The AlphaBay Jewish Community Center Bomb Threat of the Week Service

Back in April, the Department of Justice announced it had identified the perpetrator of at least some of the series of threats against targets that had terrified the Jewish community between January and March: Michael Ron David Kadar, an Israeli-American 18-year-old, had allegedly placed at least 15 calls to different Jewish Community Centers and other targets this year. While it received less attention, DOJ also charged Kadar with swatting calls targeting secular schools in Georgia going back to August 2015.

The fact that Kadar, an Israeli Jew, was behind sowing terror throughout the Jewish community defied assumptions that the threats were motivated out of anti-Semitism. After all, why would a Jew seek to terrorize other Jews?

Except — as documents tweeted out by GWU’s Seamus Hughes yesterday make clear — the reality may be quite different.

Back in April, the FBI obtained a search warrant to search certain accounts on AlphaBay, the dark web marketplace taken down in July. It reveals that Israeli police seized a thumb drive in their search of Kadar’s room showing “THE ARCHIVE OF TARGETS.” Documents from the archive corresponded to the hoaxes launched against Jewish targets.

It then explains that an AlphaBay vendor working under the name Darknet_Legend — apparently run by Kadar — offered a “unique emailing service for all of you, I email bomb threats to schools on your request.” Emailed bomb threats cost $30 each, plus an extra $15 if you wanted to frame someone in particular for the hoax.

In June, a prosecutor asked the magistrate to unseal the earlier search warrant to facilitate the arrest of the person believed to have paid for at least one of the JCC bomb threats.

That ongoing investigation has identified a suspect believed to have ordered and paid for at least [sic] of the bomb threats made by Kadar. The FBI and local authorities in California intend to pursue criminal charges against the suspect. If they are successful in doing so, the local authorities may need this warrant and/or it may be producible in discovery.

On July 17, the magistrate unsealed that warrant.

While it’s not yet clear who the CA target was or what has happened to him or her since June, it appears that Kadar only carried out the threats, at $30 a pop, for someone else.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Rick Ledgett’s Straw Malware

For some reason, over a month after NotPetya and almost two months after WannaCry, former Deputy DIRNSA Rick Ledgett has decided now’s the time to respond to them by inventing a straw man argument denying the need for vulnerabilities disclosure. In the same (opening) paragraph where he claims the malware attacks have revived calls for the government to release all vulnerabilities, he accuses his opponents of oversimplification.

The WannaCry and Petya malware, both of which are partially based on hacking tools allegedly developed by the National Security Agency, have revived calls for the U.S. government to release all vulnerabilities that it holds.  Proponents argue this will allow for the development of patches, which will in turn ensure networks are secure.  On the face of it, this argument might seem to make sense, but it is actually a gross oversimplification of the problem, would not have the desired effect, and would in fact be dangerous.

Yet it’s Ledgett who is oversimplifying. What most people engaging in the VEP debate — even before two worms based, in part, on tools stolen from NSA — have asked for is some kind of sense and transparency in the process by which NSA reviews vulnerabilities for disclosure. Ledgett instead casts his opponents as absolutists, asking for everything to be disclosed.

Ledgett then spends part of his column claiming that WannaCry targeted XP.

Users agree to buy the software “as is” and most software companies will attempt to patch vulnerabilities as they are discovered, unless the software has been made obsolete by the company, as was the case with Windows XP that WannaCry exploited.

[snip]

Customers who buy software should expect to have to patch it and update it to new versions periodically.

Except multiple reports said that XP wasn’t the problem; Windows 7 was. Ledgett’s mistake is all the more curious given reports that EternalBlue was blue screening at NSA when — while he was still at the agency — it was primarily focused on XP. That is, Ledgett is one of the people who might have expected WannaCry to crash XP; that he doesn’t, even when I do, doesn’t say a lot for NSA’s oversight of its exploits.

Ledgett then goes on to claim that WannaCry was a failed ransomware attack, even though that’s not entirely clear.

At least he understands NotPetya better, noting that the NSA component of that worm was largely a shiny object.

In fact, the primary damage caused by Petya resulted from credential theft, not an exploit.

The most disturbing part of Ledgett’s column, however, is that it takes him a good eight (of nine total) paragraphs to get around to addressing what really has been the specific response to WannaCry and NotPetya, a response shared by people on both sides of the VEP debate: NSA needs to secure its shit.

