John Brennan Denies a Special Harry Reid Briefing

This passage from John Brennan’s testimony about Russia to the House Intelligence Committee yesterday has gotten a lot of attention:

Through the so-called Gang of Eight process, we kept Congress apprised of these issues as we identified them. Again, in consultation with the White House, I personally briefed the full details of our understanding of Russian attempts to interfere with the election to Congressional leadership, specifically Senators Harry Reid, Mitch McConnell, Dianne Feinstein, and Richard Burr, and to Representatives Paul Ryan, Nancy Pelosi, Devin Nunes, and Adam Schiff between 11 August and 6 September. I provided the same briefing to each of the Gang of Eight members.  Given the highly sensitive nature of what was an active counterintelligence case involving an ongoing Russian effort to interfere in our presidential election, the full details of what we knew at the time were shared only with those members of Congress, each of whom was accompanied by one senior staff member. The substance of those briefings was entirely consistent with the main judgments contained in the January classified and unclassified assessments, namely that Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton and harm her electability and potential presidency and to help President Trump’s election chances.

The passage has been used to question why GOP leaders, most especially Mitch McConnell, didn’t react more strongly, particularly given public reports that he wouldn’t sign onto a more aggressive statement about Russian efforts.

As I noted in this post, the record thus far reflects a difference in emphasis (on protecting the election systems rather than on Russian attempts to hurt Clinton).

But I want to look more closely at what Brennan actually said.

His description of the briefings seems to be a denial of what I laid out in this post — the NYT report that he gave Harry Reid a special briefing (one which may have been based on the Christopher Steele dossier) that was more alarming than others.

CIA DIRECTORS SHOULD NOT MEET WITH JUST ONE GANG OF EIGHT MEMBER

The second detail I find most interesting in this story is that John Brennan privately briefed Harry Reid about his concerns about the Russians.

John O. Brennan, the C.I.A. director, was so concerned about the Russian threat that he gave an unusual private briefing in the late summer to Harry Reid, then the Senate Democratic leader.

Top congressional officials had already received briefings on Russia’s meddling, but the one for Mr. Reid appears to have gone further. In a public letter to Mr. Comey several weeks later, Mr. Reid said that “it has become clear that you possess explosive information about close ties and coordination between Donald Trump, his top advisors, and the Russian government — a foreign interest openly hostile to the United States.”

While I’m generally sympathetic to Democrats’ complaints that DOJ should have either remained silent about both investigations or revealed both of them, it was stupid for Brennan to give this private briefing (and I hope he gets grilled about it by HPSCI when he testifies in a few weeks). In addition to the things Reid said publicly about the investigation, it’s fairly clear he and his staffers were also behind some of the key leaks here (and, as CNN reported yesterday, leaks about the investigation actually led targets of it to alter their behavior). For reasons beyond what appears in this story, I think it likely Reid served as a cut-out for Brennan.

And that’s simply not appropriate. There may well have been reasons to avoid briefing Richard Burr (who was advising Trump). But spooks should not be sharing information with just one party. CIA did so during its torture cover-up in ways that are particularly troubling and I find this — while not as bad — equally problematic.

When Brennan said he “provided the same briefing to each of the Gang of Eight members,” he might be seen as denying that the briefing to Reid was anything unusual.

Except this NYT article describes Reid’s as taking place in “late summer” and describes top officials as already having received briefings. Another NYT article describes the special briefing for Reid as having taken place on August 25.

In an Aug. 25 briefing for Harry Reid, then the top Democrat in the Senate, Mr. Brennan indicated that Russia’s hackings appeared aimed at helping Mr. Trump win the November election, according to two former officials with knowledge of the briefing.

The officials said Mr. Brennan also indicated that unnamed advisers to Mr. Trump might be working with the Russians to interfere in the election. The F.B.I. and two congressional committees are now investigating that claim, focusing on possible communications and financial dealings between Russian affiliates and a handful of former advisers to Mr. Trump. So far, no proof of collusion has emerged publicly.

Mr. Trump has rejected any suggestion of a Russian connection as “ridiculous” and “fake news.” The White House has also sought to redirect the focus from the investigation and toward what Mr. Trump has said, with no evidence, was President Barack Obama’s wiretapping of phones in Trump Tower during the presidential campaign.

The C.I.A. and the F.B.I. declined to comment for this article, as did Mr. Brennan and senior lawmakers who were part of the summer briefings.

In the August briefing for Mr. Reid, the two former officials said, Mr. Brennan indicated that the C.I.A., focused on foreign intelligence, was limited in its legal ability to investigate possible connections to Mr. Trump. The officials said Mr. Brennan told Mr. Reid that the F.B.I., in charge of domestic intelligence, would have to lead the way.

As described by the NYT, the Reid briefing went beyond what Brennan says he briefed all the Gang of Eight members on, especially with regard to Trump advisors working with Russia. It’s possible Brennan briefed Reid twice.

