open and honest means a more relaxed life, where you are free to build what you want and speak about what you want.

Even if - and let's say your a stellar maths grad - you're given the most comfortable desk, access to the best machines and the company of a small subset of brilliant minds, your work won't go to improving human scholarship if you work for a secret service. It'll be kept under lock and key, deployed for the whim of the politicians of the day and their masters. And yes, you'll be indoctrinated with the mantra of every civil servant - "I'm not allowed an opinion because I'm only following orders". But that's only acceptable if your orders can ultimately be scrutinised by the general public on behalf of whom you are working.

And if you just enjoy playing god, well, go into the City, or start up your own business. If you're that good, then you can perform in plain sight, can't you?

Re:hey, GCHQ employees

[Spamalope]

And when they say they dont do domestic data gathering you shouldn't trust them. NSA was already caught wiht its hand in the cookie jar.

Semantics; Assuming it's not a baldfaced lie, they can 'partner' with the NSA then 'share resources' and they've got their hands on the results of domestic spying while only having encouraged and facilitated it themselves.

In the US, courts have ruled that corporate spying on individuals is legal so 'privatizing' the actual data gathering launders it into legality under this time honored principle: 'What are you gonna do about it, you're powerless'.

Re:hey, GCHQ employees

[cold+fjord]

You know what? I agree with you.

That is why it is so important to stamp out signs of genuine oppression and actual thuggish behavior immediately when they are identified, and have good oversight over the rest. That is why I find the indifference on Slashdot to the admitted political oppression engaged in by the IRS to be so appalling. People here moan, scream, and wail about oppression this and that when it involves the intelligence agencies. But when it involves the IRS, which unlike the NSA really does have considerable formal power to make the lives of individual Americans hell, which genuinely does have dossiers on almost everyone in America and various other people from around the world, expects you to send them a report at least annually, engages in its own internet surveillance, and now will be charged with overseeing American health insurance and apparently records, hardly anybody seems to care. That goes for the various Canadians, Europeans, and others that speak with an "American voice" of outrage about the intelligence agencies and many other policy questions, as well as the actual Americans that claim they are for "freedom" no matter now many dead bodies are created. It's like talking to someone that claims he greatly loves his family and would protect them to the death, goes ballistic if someone looks cross eyed at his sister, but upon seeing his brother and mother being gang raped simply utters "meh" and walks away. I can think of a number of explanations for that, but few of them are flattering. At the very least it looks like distorted thinking regarding computer-centric issues.

As to the intelligence agencies proper, yes, I think that much of that data, such as the phone metadata, should be purged periodically if it is going to be kept at all. My recollection from some story was that they were supposed to keep it for no more than 5-7 years. If it is going to be kept at all I would like to see it in a separate organization either within or outside of NSA that would be responsible for ensuring proper privacy protections were applied, including proper purging, as well as reporting on its use. I would also like to see more and better congressional oversight, possibly involving the GAO. I'm sure that other nations could put similar arrangements in place.

Intelligence agencies are a potential danger to a democracy, but also a critical part of defending them. They must be watched and governed adequately so that they don't pose an undue risk, but not so tightly that they become ineffective and leave the nation at risk. History generally isn't kind to nations caught unaware. Sometimes they even cease to be. We haven't reached the end of history yet, so they will be needed for many years to come.

Spoofed slash dot was easy to spot

[OzPeter]

There were no dupes, and all TFS's had perfect spelling and grammar.

HTTPS on Slashdot

[tepples]

I wonder if it would have been as easy for GCHQ to get away with it if HTTPS on Slashdot weren't a subscriber-only perk. Facebook and Twitter have gone all HTTPS all the time; why can't Slashdot? If ads are the problem, Google recently opened AdSense to HTTPS sites.

SSL

[dido]

I suppose using HTTPS would have helped even a little, if Slashdot ever bothered to do so. The victims might have noticed that the certificates changed, even if they did check out, most especially if they used HTTPS Everywhere. They couldn't just foist off an SSL cert for Slashdot signed by some other CA (or even the same CA) then: the SSL Observatory would have noticed the change in the certificate the way SSH notices that public keys to servers you connect to change. Unless of course Slashdot gave its (non-existent) private keys to GCHQ, in which case all bets are now off. Why browser SSL doesn't automatically cache certs the way SSH does and warn if there's a change that doesn't involve certificate expiry or revocation is something that isn't quite clear to me.

Re: SSL

[Jakeula]

SSL didn't seem to help LinkedIn. They use ssl and they successfully spoofed that.

Re:Don't Panic!

