British Intelligence Responds To Slashdot About Man-in-Middle Attack

Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog.

Heh.

[girlintraining]

All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight

The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

Re:Heh.

[s.petry]

The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!

Re:Heh.

[lorinc]

It's funny to see people finally realize that the world we're headed to is very similar to that of East Germany, with the slight difference that you won't be assured to have a house, a job and food every day. Probably these points were not among the good things to retain from the Commies, whereas global surveillance was.

Re:Heh.

[s.petry]

I never mentioned "secrets", like your example of trial evidence, I said "secret" as in know outside knowledge of ruling/decision. If the rulings are all secret, oversight is impossible. It's not just the US FISA courts that make "secret" rulings, but the UK has numerous secret courts as well.

We have had a similar discussion before. I _agree_ that some things should not be public knowledge. Plans for making weapons, locations of CIA houses, lists of operative names, etc.. are all fine to be restricted from the public. We don't need those to be available to have discussion on mass surveillance. The public should be aware of the Government plans to scoop all data from everyone everywhere using ever possible means including those that are considered illegal by their respective countries laws.

For example, if you start dumping all of the traffic from a site you could (and perhaps would depending on the target) go to jail based on numerous wiretapping laws related to computers. The list of laws is extensive, I'll suggest you get a book on CEH, CISSP, etc.. that explain those all of those laws. If the Government is going to break all of those laws, that should be a matter of public knowledge and debate. Not the agents names, and maybe not even the agency doing the work. The actions are what is important.

I mean, the government's using circular logic, and that's wrong. But the people raging against it are using equally broken logic. And there's perfectly good discussion not happening because everyone flung themselves to the polar extremes. Why?

I don't agree with there only being two extremes, and I don't agree that the majority of the discussion about mass surveillance is using broken logic. Most of the discussion against it has been using law which is not circular. The Government debate for mass surveillance is mostly that they don't have to follow the law, which is also not circular logic.

Re:Heh.

[Heed00]

They have to know that it's necessary at some level...

If by "it" you mean some sort of surveillance that's targeted, based on suspicion and granted on a case by case basis by an oversight (court, law, etc.) body that's just not a rubber stamp factory, then yes -- but I haven't really seen anyone argue against that, so I don't know where you are getting the notion of a false dichotomy.

Unless by "it" you mean "suspicionless mass surveillance" -- in which case, no, it is not necessary at some level.

Re:Heh.

[interkin3tic]

What irks me is people's reactionary "teh guv'ment's tryin' to take away mah freedomz!" to every discussion presented about government surveillance and/or intelligence activities. They have to know that it's necessary at some level, but they reduce this wide breadth of space from no surveillance to police society to a binary. I don't understand why so many people engage in black and white thinking when the problem so obviously isn't as clear cut as the overwhelmingly vast majority of people argue it is.

I'd suggest the overreaction is caused by the government's actions. Looking at the level of lying going on with NSA, and how many abuses the war on terror has been used to justified, I can't fathom how anyone would make a "lets not throw the baby out with the bathwater." They've justified an overreaction toward the side of freedom rather than security. I think at this point it's only safe to assume the worst of the government.

It seems pretty black and white to them. There seem to be alarmingly few voices inside the government expressing concern over moving to a police state. Those few that do seem to be expelled through groupthink, see Snowden and Manning for examples. Even very high government officials who voiced opposition were subject to backlash. Ashcroft decided stellar wind went too far. Bush sent people to harass him in the hospital trying to get him to cave. The attorney general, they did this to. And Bush went around him anyway. There seems to be no line the government isn't willing to cross.

Partisan politics as of late have also convinced me that the only way to fight determined zealots is with equally determination in the opposite direction. When you try to be reasonable with such stubbornness, you don't arrive at a middle ground that's a good balance for all, you end up being pushed backwards more and more. So if the government is willing to go full throttle towards police state, the only response is for us to go full throttle... whatever the opposite is. No state secrets. Ever. Oh, that will potentially endanger people? I'm dubious. There's two giant oceans between us and most people who would harm us, we have enough military might to literally kill everyone on earth, and anyone who would attack us is too dumb to cause any real damage. Moreover, we've faced bigger threats before without spying on everyone. You can't tell me we need the NSA spy program to defeat a bunch of islamic cultists but we DIDN'T need it to defeat the Nazis or get through the Cold War.

Even if it does endanger some people, I can live with that on my conscience better than I can live with allowing big brother to develop.

https?

