Exposed – Jean-Jacques Quisquater on Alleged NSA-GCHQ Hack

Jean-Jacques Quisquater on Alleged NSA-GCHQ Hack

Thanks to Jean-Jacques Quisquater.

 


Comments about “NSA-GCHQ Allegedly Hack Cryptographer Quisquater”

More info written by Jean-Jacques Quisquater.

This text was updated on February 6, 2014 in the afternoon (Belgian time).

Since February 1st 2014 many papers appeared in the newspapers and on internet concerning  the hack of the personal portable computer of Jean-Jacques Quisquater (JJQ). See

http://www.pcworld.com/article/2093700/prominent-cryptographer-victim-of-malware-attack-related-to-belgacom-breach.html
http://www.theregister.co.uk/2014/02/03/nsa_gchq_accused_of_hacking_belgian_smartcard_crypto_guru/
http://yro.slashdot.org/story/14/02/03/1239223/crypto-legend-quisquater-targeted—but-nsa-may-not-be-to-blame

Unfortunately many of these papers suffer from approximations and extrapolations and some of them are wrong.

The following text is intended to clarify the context of the attack as much as possible as the investigations are not complete at this stage.

In short:

-Facts: Yes, this portable computer was attacked. We don’t know for sure the vector of the attack in use. According to the Belgian Federal Police the attack of this computer is strongly related to the attack of Belgacom in Belgium allegedly hacked by NSA-GCHQ.

The only found vector of attack is related to an email spoofing a linkedin email mentioning a name close to a name known by JJQ. From this email, JJQ opened a link  to a profile of the mentioned person and JJQ immediately understood it was a spoof and closed his computer in one second. The computer was later extensively scanned by several malware detectors without result. Possibly another vector of attack was used but there is no trace of it.

-Data available on the computer: There was no sensible data on the computer. The main part of  the JJQ’s work is the design of (formal) methods related to cryptography and computer security and this activity is twofold:

   – Methods related to the academic world finally anyway published in conferences, journals, patents and standards. Privacy concerning reviews of scientific papers is important to write these reviews without external pressure, the content is nevertheless not critical.   – Activities related to sensible data of companies always follow a very strict procedure which lead to a very strong level of security
(the use of safes, only in company rooms, dedicated computers without connection, destruction of all the data at the end of the study). Therefore no sensible information related to companies is available on this personal computer.

Companies are only using the practical ideas of JJQ in the spirit of the main principle of Kerckhoffs (« only the key is secret ») and
of Shannon (« The enemy knows the system »).

-The purpose of the attack:  we don’t know. Maybe the cryptography research is under surveillance, maybe some people hope to find some interesting information or contact, maybe there is another goal we will never know.

More precisely:

– September 16, 2013: the Belgian newspaper De Standard announced an attack of Belgacom (main communication operator in Belgium) by the NSA (links in Dutch):

http://www.standaard.be/cnt/dmf20130915_00743233
http://www.standaard.be/cnt/dmf20130916_00743534

– September 16, 2013 (same day in the afternoon): Jean-Jacques Quisquater received an email spoofing a linkedin email,
opened a link to a profile of somebody he was thinking he knows, saw immediately it was a spoof and closed in one second
his computer. The computer was strongly scanned by several malware detectors without result.

JJQ comments: It is not sure that this attack was working and is related to the main attack against the computer but the dates are matching. Other people were also attacked in Belgium. We don’t know the vector of the “winning” attack (phishing, injection packet
through Quantum Insert, … ?).

– September 20, 2013: Der Spiegel announced an attack of Belgacom by GCHQ using tools from NSA, from the files of Snowden: see

http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html

– November 8, 2013: the Federal Police contacted JJQ to discuss with him.

– November 12, 2013: meeting with people from the Federal Police. They announced that the computer was strongly attacked by a targeted attack (it means an attack where there is only one target: it is nearly impossible to detect it). The attack was directly related to the Belgacom attack. The used malware is very clever, very difficult to detect, impossible to remove using currently available antivirus. In fact the malware was only active when outside the personal home. The communications between the malware in the computer and the servers at Belgacom are encrypted: so only metadata are possibly usable for the investigations. It is thus also impossible that any large content from the computer was communicated. No confidential information (commercial or not) was on this computer.

– December 2, 2013: The attack was confirmed and is still under investigation. Later it was learnt that the malware is likely a variant of the malware miniduke:

https://www.securelist.com/en/blog/208194129The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_Micro_Backdoor

This version of the malware is not detected by any currently available antivirus.

– January 28, 2014: A journalist from De Standaard (Belgian newspapers) contacted JJQ in order to have a meeting because somebody spoke to the journalist about an hacked well-known Belgian cryptographer speaking French (clearly JJQ). This hacking was presented as directly related to the hacking of Belgacom.

– January 30, 2014: During the meeting the journalists announced that De Standaard will publish a paper about this story on next Saturday.

– Saturday February 1st, 2014: Publication of their story by De Standaard: http://www.standaard.be/cnt/dmf20140201_011 (translation in English) and the buzz began. JJQ then answered questions from the Belgian TVs RTBF and RTL.

There are also a lot of information about targeted attacks in:

http://www.symantec.com/security_response/publications/threatreport.jsp

Also read this paper from RAID 2012 (the research conference about intrusions):

http://link.springer.com/chapter/10.1007%2F978-3-642-33338-5_4

 


 


 

Advertisements