Some have made the analogy that the alleged U.S. government loss of control of their software tools is tantamount to losing control of Tomahawk missile systems, with the systems in the hands of criminal groups threatening to use them.  While the analogy is vivid, it incorrectly places all the fault on the government.  A more accurate rendering would be a missile in which the software industry built the warhead (vulnerabilities in their products), their customers built the rocket motor (failing to upgrade and patch), and the ransomware is the guidance system.

We are almost a full year past the day ShadowBrokers first came on the scene, threatening to leak NSA’s tools. A recent CyberScoop article suggests that, while government investigators now have a profile they believe ShadowBrokers matches, they’re not even entirely sure whether they’re looking for a disgruntled former IC insider, a current employee, or a contractor.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

[snip]

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

[snip]

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

At least some of Shadow Brokers’ tools were stolen after Edward Snowden walked out of NSA Hawaii with the crown jewels, at a time when Rick Ledgett, personally, was leading a leak investigation into NSA’s vulnerabilities. And yet, over three years after Snowden stole his documents, the Rick Ledgett-led NSA still had servers sitting unlocked in their racks, still hadn’t addressed its privileged user issues.

Rick Ledgett, the guy inventing straw man arguments about absolutist VEP demands, is a guy who’d do the country far more good if he talked about what NSA can do to lock down its shit — and explained why that shit didn’t get locked down when Ledgett was working on those issues specifically.

But he barely mentions that part of the response to WannaCry and NotPetya.

The Kronos Needle in the AlphaBay Haystack

To set up a future post (see my earlier posts here and here), I want to show how remarkable it is that the Feds decided to prosecute Marcus Hutchins, a guy who allegedly contributed code to a piece of malware sold in June 2015 for $2,000 on AlphaBay, out of all the illicit sales they might have chosen to prosecute in the month after taking the site down.

First, let’s look at the Alexandre Cazes indictment, sworn by a Fresno Grand Jury on June 1, 2017, 41 days before the Hutchins indictment. It lists the following illicitly sold goods.

  • Redacted month 2015, redacted vendor sells a false driver license to an undercover officer in CA
  • Redacted month 2015, redacted vendor sells an ATM skimmer to an undercover officer in CA
  • Redacted month 2015, redacted vendor sells an ATM skimmer to an undercover officer in CA
  • December 29, 2015, vendor CC4L sells marijuana to MG, an undercover officer, which is mailed from Merced to Buffalo
  • Redacted short month date 2016, redacted vendor sells marijuana to an undercover officer, which is mailed from Los Angeles to a redacted city
  • Redacted month 2016, redacted vendor sells a false driver license to an undercover officer in CA
  • Redacted month 2016, redacted vendor sells a false driver license to an undercover officer in CA
  • Redacted month 2016, redacted vendor sells a false driver license to an undercover officer in CA
  • May 16, 2016, vendor A51 sells heroin to an undercover officer, which is mailed from Brooklyn to Fresno
  • May 24, 2016, vendor A51 sells heroin to an undercover officer, which is mailed from Brooklyn to Fresno
  • October 20, 2016, vendor BSB sells heroin and fentanyl to an undercover officer, which is mailed from San Francisco to Fresno
  • Redacted (short month) date 2017, redacted vendor sells meth to an undercover officer, which is mailed between two CA cities

The sale of a piece of malware for $2,000 on June 11, 2015 would be earlier than most of those listed in the indictment that brought AlphaBay’s operator down. And while there are several ATM skimmers listed (a violation of 18 USC 1029) there is no malware listed (in two of Hutchins’ charges listed as violations of 18 USC 1030, the CFAA statute).

Now look at the overall numbers FBI boasted for AlphaBay when it announced its takedown on July 20, nine days after the indictment targeting Hutchins.

AlphaBay reported that it serviced more than 200,000 users and 40,000 vendors. Around the time of takedown, the site had more than 250,000 listings for illegal drugs and toxic chemicals, and more than 100,000 listings for stolen and fraudulent identification documents, counterfeit goods, malware and other computer hacking tools, firearms, and fraudulent services. By comparison, the Silk Road dark market—the largest such enterprise of its kind before it was shut down in 2013—had approximately 14,000 listings.

