The Good Ol’ Days

Do you remember the good old days? Back when political parties didn’t team up with foreign powers on multiple occasions to use illegally obtained material for personal gain?

[Aaron] Nevins confirmed to the [Wall Street] Journal that he told hacker Guccifer 2.0 to “feel free to send any Florida based information” after learning that the hacker had tapped into Democratic Congressional Campaign Committee (DCCC) computers last summer. From the DCCC, Guccifer 2.0 released internal assessments of Democratic congressional candidates, known as “self-opposition research,” to GOP operatives using social media. Nevins told the Journal that, after receiving the stolen documents from the hacker, he “realized it was a lot more than even Guccifer knew that he had.” The stolen DCCC documents also contained sensitive information on voters in key Florida districts, breaking down how many people were considered dependable Democratic voters, undecided Democrats, Republican voters and the like. Nevins made a war analogy, describing the data he received to Guccifer 2.0 as akin to a “map to where all the troops are deployed.”

After Nevins published some of the material on the blog, using his own pseudonym, Guccifer 2.0 sent a link of the information to close Trump associate Roger Stone — who is currently under federal investigation for potential collusion with Russia.

What the Journal story does indicate, however, is that a GOP operative who presented himself as working with Mike Flynn, a top Trump adviser with numerous dodgy Russian ties himself, actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government. Once he obtained a stash of unverified emails presented as the deleted Clinton emails, this operative then suggested the hackers release the cache to WikiLeaks one month after the DNC WikiLeaks dump and a month before the Podesta WikiLeaks dump.

*sigh*, I sure miss those days.

Russian Hacking Videos

In the last part of my series on the DNC hack, I mentioned that I watched a seminar hosted by Crowdstrike on how it was done. Some Google searching didn’t turn up much at first, but it did reveal other videos from Crowdstrike and other security firms. I’m still shaking my head at the view counts of some of these; shouldn’t reporters have swarmed them?

Ah well. If you’d like to see how these security companies viewed the DNC hack, here are some videos to check out.

[Read more…]

Russian Hacking and Bayes’ Theorem, Part 4

Ranum’s turn! Old blog post first.

Joking aside, Putin’s right: the ‘attribution’ to Russia was very very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.

Here’s the Joint Analysis Report which has been the focus of so much ire, as well as a summary paragraph of what the US intelligence agency is trying to sell:

Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.

They aren’t using IP addresses or attack signatures to sell attribution, they’re pooling all the analysis they can get their hands on, public and private. It’s short on details, partly for reasons I explained last time, and partly because it makes little sense to repeat details shared elsewhere.

I agree with most experts that the suggestions given are pretty useless, but that’s because defending against spearphishing is hard. Oh, it’s easy to white list IP access and lock down a network, but actually do that and your users will revolt and find workarounds that a network administrator can’t monitor.

The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me predict something here, first: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy.

I dunno, there’s a fair bit of creativity involved in trickery. You need to do some research to figure out the target’s infrastructure (so you don’t present them with a Gmail login if they’re using an internal Exchange server); research their social connections (an angry email from their boss is far more likely to get a response); find ways to disguise the URL displayed that neither a human nor browser will notice; construct an SSL certificate that the browser will accept; and it helps if you can find a way around two-factor encryption. The amount of programming is minimal, but so what? Computer scientists tend to value the ability to program above everything else, but systems analysis and design are arguably at least as important.

I wouldn’t be surprised to learn of a 12-year-old capable of expert phishing, any more than I’d be surprised that a 12-year-old had entered college or ran their own business or successfully engineered their own product; look at enough cases, and eventually you’ll see something exceptional.

By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.

And yes, the state of computer security is fairly abysmal. Poor password choices (if people use passwords at all), poor algorithms, poor protocols, and so on. This is irrelevant, though; the fact that house break-ins are easy to do doesn’t refute the evidence that someone burgled a house.

Hey, that was quick. Next post!

Hornbeck left off two possibilities, but I could probably (if I exerted myself) go on for several pages of possibilities, in order to make assigning prior probabilities more difficult. But first: Hornbeck has left off at least two cases that I’d estimate as quite likely:

H) Some unknown person or persons did it
I) An unskilled hacker or hackers who had access to ‘professional’ tools did it
J) Marcus Ranum did it

I’d argue the first two are handled by D, “A skilled independent hacking team did it,” but it’s true that I assumed a group was behind the attack. Could the DNC hack be pulled off by an individual? In theory, sure, but in practice the scale suggests more than one person involved. For instance,

That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target. […]

SecureWorks was tracking known Fancy Bear command and control domains. One of these lead to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.

That SecureWorks report expands on who was targeted.

In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election. Specific targets include staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy.

