
UK spies continue “quantum insert” attack via LinkedIn, Slashdot pages - gabemart
http://arstechnica.com/tech-policy/2013/11/uk-spies-continue-quantum-insert-attack-via-linkedin-slashdot-pages/
======
archgoon
For those who, like me, were baffled by the term "Quantum Insert", here's a
Schneier article that describes the meaning of the term:

[https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html](https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html)

In short, Quantum Insert (rather QUANTUMINSERT) is essentially a Man in the
Middle attack, where the NSA (or GCHQ in this case) injects code (potentially
zero days) into the response to the http request. The network of servers that
perform the injection and interception is apparently codenamed QUANTUM, and
has nothing to do (to our knowledge) with Quantum Computing or Quantum
Cryptography.

~~~
nly
I don't understand why timings are critical to the operation of the system.
Wouldn't packet filtering + transparent proxying work just as effectively? Is
this a TCP sequencing attack of some kind?

~~~
akjj
Presumably they don't have the capability to filter or modify packets passing
through the exchange. So when they see the target's computer opening a connection,
they have to generate a reply fast enough that it reaches the computer before
LinkedIn's server replies.

~~~
omh
But if they don't have the capability to modify packets, wouldn't the original
LinkedIn packet get through as well? Perhaps the OS might ignore it, but it
seems like it would show up in some cases.

~~~
Udo
I would assume the original packets get dropped as duplicates at the router
level, but if they do get through to the end user's computer there would be a
way of detecting that this attack is underway.

~~~
dalore
Routers operate on the Internet Protocol layer (level 3), which has no state
(or anything considered a duplicate). TCP is a layer above (level 4) and that
has sequence ids.

~~~
Udo
I'm skeptical that there is no infrastructure in place to prevent this, but if
you're right, it really _should_ be possible to make a home router plugin
(for, say, OpenWRT) to detect this spoofing. This plugin could then be used to
gather data on how prevalent this attack is, which would be quite interesting.
Because as I see it, there is really no reason to believe this is just used
for Tor exclusively.

~~~
dalore
It's easily detectable. You could put a firewall rule to mark it and log it to
syslog as this can happen at the kernel level. You will, however, get lots of
false positives as you get duplicate sequence ids anyway in the normal course
of things as things time out and resend connections they think are lost.

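As an added illustration of the detection idea discussed in this subthread (not code from the article or from any commenter): a spoofed reply that wins the race carries the same TCP sequence number as the genuine reply but different bytes, whereas a benign retransmission repeats the same bytes. Keying on "same seq, different payload" rather than "same seq" alone is what removes most of the false positives mentioned above. The segment list is constructed sample data.

```python
from collections import defaultdict

# Constructed sample of inbound TCP segments for one HTTP flow, as the
# client sees them: (time_s, seq, payload). Not real capture data.
SEGMENTS = [
    # Same seq, different bytes: a spoofed reply racing the real one.
    # The first to arrive is accepted; the TCP stack drops the second
    # as a duplicate, so the host itself never notices.
    (0.000, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nAAAAA"),
    (0.031, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # Same seq, byte-identical payload: an ordinary retransmission.
    (0.100, 2000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (0.350, 2000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (0.400, 2041, b"trailer"),
]

def find_injection_candidates(segments, window_s=1.0):
    """One alert per seq seen with >1 distinct payload within window_s.
    Retransmissions repeat the same bytes and are ignored, which removes
    the false positives a plain 'duplicate seq' firewall rule produces."""
    by_seq = defaultdict(list)
    for t, seq, payload in segments:
        by_seq[seq].append((t, payload))
    alerts = []
    for seq, seen in sorted(by_seq.items()):
        seen.sort()                      # arrival order
        first_t, first_payload = seen[0]
        variants = {p for t, p in seen if t - first_t <= window_s}
        if len(variants) > 1:
            alerts.append({"seq": seq, "first_seen": first_t,
                           "variants": len(variants),
                           # what the client actually consumed
                           "accepted_payload": first_payload})
    return alerts

def retransmission_count(segments):
    """Exact repeats (same seq, same bytes): the benign duplicates."""
    seen, repeats = set(), 0
    for _, seq, payload in segments:
        repeats += (seq, payload) in seen
        seen.add((seq, payload))
    return repeats

if __name__ == "__main__":
    for a in find_injection_candidates(SEGMENTS):
        print(f"seq={a['seq']} first_seen={a['first_seen']}s "
              f"variants={a['variants']}")
    print("benign retransmissions ignored:", retransmission_count(SEGMENTS))
```

On a real capture the same logic needs to be keyed per flow (the 4-tuple) and should tolerate partially overlapping retransmits, which a strict equality check on the payload does not do.
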
------
grey-area
The more I read about these attacks, the more I wonder if these spies consider
themselves completely above the law.

Which law would govern or moderate their behaviour here in spying on
politicians and companies in allied countries? Where are the boundaries, or is
anyone of interest a potential target? Is all data fair game for GCHQ/NSA?

~~~
lignuist
I'm pretty sure that some of them are aware that they are criminals, but
probably the power of the money is stronger than the power of their ethics.

~~~
eriksank
There is simply too much money to be made in knowing where someone lives and
in what bank accounts, 401k, and IRA accounts his net worth is stored. This
person will not just die, my friend. _This person will be died._

------
jamhan
Here's a link to the article (in German) on Der Spiegel website (not
magazine): [http://www.spiegel.de/netzwelt/netzpolitik/britischer-gchq-nutzt-gefaelschte-linkedin-seiten-a-932714.html](http://www.spiegel.de/netzwelt/netzpolitik/britischer-gchq-nutzt-gefaelschte-linkedin-seiten-a-932714.html)

Here's an English version:
[http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html](http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html)

------
onedev
Why is LinkedIn always in some sort of security snafu? It seems like it's
always them.

Of course it's probably also my selective memories.

~~~
draugadrotten
> Why is LinkedIn always in some sort of security snafu? It seems like it's
> always them.

Target Awareness - many users of LinkedIn are not aware they could be targets

Target Identity - people usually browse LinkedIn with a single identity which
can rather easily be linked to a real person, making targeting easier.

Network effect - Target connections to the real target which may be cautious
and/or heavily protected

etc

~~~
leoc
Maybe a relatively high proportion of interesting, high-value targets too.

~~~
csmuk
Or perhaps it's just easier to find the people you want?

------
VLM
"nine salaried employees" of the Organization of Petroleum Exporting
Countries (OPEC), the global oil cartel.

So they get those guys via /.? Well I guess with the recent demise of
theoildrum.com, they've gotta go somewhere.

~~~
Zigurd
At least the OPEC guys are paying attention. No search results on LinkedIn for
OPEC as current company.

~~~
Amadou
I don't use linkedin, but that doesn't seem right:

[http://www.linkedin.com/title/opec](http://www.linkedin.com/title/opec)

~~~
Zigurd
I searched on OPEC as the current or former employer. None of these, as far as
I can tell, are actually employed by OPEC. One is a liaison from the Iran
national oil ministry with a private profile, so the name isn't revealed in
the search.

~~~
Amadou
Without an account I can only see the first 5 of the ~300 hits. But Yasser
Mufti looks like an OPEC employee to me, he's listed as the chairman of the
board of governors. Maybe he's technically on Aramco's payroll, but I think
that would be nitpicking since OPEC is funded by member companies.

[http://www.bloomberg.com/news/2013-09-25/saudi-arabia-opec-governor-mufti-said-to-leave-by-end-of-2013.html](http://www.bloomberg.com/news/2013-09-25/saudi-arabia-opec-governor-mufti-said-to-leave-by-end-of-2013.html)

------
brown9-2
So a member of Congress laments poor Congressional oversight of the US
intelligence community.

How about trying to do something about it?

~~~
dmix
He proposed firing the head of the NSA, Keith Alexander, as the solution.

Because in politics changing the leaders at the top is always the solution
(that the public is sold) to fixing the large broken systems beneath it.

~~~
pyre
Not that Keith Alexander should retain his job though... It's just not a
comprehensive solution to the problem.

~~~
a3n
It is if the problem is to get the public to STFU and forget. Which it usually
is, to people of McCain and Alexander's ilk.

And by the way, firing Alexander would be almost like giving a cop paid
vacation for shooting someone. He was going to retire in a few months anyway,
and if he were to be fired he would almost certainly retain his very, very good
military retirement.

And then he'll work as a do-nothing name on the masthead consultant at some
private equity or think tank.

------
SideburnsOfDoom
Let's hear how this targeting of engineers from specific European telecoms
firms could _somehow_ be an anti-terror measure!?

~~~
a3n
Because they aren't the ultimate targets. They're trying to get their
credentials, access and capabilities, so they can then go after whoever
they're really interested in without having to ask, bribe or compel the
company.

Open question whether their ultimate targets are terrorists or "everybody."

~~~
eriksank
Everybody with enough financial net worth to make sure he does not just die
but _will be died_. Strange transactions on your accounts, my friend. The
balance is almost gone. _Is that why you have had an accident?_

~~~
dinkumthinkum
You're saying this stuff all over the place. Do you live in a conspiracy
theory? This "will be died" stuff is kind of odd ...

------
Amadou
I think it is safe to say that, like the vast majority of known browser
exploits, the injection mechanisms here also relied on javascript as a
necessary component.

Thus this is another example of the potential risks to your users when
designing websites that are noscript-unfriendly.

FYI, NoScript is the 4th most popular add-on for firefox.

[https://addons.mozilla.org/en-US/firefox/extensions/?sort=users](https://addons.mozilla.org/en-US/firefox/extensions/?sort=users)

------
rdl
Seems like there is an opportunity for a smart and honorable network device
(CPE like a router, maybe also doing normal router/firewall duties, but maybe a
standalone IDS) which, in combination with network services, can detect and
optionally report this kind of molestation of packets to the user and maybe
the community. DNS is the vector for many of these, and that is easy.

------
frank_boyd
To sum it up: This allows these people:

- to take over computers without leaving any trace

- to control public opinion by falsifying any information served (i.e. news)

- to conduct mass surveillance by a) tracking any use of the computer, b) by
activating integrated cameras, c) by activating integrated microphones

Very, very nice work indeed, if you aim to destroy democracy and thereby
society.

------
Eye_of_Mordor
Snowden has basically exposed the UK/US contempt for basic human rights and
the systems that support them. How can we be free while these monsters are
operational? They must be shut down immediately and taken away for trial in every
country whose laws they have violated...

------
confluence
I love how utterly useless our intelligence agencies have become in the face
of even the most basic encryption. Encrypt things at rest and on the fly with
mutating keys and you defeat them. It's actually quite reassuring.

------
w_t_payne
So does this mean that engineers are legitimate targets for NSA/GCHQ?

~~~
ihsw
Nobody is ever an illegitimate target.

------
bro666
I'm more interested in the inserted malware code package itself -- and how
widespread it is among LinkedIn accounts -- than a routine MITM by GCHQ known
to be sitting with permission on the internet backbones of BT (REMEDY Remedy),
Verizon Business (DACRON), and Vodafone Cable (GERONTIC), Global Crossing
(PINNAGE), Level 3 (LITTLE), Viatel (VITREOUS) and Interoute (STREETCAR).

Der Spiegel says they have located a Mach engineer in India on the receiving
end of QI. Hopefully he had the sense to unplug from the internet before the
malware could get wiped.

I wonder if GCHQ re-used some code from Flame. Might be some work here for
Kaspersky Labs.

------
acd
How do you know if LinkedIn look-alike spam mails were a quantum trying to
insert malicious code? I have gotten similar targeted look-alike LinkedIn
links.

------
user24
Oh wow, they're targeting specific (innocent) employees and serving malware
infected versions of LinkedIn and /.?!?!?!??! wow.

------
nuII
not surprising

------
eriksank
That is how they end up stealing your bitcoins too. All of these QUANTUM
INSERT computers have now been targeted at getting hold of your wallet keys.
Your money will be gone.

Staying in the banking system will not help either. The sum of the balances of
your holdings in the banking system forms a bounty on your head.

They know who you are. They know where you live. And they damn well know how
much money there is to be made _in dying you_.

You will not die. _You will be died_.

Do not hold any monetary values anywhere without them knowing where it is,
because that amounts to money laundering, you criminal terrorist!

~~~
nknighthb
Your comment history before today appears at a glance to be unremarkable. What
exactly happened 11 hours ago to turn you into a raving lunatic?

~~~
tedunangst
Wrote a check that bounced? Loan application turned down?