The operation to seize AlphaBay’s servers was led by the FBI and involved the cooperative efforts of law enforcement agencies in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, along with the European law enforcement agency Europol.

“Conservatively, several hundred investigations across the globe were being conducted at the same time as a result of AlphaBay’s illegal activities,” Phirippidis said. “It really took an all-hands effort among law enforcement worldwide to deconflict and protect those ongoing investigations.”

Of the 40,000 vendors, the 250K drug listings, and the 100K fraudulent services listings, the guy who sold Kronos once for $2,000 (whom Tom Fox-Brewster thinks might be a guy named VinnyK) — and, by virtue of American conspiracy laws, Hutchins — were among the first 20 or so known to be charged for using AlphaBay within a month of the takedown.

Admittedly, we’re seeing EDCA’s sales in Cazes’ indictment because they had the lead on the overall takedown. Perhaps EDWI has 1,000 more malware buys it will get around to charging, as soon as its perpetrators decide to come to the US, as Hutchins did.

But put in this light, it looks even more remarkable how quickly they got around to arresting the alleged co-conspirator of a guy who sold a piece of malware.

MalwareTech’s FBI-Induced Tour to Milwaukee, WI

On Friday, WannaCry hero Marcus Hutchins (AKA MalwareTech) was granted bail by a Las Vegas judge; he will pay his bail on Monday, then have to travel, without a passport to show TSA, to Milwaukee for a court appearance Tuesday (I’m contemplating hopping the ferry for the hearing).

I’d like to focus on the venue, how it is that a British malware researcher came to be charged in Flyover USA for the crime of making malware.

Thomas Fox-Brewster wrote an important piece on Friday trying to figure out what a lot of people have been asking: what is Kronos, which a lot of researchers had never really heard of? He notes that the malware was a bust in the criminal malware market.

The reduced price hints at another truth about Kronos: it was largely a failure amongst serious cybercriminals. There was early anticipation in 2014 it could go big, as prolific and profitable as one of its forbears, the banking malware known as Zeus. In an email to your reporter from RSA’s Daniel Cohen in 2014, he wrote: “Waiting to see whether Kronos turns into something. At this point it’s just a post on a forum, no sample or binary yet. It could be an interesting development if it does, as it would point to more movement away from the Zeus code.”

In the last 24 months, according to IBM global executive security advisor Limor Kessem, the Trojan emerged with a hefty $7,000 price tag in mid-2014, but actual attacks didn’t launch until the third and fourth quarter of 2015, when the company saw some Kronos malware campaigns hitting UK banks. “But after that timeframe, have not seen much more activity from the malware,” Kessem told Forbes.

“The very last time we saw Kronos activity was a small campaign in November 2016, when Kronos infected a very small number of machines mostly in Brazil, the UK, Japan, and Canada. At that particular time, we did not see fraudulent activity from Kronos, but rather, believe it was used as a loader for other malware.”

Importantly, IBM global executive security advisor Limor Kessem names the few places where the malware has been deployed: some UK banks in the last two quarters of 2015 and then, in altered form and function, a “very small number of machines” in Brazil, the UK, Japan, and Canada.

So: UK, Brazil, UK, Japan, and Canada.

Not the US, as far as Kessem notes.

And in fact, the most commonly cited victim, the UK, is where Hutchins is from! Yet among the things the British National Cyber Security Centre — the folks who worked closely with Hutchins as he saved a bunch of NHS hospitals from being shut down due to the WannaCry malware — has been really circumspect about since Hutchins’ arrest is what the case is doing over here in the States.

We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further.

So why are we seeing this case in the US — in Milwaukee, of all places?!?! — rather than in the UK where some of its few victims are?

The indictment against Hutchins includes just two actions he is alleged to have taken personally.

Defendant MARCUS HUTCHINS created the Kronos malware. (¶4a)

[snip]

In or around February 2015, defendants MARCUS HUTCHINS and [redacted] updated the Kronos malware. (¶4d)

All the other overt actions described in the indictment were done by Hutchins’ as yet unknown (even to him, per reports!) and still at-large co-defendant. That includes this action:

On or about June 11, 2015, defendant [redacted] sold a version of the Kronos malware in exchange for approximately $2,000 in digital currency. [emphasis mine]

Most of the other charges — counts three through six — cite that June 11 sale. So it’s that sale, in which Hutchins was not alleged to be involved and the alleged perpetrator of which hasn’t yet been arrested, that seems to be the core of the crime.