Even that glosses over details, as that list also includes Colin Powell, John Podesta, and William Rinehart. Also bear in mind that all these people were phished over roughly nine months, sometimes multiple times. While it helps that many of the targets used Gmail, when you add up the research involved to craft a good phish, plus the janitorial work that kicks in after a successful attack (scanning and enumeration, second-stage attack generation, data transfer and conversion), the scale of the attack makes it extremely difficult for an individual to pull off.

Similar reasoning applies to an unskilled person/group using professional tools. The multiple stages to a breach would be easy to screw up, unless you had experience carrying these out; the scale of the phish demands a level of organisation that amateurs shouldn’t be capable of. Is it possible? Sure. Likely? No. And in the end, it’s the likelihood we care about.

Besides, this argument tries to eat and have its cake. If spearphishing attacks are so easy to carry out, the difference between “unskilled” and “skilled” is small. Merely pulling off this spearphish would make the attackers experienced pros, no matter what their status was beforehand. The difference between hypotheses D and I is trivial.

There’s even more unconscious bias in Hornbeck’s list: he left Guccifer 2.0 off the list as an option. Here, you have someone who has claimed to be responsible left off the list of priors, because Hornbeck’s subconscious presupposition is that “Russians did it” and he implicitly collapsed the prior probability of “Guccifer 2.0” into “Russians” which may or may not be a warranted assumption, but in order to make that assumption, you have to presuppose Russians did it.

Who is Guccifer 2.0, though? Are they a skilled hacking group (hypothesis D), a Kremlin stooge (A), an unknown person or persons (H), or amateurs playing with professional tools (I)? “Guccifer 2.0 did it” is a composite of existing hypothesis subsets, so it makes more sense to focus on those first then drill down.

I added J) because Hornbeck added himself. And, I added myself (as Hornbeck did) to dishonestly bias the sample: both Hornbeck and I know whether or not we did it. Adding myself as an option is biasing the survey by substituting in knowns with my unknowns, and pretending to my audience that they are unknowns.

Ranum may know he didn’t do it, but I don’t know that. What’s obvious to me may not be to someone else, and I have to account for that if I want to do a good analysis. Besides, including myself fed into the general point that we have to liberal with our hypotheses.

I) is also a problem for the “Russian hackers” argument. As I described the DNC hack appears to have been done using a widely available PHP remote management tool after some kind of initial loader/breach. If you want a copy of it, you can get it from github. Now, have we just altered the ‘priors’ that it was a Russian?

This is being selective with the evidence. Remember “Home Alone?” Harry and Marv used pretty generic means to break into houses, from social engineering to learn about their targets, surveillance to verify that information and add more, and even crowbars on the locks. If that was all you knew about their techniques, you’d have no hope of tracking them down; but as luck would have it, Marv insisted on turning on all the faucets as a distinctive calling card. This allowed the police to track down earlier burglaries they’d done.

Likewise, if all we knew was that a generic PHP loader was used in the DNC hack, the evidence wouldn’t point strongly in any one direction. Instead, we know the intruders also used a toolkit dubbed “XAgent” or “CHOPSTICK,” which has been consistently used by the same group for nearly a decade. No other group appears to use the same tool. This means we can link the DNC hack to earlier ones, and by pooling all the targets assess which actor would be interested in them. As pointed out earlier, these point pretty strongly to the Kremlin.

I don’t think you can even construct a coherent Bayesian argument around the tools involved because there are possibilities:

  1. Guccifer is a Russian spy whose tradecraft is so good that they used basic off the shelf tools
  2. Guccifer is a Chinese spy who knows that Russian spies like a particular toolset and thought it would be funny to appear to be Russian
  3. Guccifer is an American hacker who used basic off the shelf tools
  4. Guccifer is an American computer security professional who works for an anti-malware company who decided to throw a head-fake at the US intelligence services

Quick story: I listened to Crowdstrike’s presentation on the Russian hack of the DNC, and they claimed XAgent/CHOPSTICK’s source code was private. During the Q&A, though, someone mentioned that another security company claimed to have a copy of the source.

The presenters pointed out that this was probably due to a quirk in Linux attacks. There’s a lot of variance in which kernel and libraries will be installed on any given server, so merely copying over the attack binary is prone to break. Because of this variety, though, it’s common to have a compiler installed on the server. So on Linux, attackers tend to copy over their source code, compile it into a binary, and delete the code.

You can see how this could go wrong, though. If the stub responsible for deleting the original code fails, or the operators are quick, you could salvage the source code of XAgent.

“Could.” Note that you need the perfect set of conditions in place. Even if those did occur, and even if the source code bundle contains Windows or OSX source too (excluding that would reduce the amount of data transferred and increase the odds of compilation slightly), the attack binary for those platforms usually needs to be compiled elsewhere. Compilation environments are highly variable yet leave fingerprints all over the executable, such as compilation language and time-stamps. A halfway-savvy IT security firm (such as FireEye) would pick up on those differences and flag the executable as a new variant, at minimum.

