Hacks, Leaks, Investigations, Evidence – Leaps…

The Dimocrats are still pushing the meme that “Russia Hacked the USA Election!!!!”.

This suffers from the bold and obvious lie that you can NOT hack an election. Computers can be hacked. So right out the gate, they offend common sense. So we dig. Such is the way of giant Neon “Dig Here!” signs.

So grant them a bit of slack in their rope. Maybe they are just incredibly sloppy thinkers and are using that as ‘short hand’ for “Hacked the DNC and used that to change the election.” OK… that, then, leads to an examination of what the DNC had, what evidence of a hack was found, and how to finger Russia with it.

Others have already examined the actual election process, backend servers, and voting machines and found nothing. Not even the Democrat vote diddling (though there were a few heavily democratic precincts that seemed to have a democrat overvote for Hillary…). So I’m not going to be looking at the VOTE, or the voting process, as those have been vetted by others.

A note on Hacking vs Cracking: In proper jargon use, breaking into a system is a “Crack”. Hacking can just be writing some quick and dirty code for your employer to get the job done. Sadly, in common use, Hacking has become a synonym for Cracking, so I’ll use the common “hack” and “hacking” below. But you know it isn’t right, ok? ;-)
(Pedants of the world unite!)…

But First:

What is the link between {stuff} taken from the DNC and “influence the election”?

The {stuff} was a long list of historical emails. Similarly (and yes, conflating two unrelated issues…), the Madam Clinton emails were a very long historical set.

A critical point about both sets of emails: NO ONE HAS CLAIMED THEM FAKE.

We were not regaled with endless hours of pleading Democrats and hangers-on sobbing about how wronged they were by this faked-up bag of lies. We were not faced with Democrats on the House and Senate floor speechifying and ranting for hours about the Evil Of Fraudulent Emails. No, we were met with silence on the issue of provenance and purity. All the ranting was about possession of private emails.

So, down in the very belly of this beast, the core complaint is not that someone is slandering them with fraud. No, the core complaint is that someone has let the truth be seen.

So the horrible evil Oh My God! HORROR!! at the core of the complaint is that the Truth damaged the Democrats and shifted the election.

And the truth shall set you free… Congratulations President Trump, and thanks for the freedom…

So, Dear Democrats, some helpful advice:

1) Do not put evidence of crimes, corruption, media coordination and influence peddling in your email.

2) Do not expect email to evaporate once sent. Expect it to be forever.

3) Do not expect email to be private. It is subject to subpoena, to leaking, to hacking, to carelessness, to a vindictive spouse or staff member, or even just a janitor reading a screen you left unlocked. Oh, and it is also subject to the evil “Reply All” button…

4) DO learn to use encrypted email. While not perfect, it does tend to keep email archives free from interlopers and it does keep the contents secret from all the hands that carry it from you to recipient. (Subpoena can still force the password from you, and Agencies with $Billion budgets can still crack many ciphers, and there is always the risk of a Brute “Mafia” like “offer you can’t refuse”… But for 99% of risks, it’s the answer. I suggest PGP based open source mail handlers. At all costs, avoid Microsoft and any other PRISM influenced products.)

The Nature Of The Emails

This is a modest, but important point. I’m again going to conflate DNC emails with Hillary emails.

In both cases, relatively long histories were dumped. To me, this shouts “Insider” more than “hack”. Why?

A typical email server doesn’t keep an archive of email going back years. It fills them up and crashes the machine, especially in large shops. The email server is a transfer agent.

Pick up here, drop off there. IFF email goes to other organizations, it may pass through many ‘hands’ on the way. Your desktop. Your server. Your ISP (Internet Service Provider), perhaps another intermediary transfer agent (like USA ISP to International Carrier to EU ISP), to the recipient’s ISP, to their email server, to their desktop.

Now multiply that by 4 Billion folks sending email, by a dozen a day, by 365, by years… Stew heavily in Nigerian Prince and Work From Home SPAM in the dozens per person per day, then season lightly with a half dozen email addresses per person (home, work, sock puppet for high class things, sock puppet for illicit things, …) Rapidly you are talking more disk space than even the NSA can cough up. (Though they are trying…)

Now most of those steps have folks desperate to just move the mail along, and then forget it. Each desktop is at the whim of the owner, but I’m sure many are familiar with the I.T. Department nag to “clean up your email folders”. Frankly, part of why I’m so slothful about servicing email now is how much of my life was spent doing it for money… Shoveling e-shit into the compost pile… Electronic stable boy.

Now for many of the originators, there is now SARBOX to worry about. For Companies and Lawyers it specifies a long retention interval (5 to 7 years, depending). Network Appliance makes a nice big file archiving appliance for just that purpose. Similarly, many Government Agencies are subject to legal retention requirements. This is very very poorly served by DIY (Do It Yourself) management on the desktops. For SARBOX, even if the Chief Information Officer didn’t order the loss (or even if he ordered the loss NOT to happen) he gets prison for failure to comply. So folks use those nice NetApp devices at the central email server. Even the System Admin can’t erase them.

But that kind of archive is usually “center of the empire” and very well guarded. Locked down very tightly and surrounded by layers of protection. I’ve never heard of one of them being hacked. (I’m sure, somewhere, it has happened, but the rate is so low as to not rise to awareness). Furthermore, the ‘evidence of the hack’ is on peripheral boxes. Desktop machines and one or two poorly guarded servers. This necessarily implies that either the DNC and Hillary had among the sleaziest, poorest security, and ‘walk in friendly’ configurations on the planet AND were being used for Email Archives (which, in the case of Hillary, looks to be true…) or The Hack wasn’t getting the archives…

At this point the DNC and Hillary Email diverge.

For Hillary we have a Hacker in custody who said he did it, where there is evidence he did it, where a law enforcement agency caught him in the act and where he was hauled in by the FBI. He said it was a trivial hack technique based on knowing personal details to make a custom dictionary (names, family and pet names, addresses, place of birth, etc.) then using it in a Dictionary Attack on some folks or in a “I forgot my password / Tell me your last name and DOB and I’ll send it to you.” spoof. There is also evidence (weak, but extant) that many TLAs (Three Letter Agencies) and other actors had hacked into her home brew server by other means.

Given what I’ve heard of the set-up, it would be a nearly open book to anyone with skilz. First off, it was built on PRISM infested equipment (so the NSA was in, and potentially the CIA), second, it was Microsoft, so if you didn’t patch daily, you were hacked with known zero-days, and if you DID patch daily, you were hacked by ‘non-fixable’ hacks.
https://chiefio.wordpress.com/2016/11/06/grab-bag-november-5th/

AtomBomb – The Unfixable Bug:

https://soylentnews.org/article.pl?sid=16/10/30/064253

Bold bits by me.

AtomBomb: The New Zero-Day Windows Exploit Microsoft Can’t Fix?

Celestial writes:

There’s a new zero-day Microsoft Windows exploit in the wild by the name of AtomBomb, and Microsoft may not be able to fix it.

Ensilo security researchers have discovered a new zero-day exploit in Windows that attackers can make use of to inject and execute malicious code. The researchers call the exploit AtomBombing because of its use of a Windows function called Atom Tables.

What’s particularly interesting about the exploit is that it does not rely on security vulnerabilities in Windows components but native Windows functions. This means, according to the researchers, that Microsoft won’t be able to patch the issue.

So at this point, we can largely dispose of Hillary’s Hack. It was an open book to all comers and at least one was Romanian (and sharing with friends) and not Russia. However, I’d say it was almost certain that at some time a Russian intrusion happened. The name of the server was obvious. The location insecure. The operating system and protective layers a joke. Frankly, I’d expect them to be “in” the same day they first looked at it. Which means something like 8 years ago. So why didn’t things leak then?

Because the Russians Are Not Stupid. A fundamental of spycraft is you don’t expose sources and methods, you use them to collect intel for your use, not publication. I suspect they enjoyed a near real time email feed from the Secretary Of State for years, in silence. This argues for email dump to be someone other than them. My personal muse would be an NSA guy, aghast at what was in evidence. Like a Snowden, but not willing to give up the $1/4 Million salary… He (or she…) would have all the requisite skilz to pull it off and leave no finger prints, access to PRISM, and lots of neat toys to work with. Though more likely would be the underpaid I.T. guy Hillary had set it up who was making a backup one day and dropped a load… But I digress.

The bottom line on Hillary is we know she kept a full copy (found on Huma’s Laptop with the Wiener…) and that it was around until she had her lawyers erase it. We know it surfaced in full at the time the laptop went to the FBI, and in parts before that. We know at least one of her hackers was found (though he had likely not leaked it) and that he said he had a doomsday copy for safety. He wasn’t a very good hacker, so that shows lots of good ones walked right in and snagged copies. Assigning source of any Hillary leaks is going to be an exercise in “ME ME MEE!!! PICK MEEE!” with a dozen hands up in the room…

For the DNC:

We know Podesta fell for a phish. That, alone, is enough. Yet we also have evidence that the box wasn’t that well run and secured, and ample evidence that the privilege escalation path once in was easy. Privilege escalation is when you get in with weak powers, you find ways to raise your powers. Moving from “user” to “admin” to “root”.

How many others fell for a phish? How many other bugs, holes, unpatched zero-days? Was it PRISM? Were they on Microsoft? (Almost certainly…though I haven’t bothered to verify).

Once you are this far into the pants-down party, you know you will never know which of the hundreds of actors trying to get in, made it in. You may never even know how many made it.

Now in this case the server was better run than Hillary’s (but still had issues) and we know it was compromised by a very simple and direct path (so likely other paths exist and other compromises happened).

BUT, in all these cases we know two things about the nature of the emails:

1) They were undisputed as truth.

2) They were a long history.

That last item argues for one of two cases:

a) Folks were packratting email online. For Hillary known true.

b) The server was an archive (typically not true, but sometimes done even if poor practice).

Which leads to another bit of advice for the Democrats: IFF you keep an email archive, keep it on a USB drive in a locked vault, not on-line. If it doesn’t NEED to be online, don’t PUT it online.

The long historical mail set is modest evidence for “leak” over “hack” as the leaker has access to the archives, even if protected, while the hacker must break through many layers (and pass many detectors in a good shop) to get to them. Then the leaker just copies to a thumb drive at high speed while the hacker must ‘exfiltrate’ or copy outbound the huge data volume over days to weeks and not be noticed. It is remotely possible that the hack happened 8 years ago and the emails were exfiltrated and accumulated over that period without being detected.

So the very nature of the email dump (archives) argues for “leaker” over “hacker”. Doesn’t prove it, but points that way. Just something to tuck in the investigation hat while looking at the rest of the process.

Leaks

Leaks happen when someone inside decides they just can’t stand it any more and their allegiance shifts from “to the patron” to one of two things:

1) Money. Sadly, many folks can be bought.

2) Morality. Morals vary, so which morality is variable.

Once we had a security sweep of a very secret building and project. At that time, the hired expert also gave a tutorial on risks. The one that I didn’t know, and floored me, was the “insider bought” risk. We were asked “What do you think the going price is to be compromised?” I guessed based on the expectation that I’d never be able to work again in the industry, and would need enough to continue the present lifestyle indefinitely after legal costs, and pegged it at about $2 Million. (In an annuity, that would be about enough.) The answer? $1000 to $2000. Now even if you inflate that to today and call it (way over inflated) $10k, that’s trivial money for LOTS of actors and agents. That was the going rate to get hands on copies of backup tapes.

Morality is actually a much higher barrier, as most folks driven by it are greatly pained to get over that hump of betrayal. It is far easier to do nothing, and suffer the angst of moral indignation than take action and suffer the angst of seeing yourself as a betrayer of trust and thus immoral yourself.

Examining the DNC and Hillary, it’s pretty clear that the physical security was so-so at best, and who knows what the staff level of vetting was. That puts #1 as an easy approach. Pay a janitor $10k to swap his badge for the day. Pay a ‘just above minimum wage’ night operations person $10k to run a command. Hard to protect against that, and harder to catch.

On the morality front, there was so much incredibly offending material in the emails that lots of folks would be morally offended by it. I could easily see a higher end Systems Admin type doing maintenance on the system, seeing something pass by that offends, taking a look for more, and having an OMG! moment. Now these folks would also be good enough to make sure they left no fingerprints themselves, and, if needed, leave behind fake ones of a ‘hack’. Heck, for many folks in this class, it becomes a game of sport to do it so well nobody can tell. There are whole conferences for this kind of stuff, with “White Hats” doing their best to block “Black Hats” and with everyone having a grand old time sharing methods and warez (tools). IF it was done by an insider admin of medium to high skill, you would likely never know and it would be fingering someone else.

Substantially all security is set up to keep bad guys out and assumes insiders are good guys. There are ways to set up security that doesn’t assume that, but outside a few paranoid companies (justifiably paranoid) and some government agencies, that typically isn’t done. Setting all kinds of credentials and levels of access and such is a royal PITA (Pain In The…) and you are asking the folks setting it up to do it to make their own lives harder… so it usually is only done in large shops where those are two different groups of folks.

IF the leak was an insider with technical skills, it would be damned hard to distinguish it from an outside hack IFF (If and only If) you knew it happened at all.

Investigations and Evidence

Near as I can tell, all the investigations have been after the fact. None of them “in the act”. This is a huge point.

With an active hack in progress, you can watch packets on the network in real time. Where do they go? What is in them? What personal style is acting? What tools show up, what do they look like in operations, what log files and such do they erase? It is usually possible to at least find the first link back (the exit node) of the attack. Sometimes you can ‘crawl upstream’ and find more redirection nodes. IF you are very good and very lucky and / or the attack lasts a long time, you can sometimes get all the way back to the originating node. At the same time, you can log ALL the actions real time, sending logs to a system NOT under attack and NOT subject to modification of the evidence.

Sidebar: We once caught an attack on our honey pot (at Apple) due to a paper syslog printer. At the time, it was ‘trendy’ to put all logs on disk to ‘save paper’. I insisted we keep our ratcha-ratcha TTY printing out 128 column green paper… Well, a night operator, tasked with maintaining that paper, noticed something on the printout (as we hired smart operators, not dumb paper changers) and called in the admin staff. The result was we caught an attack in progress that was clueful enough to have doctored the syslog FILE and remove any evidence of their entry… but they couldn’t get into the locked, remote, high security computer room and manually erase the paper. (Later we went to all electronic logs… on a WORM drive aka optical disk that could not be erased.) I’m certain the DNC and Hillary had nothing like that set up.

For a postmortem forensics review, much of that information is gone. You have log files that have likely been erased or doctored. You have what is left on the disks, that can also be doctored if not erased. You might have some logs of network activity. And, IFF you have an IDS / IPS (Intrusion Detection System / Intrusion Prevention System), you will have whatever data you configured it to collect (assuming IT was not hacked and compromised… which is why I like to put their OS on a CD ROM and their logs to write once media…) Now that can be a lot of information, or it can be a very little, or it can be completely WRONG information.
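The hash-chained, append-only log below is an added example (not the author’s setup, nor any product’s code) of the “send logs to a box NOT under attack, on write-once media” idea: each record commits to its predecessor, so an edited, removed or reordered entry breaks the chain, and the current head hash is the one value you would print on paper or burn to WORM so that a later truncation of the log is caught too. All log lines are constructed samples.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for an empty log


def entry_hash(prev_hash: str, seq: int, line: str) -> str:
    """Bind a record to its predecessor, its position and its content."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(seq.to_bytes(8, "big"))
    h.update(line.encode("utf-8"))
    return h.hexdigest()


class ChainedLog:
    """Append-only log as kept on the remote collector, never on the monitored host."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, line: str) -> Dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "prev": prev, "line": line,
               "hash": entry_hash(prev, seq, line)}
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """The value to record out of band (paper printout, WORM disk)."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute the chain. Returns (ok, first_bad_seq).

    Without expected_head a log that was only truncated at the tail still
    verifies, which is exactly why the head must live somewhere the attacker
    cannot reach."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i                      # gap, reorder or deletion
        if entry_hash(prev, i, rec["line"]) != rec["hash"]:
            return False, i                      # content edited in place
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)               # tail cut off
    return True, None


# Constructed syslog-style lines; the hosts, users and addresses are made up.
SAMPLE_LINES = [
    "Jan 10 02:13:01 mailhost sshd[4120]: Accepted password for jdoe from 10.0.0.7 port 51022 ssh2",
    "Jan 10 02:13:09 mailhost sudo: jdoe : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jan 10 02:14:30 mailhost sshd[4131]: Accepted publickey for root from 198.51.100.23 port 40011 ssh2",
    "Jan 10 02:15:02 mailhost kernel: usb 1-1: new high-speed USB device number 4",
    "Jan 10 02:40:55 mailhost sshd[4131]: pam_unix(sshd:session): session closed for user root",
]


def build_log(lines: List[str] = SAMPLE_LINES) -> ChainedLog:
    log = ChainedLog()
    for line in lines:
        log.append(line)
    return log


def tamper_delete(records: List[Dict], seq: int) -> List[Dict]:
    """What a doctored syslog FILE looks like: one inconvenient line gone."""
    return [dict(r) for r in records if r["seq"] != seq]


def tamper_edit(records: List[Dict], seq: int, new_line: str) -> List[Dict]:
    """Same entry count, but the root login rewritten as a failure."""
    out = [dict(r) for r in records]
    out[seq]["line"] = new_line
    return out


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    log = build_log()
    head = log.head()  # imagine this printed on the green-bar paper
    forged = "Jan 10 02:14:30 mailhost sshd[4131]: Failed publickey for root from 198.51.100.23 port 40011 ssh2"
    return {
        "intact": verify(log.records, head),
        "deleted": verify(tamper_delete(log.records, 2), head),
        "edited": verify(tamper_edit(log.records, 2, forged), head),
        "truncated_without_head": verify(log.records[:2]),
        "truncated_with_head": verify(log.records[:2], head),
    }


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:24s} ok={ok} first_bad_seq={bad}")
```

The truncation case is the point of the paper printer in the sidebar: a chain alone cannot notice that the last entries were cut off, only a head hash held where the intruder cannot reach it can.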

Really good hackers get in with a set of warz, immediately start changing any log files and IDS systems to erase evidence of the attack, and exfiltrate what is highly interesting, erase those logs, then lay low with long duration backdoor kit. If possible, picking up additional bits over long periods of time. This is a skill set that takes years to understand, so I’m not going into it here. If you want to know more, attend one of the many hacker conferences for a few years.

Excellent hackers leave indirection evidence that is hard to find (so either you don’t find it and don’t know you were hacked, or if you DO find it, since it was hard to find, you think yourself sooo smart it must be real…) and deflect any search elsewhere. IMHO, that’s the hardest to properly find. All the real evidence was erased, and what you are working from is the MacGuffin. (Thing in a story line everyone is searching to find, that may not be real. See The Maltese Falcon as example.)

So what we know publicly about the investigation is that it was a postmortem, it found some forensic evidence, that evidence was an old Russian warz, and thus the conclusion is:
“Russia Did It!”

The flaws in this are many.

The BIGGEST flaw:

You don’t know how many hacks happened. It may well be that the Russians hacked in 6 or 8 years ago and have been sniffing data ever since. That does not at all prevent an Admin dumping a tape and leaking it. It does not at all prevent a Chinese team sucking out the data and erasing their tracks. It does not at all prevent an NSA guy from dropping a USB drive on Wikileaks. It does not at all prevent the local ISP Night Shift Operator, who is bored silly, from piping a router feed of email to their laptop as it goes by and collecting a set (though good ISPs have systems to prevent that). It does not at all prove that only Russia is to blame for the hack / leak, and not some Fat Bastard in the basement of his Mom’s house using downloaded Russian warz (commonly available) to do the hack.

Assigning the Data Public Dump to the Russian Hack is a leap of faith.

Assigning the hack with Russian Warz to Russia proper is a leap of faith.

Assigning the Data Exfiltration to the Russian Warz is a reasonable, but still, leap of faith.

Until and unless you get more evidence to support those leaps, you are stuck at this point right out the gate.

Further Flaws:

Now you continue to investigate. You use those leaps to direct your search for more information and evidence. But you simply can not depend on them.

At this point, in support of the Assertion Russia Did It: The NSA and other TLAs have access to pre-hacked from the factory PRISM program warz that we just can’t see. They may well have recorded all the data flow in transit from Hillary and the DNC servers as it went to Russia and just didn’t have the staff to look at it until now. (The problem with collecting everything is that you can look at nearly nothing…) They may well have hacked the hackers and have inside intel that they did it, but can’t divulge that publicly without compromising their hack. Welcome to “Spy vs Spy”. Yet you can NOT just take the word of the CIA or NSA. The CIA is by definition in the disinformation business. The NSA typically is in the ‘be silent’ business, but when they do speak, it is rarely unvarnished. (They once advised a better cipher box – a grid of numbers – for DES, IIRC; only years later was it found that this helped protect against a then newly discovered attack algorithm. Basically the NSA knew years before about that attack, but could not and would not tip their hand.)

So just at the first step, we can only know “The Russians likely were in the box and had the data too”. But can’t assign causality to the dump, and can’t even say for sure it wasn’t someone using known old Russian hacks that anyone can download from the internet. (Only tracking the traffic as it left would really tell you that. Finding a Russian assigned IP hard coded into the hack would only prove the hacker was leaving it as a false flag until they turn it on again and change the IP or that they pwned (took over) a router along the way and routed that IP to their box, likely via a VPN).

Now what we SEE in public is just the assertion that these old Russian warz left a ‘fingerprint’ on the machine, so it must be the Russians. Hardly convincing and at best a Noob level of analysis. I dearly hope they have a lot more real evidence behind the curtain and are just not sharing it as they aren’t stupid.

We don’t know that any Russian Destination for the hack was Russian Government. Now maybe the NSA has some way to show where the packets went, and can finger them, but the public intel doesn’t show that. Even if you believe a Russian IP address in the hack actually got to Russia, you can’t know where in Russia it went after that nor who was sitting at the terminal (nor if the router at that end routed the packets back to lower New Jersey…) That’s why you route hacks through places that are not cooperative with USA / EU TLAs. Russia doesn’t send the NSA their router log files.

As I pointed out before, I used a Romanian VPN to bounce my IP off of Romania just to get past geography restrictions on watching a news broadcast. Took me all of 5 minutes to set up, and on an Android Tablet no less. Not exactly hacker kit. Want to know who was watching that news? It points to Romania. Beyond that, you need to get a Romanian search warrant for their server and / or routers… except they advertise that they don’t keep logs… Now that’s for use by The General Public for things like watching TV. What do you think professional hackers do? Hmmm?

Were I doing this hack, I’d use the best tools available, then dirty the trail with evidence of someone else doing it (likely China, but their kit leaves little behind, so easier to do Russia) and route packets through a non-cooperating jurisdiction. Presently, that’s Asia… (Ecuador has promise, but not much traffic to hide in and they are ‘picky’ about foreigners…)

Think it is hard to get a Russian VPN? Here’s the result of a duckduckgo search. I’ve bolded one bit:

Russian VPN – Secure VPN Service For Russia | Golden Frog
Russian VPN Service Secure Your Connection With Russia’s Fastest VPN. Fast and easy VPN access from anywhere in the world; Unlimited server switching and IP addresses

[Search domain http://www.goldenfrog.com] goldenfrog.com/vyprvpn/russia-vpn
Russia VPN | Russian VPN Service to Get a Russia IP Address
Russian VPN service. In Russia and around the world, Internet users are becoming more aware of the risks they run every time they go online over an unsecured network.

[Search domain http://www.le-vpn.com] le-vpn.com/vpn-russia/
Russia VPN Service – Free And Paid Russian VPN For PC/Mac/iPhone
Using our Russia VPN service you can view sites that are available only for Russian IPs, unblock Skype, access poker/gambling/adult sites anonymously.

[Search domain http://www.supervpn.net] supervpn.net/russia-vpn.html
ThreatConnect follows Guccifer 2.0 to Russian VPN Service
ThreatConnect determines Guccifer 2.0 is using the Russia-based Elite VPN service to communicate and leak documents directly with the media.

[Search domain http://www.threatconnect.com] threatconnect.com/blog/guccifer-2-all-roads-lead-russia/
Russian VPN – get an IP address in Russia – Simple VPN service
Russian VPN. Connect to the Internet with an IP address in Russia. Access Russia-only sites and services from anywhere in the world.

[Search domain zenvpn.net] zenvpn.net/en/vpn-locations/russia/
Best Russia VPN Service – vpncoupons.com
If you are looking for a VPN service to use in Russia to unblock content from overseas or security measures, you can’t go wrong with the following choices:

So anyone can be “from Russia”, and it looks like Guccifer has been found to use them. So the guy we KNOW was arrested for doing the Hillary Hack, and who admitted to many many more, was known to use a Russian redirection node. Golly… (I’ll leave it for you to connect the dots…)

In short, the publicly available information about the Hillary and DNC “hacks” is grossly insufficient to finger the Russian Government. We have a confessed hacker for Hillary (and a list of others he did) who used a Russian cover. We know the hack warz used are publicly and widely available. We DON’T know what happened in real time. We DO know that postmortem forensics on the boxes will be subject to all sorts of False Flag efforts. We DO know that there could easily be (most likely were) many actors who gained access to the DNC and Hillary servers as they were wide open and known good attack targets.

We also know if the NSA has more, they are not going to talk.

So the Public simply can not know what actually happened and certainly can’t know who did it.

In Conclusion

Were I to guess:

I’d guess the Russian Government was “in” from the start, exfiltrated emails, but kept it all for themselves. That’s what they do.

I’d guess Guccifer got in, got caught, and spilled the beans about having hacked these folks.

I’d guess that China was in, leaving no fingerprints, as that is what they do and if Russia got in with old warz, China can walk in with their current stuff (that includes pre-hacking the firmware of some chips widely used. I’ve been part of a recovery effort on one such.)

I’d guess Israel was in, as they would be watching what China, Russia, and Hillary were doing.

I’d guess the NSA was recording it all, but looking elsewhere most of the time. I’d speculate that maybe one of their folks took a peek and was horrified and did a ‘leak’ as a very possible scenario.

That much is pretty much certain, but speculative. After that, there are many other actors who are “up for the job” and may have gathered intel from Hillary and / or the DNC. By their actions, the DNC and Hillary look to be owned by {The House Of Saud | Some Muslim Group}. So a modest speculation on a place to investigate would be their intelligence agencies. I’d also look for evidence the UK got in (though they would say nothing and leak nothing, but are very good and curious..) or that the EU got in (maybe why the DNC and Hillary work so hard to make us look like the EU and what Soros wants… he has enough money to buy the information with his coffee money for one day…)

In short, once you know a phish worked on the DNC and that Guccifer hacked Hillary, it means the door was wide open for folks who are actually good at hacking and they could stroll in whenever they wanted. And they wanted.

So I expect the reality is that somewhere in that long list of actual actors in the box, someone saw an opportunity or an offense, and acted on it. And, once again, what did they do?
They let the Truth be known.
Oh, the humanity… /sarc;


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Political Current Events, Tech Bits.

21 Responses to Hacks, Leaks, Investigations, Evidence – Leaps…

  1. philjourdan says:

    If the Russians did hack Hillary or the DNC, then the value of the data would be increased had she won. So their bets would have been to make her win! Countries do not hack useless data (which the DNC hacks now are).

    And WORM. Paper is too bulky, but yes, you need them on WORMs

  2. p.g.sharrow says:

    The latest from the talking heads about “Proof” that the Russians did it is that someone used a Russian language keyboard in the hack!…pg

  3. cdquarles says:

    On that usage, I am on the pedant bandwagon. If you’re talking about breaking into systems, you’re cracking them, not hacking them. Why dirty a good name for a good practice with the implications of wrongdoing where none exist? Sheesh. If you’re getting people to leak stuff, that’s neither hacking (building a working computer system) nor cracking (breaking into a computer system for nefarious purposes, like a safe cracker looking for stuff to steal).

    I ran across a wit the other day saying that the emails revealed couldn’t be proven to be real. Sure they could, but getting into message digests and checksums in order to get it across to them that the emails were real was a lost cause. Sure, they could have been spoofed by someone inside with access to the relevant machines, but that is another issue. As I recall, none of the relevant parties ever offered up that defense. The emails are real and from the named parties’ machines.

  4. Larry Ledwick says:

    Interesting support for your thesis E.M.

    http://freebeacon.com/national-security/former-cia-director-multiple-countries-may-behind-election-hacks/

    Looks like the CIA is trying to soften the meme that the Russians did it.
    “it’s more complicated than that”

  5. Graeme No.3 says:

    The obvious initial, if not believable, defence would be to claim that the e-mails weren’t genuine (while frantically removing any copies you can find). To adopt a “How dare anybody read our dirty mail?” approach immediately makes them all true, and subject to adverse interpretations.
    With Hillary’s campaign always struggling that attitude may well have strengthened the vote against her.
    There is also the question as to why someone didn’t check up on the security of Hillary’s communications given her known carelessness. philjourdan’s comment about those with the data being able to influence the (expected) incoming President doesn’t apply only to enemies.

  6. Larry Ledwick says:

    Related to electronic voting security from the UK

    http://www.bbc.com/news/uk-politics-38408296

    I think the important issue that everyone is missing is that electronic systems don’t have reliable tamper proof logs like hard copy logs.

    Perhaps you could create one using something like block chain technology where the systems produce a check sum hash for each vote entry hashed with some unique value that can’t be easily spoofed (ie machine MAC address plus a one time pad code string sent from a central high security device and a high precision time string like NTP).
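    The tamper-evident record sketched in the comment above, as an added example (not code from the page, the commenter, or any voting-system vendor). It keeps the structure Larry describes, each entry’s hash covering the previous entry’s hash, a device identifier, a timestamp and the vote, but substitutes an HMAC with a per-device secret key for the “one time pad code string”, a fixed string for the MAC address, and caller-supplied timestamps for the NTP time; all of those, and the sample votes, are constructed stand-ins:

```python
"""Hash-chained, keyed vote log (added illustration, not from the original page).
Assumptions: a per-device secret key stands in for the one-time-pad string,
a fixed device id stands in for the MAC address, and timestamps are supplied
by the caller (in practice they would come from a trusted time source)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed chain anchor for the first entry


def entry_digest(prev_hash: str, device_id: str, ts: str, ballot: str, key: bytes) -> str:
    """HMAC-SHA256 over prev hash | device | timestamp | ballot.
    Chaining prev_hash means altering or removing an earlier entry breaks every
    later one; the key means a party without it cannot recompute a valid tag."""
    msg = "|".join([prev_hash, device_id, ts, ballot]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_vote(log: list, device_id: str, ts: str, ballot: str, key: bytes) -> dict:
    """Append one entry whose hash binds it to the current end of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "device": device_id, "ts": ts, "ballot": ballot}
    entry["hash"] = entry_digest(prev, device_id, ts, ballot, key)
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes):
    """Walk the chain; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, i                      # gap or reordering detected
        expected = entry_digest(prev, e["device"], e["ts"], e["ballot"], key)
        if not hmac.compare_digest(e["hash"], expected):
            return False, i                      # content edited or forged tag
        prev = e["hash"]
    return True, -1


def demo():
    """Build a three-entry log, then alter one ballot in a copy of it."""
    key = b"constructed-per-device-secret"       # constructed, not a real key
    log = []
    append_vote(log, "device-01", "2016-11-08T07:01:00Z", "A", key)
    append_vote(log, "device-01", "2016-11-08T07:01:30Z", "B", key)
    append_vote(log, "device-01", "2016-11-08T07:02:10Z", "A", key)
    ok_before, _ = verify_log(log, key)
    tampered = json.loads(json.dumps(log))       # deep copy
    tampered[1]["ballot"] = "A"                  # change the second vote
    ok_after, bad_index = verify_log(tampered, key)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())
```

    One caveat the chain alone does not cover: dropping entries from the tail leaves a log that still verifies, so the latest hash (or the entry count) has to be anchored somewhere the device cannot rewrite, for example printed on a paper tally or signed and sent to a separate system.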

  7. p.g.sharrow says:

    The DNC complaint that the Russians hacked the vote count is just their cover story for the massive over count in certain precincts caused by their manipulations. Democrats always point at others to cover for their own transgressions…pg

  8. I watched Julian Assange being interviewed this evening. He bends over backwards to avoid compromising his sources but he did say that his information did not come from Russian government sources. While he did not say that Barack Obama lied… he did say that BHO used “Lawyerly Language”.

    Given that nobody has ever shown Assange to be wrong about anything pertaining to these emails it seems likely that BHO is lying as usual.

  9. Pingback: Hacks, Leaks, Investigations, Evidence – Leaps… | gwfenimore

  10. E.M.Smith says:

    @Phil:

    At the time, WORM was new and expensive, paper was common and cheap. Now it’s different ;-)

    @C.D.Quarles:

    It’s a constant battle. Choose to be accurate, but hard to understand, or work with the common usage and be somewhat inaccurate, but better communicated. I’ve spent a lot of time and effort looking for a good solution. My conclusion is that the language is driven by the average user, and the average user is of average or lower IQ and ability, and many of the smarter users just don’t care, so languages always decay.

    So I fight a rear guard action in retreat, and don’t expect to win that battle.

    @Graeme No.3:

    I think they had enough clue to know there were other folks with copies (or reply with copy or reply to forward with copy… or) and it would only take one of them surfacing showing the email valid after shouting “FAKE!” to completely ruin them. Once that settles into the brain, folks don’t shout “FAKE!”…

    The sHillary was known to be rude, berate folks, and generally be a Royal PITA to work with. Folks like that don’t get any hand-holding or help above what is needed to avoid having yourself whacked (organizationally, not, oh, nevermind…)

    So who is going to step up to ‘help’ her? If I’m her I.T. guy, all I want to do is get out of the room as fast as possible and assigned to something else. Once she says she wants her own server, I’m seeing salvation, pass it on to the next schmooo.

    If I’m having her in my face, the last thing on my agenda is “Protect Hillary” and especially not “Protect her from herself” since you know all you get from it is insults, attacks, and derision. I’ve “been there, done that” with executives who didn’t like what the I.T. guy had to say. In many ways, that is why over the whole of the USA most companies have crappy security and use Microsoft. It’s the easy and cheap path and executives don’t get a bonus for having no problems on their watch. On more than one occasion I’ve seen the head I.T. guy get a promotion for ‘after action’ fixes and recovery from disaster while in my shop I had to fight to keep the staff that kept those things from happening in the first place. “No Problem” means “Cut Staffing” to most execs.

    So after you internalize that (and darned near every I.T. shop now has), the exec who wants to do something stupid causes you to think “How can I distance myself from this” rather than “How can I stop them” and almost never “How can I show them this is a bad idea”… I know a couple of high end I.T. guys who observed the same thing. Two of us have adopted the standard of “I will tell you 3 times, then comply”.

    1) That has issues because of {FOO}.

    2) I recommend not doing that because of {FOO}.

    3) You have instructed me to do that, I will do it. This is the 3rd time I’m going to say “That is a bad idea because of {FOO}” and you will not hear it from me again. I’m now going to build {BAR} as instructed. (AND you document the conversations…)

    Even that raises ire in some folks, so use judiciously and with the best suck-up submissive posture you can manage. With someone like Hillary, her staff will rapidly learn to NOT do that, and instead say “Here is {BAR} as you ordered! Sign the payment chit here please!” (and document the orders…)

    IMHO, that social aspect is THE main reason why the USA has crappy security, poor dominant operating system (Microsoft) for desktops, and PITA applications (mostly Microsoft). Oh, and a flood of H1B visa folks from a very suck-up prone culture…

    @G.C.:

    That point (zero wrong) is a huge one. Assange guards that strongly. They have some way of vetting the ‘leaks’ they get are real, and not bogus, but I can’t figure out what all it might include. Whatever it is, so far it has been perfect. (And you know bad actors will be desperately trying to spoof him, tarnish Wikileaks, or just put a bogus slam on someone else).

    His background was in computer security, so he knows the tricks… When he says the source wasn’t the Russian Government, he knows how to prove that.

    @P.G.:

    I’ve found it oddly effective at characterizing the inside of the Democrat Machine to just take their talking points du jour and swap [the target] out and {Democrat Machine} in.

    “Vast Right Wing Conspiracy” means “Vast DNC Conspiracy” (now in evidence via emails)
    “Racist Right Wing” means “Racist Democrats” (In evidence in their history and emails).
    etc. etc.

    Used a Cyrillic keyboard? How would they know? Unicode in the typing stream? That can come from any keyboard. (Just takes more escape sequences…). The WashPo assertion of Russian hack of the Electric Grid (now shown bogus and retracted) was traced back to a commercial Ukrainian software product. Guess what alphabet is used in Ukraine…

    And who else uses Cyrillic? And knows Russian? ANYONE in the Former Soviet Union and any country they dealt with a lot. ALL the TLAs of the world (CIA was big on it.) Heck, in the ’70s when in college and thinking of being a CIA guy (filled out the application but chickened out on sending it…) I even took a Russian class. Now faded to where I can barely make out “Протон.” Proton on the side of rockets or “Спасибо, что это хорошо.” (Thank you, that’s good.)

    It is as likely it was a Ukrainian working to tilt away from the disaster under Obama or a CIA guy acting on orders (or acting on his own…) as it is that the Russians would be involved, if based only on the use of Cyrillic.

    @Larry:

    That guy has clue:

    Sir John Sawers told the BBC that casting a ballot with pencil and paper was “actually much more secure”.

    He warned: “The more things that go online, the more susceptible you are to cyber attacks.”

    My mantra: “If it doesn’t NEED to be online, don’t PUT it online.” -E.M.Smith

    Votes don’t need to be online. Paper, mark sense pencil. Full audit of EVERY election by a third party. (i.e. the government can run the paper through their counters, with observers from both sides, then the paper goes to an accountancy agency and run through their readers. The two vote tallies need to be inside the published error bounds of the machines or a recalibration of the machines is done and the paper counted by hand…)

    On the Woolsey quote: I always liked that guy. Smart and has his head on straight. I’d love to work for him, but I think he’s retired now. Very gratifying to see him reach the same conclusion (and he says the TLA insiders are whispering in his ear… so they likely have clue too, prior to the political management filter…)

  11. John P Miller says:

    Brilliant! What a great subject for you to combine your IT chops, ability to find/ collate great material, and story-telling skill! You really ought to send this to a media outlet (and to Trump..although you’d think he’s already gotten the equivalent from someone — he does have access to pretty smart folks). More people need to hear what “might have” happened.

    So ironic that Hillary got a “pass” from her own government on stupid IT tricks that really matter to national security, but then — no doubt by someone with that blatant failure of government to police itself in mind — gets taken down by stuff that’s venal and political, rather than of true national security concern. It’s beyond delicious…

  12. Larry Ledwick says:

    Interesting, apparently the FBI never asked for access to the “hacked” DNC servers.
    Wouldn’t that be considered good practice in any major intrusion situation, to examine logs and server configurations etc.?

    https://www.buzzfeed.com/alimwatkins/the-fbi-never-asked-for-access-to-hacked-computer-servers

  13. E.M.Smith says:

    @J.P. Miller:

    Um, I think the media outlets can decide to follow here if they like what I write… I’m happy if they pick up a line of reasoning and use it. Similarly, Trump looks to have clue on this. Don’t know if it is from prior experiences securing his businesses (that I.T. budget item…) or someone whispering in his ear; but it looks like he knows this stuff already. Who knows, they might even be followers of my blog ;-)

    Still, thanks for the compliment and glad you found value in it.

    @Larry:

    Yeah, just saw that on RT (what comes on the TV automatically this time of day for me… yes, I have the channel swapping automated ;-)

    Some company (CrowdStrike) was hired by the DNC and the FBI only asked for their report, not the hardware.

    This is just so wrong…

    Chain of custody lost.
    Independence lost.
    Methods and legally vetted procedures in doubt.
    3rd agency beholden to the client (DNC) determining outcome. (Validity lost).

    I know nothing about CrowdStrike and their reputation or skill level, but it is not a law enforcement agency and not subject to their forensic legal standards. They might be great and highly trusted, but then the hardware ought to have been sent over for confirmation of their findings.

    FWIW: In good forensic practice, the hardware is immediately quarantined.

    (IF you can, you do some dramatic things on first approaching the machine, like either not shutting it off while you do some explorations, or powerfail it immediately and stuff the memory chips into freezing liquid so you can extract the contents. That was likely not available here… so ‘moving on’…)

    The powered off cold hardware is taken apart. First step is a physical inspection for any added things inside. Is there any evidence of physical compromise? Then the hard disk is put into a special cloning rig. The disk is copied, bit by bit, to a duplicate. The firmware is extracted and examined. This isn’t your ‘copy the file system’ but is more like a “dd if=disk of=newdisk” that copies every bit on the device.

    From that point forward, that original disk goes into an evidence bag and is never touched again in this examination. It is kept pristine. Specifically so it can be handed over to TLAs with the statement “We made a clone, but no bits on this were changed”.

    Now on the clone, you start looking for all sorts of things. A list too long to put here; but it includes things like looking at the exact bits in the MBR (Master Boot Record). What is in the free list (blocks technically ‘unused’ but sometimes things are hidden in it). Is there a set of blocks NOT in the file system and NOT in the free list? Essentially every byte on that disk needs to be in the usual and customary place and holding the proper bits, or it is likely a compromise. Notice that NONE of this involves what you see as the file system contents. MANY hacks use things outside the regular file system as their own storage area…

    Now you also have someone looking AT the file system. That includes extracting and examining all the available log files AND comparing every executable binary or script with what is known to be the manufacturers version. Every non-executable is also examined. Was something hidden beyond the EOF (End Of File) marker used by Word, but inside the available data blocks? This continues until EVERY file system file has been examined and all apparent contents validated AND any non-apparent content checked.

    Somewhere along the line, you find something out of place or wrong. That gets documented and written up. Sometimes it is nothing, sometimes it is everything. But you do not know until the last of it is examined. Then comes the hard parts… figuring out which is true, which a false flag distractor, which is real but irrelevant (maybe they picked up a Nigerian Prince email but didn’t respond). Then finally work to some conclusions.

    All of this can take months, but you try to finish in weeks. At some point (sometimes even hours or days depending on the size of your team) you have enough to call in Law Enforcement. Usually not the Local LEOs (Law Enforcement Officers) but sometimes, if it is a big city with a separate cybercrimes unit. If it is Federal Crime related, the FBI is the usual contact. If it looks like it’s international spying, a call to the CIA or NSA can be in order (if Nation as actor and not clearly just commercial criminal) but usually that is left to the FBI to decide. They, then, look at your goods. IF they think it warrants a full criminal investigation, that quarantined and chain of custody marked disk is handed over and their forensic team re-does everything you did (plus anything they can do that you don’t know exists…)

    Now, did CrowdStrike do that? Do they have those procedures in place? Is their history and reputation impeccable? One hopes so…

    “But hope is not a strategy. -E.M.Smith”

    So the level of work of CrowdStrike now needs a big inspection by the FBI… to cement the case.

    Sidebar:

    I have nothing against 3rd party agencies. I worked for one in the I.T. Security Department of Charles Schwab. Our group did just that kind of analysis on a hard drive of one employee of Schwab when {something} infected their machine. We had Schwab badges, desks in the department, and did all our work on site in their San Francisco building. We reported to a Schwab department manager. BUT, our paycheck was from a company with a contract to Schwab, so technically we were a 3rd party. We had fairly strict forensic procedures and everything was documented. All hardware work was done in a special secured lab. Frankly, that’s part of why I’m happy to have my accounts at Schwab. They have very good security.

    Conclusion:

    So it could easily be that CrowdStrike is just as good, and almost certainly they are better than the DNC staff. Given that, hiring them was likely the right thing to do. BUT, when the investigation is punted to Law Enforcement, there ought to be a second investigation by them. Especially in something this big and important. Similarly, their reputation and procedures ought to be closely examined. Finally, was there a cloned / quarantined disk? If so, why didn’t it go to the confirming examination by Law Enforcement?
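    The opening steps of the disk examination described in the comment above (verify the bit-for-bit clone, then look outside the file system before looking inside it), as an added example that is not code from the page, from E.M. Smith, or from any forensic vendor. It works on a constructed 32 KB image with a made-up MBR partition layout and a marker planted in the gap between the MBR and the first partition; the digest check stands in for confirming a “dd” clone, the partition parsing for the MBR inspection, and the scan of unpartitioned sectors for the “blocks NOT in the file system and NOT in the free list” check:

```python
"""Added example (not from the original page): first steps of a disk image
examination on a constructed image. Layout, marker bytes and sizes are made up."""
import hashlib
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446        # the four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Constructed image: one partition (type 0x83) at LBA 8..47, plus a marker
    planted in sector 3, which belongs to no partition and no file system."""
    img = bytearray(total_sectors * SECTOR)
    # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 8, 40)
    img[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = entry
    img[510:512] = MBR_SIGNATURE
    marker = b"CONSTRUCTED-OUT-OF-BAND-DATA"       # constructed, not real malware
    img[3 * SECTOR:3 * SECTOR + len(marker)] = marker
    return bytes(img)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_clone(original: bytes, clone: bytes) -> bool:
    """A clone is acceptable only if it matches the original byte for byte;
    the digests are what go into the custody record for both devices."""
    return len(original) == len(clone) and sha256_hex(original) == sha256_hex(clone)


def parse_mbr(image: bytes) -> list:
    """Return the non-empty entries of the MBR partition table."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("missing MBR signature: not an MBR disk, or damaged")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack("<B3sB3sII", image[off:off + 16])
        if ptype != 0 and count:
            parts.append({"index": i, "status": status, "type": ptype,
                          "start": start, "count": count})
    return parts


def unallocated_ranges(image: bytes, parts: list) -> list:
    """Inclusive sector ranges covered by no partition; sector 0 (the MBR) is excluded."""
    total = len(image) // SECTOR
    covered = [False] * total
    covered[0] = True
    for p in parts:
        for s in range(p["start"], min(p["start"] + p["count"], total)):
            covered[s] = True
    ranges, start = [], None
    for s in range(total + 1):
        free = s < total and not covered[s]
        if free and start is None:
            start = s
        elif not free and start is not None:
            ranges.append((start, s - 1))
            start = None
    return ranges


def nonzero_sectors(image: bytes, ranges: list) -> list:
    """Sectors in the given ranges that hold anything but zeros: each one is
    something to document, since no file system should be using it."""
    found = []
    for a, b in ranges:
        for s in range(a, b + 1):
            if any(image[s * SECTOR:(s + 1) * SECTOR]):
                found.append(s)
    return found


def examine(image: bytes) -> dict:
    parts = parse_mbr(image)
    gaps = unallocated_ranges(image, parts)
    return {"digest": sha256_hex(image), "partitions": parts, "gaps": gaps,
            "suspect_sectors": nonzero_sectors(image, gaps)}


if __name__ == "__main__":
    original = build_sample_image()
    clone = bytes(original)               # stands in for the output of the cloning rig
    print("clone verified:", verify_clone(original, clone))
    print(examine(clone))                  # all further work happens on the clone
```

    The point of hashing before anything else is that the original can then go into the evidence bag and every later finding can be tied to a clone whose digest matches it; the gap scan is the simplest version of “every byte in its usual and customary place”, and a real examination would go on to compare partition contents, firmware and each file against known-good references.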

  14. cdquarles says:

    Exactly right, EM. In another life, I would on occasion have to collect evidence for law enforcement purposes. Given where I was, often I was the only person who could sign off on that evidential chain of custody, necessitating my sitting on it personally, doing nothing else, until the sheriff or his deputy arrived to take custody of it and sign off certifying that the chain was properly maintained (or not). [Yeah, that’s why some folk get paid big bucks (rhetorically in some cases), for their necks are on the line legally and held to a higher standard than certain politicians.]

  15. E.M.Smith says:

    @CDQuarles:

    Oh yeah… the “Availability Charge” and the “Responsibility Fee”… Been paid that many times.

    IIRC, at Schwab there was a special vault where the hardware could be placed, and it was monitored for access. When out of the vault, things (even the clone) had 2 people present. The doer and the observer. Things signed with “I did FOO” and “I observed FOO”… (very hard to arrange buying off two folks from different angles… doer and client staff…) When it was in the vault, you could take a potty break… and the systems did the watching. At other places, you sat there, looking at the “stuff” until it was handed over.

    I was once paid a Responsibility Fee for attending a killer party… The company needed a “Manager in Charge” (i.e. sucker to take legal liability) and I was elected, being lowest manager in the management food chain. Got paid to drink beer and dance and be liable if something bad happened…

    I was once paid full boat hourly rate (something like $100+/hr) for a 48 hour period to sit in the ops area of a datacenter while everyone else was at an offsite for the weekend. Most of it nothing happened. Had one disk fail and got to figure out their byzantine backup system, replace the disk, and restore. That broke the monotony… and delayed my nap ;-) The client was very happy to know “No Bad Thing Will Be An Issue.” for that duration.

    For Chiron (now gone, so I can discuss it…) I got paid to watch someone else work. It was an FDA “Qualified Installation” at an IBM CoLocation Facility near Denver. A weekend spent in a computer room, about every 10 minutes signing my name and noting date / time confirming that the installer had done what he signed / described he did above. “I pushed the red power-on button. Joe Admin. I saw it. Me….” But that’s what the FDA demanded. Drug testing data archive, so literally lives might depend on it. But mostly the FDA requires a written script an idiot can follow to build the same system to validate it and ANY step that doesn’t work perfectly on their copy is a fail for your $Billions drug test data… so we had to painfully detail write up how to install a Network Appliance Server. Harder than you might think. You can’t say “Turn power on” for a button as buttons don’t turn, nor “push the red button” as in the example above, since they might change the color on the next one shipped… so you write things like “Apply power using the power on / off setting of the machine.” Yeah, Government regulations… The admin checks the box for ‘Apply power using…’ and both sign.

    While I love getting paid the Availability Charge and Responsibility Fee, the “work” is usually very dull and there is usually little joy in it. The perils of a high energy brain forced to run at near zero speed… I’m sure it is better now in the era of smart phones, tablets, and other gizmos… then again, when you are paid to be “eyes on FOO”, you must have eyes on FOO even if it just sits there doing nothing…

  16. Pingback: TT – 2 Weeks (and counting the days) | Musings from the Chiefio

  17. G. Combs says:

    E.M. Says “….I got paid to watch someone else work. It was an FDA “Qualified Installation”…”

    Brother does that bring back memories!

    I got to sign the ‘I watched FOO’ many many times in an FDA regulated facility and also got to write up the “Walk up to the XXX machine. On the right side as you….. turn yellow knob…..” All done in short sentences at the sixth grade level so anyone with a high school degree could easily follow the directions. I did that for an entire manufacturing process on more than one occasion.

  18. E.M.Smith says:

    @G. Combs:

    I feel your pain…. I never knew just how difficult it can be to do nothing until then. Days in a locked computer room doing nothing and you can’t leave and there are no e-signals (secure facility) and you can’t jack-in to the network and you Must Watch someone typing at a keyboard… Can’t even read a book as then you didn’t see what happened and can’t legitimately confirm it.

    Like watching paint dry for an hour, then checking the box that says “watched paint dry”…
    sign and date…

    Worse, I was the guy who had written up the procedure, so I was 100% aware of every single step, what it did, and what the result would be, as I had done it all in the lab to make the procedure… so even watching it wasn’t in any way novel… and I’d seen it all before a couple of times.

  19. Gail Combs says:

    E.M. Makes you kind of wonder about all the drugs made in China now….

    I got a batch of diphenhydramine (Benadryl) that made me throw-up and have diarrhea.

Comments are closed.