This Beeb article, by far the most detailed accounting of Hutchins’ arraignment, provides these details.

Prosecutors told a Las Vegas court on Friday that Mr Hutchins had been caught in a sting operation when undercover officers bought the code.

They claimed the software was sold for $2,000 in digital currency in June 2015.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

“He admitted he was the author of the code of Kronos malware and indicated he sold it,” said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant – who has yet to be arrested – where the security researcher complained of not receiving a fair share of the money.

From this, it might be safe to assume that some law enforcement officer, possibly working undercover in the Eastern District of WI, bought a bunch of shit off AlphaBay in 2015, including a copy of (a version of) the Kronos malware. The purchase (and the version of code) wasn’t sufficiently interesting last year to arrest Hutchins when (I believe) he came for the Las Vegas cons.

Nor was it interesting enough to the UK, where some of Kronos’ few victims are, to prosecute the sale (which, because conspiracy laws are not as broad as they are here in the US, might not have reached Hutchins in any case, and certainly wouldn’t have exposed him to decades of incarceration).

But this year, in the days after the AlphaBay seizure (and several months after Hutchins helped to shut down WannaCry), prosecutors presented that $2,000 sale to a grand jury in ED WI, after which an arrest warrant was sent out to Las Vegas, just in time to arrest Hutchins on his way out of the country, after most of the unruly hackers had departed from Las Vegas.

Arresting Hutchins only as he left — and playing whack-a-mole moving him from one detention center to another — gave authorities the opportunity to interview Hutchins without an attorney, where, prosecutor Dan Cowhig claims, Hutchins “made a confession” — not that he “created the Kronos malware,” which is what the indictment alleges, but instead that he “was the author of the code of Kronos malware.” That “confession” sounds like the kind of thing an overly helpful person might offer if asked to explain this tweet in circumstances where he didn’t have a lawyer.

So here’s what may be going on.

In the aftermath of the AlphaBay seizure, authorities in the US decided to wade through what they could charge from past purchases off the marketplace, and either remembered or stumbled on this remarkably minor sale. Perhaps because of Hutchins’ fame, or perhaps because someone is unhappy about Hutchins’ fame, it was prioritized in a way it otherwise would not have been. And, as always, the US used convenient travel as a way to nab foreign alleged hackers and pull them into America’s criminal justice system, which is far more onerous than its allies’.

It’s not even clear, however, that that explains the Milwaukee venue. Recall that DOJ first charged Pyotr Levashov (and therefore first deployed its now legally sanctioned Rule 41 warrant) for the Kelihos botnet in Alaska, even though he’ll be tried in CT if he’s ever extradited to the US. The FBI reorganized the way they investigate cyber crimes in 2014 (no longer tying the investigation to the geography of the crime) and with Rule 41 and international crimes, they’ll be able to do so far more in the future. But at least with Levashov, there were victims referenced in the complaint, whereas here, the only act that may have taken place in ED WI is that purchase, if it even did.

All that said, the venue is a far less interesting question than whether the FBI really has evidence tying Hutchins to intending his code to be used for malware, or if they’ve just made a horrible mistake.

Three Things: Mas Gas, Las Vegas and Sass

I’m not even going to touch the massive stream of news out of Washington over the last 24 hours, from the Washington Post piece featuring ‘leaked’ transcripts of Trump’s whack doodle conversations with Mexico’s and Australia’s presidents to the impaneled grand jury and subpoenas. Plenty of other material not getting adequate air time.

Speaking of air time, hope you have a chance to catch Marcy on Democracy Now. She spoke with Amy Goodman about the confirmation of Chris Wray as FBI Director as well as former Fox News contributor Rod Wheeler’s lawsuit against Fox News.

