Why Did Tom Bossert Claim WannaCry Was Spread Via Phishing?

Writing this post made me look more closely at what Trump’s Homeland Security Czar Tom Bossert said in a briefing on WannaCry on Monday, May 15.

He claimed, having just gotten off the phone with his British counterpart and in spite of evidence to the contrary, that there had been minimal disruption to care in Britain’s DHS.

The UK National Health Care Service announced 48 of its organizations were affected, and that resulted in inaccessible computers and telephone service, but an extremely minimal effect on disruption to patient care.

[snip]

And from the British perspective, I thought it was important to pass along from them two points — one, that they thought it was an extremely small number of patients that might have been inconvenienced and not necessarily a disruption to their clinical care, as opposed to their administrative processes.  And two, that they felt that some of those reports might have been misstated or overblown given how they had gotten themselves into a position of patching.


Of course, this may be an issue in the upcoming election, so I can see why Theresa May’s government might want to downplay any impact on patient care, especially since the Tories have long been ignoring IT problems at DHS.

He dodged a follow-up question about whether there might be more tools in the Shadow Brokers haul that would lead to similar attacks in the future, by pointing to our Vulnerabilities Equities Process.

Q    I guess a shorter way to put it would be is there more out there that you’re worried about that would lead to more attacks in the future?

MR. BOSSERT:  I actually think that the United States, more than probably any other country, is extremely careful with their processes about how they handle any vulnerabilities that they’re aware of.  That’s something that we do when we know of the vulnerability, not when we know we lost a vulnerability.  I think that’s a key distinction between us and other countries — and other adversaries that don’t provide any such consideration to their people, customers, or industry.

Obviously, the VEP did not prevent this attack. More importantly, someone in government really needs to start answering what the NSA and CIA (and FBI, if it ever happens) do when their hacking tools get stolen, an issue which Bossert totally ignored.

But I’m most interested in something Bossert said during the original exchange on NSA’s role in all this.

Q    So this is one episode of malware or ransomware.  Do you know from the documents and the cyber hacking tools that were stolen from NSA if there are potentially more out there?

MR. BOSSERT:  So there’s a little bit of a double question there.  Part of that has to do with the underlying vulnerability exploit here used.  I think if I could, I’d rather, instead of directly answering that, and can’t speak to how we do or don’t do our business as a government in that regard, I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.  This was a tool developed by culpable parties, potentially criminals of foreign nation states, that was put together in such a way so to deliver it with phishing emails, put it into embedded documents, and cause an infection in encryption and locking. [my emphasis]

Three days into the WannaCry attack, having spent the weekend consulting with DHS and NSA, Bossert asserted that WannaCry was spread via phishing.

That is a claim that was reported in the press. But even by Monday, I was seeing security researchers persistently question the claim. Over and over they kept looking and failing to find any infections via phishing. And I had already seen several demonstrations showing it didn’t spread via phishing.

Now, Bossert is one of the grown-ups in the Trump Administration. His appointment — and the cybersecurity policy continuity with Obama’s policy — was regarded with relief when it was made, as laid out in this Wired profile.

“People that follow cybersecurity issues will be happy that Tom is involved in those discussions as one of the reasoned voices,” Healey says.

“Frankly, he’s an unusual figure in this White House. He’s not a Bannon. He’s not even a Priebus,” says one former senior Obama administration official who asked to remain unnamed, contrasting Bossert with Trump’s top advisers Stephen Bannon and Reince Priebus. “He has a lot of credibility. He’s very straightforward and level-headed.”

And (as the rest of the profile makes clear) he does know cybersecurity.

So I’m wondering why Bossert was stating that this attack spread by phishing at a time when open source investigation had already largely undermined that hasty claim.

There are at least three possibilities. Perhaps Bossert simply misstated here, accidentally blaming the vector we’ve grown used to blaming. Possibly (though this would be shocking) the best SIGINT agency in the world still hadn’t figured out what a bunch of people on Twitter already had.

Or, perhaps there were some phished infections, which quickly got flooded as the infection spread via SMB. Though that’s unlikely, because the certainty that it didn’t spread via email has only grown since Monday.

So assuming Bossert was, in fact, incorrect when he made this claim, why did he have this faulty information?

The Legitimacy Problem with NSA’s Silence on WannaCry

Over at Matt Suiche’s website, he chronicles the discovery of a way to work around WannaCry’s ransomware. First a guy named Adrien Guinet figured out how to find the prime numbers that had computed the key locking a computer’s files. Then a guy named Benjamin Delpy recreated the effort and tested it against versions up to Windows 7. This is not a cure-all, but it may be a way to restore files encrypted by the attackers.
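To make concrete what recovering the primes buys a victim, here is an added toy illustration. It is my own example, not Guinet’s or Delpy’s tool and not WannaCry’s real key material: a prime factor of an RSA modulus is located in a constructed memory image, the private exponent is rebuilt from it, and a wrapped per-file key is unwrapped with the rebuilt key. The key sizes, the memory image and the assumption that the factor sits in memory as a plain little-endian integer are all constructed for the demo.

```python
"""
Rebuilding an RSA private key from a prime factor left in process memory.
Added illustration of the recovery idea described above; toy-sized keys and a
constructed memory image, not WannaCry's real key sizes or any published tool.
"""
from math import gcd

E = 65537  # common RSA public exponent


def make_keypair(p, q, e=E):
    """Return (n, d) for primes p, q: public modulus and private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, d


def find_prime_in_memory(memory, n, width):
    """Scan a byte image for a width-byte little-endian integer dividing n.

    This is the recovery step: the attacker's public modulus n is known from
    the infected machine, so any window of memory that divides n exactly must
    be one of its two prime factors.
    """
    for off in range(0, len(memory) - width + 1):
        cand = int.from_bytes(memory[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_key(n, p, e=E):
    """Given n and one factor p, derive q and the private exponent d."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def demo():
    # Constructed example: two 4-byte primes stand in for the real 1024-bit ones.
    p, q = 1000000007, 998244353
    n, _d = make_keypair(p, q)

    # A per-file key the ransomware would have wrapped with the public key.
    file_key = 123456789
    wrapped = pow(file_key, E, n)

    # Constructed memory image: junk bytes around the little-endian prime p,
    # standing in for a process image that was never wiped before exit.
    memory = b"\x00" * 5 + p.to_bytes(4, "little") + b"\xff" * 7

    recovered_p = find_prime_in_memory(memory, n, width=4)
    assert recovered_p is not None, "factor not found in memory image"
    d = rebuild_private_key(n, recovered_p)

    # Unwrap the file key with the rebuilt private exponent.
    return pow(wrapped, d, n)


if __name__ == "__main__":
    print("recovered file key:", demo())
```

The point of the demo is the dependency chain: once either prime is found in memory, the other follows by division, the private exponent follows from both, and every key wrapped under that public key can be unwrapped. That is why a process that fails to scrub its key material before exiting undoes the whole scheme, and why the recovery only works on a machine that has not rebooted or reused that memory since infection.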

This of course comes after Suiche and before him Malware Tech set up sinkholes to divert the malware attack. Other security researchers have released tools to prevent the encryption of files after infection.
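Two of the facts leaned on above, that WannaCry spread laterally over SMB rather than by email (the question raised in the previous post) and that a sinkholed domain stopped it, both leave traces a defender can look for in ordinary logs. The following is an added example of my own, not code from the post or from MalwareTech or Suiche: it runs two simple detectors over constructed netflow-style and DNS log records. The kill-switch domain name is a placeholder, since the post does not name it; the IP addresses, timestamps and thresholds are constructed for the demo.

```python
"""
Two log-side indicators of an SMB worm, run over constructed sample records.
Added example; not part of the original post. Addresses, timestamps, thresholds
and the kill-switch domain are constructed placeholders.
"""
from collections import defaultdict

# Constructed netflow-style records: (timestamp_seconds, src_ip, dst_ip, dst_port)
FLOWS = (
    # a worm-like host sweeping 15 distinct peers on TCP/445 within 15 seconds
    [(100 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(15)]
    # a normal user hitting one file server on 445 repeatedly (not fan-out)
    + [(100 + i, "10.0.0.9", "10.0.0.100", 445) for i in range(15)]
    # unrelated HTTPS traffic
    + [(100 + i, "10.0.0.7", "93.184.216.34", 443) for i in range(5)]
)

# Constructed DNS query log: (timestamp_seconds, src_ip, queried_name)
DNS = [
    (99, "10.0.0.5", "killswitch.example."),   # the pre-flight check the worm makes
    (101, "10.0.0.7", "www.example.com."),
    (102, "10.0.0.9", "fileserver.corp.example."),
]

# Placeholder: the real domain is not named in the post.
KILLSWITCH_DOMAIN = "killswitch.example"


def smb_fanout(flows, threshold=10, window=60):
    """Flag sources that reach `threshold` distinct hosts on TCP/445 within `window` seconds.

    Phishing delivery shows up as mail-gateway and user-click events; worm
    propagation shows up as one host opening SMB to many peers in a burst.
    Returns {src_ip: distinct_destinations_in_first_offending_window}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            # events is sorted, so everything in the window follows index i
            seen = {d for t, d in events[i:] if t <= ts + window}
            if len(seen) >= threshold:
                flagged[src] = len(seen)
                break
    return flagged


def killswitch_lookups(dns, domain):
    """Return sources that queried the kill-switch domain, whether or not it resolved.

    Once the domain is sinkholed the worm exits after a successful lookup, but
    the query itself still marks a host that ran the malware.
    """
    wanted = domain.rstrip(".").lower()
    return sorted({src for _ts, src, qname in dns
                   if qname.rstrip(".").lower() == wanted})


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS))                       # {'10.0.0.5': 15}
    print("kill-switch lookups:", killswitch_lookups(DNS, KILLSWITCH_DOMAIN))  # ['10.0.0.5']
```

The file-server user in the sample is deliberately included to show why the detector counts distinct destinations rather than connection volume: fifteen connections to one server are routine, fifteen connections to fifteen neighbours in a few seconds are not. Tune the threshold and window to the network’s normal SMB behaviour before relying on it.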

And all the while, NSA — which made the exploit that made this worm so damaging, EternalBlue — has remained utterly silent. At this point, Lauri Love, who faces 99 years of prison time for alleged hacking in the US, has done more in public to respond to this global ransomware attack than the NSA has.

The most public comment from NSA has come in the form of this WaPo article, which describes “current and former” officials defending the use of EternalBlue and sort of confirming that NSA told Microsoft of the vulnerability. It also revealed the White House called an emergency cabinet meeting to deal with the attack. Department of Homeland Security released a pretty useless statement last Friday. On Monday, Homeland Security Czar Tom Bossert answered questions at the press briefing (sometimes inaccurately, I think), emphasizing that the US is not responsible for the attack.

I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.

That’s it. That’s what we’ve seen of our government’s response to a malware attack that it had a role in creating.

(For what it’s worth, people in the UK have said their cybersecurity organization, the National Cyber Security Centre, has been very helpful.)

Don’t get me wrong. I’m sure folks at NSA have been working frantically to understand and undercut this attack. Surely they’ve been coordinating with the private sector, including Microsoft and more visible victims like FedEx. NSA intervention may even explain why there have been fewer infections in the US than in Europe. There may even be some cooperation between the security people who’ve offered public solutions and the NSA. But if those things have happened, it remains totally secret.

And I understand why NSA would want to remain silent. After all, companies and countries are going to want some accountability for this, and while the hackers deserve the primary blame, NSA’s own practices have already come in for criticism in Europe.

Plus, I’m sure whatever NSA is doing to counter this attack is even more interesting — and therefore more important to keep secret from the attackers — than the really awesome sinkholes and prime number workarounds the security researchers have come up with. It’s worth noting that the attackers and aspiring copy-catters are undoubtedly watching the public discussions in the security community to figure out how to improve the attack (though the WannaCry attackers didn’t seem to want or be able to use the information on sinkholes to their advantage, as the release that fixed that problem is corrupted).

But, in my opinion, NSA’s silence creates a legitimacy problem. This is the premier SIGINT agency in the world, tasked to keep the US (and more directly, DOD networks) safe from such attacks. And it has remained silent while a bunch of researchers and consultants collaborating together have appeared to be the primary defense against the weaponization of an NSA tool.

If 22 year olds fueled by pizza are the best line of defense against global attacks, then it suggests (I’m not endorsing this view, mind you) that we don’t need the NSA.

Update: On Twitter, Jake Williams asked whether NSA would have had a better response if the defensive Information Assurance Directorate hadn’t been disbanded last year by Mike Rogers. I hadn’t thought of that, but it’s a good question.

Minority Report: A Look at Timing of WannaCry and Trump’s Spillage

CAVEAT: Note well these two points before continuing —

1) Check the byline; this is Rayne, NOT Marcy; we may have very different opinions on matters in this post.

2) This post is SPECULATIVE. If you want an open-and-shut case backed by unimpeachable evidence this is not it. Because it addresses issues which may be classified, there may never be publicly-available evidence.

Moving on…

Like this past week’s post on ‘The Curious Timing of Flynn Events and Travel Ban EO’, I noticed some odd timing and circumstances. Event timing often triggers my suspicions and the unfolding of the WannaCry ransomware attack did just that. WannaCry didn’t unfold in a vacuum, either.

Timeline (Italics: Trump spillage)

13-AUG-2016 — Shadow Brokers dumped first Equation Group/NSA tools online

XX-XXX-201X — Date TBD — NSA warned Microsoft about ETERNALBLUE, the exploit which Microsoft identified as MS17-010. It is not clear from the report whether this warning occurred before or after Trump’s inauguration.

XX-FEB-2017 — Computer security firm Avast Software Inc. said the first variant of WannaCry was initially seen in February.

14-MAR-2017 — Microsoft released a patch for vulnerability MS17-010.

14-APR-2017 — Easter weekend — Shadow Brokers dumps Equation Group/NSA tools on the internet for the fifth time, including ETERNALBLUE.

(Oddly, no one noted the convenience to Christian countries celebrating a long holiday weekend; convenient, too, that both western and eastern Orthodox Christian sects observed Easter on the same date this year.)

10-MAY-2017 — White House meeting between Trump, Foreign Minister Sergei Lavrov, and Ambassador Sergey Kislyak. No US media present; Russian media outlet TASS’ Washington bureau chief and a photographer were, however.

12-MAY-2017 — ~8:00 a.m. CET — Avast noticed increased activity in WannaCry detections.

[graphic: Countries with greatest WannaCry infection by 15-MAY-2017; image via Avast Software, Inc.]

12-MAY-2017 — 3:24 a.m. EDT/8:24 a.m. BST London/9:24 a.m. CET Madrid/10:24 a.m. MSK Moscow — early reports indicated telecommunications company Telefonica had been attacked by malware. Later reports by Spanish government said, “the attacks did not disrupt the provision of services or network operations…” Telefonica said the attack was “limited to some computers on an internal network and had not affected clients or services.”

12-MAY-2017 — 10:00 a.m. CET — WannaCry “escalated into a massive spreading,” according to Avast.

12-MAY-2017 — timing TBD — Portugal Telecom affected as was UK’s National Health Service (NHS). “(N)o services were impacted,” according to Portugal Telecom’s spokesperson. A Russian telecom firm was affected as well, along with the Russian interior ministry.

12-MAY-2017 — ~6:23 p.m. BST — Infosec technologist MalwareTechBlog ‘sinkholes’ a URL to which WannaCry points during execution. The infection stops spreading after the underlying domain is registered.

13-MAY-2017 — Infosec specialist MalwareTechBlog posts a tick-tock and explainer outlining his approach to shutting down WannaCry the previous evening.

15-MAY-2017 — ~5:00 p.m. EDT — Washington Post reported Trump disclosed classified “code worded” intelligence to Lavrov and Kislyak during his meeting the previous Wednesday.

16-MAY-2017 — National Security Adviser H. R. McMaster said “I wanted to make clear to everybody that the president in no way compromised any sources or methods in the course of this conversation” with Lavrov and Kislyak. But McMaster did not say information apart from sources or methods had been passed on; he did share that “‘the president wasn’t even aware of where this information came from’ and had not been briefed on the source.”

The information Trump passed on spontaneously with the Russian officials was related to laptop bomb threats originating from a specific city inside ISIS-held territory. The city was not named by media though it was mentioned by Trump.

16-MAY-2017 — Media outlets reported Israel was the ally whose classified intelligence was shared by Trump.

Attack attribution

You’ll recall I was a skeptic about North Korea as the source of the Sony hack. There could be classified information cinching the link, but I don’t have access to it. I remain skeptical since Sony Group’s entities leaked like sieves for years.

I’m now skeptical about the identity of the hacker(s) behind WannaCry ransomware this past week.

At first it looked like Russia given Cyrillic character content within the malware. But this map didn’t make any sense. Why would a Russian hacker damage their own country most heavily?

[graphic: WannaCry distribution; image via BBC]

The accusations have changed over time. North Korea has been blamed as well as the Lazarus Group. Convenient, given the missile test this past week which appeared focused on rattling Russia while President Putin was attending a conference in China. And some of the details could be attributed to North Korea.

But why did the ransomware first spread in Spain through telecom Telefonica? Why did it spread to the UK so quickly?

This didn’t add up if North Korea is the origin.

Later reports said the first infections happened in western Asia; the affected countries still don’t make sense if North Korea is the perpetrator, and/or China was their main target.

Malware capability

Given the timing of the ransomware’s launch and the other events also unfolding concurrently — events we only learned about last evening — here’s what I want to know:

Can vulnerability MS17-010, on which WannaCry was based, be used as a remote switch?

Think about the kind and size of laptops still running Windows XP and Windows 8, the operating systems Microsoft had not patched for the Server Message Block 1.0 (SMBv1) vulnerability. They’re not the slim devices on which Windows 10 runs; they’re heavier, more often have hard disk drives (HDDs) and bulkier batteries. I won’t go into details, but these older technologies could be replaced by trimmer technologies, leaving ample room inside the laptop case — room that would allow an older laptop to host other resources.

Let’s assume SMBv1 could be used to push software; this isn’t much of an assumption since this is what WannaCry does. Let’s assume the software looks for specific criteria and takes action or shuts down depending on what it finds. And again, it’s not much of an assumption based on WannaCry and the tool set Shadow Brokers have released to date.

Let’s assume that the software pushed via SMBv1 finds the right criteria in place and triggers a detonation.

Yes. A trigger. Not unlike Stuxnet in a way, though Stuxnet only injected randomness into a system. Nowhere near as complicated as WannaCry, either.

Imagine an old bulky laptop running Windows XP, kitted out internally as an IED, triggered by a malware worm. Imagine several in a cluster on the same local network.

Is this a realistic possibility? I suspect it is based on U.S. insistence that a thinly-justified laptop ban on airplanes is necessary.

Revisit timing

Now you may grasp why the timing of events this past week gave me pause, combined with the details of location and technology.

The intelligence Trump spilled to Lavrov and Kislyak had been linked to the nebulous laptop threat we’ve heard so much about for months — predating the inauguration. Some outlets have said the threat was “tablets and laptops” or “electronic devices” carried by passengers onto planes, but this may have been cover for a more specific threat. (It’s possible that MS17-010 has other counterparts not yet known to the public, so non-laptop threats can’t be ruled out entirely.)

The nature of the threat may also offer hints at why an ally’s assets were embedded in a particular location. I’ll leave it to you to figure this out on your own; this post has already spelled out enough possibilities.

Trump spilled, the operation must be rolled up, but the roll up also must include closing backdoors along the way to prevent damage if the threat has been set in motion by Trump’s ham-handed spillage.

Which for me raises these questions:

1) Was Shadow Brokers the force behind WannaCry — not just some hacker(s) — and not just the leaking of the underlying vulnerability?

2) Was WannaCry launched in order to force telecoms and enterprise networks, device owners, and Microsoft to patch this particular vulnerability immediately due to a classified ‘clear and present danger’?

3) Was WannaCry launched to prevent unpatched MS17-010 from being used to distribute either a malware-as-trigger, or to retaliate against Russia — or both? The map above shows a disproportionate level of impact suggesting Russia was a potential target if secondary to the operation’s aim. Or perhaps Russia screwed itself with the intelligence entities behind Shadow Brokers, resulting in a lack of advance notice before WannaCry was unleashed?

4) Was WannaCry launched a month after the Shadow Brokers’ dump because there were other increasing threats to the covert operation to stop the threat?

5) Are Shadow Brokers really SHADOW BROKERS – a program of discrete roll-up operations? Is Equation Group really EQUATION GROUP – a program of discrete cyber defense operations united by a pile of cyber tools? Are their interactions more like red and blue teams?

6) Is China’s response to WannaCry — implying it was North Korea but avoiding directly blaming them — really cover for the operation which serves their own (and Microsoft’s) interests?

The pittance WannaCry’s progenitor has raised in ransom so far and the difficulty in liquidating the proceeds suggest the ransomware wasn’t done for the money. Who or what could produce a snappy looking ransomware project and not really give a rat’s butt about the ransom?

While Microsoft complains about the NSA’s vulnerability hoarding, they don’t have much to complain about. WannaCry will force many users off older unsupported operating systems like XP, Win 7 and 8, and Windows Server 2003 in a way nothing else has done to date.

[graphic: 5-year chart, MSFT performance via Google Finance]

Mother’s Day ‘gift’?

I confess I wrestled with writing this; I don’t want to set in motion even more ridiculous security measures that don’t work simply because a software company couldn’t see their software product had an inherent risk, and at least one government felt the value of that risk as a tool was worth hiding for years. It’s against what I believe in — less security apparatus and surveillance, more common sense. But if a middle-aged suburban mom in flyover country can line up all these ducks and figure out how it works, I couldn’t just let it go, either.

Especially when I figured out the technical methodology behind a credible threat on Mother’s Day. Don’t disrespect the moms.

The EternalBlue Source Might Have Been Able to “Fish DOD with Dynamite;” Why Didn’t It?

Let’s look at some dates the WaPo’s sources and Shadow Brokers are giving for the EternalBlue exploit that caused havoc around the world starting on Friday.

Yesterday, WaPo had a story on how concerned people within NSA were about the EternalBlue Windows exploit used in the WannaCry ransomware. It was so powerful, one source described, it was like “fishing with dynamite.”

In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee.

“It was like fishing with dynamite,” said a second.

But that power came with risks. Among others, when the NSA started using the powerful tool more than five years ago, the military would have been exposed to its use.

Since the NSA began using EternalBlue, which targets some versions of Microsoft Windows, the U.S. military and many other institutions have updated software that was especially vulnerable.

Though Cyberscoop notes the US military hasn’t been entirely protected from WannaCry. An IP address associated with the Army Research Lab in Fort Huachuca was infected (though that could have been a deliberate attempt to respond to the ransomware).

WannaCry ransomware infected a machine tied to an IP address associated with the Army Research Laboratory, CyberScoop has learned. The information, found on a list of affected IP addresses provided by a security vendor, would mark the first time the ransomware was found on a federal government computer.

The security vendor, who provided the data on condition of anonymity to discuss sensitive material, observed communications from the victim IP address to the attackers’ known command and control server on May 12; confirming that the ransomware infection involving the ARL was in fact successful.

The IP address is tied to a server block parked at a host located at Fort Huachuca, Arizona. The type of machine the IP address is attached to is unknown.

In the early days of EternalBlue, the WaPo explains, it would often crash the infected computer, resulting in a bluescreen that might alert victims to its presence. That opened the possibility that the victim might discover the exploit and then turn it back on the US.

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

The WaPo puts the date before which DOD was vulnerable to its own weapon at 2014.

What if the Shadow Brokers had dumped the exploits in 2014, before the government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

In yesterday’s post, Shadow Brokers claimed the Windows exploits released last month — which it had first named in January — came from a 2013 OpsDisk.

In January theshadowbrokers is deciding to show screenshots of lost theequationgroup 2013 Windows Ops Disk.

I’ll have a bit more to say about Shadow Brokers’ claims yesterday. But if this description of the source of the exploit is correct — an ops disk dating to 2013 — it opens up the possibility that the exploit was discovered around the same time (perhaps in response to the bluescreen effect). If so, whoever discovered it would have been able to attack DOD with it.

I keep asking people what the source for Shadow Brokers’ files might have been able — might still be able — to steal from the US using the tools in question. This timeline seems to suggest the Ops Disk would have been deployed before DOD was prepared to withstand its own weapons.

Shadow Brokers Further Incites War between “scumbag Microsoft Lawyer” and NSA

The other day, Microsoft President and Chief Legal Officer Brad Smith wrote a blog post about the WannaCry ransomware exploiting his company’s products to disrupt the world. At one level it was one of the first entries in what will surely be an interesting policy discussion once there’s an aftermath to the crisis, calling for collective action and a Digital Geneva Convention.

But at another level, Smith’s post provided an opportunity to bitch out the CIA and NSA, the leaked and stolen exploits of which have really fucked with Microsoft in the last few months.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Joining the many people who object to the analogy between Tomahawks and hacking exploits, the entity that caused this crisis, Shadow Brokers, is none too impressed with Smith’s response, either. Along with suggesting NSA was paying Microsoft to sit on vulnerabilities and unleashing a load of expletives (you can click through for both of those), Shadow Brokers lays out the tensions between Microsoft, its enterprise contracts with the government, and the NSA’s reticence about the vulnerabilities in Microsoft products it is exploiting.

Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT.

[snip]

Microsoft is being embarrassed because theequationgroup is lying to Microsoft. TheEquationGroup is not telling Microsoft about SMB vulnerabilities, so Microsoft not preparing with quick fix patch. More important theequationgroup not paying Microsoft for holding vulnerability. Microsoft is thinking it knowing all the vulnerabilities TheEquationGroup is using and paying for holding patch.

Then Shadow Brokers brings the hammer: threatens to dump (among other offerings in an “exploit of the month club”) a Windows 10 vulnerability.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

Heck, at this point, Shadow Brokers doesn’t even need to have this exploit (though I’m guessing the NSA and Microsoft both may be erring on the side of caution at this point). Because simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government.

It might even force some disclosure about exploits more critical to NSA’s current toolkit than the very powerful tools Shadow Brokers already used to create a global ransomware worm.

Why Accuracy about Wikileaks Matters

Let me preface this post by saying that I’m perfectly willing to accept that Julian Assange is a narcissist, accused rapist, destructive hypocrite serving as a willful tool of Russia. I’m also happy to concede that his role in publishing the DNC and Podesta emails may have played a significant part in getting Donald Trump elected (though I think it’s down the list behind Comey and Hillary’s own (in)actions). Please loathe Julian Assange; that is your right.

But please, also, try to be accurate about him and Wikileaks.

There have been two funny claims about Wikileaks since the leak of hacked emails from Emmanuel Macron associates was announced on 4Chan on Friday. First, analysis of how the hashtag #MacronLeaks spread emphasized that Wikileaks got more pickup than right wing propagandist Jack Posobiec or the other right wing promoters of it.

The most important surge came when WikiLeaks began tweeting the hashtag. The tweet itself was cautious, pointing out that the leak “could be a 4chan practical joke,” but it was retweeted over 2,000 times, compared with over 600 times for Posobiec.

Yet people have taken that to suggest that everyone who shared Wikileaks’ links to the materials were themselves promoting the emails positively. That is, they ignored the extent to which people share Wikileaks tweets critically, which itself added to the buzz about the dump. The surge in attention, in other words, was in part critical attention to what Wikileaks was doing with respect to the leak.

More troubling, still, outlets including NPR claimed that Wikileaks posted the documents (it has since issued a correction).

Finally, there are absurd pieces like this which, after babbling that, “Macron, by contrast, is favored by those who want … a France looking to the future rather than clinging to the fearful and fictional nostalgia promulgated by Le Pen,” states,

Literally at the 11th hour, before the blackout would silence it, the Macron campaign issued a statement saying it had been hacked and many of the documents that were dumped on the American 4Chan site and re-posted by Wikileaks were fakes.

On top of being poorly edited — Macron’s statement said nothing at all about who dumped the documents — the claims as to both 4Chan and Wikileaks are not technically correct. The documents weren’t dumped on 4Chan; a post on 4Chan included a link to a Pastebin with them. More importantly, Wikileaks didn’t “re-post” them, though it did post magnet links to them.

The importance of the distinction becomes evident just two paragraphs later when the article notes that some of the tweets in which Wikileaks linked to the documents described the vetting process it was undertaking.

Meanwhile, Wikileaks jumped on the document dump, but didn’t seem to be familiar with the material in it. Responding to the Macron statement that some of the items were bogus, Wikileaks tweeted, “We have not yet discovered fakes in #MacronLeaks & we are very skeptical that the Macron campaign is faster than us.”

Curiously, the article doesn’t link to WL’s first tweet, posted less than an hour after the 4Chan post, which said it could be a 4Chan practical joke.

In any case, contrary to what some idiotic readings of this article claim — that Macron succeeded in fooling Wikileaks — in fact, Macron has not succeeded, at least not yet, because Wikileaks has not posted the documents on its own site (Wikileaks could yet claim it had determined the documents to be real only to have Macron present proof they weren’t). Indeed, while Wikileaks expressed skepticism from the start, one thing that really raised questions for Wikileaks was that Macron so quickly claimed to have determined some were fake.

Plus, it’s not actually clear that Macron did fool the hackers who passed the documents on to the 4Chan source. Here’s the full description from Mounir Mahjoubi, the head of Macron’s digital team, of what their counteroffensive looked like.

“We also do counteroffensive against them,” says Mahjoubi.

[snip]

“We believe that they didn’t break through. We are sure of it,” said Mahjoubi. “But the only way to be ready is to train the people. Because what happened during the Hillary Clinton campaign is that one man, the most powerful, [campaign chairman] John Podesta, logged on to his [fake] page.”

To keep the entire Macron campaign aware of such dangers, Mahjoubi said, “Every week we send to the team screen captures of all the phishing addresses we have found during the week.” But that’s just the first phase of the response. Then the Macron team starts filling in the forms on the fake sites: “You can flood these addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.”

If Mahjoubi was being honest about his certainty the hackers didn’t succeed, then the campaign would have no reason or means to feed disinformation. And the details offered here appear to be about disinformation in response to phishing probes — that is, disinformation about metadata — not disinformation about content.
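As an added example (not the campaign’s own code; Mahjoubi describes no tooling), here is one way to implement the counter-phishing step he describes, with one change a practitioner would want: rather than mixing in true credentials, every decoy is a canary tied to the phishing host it was seeded into, so any later attempt to use it against the real mail system both shows that whoever runs the kit is acting on the harvested data and identifies which kit it came from. The phishing host, the campaign.example domain, the key, the word lists and the log lines are all constructed for the demonstration; actually POSTing the forms is left to the caller, so the block runs offline.

```python
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Constructed word lists used to make the decoys look like real staff accounts.
FIRST_NAMES = ["alice", "bruno", "camille", "david", "elise", "farid", "helene", "karim"]
LAST_NAMES = ["martin", "bernard", "dubois", "thomas", "robert", "richard", "petit", "durand"]
WORDS = ["Soleil", "Bretagne", "Liberte", "Montagne", "Orange", "Violette"]

# Constructed auth-log line format assumed for the detection step.
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)")


def make_decoys(phish_host, count, key, registry, domain="campaign.example"):
    """Derive `count` decoy (username, password) pairs for one phishing site.

    Each decoy is an HMAC over the phishing host and an index, so the same key
    always regenerates the same decoys. Every username is recorded in `registry`
    (username -> phishing host) so a later login attempt with it can be traced
    back to the site it was seeded into.
    """
    decoys = []
    i = 0
    while len(decoys) < count:
        d = hmac.new(key, f"{phish_host}:{i}".encode(), hashlib.sha256).digest()
        i += 1
        first = FIRST_NAMES[d[0] % len(FIRST_NAMES)]
        last = LAST_NAMES[d[1] % len(LAST_NAMES)]
        username = f"{first}.{last}{int.from_bytes(d[2:4], 'big') % 1000:03d}@{domain}"
        password = f"{WORDS[d[4] % len(WORDS)]}{int.from_bytes(d[5:7], 'big') % 10000:04d}!"
        if username in registry:  # collision with a decoy seeded elsewhere: pick another
            continue
        registry[username] = phish_host
        decoys.append((username, password))
    return decoys


def form_submissions(decoys, user_field="email", pass_field="password"):
    """Build the URL-encoded POST bodies that would be sent to the phishing form.

    The network step (e.g. urllib.request.urlopen against the phishing URL) is
    left to the caller so this block runs offline.
    """
    return [urlencode({user_field: u, pass_field: p}) for u, p in decoys]


def detect_canary_use(log_lines, registry):
    """Scan authentication log lines for any attempt using a seeded decoy username.

    Nobody legitimate knows a decoy, so every hit means the phishing kit's
    harvest is being used; the registry says which kit.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("user") in registry:
            hits.append({"user": m.group("user"), "src": m.group("src"),
                         "result": m.group("result"),
                         "phish_host": registry[m.group("user")]})
    return hits


# Constructed demo data: decoys for one hypothetical phishing host and two log lines.
REGISTRY = {}
DECOYS = make_decoys("login-campaign-mail.example", 5, b"constructed-demo-key", REGISTRY)
SAMPLE_LOG = [
    f"2017-05-03T21:14:07Z auth login user={DECOYS[0][0]} src=198.51.100.23 result=failure",
    "2017-05-03T21:14:09Z auth login user=real.staffer@campaign.example src=192.0.2.10 result=success",
]
HITS = detect_canary_use(SAMPLE_LOG, REGISTRY)

if __name__ == "__main__":
    for body in form_submissions(DECOYS):
        print("POST body:", body)
    for hit in HITS:
        print("ALERT decoy credential used:", hit)
```

Run as a script it prints the five form bodies and one alert for the first log line; the second line, a real staffer, is ignored. The design point is that the decoys cost the attacker time exactly as Mahjoubi says, and additionally become a detection signal, which submitting true credentials never could.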

But now the Daily Beast’s gloating, the even less factual gloating of those sharing it, and Macron’s quick declaration that the dump included fake documents together raise real (but potentially unjustified!) questions about whether the campaign itself added the Cyrillic metadata that got so much attention. Not only has Wikileaks’ vetting process not (yet) been exposed as a fraud, but the reporting may create even more distrust and uncertainty than there was. [Note, I posted a tweet to that effect that I have deleted now that I’m convinced there’s no evidence Macron faked any documents.]

Moreover, even if it is the case that GRU hacked Macron and Wikileaks would have happily published the emails if they passed its vetting process (which are both likely true), Wikileaks didn’t get and post the documents, which itself is worth noting and understanding.

In other words, some inaccuracies — and the rush to gloat against Wikileaks — may actually have been counterproductive to the truth and even the ability to understand what happened.

And this is not the only time. The other most celebrated case where inaccurate accusations against Wikileaks may have been counterproductive was last summer, when something akin to the Macron leak happened. Wikileaks posted a link to Michael Best’s archived copy of the AKP Turkish emails, which doxed a bunch of Turkish women. A number of people — principally Zeynep Tufekci — blamed Wikileaks, not Best, for making the emails available, and in so doing (and like the Macron dump) brought attention to precisely what she was rightly furious about — the exposure of people to privacy violations and worse. Best argues that had Tufekci spoken to him directly rather than writing a piece drawing attention to the problem, some of the harm might have been avoided.

But I also think the stink surrounding Wikileaks distracted focus from the story behind the curious provenance of that leak. Here’s how Motherboard described it.

Here’s what happened:

First, Phineas Fisher, the hacker notorious for breaching surveillance companies Hacking Team and FinFisher, penetrated a network of the AKP, Turkey’s ruling party, according to their own statement. The hacker was sharing data with others in Rojava and Bakur, Turkey; there was apparently a bit of miscommunication, and someone sent a large file containing around half of akparti.org.tr’s emails to WikiLeaks.

WikiLeaks then published these emails on July 19, and as some pointed out, the emails didn’t actually seem to contain much public interest material.

Then Phineas Fisher dumped more files themselves. Thomas White, a UK-based activist also known as The Cthulhu, also dumped a mirror of the data, including the contentious databases of personal info. This is where Best, who uploaded a copy to the Internet Archive, comes in.

Best said he didn’t check the contents of the data beforehand in part because the files had already been released.

“I was archiving public information,” he said. “Given the volume, the source, the language barrier and the fact that it was being publicly circulated already, I basically took it on faith and archived a copy of it.”

Without laying out all the details here, I think there are some interesting issues about this hack-and-leak that might have gotten more scrutiny if the focus weren’t Wikileaks. But instead, the focus was entirely on what Wikileaks did (or actually, on blaming Wikileaks for what Best did), rather than how the hack-and-leak really happened.

I get that people have the need, emotionally, to attack Assange, and I have no problem with that. But when emotion disrupts any effort to understand what is really going on, it may make it more difficult to combat the larger problem (or, as lefties embrace coverage of the Bradley Foundation based on hacked documents and more mass hack-and-leak reporting gets journalism awards, to set norms for what might be legitimate and illegitimate hack-and-leaks).

If you hate Assange, your best approach may be to ignore him. But barring that, there really is a case for aspiring to factual accuracy even for Wikileaks.

Update: Fixed description of what WL actually linked to — h/t ErrataRob.

Update: This article provides more detail on the hack and Macron’s attempts to counter the hackers.

“Il y a des dossiers qui ont été ajoutés à ces archives. Des dossiers dont on ne sait pas à quoi ils correspondent. Qui ne sont pas des dossiers d’emails, par exemple. Ensuite, il y a des faux emails qui ont été ajoutés, qui ont été complétés. Il y a aussi des informations que nous-même on avait envoyées en contre-représailles des tentatives de phishing !”, a expliqué Mounir Mahjoubi.

So some of the added documents (which, incidentally, are the ones that show Cyrillic metadata) are from someplace unknown, not the five hacked email boxes. There are fake emails, described as “having been completed,” which may mean (this is a guess) the hackers sent emails that were sitting in draft; if so, there might be fake emails that nevertheless carry valid DKIM signatures, since the signature is applied by the campaign’s own outgoing mail server regardless of who actually wrote the message. The description of what the campaign did — counter-attacks to phishing attempts — is still not clear as to whether it is metadata (faked emails) or content, but still seems most likely to be metadata.
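The metadata-versus-content distinction that runs through this post (the Cyrillic metadata on the added files, and the question of what the campaign could have faked) is easy to see in code. Here is an added example, not code from the post or from anyone involved, that assumes the metadata in question is the Office document core properties (dc:creator and cp:lastModifiedBy in docProps/core.xml). It builds a constructed .docx in memory, extracts those fields, flags Cyrillic values, and then rewrites the field without touching the document body. That last step is the point: the field is a few bytes of XML that anyone holding the file can set, so by itself it cannot establish who edited a document.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML namespaces used by docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CYRILLIC = re.compile(r"[\u0400-\u04FF]")

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/docProps/core.xml" '
    'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)


def build_docx(creator, last_modified_by, body_text):
    """Construct a minimal .docx in memory (constructed test data, not a leaked file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
        f"<dc:creator>{escape(creator)}</dc:creator>"
        f"<cp:lastModifiedBy>{escape(last_modified_by)}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{WORD_NS}"><w:body><w:p><w:r><w:t>{escape(body_text)}</w:t>'
        "</w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def core_properties(docx_bytes):
    """Return the author-related core properties of an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {
        "creator": root.findtext("dc:creator", default="", namespaces=NS),
        "lastModifiedBy": root.findtext("cp:lastModifiedBy", default="", namespaces=NS),
    }


def flag_cyrillic(docx_bytes):
    """List the (field, value) pairs whose value contains Cyrillic characters."""
    return [(k, v) for k, v in core_properties(docx_bytes).items() if CYRILLIC.search(v)]


def body_xml(docx_bytes):
    """Raw bytes of the document body part, for before/after comparison."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read("word/document.xml")


def rewrite_last_modified_by(docx_bytes, new_value):
    """Copy the package, replacing only cp:lastModifiedBy; the body part is byte-identical."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(payload)
                root.find("cp:lastModifiedBy", NS).text = new_value
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: a Latin-script creator and a Cyrillic last editor ("user" in Russian).
    sample = build_docx("Campaign Staffer", "Пользователь", "Budget notes for May")
    print("flagged:", flag_cyrillic(sample))
    print("after rewrite:", flag_cyrillic(rewrite_last_modified_by(sample, "Campaign Staffer")))
```

Point the same three functions at a real .docx or .xlsx (both are zip packages with the same core.xml part) and they work unchanged. The same argument cuts both ways, which is why the post treats the metadata as a question and not an answer: an attacker who saved a file on a Cyrillic-locale machine leaves this trace without meaning to, and a defender (or a third party) can plant it just as easily.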

WSJ Aims to Restore Confidence in SWIFT … by Remaining Silent about Risks from NSA

WSJ has a 2,000-word puff piece talking about how the international financial messaging system, SWIFT, is safe from hackers now because more banks are using two-factor authentication (!!) with a system that can transfer billions of dollars with each message.

The bank also wasn’t using two-factor authentication on the system it used to access Swift, according to a person familiar with the bank’s procedures. Two-factor authentication is a higher security standard that requires a second measure of verification in addition to a password.

Software that Swift provides to customers now has built-in two-factor authentication, but they can opt not to use it. At the time of the Bangladesh cyberattack, two-factor authentication was merely Swift’s preference for local access, according to a copy of its security guidance reviewed by The Wall Street Journal.

Two people briefed on the theft say two-factor authentication might not have made the hacks impossible but would have made them more difficult.

[snip]

Within days [of the Bangladesh hack], Swift rolled out a new customer security program, hinting that it wouldn’t rule out the possibility of kicking violators out of the network. Swift didn’t make the controls mandatory until September.

The 16 mandatory standards include tighter password security, such as two-factor authentication. Swift ordered bank customers to update software, threatening to report to regulators anyone who doesn’t obey. Regulators have the power to withdraw licenses from banks deemed insufficiently safe and sound.

Axletree’s Mr. Murali says the number of clients he works with who have requested two-factor authentication for the Swift messaging system has jumped to about 150 from 10 since last year.

Swift will likely need more time to fully win back confidence. The New York Fed stopped making payments on the strength of Swift messages alone and adopted a policy of double-confirming orders from Bangladesh by phone.

But the piece on the recent hacks — it discusses Bangladesh and Ecuador specifically, but mentions 26 total attempted attacks, though claims the other 24 were unsuccessful — remains utterly silent about the background to the hacks by thieves: the NSA’s own hacking of SWIFT, first exposed in 2013 but recently exposed in far more detail in a Shadow Brokers dump.

I mean, sure, financial systems that can affect billions of dollars should have 2FA!

But it’s likely the thieves figured out SWIFT’s vulnerabilities thanks to the exposed NSA hacks.

Facebook Claims Just .1% of Election Related Sharing Was Information Operations

In a fascinating report on the use of the social media platform for Information Operations released yesterday, Facebook makes a startling claim: less than .1% of what got shared during the election was shared by accounts set up to engage in malicious propaganda.

Concurrently, a separate set of malicious actors engaged in false amplification using inauthentic Facebook accounts to push narratives and themes that reinforced or expanded on some of the topics exposed from stolen data. Facebook conducted research into overall civic engagement during this time on the platform, and determined that the reach of the content shared by false amplifiers was marginal compared to the overall volume of civic content shared during the US election.[12]

In short, while we acknowledge the ongoing challenge of monitoring and guarding against information operations, the reach of known operations during the US election of 2016 was statistically very small compared to overall engagement on political issues.

[12] To estimate magnitude, we compiled a cross functional team of engineers, analysts, and data scientists to examine posts that were classified as related to civic engagement between September and December 2016. We compared that data with data derived from the behavior of accounts we believe to be related to Information Operations. The reach of the content spread by these accounts was less than one-tenth of a percent of the total reach of civic content on Facebook.

That may seem like a totally bogus number — and it may well be! But to assess it, understand what they’re measuring.

That’s one of the laudable aspects of the report: it tries to break down the various parts of the process, distinguishing things like “disinformation” — inaccurate information spread intentionally — from “misinformation” — inaccurate information spread without malicious intent.

Information (or Influence) Operations – Actions taken by governments or organized non-state actors to distort domestic or foreign political sentiment, most frequently to achieve a strategic and/or geopolitical outcome. These operations can use a combination of methods, such as false news, disinformation, or networks of fake accounts (false amplifiers) aimed at manipulating public opinion.

False News– News articles that purport to be factual, but which contain intentional misstatements of fact with the intention to arouse passions, attract viewership, or deceive.

False Amplifiers – Coordinated activity by inauthentic accounts with the intent of manipulating political discussion (e.g., by discouraging specific parties from participating in discussion, or amplifying sensationalistic voices over others).

Disinformation – Inaccurate or manipulated information/content that is spread intentionally. This can include false news, or it can involve more subtle methods, such as false flag operations, feeding inaccurate quotes or stories to innocent intermediaries, or knowingly amplifying biased or misleading information. Disinformation is distinct from misinformation, which is the inadvertent or unintentional spread of inaccurate information without malicious intent.

Having thus defined those terms, Facebook distinguishes further between false news sent with malicious intent and false news sent for other purposes, such as to make money. In this passage, Facebook also acknowledges the detail that matters most for it: false news doesn’t work without amplification.

Intent: The purveyors of false news can be motivated by financial incentives, individual political motivations, attracting clicks, or all the above. False news can be shared with or without malicious intent. Information operations, however, are primarily motivated by political objectives and not financial benefit.

Medium: False news is primarily a phenomenon related to online news stories that purport to come from legitimate outlets. Information operations, however, often involve the broader information ecosystem, including old and new media.

Amplification: On its own, false news exists in a vacuum. With deliberately coordinated amplification through social networks, however, it can transform into information operations.

So the stat above — the amazingly low .1% — is just a measure of the amplification of stories by Facebook accounts created for the purpose of maliciously amplifying certain fake stories; it doesn’t count the amplification of fake stories by people who believe them or who aren’t formally engaged in an information operation. Indeed, the report notes that after an entity amplifies something falsely, “organic proliferation of the messaging and data through authentic peer groups and networks [is] inevitable.” The .1% doesn’t count Trump’s amplification of stories (or of his followers).

Furthermore, the passage states it is measuring accounts that “reinforced or expanded on some of the topics exposed from stolen data,” which would seem to limit which fake stories it tracked, including things like PizzaGate (which derived in part from a Podesta email) but not the fake claim that the Pope endorsed Trump (though later on the report says it identifies false amplifiers by behavior, not by content).

The entire claim raises questions about how Facebook identifies which are the false amplifiers and which are the accounts “authentically” sharing false news. In a passage boasting of how it has already suspended 30,000 fake accounts in the context of the French election, the report includes an image that suggests part of what it does to identify the fake accounts is identifying clusters of like activity.
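To make concrete how much the .1% depends on what is counted, here is an added example, not Facebook’s method or code, that runs the two steps discussed above over a small constructed set of share events. First it flags accounts by behaviour (coordinated co-sharing of the same URL within a short window, a stand-in for the “clusters of like activity” the report alludes to), then it computes the flagged accounts’ share of total reach two ways: counting only their own posts, as the report’s footnote does, and also counting the organic pickup of the stories they seeded. Account names, URLs, timestamps and reach figures are all constructed.

```python
from collections import defaultdict

# Constructed share events: (account, url, timestamp_seconds, reach).
# Three "bot" accounts push two fabricated stories in tight bursts; the "user"
# accounts are ordinary people, two of whom later pick up one of those stories.
SHARES = [
    ("bot1", "fake-story-1", 100, 50),
    ("bot2", "fake-story-1", 130, 50),
    ("bot3", "fake-story-1", 160, 50),
    ("bot1", "fake-story-2", 1000, 50),
    ("bot2", "fake-story-2", 1010, 50),
    ("bot3", "fake-story-2", 1020, 50),
    ("user1", "fake-story-1", 500, 2000),   # organic pickup of a seeded story
    ("user2", "fake-story-1", 3000, 1500),  # organic pickup of a seeded story
    ("user3", "real-story-1", 200, 30000),
    ("user4", "real-story-2", 400, 40000),
    ("user5", "real-story-1", 5000, 26100),
    ("user6", "real-story-2", 410, 100),    # two friends sharing one link: not coordination
]


def coordinated_accounts(shares, window=120, min_partners=2):
    """Flag accounts that repeatedly co-share the same URL within `window` seconds.

    Two accounts are partners if they share the same URL within the window. An
    account is flagged once it has at least `min_partners` distinct partners, so a
    single pair of friends sharing a link is not enough to be flagged.
    """
    by_url = defaultdict(list)
    for account, url, ts, _reach in shares:
        by_url[url].append((ts, account))
    partners = defaultdict(set)
    for events in by_url.values():
        events.sort()
        for i, (ts_i, acct_i) in enumerate(events):
            for ts_j, acct_j in events[i + 1:]:
                if ts_j - ts_i > window:
                    break  # events are sorted, so nothing later can be in the window
                if acct_i != acct_j:
                    partners[acct_i].add(acct_j)
                    partners[acct_j].add(acct_i)
    return {a for a, p in partners.items() if len(p) >= min_partners}


def reach_share_narrow(shares, flagged):
    """Reach of posts made by flagged accounts, as a fraction of all reach.

    This is the shape of the report's number: only the amplifiers' own posts count.
    """
    total = sum(r for _, _, _, r in shares)
    return sum(r for a, _, _, r in shares if a in flagged) / total


def reach_share_with_pickup(shares, flagged):
    """Fraction of all reach going to URLs that a flagged account pushed first,
    counting the later organic shares by authentic accounts as well."""
    first_sharer = {}
    for account, url, _ts, _reach in sorted(shares, key=lambda s: s[2]):
        first_sharer.setdefault(url, account)
    seeded = {u for u, a in first_sharer.items() if a in flagged}
    total = sum(r for _, _, _, r in shares)
    return sum(r for _, u, _, r in shares if u in seeded) / total


if __name__ == "__main__":
    flagged = coordinated_accounts(SHARES)
    print("flagged:", sorted(flagged))
    print(f"narrow reach share:  {reach_share_narrow(SHARES, flagged):.1%}")
    print(f"with organic pickup: {reach_share_with_pickup(SHARES, flagged):.1%}")
```

On the constructed data the three bots are flagged and user4/user6 are not; the bots’ own posts are 0.3% of reach, but the stories they seeded account for 3.8% once the organic pickup is included. The two numbers describe the same events, which is the point made above about the .1%: it is a statement about the amplifiers’ own posts, not about how far what they amplified travelled.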

But in the US election section, the report includes a coy passage stating that it cannot definitively attribute who sponsored the false amplification, even while it states that its data does not contradict the Intelligence Community’s attribution of the effort to Russian intelligence.

Facebook is not in a position to make definitive attribution to the actors sponsoring this activity. It is important to emphasize that this example case comprises only a subset of overall activities tracked and addressed by our organization during this time period; however our data does not contradict the attribution provided by the U.S. Director of National Intelligence in the report dated January 6, 2017.

That presents the possibility (one that is quite likely) that Facebook has far more specific forensic data on the .1% of accounts it deems malicious amplifiers that it coyly suggests it knows to be Russian intelligence. Note, too, that the report is quite clear that this is human-driven activity, not bot-driven.

So the .1% may be a self-serving number, based on a definition drawn so narrowly as to be able to claim that Russian spies spreading propaganda make up only a tiny percentage of activity within what it portrays as the greater vibrant civic world of Facebook.

Alternately, it’s a statement of just how powerful Facebook’s network effect is, such that a very small group of Russian spies working on Facebook can have an outsized influence.

 

Turns Out Alaskans Won’t Get to See Russian Hacker Pyotr Levashov from Their Windows

Earlier this month, DOJ got some good press by releasing the first known Rule 41 nationwide hacking warrant. It targeted Pyotr Levashov, who ran a big botnet infecting tons of Americans’ computers. He was arrested on April 9 in Barcelona and DOJ shut down the botnet.

The good press continued when EFF lauded the way the Rule 41 hacking warrant was handled. I’m not aware that anyone has reviewed the Pen Register application that went along with the warrant, about which I have more concerns, but having EFF’s blessing goes some way to rolling out a new authority without controversy.

Last Thursday, DOJ announced the indictment of Levashov. Whereas the Rule 41 warrant was submitted in Alaska, the indictment (and much of the investigation) was obtained in New Haven. Levashov was charged with eight different counts. Of note, the indictment includes two conspiracy-related charges against Levashov without naming any co-conspirators.

What I find interesting about all this is that there’s a still sealed complaint, dated March 24, against Levashov in the New Haven docket, with its own affidavit.

So I’m wondering why the Rule 41 action was taken in Alaska whereas the prosecution (assuming Levashov is extradited) appears slotted for New Haven.

The Alaska affidavit makes abundant reference to the investigative activities in New Haven. It describes how New Haven FBI Agents tested the Kelihos malware, identified how Kelihos harvested credentials, and tracked how Kelihos installed WinPCAP to intercept traffic.

It also includes a footnote describing other cases against Levashov.

I am also aware that an indictment was filed in 2007 in the Eastern District of Michigan for conspiracy to commit electronic mail fraud, mail fraud, and wire fraud in violation of 18 U.S.C. §§ 371, 1037(a)(2)-(a)(B), 1037(b)(2)(C), 1341, and 1343 and several substantive counts of violating 18 U.S.C. §§ 1037(a)(2), 1037(b)(2)(C), and Section 2. That indictment remains pending. I am also aware that a criminal complaint filed in the U.S. District Court for the District of Columbia, which in 2009 charged LEVASHOV in his true name with two substantive counts of violating 18 U.S.C. §§ 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(a)(5)(A)(i) and 1030(a)(5)(B)(v), as well as one count of conspiracy to commit these offenses in violation of 18 U.S.C. § 371. These charges resulted from LEVASHOV’s operating the Storm Botnet from January 2007 until September 22, 2008. That botnet, like that which is the subject of this prosecution, sent spam to facilitate pump and dump schemes and the purchase of grey market pharmaceuticals. Because the government was unable to apprehend and detain LEVASHOV, it dismissed the complaint in 2014.

But it doesn’t mention the complaint, which had already been filed, in CT — unless that’s what the almost paragraph-long redaction in the affidavit was.

One possible explanation for the jurisdictional oddity is just that DOJ could. To test their new authorities, perhaps, they chose to obtain a warrant in a totally different jurisdiction from the one they were prosecuting in, just to lay out the precedent of doing so. And as noted, it’s possible the big redacted passage in the AK affidavit explains all this.

I’d feel better about that if the FBI affidavit submitted in AK hadn’t (possibly) hidden the already existing complaint in CT, though.

I’ve got a question into DOJ and will update if they provide an explanation. But for now, know that Alaska won’t get to host a high profile hacking trial after all.

Update: fixed the DOJ announcement date, h/t EG.

Three Things: Oracle’s 299, Flashback, Longreads and 4/20

Day Zero — the day after federal income tax filings were due — came and went, with zero Trump tax returns disclosed to the public. While Trump’s positions on many issues flip-flop and confuse the world, on transparency, ethics, and his tax returns he has been utterly consistent: opaque and unethical.

Fortunately today is 4/20. Do with that what you will. Do you smell brownies?

Speaking of 4/20, did you know that in states where marijuana legalization appeared on the 2016 ballot, those initiatives outperformed one or more of the two main presidential candidates? What a candidate or political party might do with that knowledge…anyhow, on with three things.

Unprophetic Oracle
There’s still some fallout from The Shadow Brokers (TSB) release last week of NSA Tailored Access Operations’ (TAO) toolkit. Software vendor Oracle announced a patch for 299 vulnerabilities. One caveat: 299 is the size of Oracle’s regularly scheduled April Critical Patch Update as a whole, and only the Solaris fixes in it correspond to exploits in the TSB release, so the bulk of the 299 were not revealed by the TSB.

Wrap your head around that: 299 fixes.

Bigger than the whopping 276 fixes Oracle issued last summer in one fell swoop.

Now wrap your head around the fact this mega-patch covers a range of corporate enterprise software used for nearly every aspect of business operations, from human resource management to service or manufacturing resource planning.

If the NSA isn’t conducting economic espionage, Oracle seems like an odd target to saturate so widely and deeply.

Still haven’t decided what to think of Oracle’s ability to push out this many patches inside a week. Were they tipped off, or were these vulnerabilities so obvious they should have been fixed ages ago? Or maybe this is what happens when a business like Oracle takes its eyes off the ball and focuses on the wrong things like a protracted lawsuit against Google?

Memories, jogged
When I saw this table fragment on Twitter, listing a few exploits revealed by TSB, I had a flashback to the Bush administration.

Gee, I wonder how much of the NSA TAO-Equation Group toolkit could explain the White House’s missing emails post-Plame outing?

Longreads: Economics, Liberalism, Google’s first moonshot
These are worth your time this week or over the weekend.

The Liberal Order Is Rigged by Jeff D. Colgan and Robert O. Keohane in Foreign Affairs (registration required) — An examination of liberalism’s failure and how the failure led to anti-democratic populism. In my opinion, this assessment is good but simplistic; the knee-jerk reaction many will have to the word ‘liberalism’ alone indicates there is far more at work than liberalism failing to deliver on its merits. It’s still worth a read; we must begin to pick out and save the liberal from neoliberal if we are to save democracy. Must say I’m surprised at Foreign Affairs’ steady shift away from rigid conservatism as well as neoliberalism.

The moral burden on economists — Darrick Hamilton’s 2017 presidential address to the National Economic Association warns against treating economics as a morally neutral ‘science’. How much of the failure of liberalism is really due to immoral/non-neutral application of economics?

Torching the Modern-Day Library of Alexandria by James Somers for The Atlantic — This tagline is quite the hook: “Somewhere at Google there is a database containing 25 million books and nobody is allowed to read them.” Heartbreaking to think there hasn’t been a middle ground to free these books to the public. In my opinion, Google is out the money on the scanning process. What would happen if they spun off this effort as a nonprofit digital Library of Alexandria? Could the funds from books approaching out-of-copyright date pay for the upkeep and digitization of new works?

Chaffetz out?
I don’t even know what to think of the rumors that Rep. Jason Chaffetz may leave Congress before his term ends December 2017. Some speculate his role in cutting funding directly related to security for diplomats plays a role; others speculate the decision is based on a more personal driver. I hope he can live with what he’s done and what he may yet choose to do. I’d hate to have to explain myself to my kids if I’d made some of his decisions to date.

There’s your three things and a lagniappe. À bientôt!