

British Intelligence Responds To Slashdot About Man-in-Middle Attack

Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'"

Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog.

7 of 256 comments

  1. Heh. by girlintraining · · Score: 5, Insightful

    All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight

    The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

    --
    #fuckbeta #iamslashdot #dicemustdie

    1. Re:Heh. by s.petry · · Score: 5, Insightful

      The Stasi said the same thing in East Germany. But that's circular logic: We're authorized to do this because we authorized it.

      Exactly! They claim that they use laws to control what they snoop, and have oversight. When the laws are "secret", the courts are "secret", and the oversight is internal how much should we trust them? None at all!

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    2. Re:Heh. by lorinc · · Score: 5, Interesting

      It's funny to see people finally realize that the world we're headed to is very similar to that of East Germany, with the slight difference that you won't be assured to have a house, a job and food every day. Probably these points were not among the good things to retain from the Commies, whereas global surveillance was.

  2. https? by Anonymous Coward · · Score: 5, Insightful

    So, when is Slashdot going to turn on https and stop the attack vector?

  3. Re:Really? British intelligence went after slashdo by drinkypoo · · Score: 5, Interesting

    I have a hard time believing that someone convinced them this site was worthwhile.

    That's because you're letting your ego get in the way. This isn't about you. This is about one or more specific targets that they believed or suspected were slashdot users.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. Re: @slashdot: use https per default! by dgatwood · · Score: 5, Interesting

    The problem is that certificates change regularly. What you really want is public key pinning, where you are warned if the public key changes, without regard to what CA signed it—not just the key fingerprint, either—the entire key. After all, you have the server's public key. Why would you ever start trusting a different public key for the same server?

    AFAICT, there are only two valid reasons to rekey a server: if the key gets compromised (which, being a serious security problem, should be publicly disclosed on your server in some way) or because you're upgrading to a larger key. In the latter case, you should ideally sign the new key with the old key so that it is verifiable, and the browser should ignore that the old key is not trusted for key signing when it is only being used as a secondary signature for verifying a key change.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
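The pinning policy dgatwood describes above, as an added example that is not part of his comment or of any Slashdot code: a client pins the whole public key on first contact, accepts later connections only if the key is unchanged regardless of which CA signed the certificate, and accepts a changed key only when the server presents a notice of the new key signed with the old key. The example stands in Ed25519 keys for the server's TLS key and an in-memory map for the client's pin database; the host names, `PinStore`, `KeyChange`, `SignKeyChange` and `CheckPin` are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// PinStore maps a host name to the full public key last seen for it.
// It is an in-memory stand-in (an assumption of this example) for the
// persistent pin database a browser or client would keep.
type PinStore map[string]ed25519.PublicKey

// KeyChange is the notice a server publishes when it rotates keys:
// the new public key and a signature over that key made with the OLD
// private key, so a client holding the old pin can verify the change.
type KeyChange struct {
	NewKey    ed25519.PublicKey
	OldKeySig []byte
}

// ErrPinMismatch is returned when the presented key differs from the pin
// and no valid old-key signature vouches for the change.
var ErrPinMismatch = errors.New("public key changed without a valid signature from the pinned key")

// NewKeyPair generates a fresh Ed25519 key pair (stand-in for a server's TLS key).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignKeyChange is the server-side step: sign the new public key with the old private key.
func SignKeyChange(oldPriv ed25519.PrivateKey, newPub ed25519.PublicKey) KeyChange {
	return KeyChange{NewKey: newPub, OldKeySig: ed25519.Sign(oldPriv, newPub)}
}

// CheckPin is the client-side check:
//   - first contact: pin the whole key (trust on first use);
//   - same key as pinned: accept, whichever CA signed the certificate;
//   - different key: accept only if a KeyChange carries a signature over the
//     presented key that verifies under the pinned (old) key, then move the pin;
//   - otherwise: refuse, which is the warning the comment asks for.
func (ps PinStore) CheckPin(host string, presented ed25519.PublicKey, change *KeyChange) error {
	pinned, seen := ps[host]
	if !seen {
		ps[host] = append(ed25519.PublicKey(nil), presented...)
		return nil
	}
	// Compare the entire key, not a truncated fingerprint.
	if bytes.Equal(pinned, presented) {
		return nil
	}
	if change != nil &&
		bytes.Equal(change.NewKey, presented) &&
		ed25519.Verify(pinned, change.NewKey, change.OldKeySig) {
		ps[host] = append(ed25519.PublicKey(nil), presented...)
		return nil
	}
	return ErrPinMismatch
}

func main() {
	const host = "slashdot.example" // constructed host name
	pins := PinStore{}
	pubA, privA := NewKeyPair() // the server's original key
	pubB, _ := NewKeyPair()     // the server's legitimately rotated key
	pubM, privM := NewKeyPair() // a key an interposing party would present

	fmt.Println("first visit, pin A:       ", pins.CheckPin(host, pubA, nil))
	fmt.Println("revisit with A:           ", pins.CheckPin(host, pubA, nil))
	fmt.Println("unannounced switch to M:  ", pins.CheckPin(host, pubM, nil))
	good := SignKeyChange(privA, pubB)
	fmt.Println("rotation A->B signed by A:", pins.CheckPin(host, pubB, &good))
	bad := SignKeyChange(privM, pubM) // signed by a key that was never pinned
	fmt.Println("switch to M signed by M:  ", pins.CheckPin(host, pubM, &bad))
}
```

The two refusals in `main` are the cases the comment cares about: a key that simply differs from the pin, and a key that differs and comes with a "rotation notice" signed by something other than the pinned key. Only a notice whose signature verifies under the key the client already holds moves the pin, which is why a first-use pin of the full key is worth more than a CA check on each connection.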

  5. Re: @slashdot: use https per default! by Andy+Dodd · · Score: 5, Insightful

    In addition to this, if you recall some of the recent Lavabit disclosures, we know that large Internet companies have been forced to provide their private SSL certs via secret court orders.

    If the NSA/GCHQ have a site's private certs, they can MITM you without you knowing.

    --
    retrorocket.o not found, launch anyway?