Onward…

~ 3 ~

Venezuela’s state-run oil producer PDVSA is cutting oil sales to U.S. refining unit Citgo Petroleum. At the same time it is increasing shipments of oil to Russia’s largest oil producer, Rosneft. Venezuela is using its oil to pay down a $1.6 billion loan extended to PDVSA last year. Rosneft has loaned an even larger sum of money in the not-too-distant past, but the terms aren’t known; payments in oil as well as a hefty minority stake in Citgo were believed to be included in negotiations.

The threat to U.S. gasoline supply: though at lower levels than a decade ago, Venezuela is the third largest supplier of oil to the U.S.

Citgo has, however, been shifting its purchasing wider afield than just PDVSA:

Citgo last year started sending gasoline and other fuels to Venezuela in exchange for a portion of its crude supply. But Citgo has increased the volume of U.S. oil it refines, and has also expanded its crude import sources.
[…]
U.S. President Donald Trump’s administration has promised strong economic sanctions against Venezuela’s government after a Constituent Assembly was elected last week in what the United States called a “sham” vote. The new body will have power to rewrite the constitution and abolish the opposition-led Congress.

If those sanctions were to constrain Venezuela’s oil shipments to the United States, Citgo could be ahead of its competitors in finding new supply sources.

The public will feel at the pump whatever happens to Citgo and other gasoline producers. Gasoline prices are already $0.16-0.24 per gallon higher than they were last year.

Who is profiting from this?

~ 2 ~

I’ve been thinking about the tagline, “What happens in Vegas, stays in Vegas,” right about now after the arrest of Marcus Hutchins, a.k.a. MalwareTechBlog, following Defcon’s end in Las Vegas. You’ve probably read Marcy’s piece already (catch up if you didn’t); since she published her post the information security community has been digging into Hutchins’ past and stewing about why/what/how.

Some speculate this was an aggressive recruitment effort; this might explain why the U.K. didn’t arrest him before he left for Defcon. Or did the U.K. and the U.S. agree not to spook any Defcon attendees by stopping Hutchins before he arrived in Vegas? Responses by U.K. authorities are annoyingly banal:

A spokesman for the Foreign and Commonwealth Office said: “We are in touch with local authorities in Las Vegas following reports of a British man being arrested.”

The UK’s National Crime Agency said: “We are aware a UK national has been arrested but it’s a matter for the authorities in the US.”

Others speculate he was framed as the target of revenge by someone caught up in AlphaBay’s seizure. How does shutting down WannaCry fit into this scenario?

I don’t have a favorite theory right now. All I know is that WannaCry’s heat map sticks in my craw.

One thing which should come out of this situation is a dialog about coding, malware, and intent; the infosec community is having that discussion now, but it needs to be wider. If a white hat codes malware in part or whole to investigate capabilities, they are only separated from criminal malware producers/sellers/distributors by intent. How does law enforcement determine intent?

~ 1 ~

Your opinion is constantly shaped by the media you consume. Some consumers aren’t conscious of this shaping; neither are some producers.

And some producers know it but are just plain jerks.

A very important way in which opinion is shaped is by the perspective presenting a viewpoint. If only the members of one-half of the population ever get a chance to present a perspective, consumers’ opinions are narrowed by that same factor. This is why gender equity in media is critical; if you’re only hearing men you’re not getting but part of the picture.

WIRED magazine knows that gender equity in content is important, but their last issue contained only male-written content. As a twisted tribute to the women who helped produce the issue, WIRED stuck a colophon listing important females.

Including a dog.

Really? The women of WIRED are on the same footing as a pet?

Somebody/ies at WIRED need a kick in the sass; I don’t give a fig if half the staff is female if the content itself is all-male. I’m going to do my best this next month not to cite WIRED.

Don’t think for a moment this is just WIRED, either. The VIDA Count annually measures gender equity in the literary arts. There’s progress, though slow.

~ 0 ~

That’s a wrap on this open thread. Let’s hope with Tiny Hands McGolfer on vacation that news slows a bit as we enter this weekend. I’m not holding my breath though. Behave.

FBI Busts the Guy Who Saved the World from NSA’s Malware

Yesterday, the FBI arrested Marcus Hutchins as he was leaving Las Vegas after Black Hat/Defcon.

Hutchins is best known as the malware researcher, MalwareTechBlog, who inadvertently saved the world from NSA’s repurposed hacking tools by registering what has been assumed to be the sandboxing domain, effectively turning it into a killswitch.