Much later in the hearing, Trey Gowdy asked Brennan about the Steele dossier. Some of Brennan’s responses — especially his claim not to know who commissioned the Steele dossier; watch him play with his pen — were not all that believable. Brennan went on to say that the CIA didn’t rely on the dossier, but his denial pertained to the IC report on the hack.

It wasn’t part of the corpus of intelligence, uh, information that we had. It was not in any way used as a basis for the intelligence community assessment that was done, uh, it was not.

Note the funny mouth gesture which used to be Brennan’s main “tell.”

Gowdy being Gowdy was not smart enough to ask whether the dossier was ever used in a briefing to members of Congress.

As I have noted, the IC denials pertaining to the dossier are, um, unconvincing (one two three). That’s all the more true given that Steele has admitted to sharing copies of his dossier with his former employer, who would naturally share with Brennan (elsewhere in the hearing Brennan refused to address what our foreign partners had shared with us).

In any case, it seems to me the question is not so much whether McConnell blew off the seriousness of the Brennan warning, but, still, whether Reid received another briefing–perhaps outside that date scope–that included information McConnell didn’t get.

Did Pompeo Also Get an Obstruction Call from Trump?

The WaPo reports that Trump called both Admiral Mike Rogers and Dan Coats to ask if they could issue statements denying any collusion between Trump’s campaign and Russia.

Trump made separate appeals to the director of national intelligence, Daniel Coats, and to Adm. Michael S. Rogers, the director of the National Security Agency, urging them to publicly deny the existence of any evidence of collusion during the 2016 election.

Coats and Rogers refused to comply with the requests, which they both deemed to be inappropriate, according to two current and two former officials, who spoke on the condition of anonymity to discuss private communications with the president.

If Trump was calling spooks, he presumably would have called all spooks, including CIA Director Mike Pompeo (with whom he is probably closer than the other two). So why aren’t we hearing about that call? Is Pompeo just better at keeping secrets than his counterparts? Or is he hiding it because he didn’t object as strongly as his counterparts?

The Kushner-Comey Connection

The WaPo is reporting that the FBI probe into ties between Russia and Trump’s campaign is looking at a person still in the White House, in addition to Mike Flynn and Paul Manafort.

The law enforcement investigation into possible coordination between Russia and the Trump campaign has identified a current White House official as a significant person of interest, showing that the probe is reaching into the highest levels of government, according to people familiar with the matter.

Further down in the article, WaPo names some people that might be this other person of interest — but just one of them is actually in the White House.

Current administration officials who have acknowledged contacts with Russian officials include President Trump’s son-in-law, Jared Kushner, as well as Attorney General Jeff Sessions and Secretary of State Rex Tillerson.

Still further down, the WaPo covers what first got me believing Jared Kushner is the ultimate target of this probe: his meeting with Sergey Gorkov, the FSB-trained head of the sanctioned Russian bank, Vnesheconombank.

The White House also has acknowledged that Kushner met with Kislyak, the Russian ambassador to the United States, in late November. Kushner also has acknowledged that he met with the head of a Russian development bank, Vnesheconombank, which has been under U.S. sanctions since July 2014. The president’s son-in-law initially omitted contacts with foreign leaders from a national security questionnaire, though his lawyer has said publicly he submitted the form prematurely and informed the FBI soon after that he would provide an update.

Vnesheconombank handles development for the state, and in early 2015, a man purporting to be one of its New York-based employees was arrested and accused of being an unregistered spy.

That man — Evgeny Buryakov — ultimately pleaded guilty and was eventually deported. He had been in contact with former Trump adviser Carter Page, though Page has said he shared only “basic immaterial information and publicly available research documents” with the Russian. Page was the subject of a secret warrant last year issued by the Foreign Intelligence Surveillance Court, based on suspicions he might have been acting as an agent of the Russian government, according to people familiar with the matter. Page has denied any wrongdoing, and accused the government of violating his civil rights.

As I’ve noted since, there was a lot of smoke coming from Kushner’s direction: first, SSCI’s explicit interest in interviewing Kushner and then two competing stories about a Trump request for CIA’s Sergey Kislyak dossier that only make sense if the audience were Kushner, not Flynn.

But there are a few more dots (in addition to people claiming to have confirmed this point) that support the idea that Kushner is the ultimate target here, and that Trump, in his clumsy attempts to protect Mike Flynn by firing Jim Comey, is actually attempting to protect the father of his grandchildren.

Back on March 2, Jim Comey’s then still secret Twitter account favorited this NYT article disclosing that Mike Flynn had a previously undisclosed face-to-face meeting with Sergey Kislyak at Trump Tower. (h/t TC)

Michael T. Flynn, then Donald J. Trump’s incoming national security adviser, had a previously undisclosed meeting with the Russian ambassador in December to “establish a line of communication” between the new administration and the Russian government, the White House said on Thursday.

Jared Kushner, Mr. Trump’s son-in-law and now a senior adviser, also participated in the meeting at Trump Tower with Mr. Flynn and Sergey I. Kislyak, the Russian ambassador. But among Mr. Trump’s inner circle, it is Mr. Flynn who appears to have been the main interlocutor with the Russian envoy — the two were in contact during the campaign and the transition, Mr. Kislyak and current and former American officials have said.