And as time went on, the two code bases would diverge as either XAgent’s originators or the lucky ducks with their own copy start modifying it. Eventually, it would be obvious one toolkit was in the hands of another group. And bear in mind, the first usage of XAgent was about a decade ago. If this is someone using a stolen copy of APT28/Fancy Bear’s tool, they’ve either stolen it recently and done an excellent job of replicating the original build environment, or have faked being Russian for a decade without slipping up.

While the above is theoretically possible, there’s no evidence it’s actually happened; as mentioned, despite years of observation by at least a half-dozen groups capable of detecting this event, only APT28 has been observed using XAgent.* None of Ranum’s options fit XAgent, nor do they fit APT28’s tactics either; from FireEye’s first report (they now have a second, FYI),

Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.

APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.

And as a reminder, APT28 aka. Fancy Bear is one of the groups that hacked into the DNC, and is alleged to be part of the Kremlin.

Ranum does say a lot more in that second blog post, but it’s either similar to what Biddle wrote over at The Intercept or amounts to kicking sand at Bayesian statistics. I’ve covered both angles, so the rest isn’t worth tackling in detail.

  • [HJH: On top of that, from what I’m reading APT28 prefers malware-free exploits, which use existing code on Windows computers to do their work. None of it works on Linux, so its source code would never be revealed via the claimed method.]

Sometimes, Bugs are Inevitable

Good point:

“Hacking an election is hard, not because of technology — that’s surprisingly easy — but it’s hard to know what’s going to be effective,” said [Bruce] Schneier. “If you look at the last few elections, 2000 was decided in Florida, 2004 in Ohio, the most recent election in a couple counties in Michigan and Pennsylvania, so deciding exactly where to hack is really hard to know.”

But the system’s decentralization is also a vulnerability. There is no strong central government oversight of the election process or the acquisition of voting hardware or software. Likewise, voter registration, maintenance of voter rolls, and vote counting lack any effective national oversight. There is no single authority with the responsibility for safeguarding elections.

You run into this all the time when designing systems. One or more of the requirements are a dilemma, pitting one need against another. Ease-of-use vs. security, authentication vs. anonymity, you know the type. Fixing a bug related to that requirement may cause three more to pop up, and that may not be your fault. The US election system is tough to hack, because it’s a patchwork of incompatible systems; but it’s also easy to hack, because some patches are less secure than others and the borders between patches lack a clear, consistent interface. Solving this sort of problem usually means trashing the system and starting from scratch, with a long, extensive consultation session.

Oh yeah, and an NSA report provides evidence that Russia hacked some distance into US voting systems. The Intercept also outed their source, the reporters somehow forgot that all colour printers output a unique stenographic code while printing. That doesn’t speak highly of them, the practice is decades old, and they should have know this as the Intercept was founded on sharing sensitive documents.

[HJH 2017-06-19: A minor update here.]

The Most Hacked President

The current US President is a beginner’s class in hacking. Let’s rewind back to the end of January.

Lost amid the swirling insanity of the Trump administration’s first week, are the reports of the President’s continued insistence on using his Android phone (a Galaxy S3 or perhaps S4). This is, to put it bluntly, asking for a disaster. President Trump’s continued use of a dangerously insecure, out-of-date Android device should cause real panic. And in a normal White House, it would.

A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world. The best available Android OS on this phone (4.4) is a woefully out-of-date and unsupported. The S4, running 5.0.1, is only marginally better. Without exaggerating, hacking a Galaxy S3 or S4 is the type of project I would assign as homework for my advanced undergraduate classes.

I know, that one’s a bit old, but it nicely bookends more recent reporting.

We also visited two of President Donald Trump’s other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Va. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.

The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.

“Those networks all have to be crawling with foreign intruders, not just [Gizmodo and] ProPublica,” said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.

Worried that your Pringles can will rat you out? Not to worry, planting a pineapple is easy-peasy.

At the White House, visitors must undergo a rigorous background screening before they’re let in the door. Agents scan every visitor’s full name, birth date, Social Security number, city of residence and country of birth.

But at Mar-a-Lago, gaining entry doesn’t require that degree of disclosure. Guests entering the club go through multiple security checkpoints staffed by the Secret Service looking for weapons or other immediate threats. But there’s only one requirement to produce a photo ID, and the club itself does not ask guests to provide their names or other information when they enter through the main wrought-iron gated door.

The club also serves as a venue for ticketed public events. Hosts for the slate of political and charity dinners booked at the president’s part-time home from now to the end of the club’s season in May told POLITICO the only request for information about attendees has come from the club itself. And all they’re asked to provide is a name, not additional information that can be used for Secret Service background checks in the event the president is in residence.

I’m a bit shocked no-one has tried blackmailing Trump yet. Maybe there are too many people jockeying for that honor? The WiFi networks probably look like a Spy vs. Spy comic by now.