But the government accuses him of making the Kronos banking malware sold on AlphaBay. In an indictment signed July 11 (6 days after AlphaBay got seized), the government asserts simply that Hutchins made the malware. Motherboard first reported the arrest.

It also accuses him of conspiring with a co-defendant, whose name is redacted, to sell it, going back to July 2014.

There’s a lot of skepticism about this indictment in the infosec community, in part because no one took Hutchins for a black hat, though others point to a past identity under which he may have engaged in carding. Plus, the timing is curious. The press release for the arrest notes “the Kronos banking Trojan … was first made available through certain internet forums in early 2014.”

On July 13, 2014, Hutchins put out an ask for a sample of the malware.

That’s also the day the indictment describes an advertising video first being posted to AlphaBay on how Kronos worked.

In remarkably timed news, between 3:10 and 3:25 AM UTC this morning (8 PM last night Mountain Time), someone emptied out all the WannaCry accounts.

Three Things: Killing Oil, Too Money, Kaspersky’s World

Too much going on here today but the existing threads are getting too deep and a couple are drifting off-topic. Here’s three quick things to chew on and an open thread.

~ 3 ~

The marketplace will bring death to oil long before the government. (Bloomberg). But will governments — US and oil-producing countries alike — get in the way of alternative energy in spite of the market demanding more alternatives to fossil fuels? With this trend away from combustion engines pressing on them, fossil fuel producers are shifting toward increased LNG for use in electricity production; this only shifts CO2 creation from vehicles to power plants. Will the market put an end to that, too?

~ 2 ~

There’s too much money out there if Delta can order multiple planes configured for all-first class service. I just spoke with a friend earlier today about round-trip fares from a major Midwest airport to major cities in Europe; they were quite high even with a departure date more than a month out, and higher than they had seen in a while. Fuel prices haven’t increased that much over the last year; low oil prices are threatening pipelines as financing construction costs more than the return on oil. Somewhere between slack fuel prices, firm fares and demand, Delta’s making enough money to build these let-them-eat-cake planes.

One could argue that if buyers have the money they can have whatever they want — except that taxpayers finance the infrastructure, including the essential safety regulatory system, which will now protect the few and not the many while increasing congestion. Too money — somebody needs to pay more taxes to support the infrastructure they’re using.

~ 1 ~

Kaspersky Labs is releasing around the globe a free version of their antivirus software (Reuters). It won’t replace the paid version of their AV software, providing only very basic protection. I’m not using it, though, for two reasons: if it’s like Kaspersky’s existing free tool, it will send messages back to the parent company about infections it finds — and possibly more. Congress and the U.S. intelligence community may have concerns about Kaspersky Lab’s vulnerability to the Russian government; I’m more concerned about Kaspersky Lab having been breached at least once in 2015, compromising data in their systems. Your mileage may vary; use under advisement.

~ 0 ~

That’s it for now. This is an open thread. Behave.

P.S. The fight against attacks on the health care system isn’t over. Call your senator at (202) 224-3121. Other tools for your use in this post.

The Long-Delayed Jeff Sessions Reveal

Today (or yesterday — I’ve lost track of time) the WaPo reported what has long been implied: there’s evidence that Jeff Sessions spoke to Russian Ambassador Sergey Kislyak about campaign-related stuff, contrary to his repeated sworn comments.

At first, I thought this revelation might relate to Richard Burr’s assertion that Devin Nunes made up the scandal about which Obama officials had unmasked the identity of Trump officials who got sucked up in intercepts of Russians.

“The unmasking thing was all created by Devin Nunes, and I’ll wait to go through our full evaluation to see if there was anything improper that happened,” Burr said. “But clearly there were individuals unmasked. Some of that became public which it’s not supposed to, and our business is to understand that, and explain it.”

After all, one of the things the Senate Intelligence Committee would do to clear Rice is figure out who unmasked the identities of Trump people. And there’s at least circumstantial evidence to suggest that James Clapper unmasked Jeff Sessions’ identity, potentially on the last day of his tenure.

But Adam Entous, one of the three journalists on the story (and all the stories based on leaks of intercepts) reportedly said on the telly they’ve had the story since June.

Which instead suggests the WaPo published a story they’ve been sitting on since Sessions’ testimony.

