Monday, January 9, 2017

So, about that "the Russians hacked the emails" story

I went and read the government report so that you don't have to.  The report claims that the Russians hacked the DNC (the title of the report is "Russia-Hack-Report.pdf" so there's no question).

First, some computer security background from a very long and detailed analysis:
For Hillary we have a Hacker in custody who said he [hacked] it, where there is evidence he did it, where a law enforcement agency caught him in the act and where he was hauled in by the FBI. He said it was a trivial hack technique based on knowing personal details to make a custom dictionary (names, family and pet names, addresses, place of birth, etc.) then using it in a Dictionary Attack on some folks or in a “I forgot my password / Tell me your last name and DOB and I’ll send it to you.” spoof. There is also evidence (weak, but extant) that many TLAs (Three Letter Agencies) and other actors had hacked into her home brew server by other means.
Given what I’ve heard of the set-up, it would be a nearly open book to anyone with skilz. First off, it was built on PRISM infested equipment (so the NSA was in, and potentially the CIA), second, it was Microsoft, so if you didn’t patch daily, you were hacked with known zero-days, and if you DID patch daily, you were hacked by ‘non-fixable’ hacks. 
So at this point, we can largely dispose of Hillary’s Hack. It was an open book to all comers and at least one was Romanian (and sharing with friends) and not Russia.  However, I’d say it was almost certain that at some time a Russian intrusion happened. The name of the server was obvious. The location insecure. The operating system and protective layers a joke. Frankly, I’d expect them to be “in” the same day they first looked at it. Which means something like 8 years ago. So why didn’t things leak then?
Because the Russians Are Not Stupid. A fundamental of spycraft is you don’t expose sources and methods, you use them to collect intel for your use, not publication. I suspect they enjoyed a near real time email feed from the Secretary Of State for years, in silence. This argues for email dump to be someone other than them. My personal muse would be an NSA guy, aghast at what was in evidence. Like a Snowden, but not willing to give up the $1/4 Million salary… He (or she…) would have all the requisite skilz to pull it off and leave no finger prints, access to PRISM, and lots of neat toys to work with. Though more likely would be the underpaid I.T. guy Hillary had set it up who was making a backup one day and dropped a load… But I digress.
The bottom line on Hillary is we know she kept a full copy (found on Huma’s Laptop with the Wiener…) and that it was around until she had her lawyers erase it. We know it surfaced in full at the time the laptop went to the FBI, and in parts before that. We know at least one of her hackers was found (though he had likely not leaked it) and that he said he had a doomsday copy for safety. He wasn’t a very good hacker, so that shows lots of good ones walked right in and snagged copies. Assigning source of any Hillary leaks is going to be an exercise in “ME ME MEE!!! PICK MEEE!” with a dozen hands up in the room…
For the DNC:
We know Podesta fell for a phish. That, alone, is enough. Yet we also have evidence that the box wasn’t that well run and secured, and ample evidence that the privilege escalation path once in was easy. Privilege escalation is when you get in with weak powers, you find ways to raise your powers. Moving from “user” to “admin” to “root”.
How many others fell for a phish? How many other bugs, holes, unpatched zero-days? Was it PRISM? Were they on Microsoft? (Almost certainly…though I haven’t bothered to verify).
Once you are this far into the pants-down party, you know you will never know which of the hundreds of actors trying to get in, made it in. You may never even know how many made it.
So the starting point is that the systems were compromised, and almost certainly compromised by several different intruders, all of whom but one (Guccifer) remain unnamed in the unclassified report claiming that the Russians did it.  In other words, there is no uncertainty as to the compromise other than who did it, and enormous uncertainty as to that.

And so, on to the report.  It is a 27 page PDF, so it's actually a quick read.  It's quicker even than you might think based on its thickness when you consider that 18 pages are things like cover sheets, table of contents, background about the investigation (Yay FBI! Yay Intelligence Community!), discussions about how they don't disclose sources and methods, a long discussion of open source Russian media (especially RT television programming), and "This page intentionally left blank".

So there are only 4 pages that you need to read.  Three are "Summary/findings", and so do not have anything to back up their claims.  The meat of the report, therefore, is the pages numbered 2-5.  From a computer/network security perspective, these are entirely unpersuasive that the Russians (and more specifically, Vladimir Putin) were behind the hacks.  Here are the topics that those pages discuss:

  • Putin ordered campaign to influence US election (likely true, although may not have been Putin himself)
  • Russian campaign was multifaceted (you'd certainly think so)
  • Cyber espionage has been going on against US political organizations (well, duh)
  • Public disclosures of Russian-collected data says that the GRU (Russian Military Intelligence) ran the "Guccifer 2.0" persona and gave the data to Wikileaks.  No evidence is given to support this.
  • Russian intrusions into State and local electoral boards did not access vote tallying computers.
  • Russia has a propaganda effort and uses Russian media (especially RT) to get its message out (again, duh)
  • Influence effort was "boldest yet" in US (whatever)
  • Election operation signals "new normal" in Russian influence efforts (whatever)
And so of the eight topics discussed in the 5 pages that are the meat of the report, the only one that counts is "The GRU ran the Guccifer 2.0 collection effort and gave the data to Wikileaks".  There's simply no way to verify this because they don't give us their sources and methods.  Basically, it's "trust us".

And so, back to the second link in this post which discusses how things work in the real world:
Really good hackers get in with a set of warz, immediately start changing any log files and IDS systems to erase evidence of the attack, and exfiltrate what is highly interesting, erase those logs, then lay low with long duration backdoor kit. If possible, picking up additional bits over long periods of time. This is a skill set that takes years to understand, so I’m not going into it here. If you want to know more, attend one of the many hacker conferences for a few years.
Excellent hackers leave indirection evidence that is hard to find (so either you don’t find it and don’t know you were hacked or if you DO find it, since it was hard to find, think yourself sooo smart it must be real…) and deflect any search elsewhere. IMHO, that’s the hardest to properly find. All the real evidence was erased, and what you are working from is the McGuffin. (Thing in a story line everyone is searching to find, that may not be real. See The Maltese Falcon as example.)
So what we know publicly about the investigation is that it was a postmortem, it found some forensic evidence, that evidence was an old Russian warz, and thus the conclusion is:
“Russia Did It!”
The flaws in this are many.
The BIGGEST flaw
You don’t know how many hacks happened. It may well be that the Russians hacked in 6 or 8 years ago and have been sniffing data ever since. That does not at all prevent an Admin dumping a tape and leaking it. It does not at all prevent a Chinese team sucking out the data and erasing their tracks. It does not at all prevent an NSA guy from dropping a USB drive on Wikileaks. It does not at all prevent the local ISP Night Shift Operator, who is bored silly, from piping a router feed of email to their laptop as it goes by and collecting a set (though good ISPs have systems to prevent that). It does not at all prove that only Russia is to blame for the hack / leak, and not some Fat Bastard in the basement of his Mom’s house using downloaded Russian warz (commonly available) to do the hack.
Assigning the Data Public Dump to the Russian Hack is a leap of faith.
Assigning the hack with Russian Warz to Russia proper is a leap of faith.
Assigning the Data Exfiltration to the Russian Warz is a reasonable, but still, leap of faith.
Now there may be classified evidence that is compelling but which is suppressed to protect sources and methods.  These wouldn't be IP address metadata from NSA, because the hop into Russia will almost certainly not be the final leg (indeed, it might be a hop before one to China, or Israel, both of whom have excellent cyber exploit capabilities).  It might be CIA intel from inside the Russian government, but that is unlikely to have detailed information on GRU technical operations (or maybe it does, in which case it's very classified and nobody will tell us about this, maybe ever).
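The quoted analysis above makes the point that a post-mortem over surviving logs proves very little, because whoever holds a compromised box can rewrite what it remembers. One defensive answer is a forward-secure, hash-chained audit log: the host tags each entry with a key it then destroys, so an intruder who arrives later cannot silently edit or delete earlier entries without the auditor (who keeps the initial key offline) noticing. This is an added illustration, not code from the post or the linked analysis; the event lines and key values are constructed.

```python
import hashlib
import hmac

# Constructed sample events, not taken from any real system.
SAMPLE_EVENTS = [
    "2017-01-02T03:04:05 sshd: accepted publickey for svc_backup from 10.0.0.7",
    "2017-01-02T03:04:09 sudo: svc_backup : COMMAND=/bin/bash",
    "2017-01-02T03:05:40 sudo: svc_backup : COMMAND=/usr/bin/scp /var/mail/* 198.51.100.9:",
    "2017-01-02T03:06:01 sshd: session closed for svc_backup",
]

ZERO_TAG = b"\x00" * 32  # chain anchor before the first entry


def next_key(key: bytes) -> bytes:
    """Forward-secure key evolution: the old key cannot be recovered from the new one."""
    return hashlib.sha256(b"evolve|" + key).digest()


def append_all(events, key0: bytes):
    """Host side: tag each event with the current key and the previous tag, then
    evolve (and so destroy) that key. Returns (entries, key_after_last_entry)."""
    entries, key, prev = [], key0, ZERO_TAG
    for ev in events:
        tag = hmac.new(key, prev + ev.encode(), hashlib.sha256).digest()
        entries.append((ev, tag))
        prev, key = tag, next_key(key)
    return entries, key


def verify(entries, key0: bytes, expected_count=None):
    """Auditor side (holds key0 offline): recompute the chain. Returns the index of
    the first entry that fails, len(entries) if the log was truncated short of the
    count the auditor was told to expect, or None if everything checks out."""
    key, prev = key0, ZERO_TAG
    for i, (ev, tag) in enumerate(entries):
        expect = hmac.new(key, prev + ev.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return i
        prev, key = tag, next_key(key)
    if expected_count is not None and len(entries) != expected_count:
        return len(entries)
    return None


def tamper_delete(entries, idx):
    """Simulate an intruder removing one incriminating entry from the middle."""
    return entries[:idx] + entries[idx + 1:]


def tamper_edit(entries, idx, new_text):
    """Simulate an intruder rewriting an entry's text but keeping its old tag."""
    return entries[:idx] + [(new_text, entries[idx][1])] + entries[idx + 1:]
```

Truncation at the tail is the one case the chain alone cannot see, which is why the auditor also needs an out-of-band count or checkpoint of the last tag.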

And so we're back to trust us.  That's pretty weak.

My take is that several state actors certainly hacked Hillary's email server for years and years, and silently read all her communications.  Probably more than one state actor penetrated the DNC email system for several years.  It's plausible that an insider leaked the DNC emails - some BertieBro IT Admin type who saw how the sausage was being made and who was smart enough to cover his tracks while pointing clues towards Russia.

Bottom line, this is a tale told by an idiot; full of sound and fury and signifying nothing.  We know that something happened, but we don't know who did it, and what they say in the report doesn't change that.

If you're interested in the topic, I recommend that you click through to this analysis, and particularly the conclusion.


SiGraybeard said...

Thanks for all this, Borepatch - your analysis and the link to Chiefio.

In my mind, there are two takeaways that are also worth noting. 1) (as Chiefio notes) there is not a single bit of outcry that the emails leaked are false, and there's plenty in there to be really concerned about, and 2) Hillary did things that would get anyone else arrested and very likely put in Federal prison.

If they truly care about the ruling class not being seen as, well a ruling class above the law, they need to do something about that. The Department of Injustice is the most fetid pool in the whole swamp they talk about draining. This whole thing is "laws are for thee and not me".

Borepatch said...

Can't argue with either of those, Graybeard.

Jester said...

Thanks for the breakdown in terms that I can more easily understand, though I was encouraged that I, at least as a novice, was pretty spot on with my assessment of this.

Graybeard hit it on the head and even the supporters of the democrats have nothing but memes and chaff to throw up in the air about this. Most of these types were the Bernie supporters. Hey Clinton did X, Y and Z. "But she was hacked!" Yes, possibly something happened by someone but would you care to address your support of someone that was doing these things? "Trump and putin are da mechahitler! Trump is so much more worsererer than she is because she got hacked!"