Belgian Prosecutor Looking Into Reports That NSA/GCHQ Hacked Well-Known Belgian Cryptographer

from the sneaky-sneaky dept

Last year, we wrote about the NSA and GCHQ hacking into Belgian telco Belgacom using a “quantum insert”, a man-in-the-middle attack that served “fake” Slashdot and LinkedIn pages. It has now come out that Belgian prosecutors are looking into reports that one of those attacks was directed at a well-known Belgian cryptographer, Jean-Jacques Quisquater. According to David Meyer at GigaOm:

The Université catholique de Louvain professor apparently fell victim to a “quantum insert” trick that duped him into thinking he was visiting LinkedIn to respond to an emailed “request” when he was actually visiting a malware-laden copy of a LinkedIn page.

“The Belgian federal police (FCCU) sent me a warning about this attack and did the analysis,” Quisquater told me by email. As for the purpose of the hack: “We don’t know. There are many hypotheses (about 12 or 15) but it is certainly an industrial espionage plus a surveillance of people working about civilian cryptography.”

Of course, looking into it doesn’t mean very much at this point. There had been serious concerns about how the NSA and GCHQ used the attacks on Belgacom to then bug systems at the EU Parliament in Brussels. Whether or not they’ll do something in response to “just” hacking a cryptographer remains to be seen — but it should remind basically everyone in the world that the NSA/GCHQ don’t seem to have any hesitation about hacking just about anyone.

Update: As noted in the comments, there are good reasons to believe this was not the work of the NSA/GCHQ, but potentially other government attacks…


Comments on “Belgian Prosecutor Looking Into Reports That NSA/GCHQ Hacked Well-Known Belgian Cryptographer”

13 Comments
Ninja (profile) says:

Now that they lost their credibility and thus their opening to insert backdoors in the crypto standards all that is left is to collect damning info on cryptographers to blackmail them or hijack their lives entirely so they’ll be impaired in their ability to contribute with cryptography. No?

When the tyrant can’t rule in disguised kindness it will revert to blunt, evil force.

[deleted] says:

Seems Justin Bieber is of no consolation to NSA anymore. They manage to outdo him and remain in the front page news on a daily basis.

I am yet to see defenders amongst the general public (aside from the criminals concerned).

Business model with no Plan B sinking, and yet, they refuse to reinvent themselves. I am curious to see how far they will sink.

Anonymous Coward says:

And the UK government keeps on about the illegal downloading that happens there and how its censoring of the Internet is justified because of the numbers (totally unknown by anyone, unfortunately) of children being caught in sex exploitation and, the entertainment industries’ failure to step up to the plate and join the rest of the world for distributing media and the numbers of crimes that take place in the make-believe world of Cameron! Unbelievable!!

Nicholas Weaver (profile) says:

Please correct, this is likely NOT the NSA...

A far better report is from TechWeek Europe.

Two very important points:

The initial attack was phishing based. The NSA doesn’t need to phish; they just use direct packet injection instead.

The malcode appears to be a MiniDuke variant.

We don’t know who is operating MiniDuke (namely, is it the Russians or is it the Chinese?), but the targeting history suggests that it is not the US/UK, as a significant number of the targets of MiniDuke have been US/UK computers (Think tanks, research institutions), while NSA/GCHQ is largely outward facing.

Thus the headline is WRONG: Quisquater was probably attacked by a nation-state level adversary, but that adversary is probably NOT the NSA/GCHQ.

Laroquod (profile) says:

What kind of a cryptographer clicks links to a well-known site received via *email* instead of opening a browser and typing the address in manually? The fact that he fell prey to the simplest and most easily avoided attack in the world does not speak very well for Mr. Quisquater. I’m going to give him the benefit of the doubt by speculating that maybe his expertise is not in the area of malware, and advise him to take the most basic, remedial course on how to remain secure online.

Nicholas Weaver (profile) says:

Re: Re:

I’d ask the opposite: What kind of person, who sees mail with a link from

a: Company that routinely sends such mail

b: Matches semantically with such mail

c: Would be something they’d want to view

would NOT click on the link? I think the blame the user mantra here is ridiculous. Such links should be untrusted (no plugins, no scripts), or disabled completely, but to expect users to not click on a link in email destroys the whole notion of sending links in email.

John Fenderson (profile) says:

Re: Re: Re:

I absolutely wouldn’t. It’s internet safety 101, something that people have been trying to drill into everyone’s heads since approximately forever.

Never open an email attachment without checking with the sender that they meant it, no matter how well you know the sender — and if you’re asking via email, don’t hit the “reply” button to do it.

Never click on links embedded in emails, even if you know the sender. Ever. Copy them into your browser instead.

Yes, it absolutely sucks that this sort of thing is necessary, but that doesn’t change the fact that it’s necessary.

In this particular case, blaming the user is not entirely invalid. The guy is a security professional, and presumably is aware of at least the most basic rules of internet security. That he didn’t follow them is a failure on his part. That doesn’t excuse the behavior of the criminals at all — just saying that this guy should have known better.

Laroquod (profile) says:

Re: Re: Re:

If you click on such links, then you are a fool. I never do and that is the main reason that I have never been hacked. In fact, if your only security measure were to not click on links to well-known sites sent to you via email, then you probably would not even need an antivirus (although you should install one, anyway).

Blame the user is absolutely the correct mantra here, since it is the ONE PHILOSOPHY that will result in NO INFECTIONS FOR THE USER once that user realises that he/she is at fault for putting faith in a plaintext medium with zero security.

John Fenderson (profile) says:

Re: Qubes-OS would have prevented it

Sandboxing in VMs does give you a lot of protection, and I recommend it. But it’s nothing like a panacea — there are numerous attacks that can escape the VM. They just require a little more skill and effort (for now).

One of the dangers of taking security measures is that people think the security measures mean that they can engage in risky behavior again. That’s never actually true, and this effect is why history is riddled with examples of security and safety measures actually leading to less security and less safety.

@b says:

look down this rabbit hole

The term “quantumInsert” voids all comments about email & copy-pasting links.

This is a man-in-the-middle attack. The victim’s browser is asking for the VALID dot com and being delivered a FAKE (the injection) faster than the valid dot com can deliver (hence quantum). How? Attack system involves victim’s telco/ISP.

Click through the links if you’re curious.

So if this (state) technique targeted your browser, you’d also be duped. You couldn’t tell fake from real.

Lastly, with your browser compromised “they” can snoop your host OS, and use day-zero exploits to take over (root) your machine.
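
When a forged response wins a race like the one described in the comment above, the genuine response still arrives afterwards, so the client receives two different payloads for the same TCP sequence range. The following check for that trace is an added example, not part of the original post or thread; the `Segment` type, the function name and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


class Segment(NamedTuple):
    flow: tuple     # (src_ip, src_port, dst_ip, dst_port), server-to-client only
    seq: int        # sequence number of the first payload byte
    payload: bytes


def find_conflicting_segments(segments):
    """Report segments whose bytes disagree with data already seen at the
    same sequence positions of the same flow. An identical retransmission
    is normal TCP behaviour and is not reported."""
    seen = defaultdict(dict)  # flow -> {sequence position: first byte seen}
    findings = []
    for seg in segments:
        stream = seen[seg.flow]
        differing = []
        for offset, byte in enumerate(seg.payload):
            pos = (seg.seq + offset) % MOD
            if pos not in stream:
                stream[pos] = byte          # remember the first copy
            elif stream[pos] != byte:
                differing.append(pos)       # later copy says something else
        if differing:
            findings.append({"flow": seg.flow, "first_conflict_seq": differing[0],
                             "bytes_differing": len(differing)})
    return findings


# Constructed sample capture (documentation addresses, made-up payloads).
FLOW_A = ("192.0.2.10", 80, "198.51.100.7", 50111)
FLOW_B = ("192.0.2.20", 80, "198.51.100.7", 50112)
SAMPLE = [
    Segment(FLOW_A, 1000, b"HTTP/1.1 302 Found\r\nLocation: http://other.example/\r\n\r\n"),
    Segment(FLOW_B, 5000, b"HTTP/1.1 200 OK\r\n\r\nhello"),
    Segment(FLOW_B, 5000, b"HTTP/1.1 200 OK\r\n\r\nhello"),   # plain retransmission
    Segment(FLOW_A, 1000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
]

if __name__ == "__main__":
    for finding in find_conflicting_segments(SAMPLE):
        print(finding)
```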