The WaPo story cites the NYT interview in which Trump attacked Sessions for his poor answers about his interactions with Kislyak.

Trump, in an interview this week, expressed frustration with Sessions’s recusing himself from the Russia probe and indicated that he regretted his decision to make the lawmaker from Alabama the nation’s top law enforcement officer. Trump also faulted Sessions as giving “bad answers” during his confirmation hearing about his Russian contacts during the campaign.

Officials emphasized that the information contradicting Sessions comes from U.S. intelligence on Kislyak’s communications with the Kremlin, and acknowledged that the Russian ambassador could have mischaracterized or exaggerated the nature of his interactions.

Many people took this interview as an effort on Trump’s part to get Sessions to resign.

And the WaPo goes on to note that the disclosure — by these same journalists — of Mike Flynn’s conversations with Kislyak led to his resignation.

Kislyak was also a key figure in the departure of former national security adviser Michael Flynn, who was forced to leave that job after The Post revealed that he had discussed U.S. sanctions against Russia with Kislyak even while telling others in the Trump administration that he had not done so.

And all of a sudden, we get this confirmation that Sessions has been lying all along.

Don’t get me wrong: I’d be happy to see Jeff Sessions forced to resign. But if he does, Trump will appoint someone more willing to help the cover-up, someone who (because he wouldn’t have these prevarications about conversations with the Russian Ambassador and therefore won’t have to recuse) will assume supervision of Robert Mueller.

So while I’m happy for the confirmation that Sessions lied, I have real questions about why this is being published now.

On Trump’s Impenetrable Cyber Security Unit to Guard Election Hacking

Man oh man did Vladimir Putin hand Trump his ass in their meeting the other day. Most of the focus has been on Trump’s apparent refusal to confront Putin on the election hack (which Trump is now trying to spin — pity for him he excluded his credible aides who could tell us how it really went down, or maybe that was precisely the point).

But I was more interested in Putin and Sergei Lavrov’s neat trick to get Trump to agree to a “joint working group on cybersecurity.”

Lavrov says Trump brought up accusations of Russian hacking; Moscow and DC will set up joint working group on cybersecurity.

Here’s how Trump has been talking about this in an [unthreaded] rant this morning.

People who’re just discovering this from Trump’s tweets are suitably outraged.

But I think even there they’re missing what a master stroke this was from Putin and Lavrov.

First, as I noted at the time, this comes at the moment Congress is trying to exclude Kaspersky Lab products from federal networks, accompanied by a more general witch hunt against the security firm. As I have said, I think the latter especially is problematic (and probably would have been designed at least partly to restore some asymmetry on US spying on the world, as Kaspersky is one of the few firms that will consistently ID US spying), even if there are reasons to want to keep Kaspersky out of sensitive networks. Kaspersky would be at the center of any joint cyber security effort, meaning Congress will have a harder time blackballing them.

Then there’s the fact that cooperation has been tried. Notably, the FBI has tried to share information with the part of FSB that does cyber investigations. Often, that ends up serving to tip off the FSB to which hackers the FBI is most interested in, leading to them being induced to spy for the FSB itself. More troubling, information sharing with US authorities is believed to partly explain treason charges against some FSB officers.

Finally, there’s the fact that the Russians asked for proof that they hacked our election.

SECRETARY TILLERSON: The Russians have asked for proof and evidence. I’ll leave that to the intelligence community to address the answer to that question. And again, I think the President, at this point, he pressed him and then felt like at this point let’s talk about how do we go forward. And I think that was the right place to spend our time, rather than spending a lot of time having a disagreement that everybody knows we have a disagreement.

If the US hadn’t been represented by idiots at this meeting, the obvious follow-up would be to point to Russia’s efforts to undermine US extradition of Russians against whom the US has offered proof, at least enough to get a grand jury to indict, most notably of the three Russians involved in the Yahoo hack, as well as Yevgeniy Nikulin. The US would be all too happy to offer proof in those cases, but Russia is resisting the process that will end up in that proof.

But instead, Trump and his oil-soaked sidekick agreed to make future hacking of the US easier.

In Mistaking Surveillance for Sabotage, NYT Fearmongers Nukes Again

Last night, the NYT had an alarming story reporting that suspected Russian spies were compromising engineers that work at nuclear power plants across the United States. Amber! the story screamed.