[maxwell+demon]

Yeah, the NSA version is here. ;-)

Rogue governments !!

[Taco+Cowboy]

The term "Rogue" is used to denote "dishonest and/or unprincipled".

They used to put USSR, China, North Korea under the "Rogue Government" category.

Both the governments of the United States of American and that of Great Britain have proven to be DISHONEST _and_ UNPRINCIPLED !

IMHO, it's time we should include the government of the United States and that of United Kingdom under the "Rogue Government" category.

And btw, if you see the performance of John McCain, especially how he tried to blame Edward Snowden, you would understand how ludicrously pathetic American politicians have become ...

... McCain also said he was convinced that Snowden gave all of his information to Russia ...

As an American, I am beyond furious ...

Re:Rogue governments !!

..Why are there CCTV cameras everywhere in Britain?

Err, there aren't.

Look, you (pl) keep throwing this one up, I'm in Britain, and the nearest 'state' CCTV cameras to my current location are a mile and a half away, and I stay in a major town. The nearest CCTV camera to my home location is approx 1,300 feet away (as the Google Earth ruler flies..) and it's pointed at a bloody 'Doo hut'.

My place of employ?, internally we've cameras everywhere (and I run 4-8 of them), the industrial estate we're located on is surrounded by a ring of the buggers, guess what?, none of the fucking things work (and they haven't done so now for a number of years..7+ years now).

Yes, Britain in parts (hello London, Glasgow, any other 'metropolitan' area and the major road networks) may have an inordinate number of CCTV cameras, but they're not 'everywhere in Britain' and not any more so than any other country.

If you truly want an example of Panopticon levels of CCTV surveillance, try Monaco.

It's not that simple ...

[Taco+Cowboy]

And if you just enjoy playing god, well, go into the City, or start up your own business. If you're that good, then you can perform in plain sight, can't you?

Speaking from experience here ... it's not that simple

I started to plan for my escape from China way back in the late 1960's because of the social madness created by Mao back then.

Thongs of mindless assholes with red armband parading on the street, waving that little red book and plunged the Chinese society into total darkness.

Those of us with brains knew that the things coming from Mao were bullshit, but those without brains who embraced Mao's bullshit outnumbered us 1000 to 1.

So we ran, and ran, and finally I got to Hongkong.

From Hongkong I ended up in the United States, and at that time, the U. S. of A. was a paradise, a place where brainy people get to do whatever they want to do without having fear of official repression.

Some 40 odd years have passed, and the United States is turning into just like Mao's China ...

Everything coming from Washington D.C. is pure bullshit, and the things I have noticed right now is that the mindless fucktards who bought into Washington D.C.'s bullshit are outnumbering those who know better.

While the society in the United States of American haven't plunged into darkness yet, there is no certainty that it won't.

When the controlling regime got desperate ~ (Mao's reign at that time was in danger of collapsing from within, motivating Mao in his encouragements to the mindless assholes with red armbands creating social havoc), ~ they will do anything to remain in charge.

And if (and when) the regime which is reigning over Washington D.C. (democrats _ and_ republicans) is in danger of collapsing, there is NO TELLING what they would do.

To make the matter worse ... they have a lot of very powerful tools Mao couldn't even begin to dream of 50 years ago.

I am an American now, and I am looking at my adopted country, the United States of America, with the same dismay as Mao's China, back in the 1960's.

How do you know Snowden has released *ALL* info ?

[Taco+Cowboy]

... Snowden is no more principled than McCain or an investment banker. He released ALL of the intelligence information he gathered at the NSA ...

I am intrigued !

How do you know Edward Snowden has released _*ALL*_ the information he had gathered at the NSA ?

How do you know Edward Snowden does not keep some files to himself, files that pack even *MORE* fire power than what he has released so far ?

As a poker player, I never release my trump card early in the game.

I don't know if Edward Snowden plays poker or not, but judging from what he has done since his days as a security guard ... I suspect the guy has even more juicy things in the pipeline

powerful, you should write this up properly

[raymorris]

I've read a similar post you made before. You have a powerful point to make, and you make it well.
It would be a service to the country you loved, and freedom in general, if you spent an hour or two to write that up "properly", to spend a few minutes editing it to say exactly what you want to say. I could see such an article being shared quite a bit via social networking, blogs etc.

Re:How do you know Snowden has released *ALL* info

[ahabswhale]

Snowden stated that he's released all of the information he had The only thing that is restricting the release of information at this point is the journalists that he released it to. Those journalists have already said that they haven't even released the really juicy stuff yet. That's pretty impressive, if it's true, considering the significant revelations already made.