Alongside world leaders, diplomats, and investigative journalists, everyday engineers join list of targets for cyber spies

Updated your LinkedIn profile lately? Are you sure it was LinkedIn? You may want to reconsider. You should also think twice about what you’ve been saying lately on Slashdot, too.

Today Der Spiegel reported that the British secret service has been targeting engineers working at European telecom exchanges using spoofed LinkedIn and Slashdot pages. Their intent: To quietly take over the engineers’ systems, steal their passwords, and gain access to billions of messages that pass over these exchanges.

As InfoWorld’s Serdar Yegulalp writes:

Why hack into roaming exchange providers? Such outfits, like Belgium’s Belgacom, are treasure troves of data about mobile voice and data connections across Europe — an obvious plum for picking by any intelligence agency. Belgacom provides Internet and telecom for all of the EU’s official institutions, so it wouldn’t be surprising to learn that American spy efforts in Europe (like the surveillance of German Chancellor Angela Merkel’s cellphone) have been aided by such hacks.

Yegulalp adds that this is a common target for Russian cyber gangs and other criminals. Remember when you used to be able to tell the difference between the good guys and the bad ones?

Quantum without solace

The British spies apparently took advantage of an NSA system called Quantum. Bruce Schneier has a thorough explanation of how it works, but the tl;dr version goes like this: Superfast computers sitting in privileged positions on the Internet backbone intercept your HTTP requests before they can reach their actual destination and send back fake pages.
The page may look, smell, and taste like your LinkedIn profile, but a tasty little malware treat hidden inside lets the spooks take over your computer and record your keystrokes.

The NSA and GCHQ don’t send these “enhanced” pages to just anyone. That would be counterproductive — they’d be drowning in even more irrelevant data than they already are, and they’d increase the risk of a tech-savvy user figuring out what they were doing.

Instead, the spooks pick their spots. In other words, they need to spy on you a little, to determine if you’re worth spying on, before they decide to spy on you a lot. In one case, noted Der Spiegel, British spies came across a computer expert working for one of these global exchanges in India and decided to make him a target.

The top-secret document shows how extensively the British intelligence agents investigated the life of the innocent employee, who is listed as a “target” after that. A complex graph of his digital life depicts the man’s name in red crosshairs and lists his work computers and those he uses privately (“suspected tablet PC”). His Skype username is listed, as are his Gmail account and his profile on a social networking site. The British government hackers even gained access to the cookies on the unsuspecting victim’s computers, as well as identifying the IP addresses he uses to surf the web for work or personal use. In short, GCHQ knew everything about the man’s digital life, making him an open book for its spies.

Shake that fake

How do you know your LinkedIn profile has been spoofed by the NSA?
General Keith Alexander has endorsed you for Poison Pills, Dead Drops, and Ninja Killing Techniques.
When you click the “Who’s viewed your profile” link it says, “We could tell you, but then we’d have to kill you.”
The People You May Know list includes Jason Bourne, Maxwell Smart, and some guy named Bond.
Glenn Greenwald just sent you a networking request.

Sussing out Slashdot spoofs is much simpler: If you’ve been posting comments on Slashdot for more than five minutes and no one’s called you an idiot, you’re clearly on a fake page.

Targets acquired

All kidding aside, here’s the larger, more serious point: When NSA and GCHQ talk about “targets,” they’d like you to think they’re talking about terrorists and their friends. Quite frankly, nobody is likely to shed a tear over the spooks doing their jobs and taking down the bad guys before anyone gets hurt. The rationale has always been, yes, some innocent people might get swept up along with the bad ‘uns, but a) this is rare, b) we do everything we can to minimize that risk, and c) adult supervision is nearby to make sure nothing gets out of hand.

This time, the targets aren’t potential terrorists. They aren’t part of a massive haystack of anonymous users that needs to be combed to find a few bad needles. They aren’t world leaders surrounded by teams of security. They’re working stiffs who happen to have jobs in sensitive positions where they hold the keys to a kingdom that’s of particular interest to the Surveillance Powers That Be.

They’re engineers. They’re innocent. And the spooks don’t care. Slashdot reached out to GCHQ for an explanation as to why it was spoofed.
The response bristled with arrogance:

All GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.

Translation: We asked ourselves for permission and decided it was OK.

Trust never sleeps

It would be incredibly naïve to assume these spoof attacks were limited to LinkedIn or Slashdot, or happened only to particular people at a handful of companies. It would be equally naïve to assume the only victims here are the individuals who got spied on, their employers, and services like LinkedIn and Slashdot whose legitimacy is in tatters.

When the spooks can target anyone anywhere, using any service for any reason, nothing we do online can be trusted. The basic legitimacy of the Internet itself is in question.

Is that Gmail page legit or a cunningly crafted fake? How about your Facebook account? What about the page you’re reading right now? You could strap on every security tool you can find and turn your PC into a fortress, yet still never be sure that none of them have been compromised. How do you really know?

What methods do you use to protect yourself on the Net? Weigh in below or email me: cringe@infoworld.com.

This article, “It’s spooks vs. geeks in LinkedIn, Slashdot hacks,” was originally published at InfoWorld.com.