So, when is Slashdot going to turn on https and stop the attack vector?

Re:https?

[Gravis+Zero]

So, when is Slashdot going to turn on https and stop the attack vector?

the real question is when will the internet switch to an uncompromised encryption scheme.

Re:https?

[ColdWetDog]

No need. All you have to do is insert some unicode in your post or response. If it renders correctly either 1) Hell just froze over or 2) You've been pawned.

Re: @slashdot: use https per default!

[Antony+T+Curtis]

Using HTTPS is not the solution when the only thing people see is that some trusted certificate was used. If a trusted Certificate Authority was compromised or issued `fake' certificates for government spy agencies, the target wouldn't know that a MITM attack has occurred because the little green icon is showing just fine.

However, if we had something like a GPG content encoding, if the site hasn't already been trusted by the user, red flags will immediately be showing.

Like as like not, with the proliferation of CAs which exist, MITM attacks are easier than ever because people have been conditioned to trust HTTPS.

Re:Really? British intelligence went after slashdo

[drinkypoo]

I have a hard time believing that someone convinced them this site was worthwhile.

That's because you're letting your ego get in the way. This isn't about you. This is about one or more specific targets that they believed or suspected were slashdot users.

Re:Really? British intelligence went after slashdo

[Captain+Hook]

Really? British intelligence went after slashdot?

No, the target were Belgium Telco workers.

GCHQ needed a way to insert malicous scripts on the workers PC in order to gain a foothold on the Belgium Telcoms networks. The way they did that was to run a man-in-the-middle attack on the sites that those workers were going to visit.

Re: @slashdot: use https per default!

[heypete]

True, but it would prevent the insertion of malicious packets (the "Quantum Insert" technique they describe in the various articles). Invalid SSL/TLS packets would simply be discarded and it would not be possible to insert malicious packets into the encrypted, MACed datastream.

Yes, MITM would be possible but Slashdot could implement certificate pinning (either through having browsers like Chrome have the cert details baked-in, or having users use something like Cert Patrol for Firefox) to make this harder. It's not foolproof, but it would certainly make this type of attack considerably more difficult and easier to detect.

Re:Really? British intelligence went after slashdo

[s.petry]

If we can't see what they do I have no trust in them.

If you can see what they do then so can the people they are trying to spy on. That is self-defeating.

Wrong, simply wrong. 20 years ago a warrant was required. We did not need to know the target name, but could see the judges name that signed the warrant and the agency or office name associated with the wiretap. Most importantly we could see and scrutinize the compelling arguments for the warrant. Without giving up agent names, this allowed oversight. Judge A approving every warrant would have been questionable, and probably removed from the bench. Judge B that had approvals and denials would still not be off the hook, but we could see what was being done without the detail that would have jeopardized officers.

Today, there is no oversight. Looking at a nearly rubber stamp approval without knowing judges names, or having power to remove them from the bench, what can the public do? Nothing, obviously. The only thing we have is overall request and approval numbers. Maybe every single request submitted is valid, maybe not. We don't see the compelling arguments for warrants, we just know that 99.99% of them are approved. Knowing the numbers of approved does not allow oversight.

If they are capable of what we "know", they are capable of attempting to silence critics.

"Capable of" and "intend to" are completely different questions, as well as matters of legal interest.

Nice word twisting, let me rephrase more carefully. "We know some of the illegal activities that the Government has been involved in, acting in secrecy. There is no reason to assume that they are not acting in other illegal ways. The only way to clear them is to open everything up."

Re: @slashdot: use https per default!

[dgatwood]

The problem is that certificates change regularly. What you really want is public key pinning, where you are warned if the public key changes, without regard to what CA signed it—not just the key fingerprint, either—the entire key. After all, you have the server's public key. Why would you ever start trusting a different public key for the same server?

AFAICT, there are only two valid to reasons rekey a server: if the key gets compromised (which, being a serious security problem, should be publicly disclosed on your server in some way) or because you're upgrading to a larger key. In the latter case, you should ideally sign the new key with the old key so that it is verifiable, and the browser should ignore that the old key is not trusted for key signing when it is only being used as a secondary signature for verifying a key change.

Re: @slashdot: use https per default!

[Andy+Dodd]

In addition to this, if you recall some of the recent Lavabit disclosures, we know that large Internet companies have been forced to provide their private SSL certs via secret court orders.

If the NSA/GCHQ have a site's private certs, they can MITM you without you knowing.