Since May, hackers have been penetrating the computer networks of companies that operate nuclear power stations and other energy facilities, as well as manufacturing plants in the United States and other countries.

Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.

The joint report was released on June 28. It was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the severity of the threat.

After screaming “Amber,” the story went on to scream “bears!”

The origins of the hackers are not known. But the report indicated that an “advanced persistent threat” actor was responsible, which is the language security specialists often use to describe hackers backed by governments.

The two people familiar with the investigation say that, while it is still in its early stages, the hackers’ techniques mimicked those of the organization known to cybersecurity specialists as “Energetic Bear,” the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.

Ultimately, the story worked its way up to invoke StuxNet, an attack on the actual enrichment processes of a nuclear facility.

In 2008, an attack called Stuxnet that was designed by the United States and Israel to hit Iran’s main nuclear enrichment facility, demonstrated how computer attacks could disrupt and destroy physical infrastructure.

The government hackers infiltrated the systems that controlled Iran’s nuclear centrifuges and spun them wildly out of control, or stopped them from spinning entirely, destroying a fifth of Iran’s centrifuges.

In retrospect, [former chairman of the Federal Energy Regulatory Commission] Mr. Wellinghoff said that attack should have foreshadowed the threats the United States would face on its own infrastructure.

And yet, in the fourth paragraph of the story, NYT admitted it’s not really clear what the penetrations involved. With that admission, the story also revealed that the computer networks in question were not the control systems that manage the plants.

The report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached.

Still further down, the report admitted that this involved phishing and watering hole attacks on engineers, not attacks on control systems.

In most cases, the attacks targeted people — industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material, according to two people familiar with the attacks who could not be named because of confidentiality agreements.

[snip]

Hackers wrote highly targeted email messages containing fake résumés for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said.

[snip]

In some cases, the hackers also compromised legitimate websites that they knew their victims frequented — something security specialists call a watering hole attack.

That is, even while screaming “Amber Russian bear OMIGOSH StuxNet!!” the article admitted that this is not StuxNet. This amounts to spies, quite possibly Russian, “hunting SysAdmins,” just like the United States does (of course, the US and its buddy Israel also assassinate nuclear engineers, which for all its known assassinations, Russia is not known to have done).

That distinction is utterly critical to make, no matter how much you want to fearmonger with readers who don’t understand the distinction.

There is spying — the collection of information on accepted targets. And there is sabotage — the disruption of critical processes for malicious ends.

This is spying, what our own cyber doctrine calls “Cyber Collection.”

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence – including information that can be used for future operations – from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. ( C/NF)

That doesn’t mean Russian spying on how our nuclear facilities work is without risk. It does carry the risk that they are collecting the information so they can one day sabotage our facilities.

But if we want to continue spying on North Korea’s or Iran’s nuclear program, we would do well to remember that we consider spying on nuclear facilities — even by targeting the engineers that run them — squarely within the bounds of acceptable international spying. By all means we should try to thwart this presumed Russian spying. But we should not suggest — as the NYT seems to be doing — that this amounts to sabotage, to the kinds of things we did with StuxNet, because doing so is likely to lead to very dangerous escalation.

And it’s not just me saying that. Robert M. Lee, who works on cyber defense for the energy industry and who recently authored a report on Crash Override, Russia’s grid-targeting sabotage tradecraft (and as such would have been an obvious person to cite in this article), had this to say:

So while the threat to nuclear from cyber is a real concern because of impact it’s very improbable and “what about Stuxnet” is a high bar

Or said more simply: phishing emails are lightyears removed from “what about Stuxnet” arguments. It’s simply otherworldly in comparison.

There’s one more, very real reason why the NYT should have been far more responsible in clarifying that this is collection, not sabotage. Among the things Shadow Brokers, with its presumed ties to Russia, has been threatening to expose is “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.” If the NYT starts inflating the threat from cyber collection on nuclear facilities, it could very easily lead to counter-inflation, with dangerous consequences for the US and its ability to monitor our adversaries.

There is very real reason to be concerned that Russia — or some other entity — is collecting information on how our nuclear and other power facilities work. But, as Lee notes, conflating that with StuxNet is “otherworldly.”