[snip]

“They generally discussed the relationship and it made sense to establish a line of communication,” Ms. Hicks said. “Jared has had meetings with many other foreign countries and representatives — as many as two dozen other foreign countries’ leaders and representatives.”

The story was presented as White House confirmation of earlier New Yorker reporting that Kushner had the meeting, with the White House newly disclosing Flynn’s presence at it. But we now know that the representation that Kushner’s meeting with Kislyak was just one of a slew of meetings with foreign leaders wasn’t quite right. He had sent an aide to a subsequent meeting, and coming out of that meeting, he met with Gorkov, basically meeting with someone personally lobbying to get rid of Ukraine-related sanctions.

Later that month, though, Mr. Kislyak requested a second meeting, which Mr. Kushner asked a deputy to attend in his stead, officials said. At Mr. Kislyak’s request, Mr. Kushner later met with Sergey N. Gorkov, the chief of Vnesheconombank, which the United States placed on its sanctions list after President Vladimir V. Putin of Russia annexed Crimea and began meddling in Ukraine.

Of course, while we only learned that fact later, when Comey favorited that story on March 2, he would have known the full details of the follow-up communications. In other words, he would recognize that story as yet another case of the White House hiding Russian communications. He would also likely already know that Kushner had not included that meeting on his security clearance form.

We only learned that story on March 27, when the NYT revealed the Senate Intelligence Committee wanted to interview Kushner about the meeting. As I noted at the time, the discussion between Gorkov and Kushner, coming before Flynn’s December 29 discussions with Kislyak, would dramatically change the connotation of Flynn’s discussions of sanctions. Because, while the immediate context of the December 29 discussions would have been the new hacking related sanctions imposed on December 28, with the prior meeting with Gorkov, they would likely also include the Ukrainian ones. That was the payoff discussed in any quid pro quo related to the election: Putin would help elect Trump, and in exchange Trump would end economic sanctions.

Of course, to make the argument that Flynn was offering to give Russia the payoff for the election-related help, you’d have to get Flynn to cooperate. If you got Flynn to cooperate, he’d be able to tell the FBI whether or not those December 29 conversations pertained just to the hacking sanctions or also to the Ukrainian ones.

The FBI has a great many things they can and will use to get Flynn to cooperate, including his undisclosed foreign payments and his lies to the FBI in his January 24 interview.

[Large section based off erroneous reading of Wittes’ post removed.]

When Trump fired Comey, he claimed that Comey had thrice told him “he” wasn’t under investigation. Even assuming Comey did, consider how Trump would understand that and how normal people would. To us, “he” would include just Trump. But to someone like Trump whose only real loyalty is to family, “he” would include his family. Including Kushner.

Trump may well think Flynn is a nice man that deserves his loyalty. More likely, though, Trump knows that Flynn could sink his son-in-law. I believe that’s why Trump had to fire Comey in an effort to undercut the Flynn investigation.

And Rod Rosenstein, the survivor, just picked a partner from the firm of Kushner and Ivanka’s lawyer Jamie Gorelick, Robert Mueller, to take over the investigation into Flynn.

Update: Sure enough, Reuters is reporting that Mueller, by design, may not be able to investigate Kushner or Paul Manafort.

Within hours of Mueller’s appointment on Wednesday, the White House began reviewing the Code of Federal Regulations, which restricts newly hired government lawyers from investigating their prior law firm’s clients for one year after their hiring, the sources said.

An executive order signed by Trump in January extended that period to two years.

Mueller’s former law firm, WilmerHale, represents Trump’s son-in-law Jared Kushner, who met with a Russian bank executive in December, and the president’s former campaign manager Paul Manafort, who is a subject of a federal investigation.

Legal experts said the ethics rule can be waived by the Justice Department, which appointed Mueller. He did not represent Kushner or Manafort directly at his former law firm.

If the department did not grant a waiver, Mueller would be barred from investigating Kushner or Manafort, and this could greatly diminish the scope of the probe, experts said.

Why Did Tom Bossert Claim WannaCry Was Spread Via Phishing?

Writing this post made me look more closely at what Trump’s Homeland Security Czar Tom Bossert said in a briefing on WannaCry on Monday, May 15.

He claimed, having just gotten off the phone with his British counterpart and in spite of evidence to the contrary, that there had been minimal disruption to care in Britain’s DHS.

The UK National Health Care Service announced 48 of its organizations were affected, and that resulted in inaccessible computers and telephone service, but an extremely minimal effect on disruption to patient care.

[snip]

And from the British perspective, I thought it was important to pass along from them two points — one, that they thought it was an extremely small number of patients that might have been inconvenienced and not necessarily a disruption to their clinical care, as opposed to their administrative processes.  And two, that they felt that some of those reports might have been misstated or overblown given how they had gotten themselves into a position of patching.


Of course, this may be an issue in the upcoming election, so I can see why Theresa May’s government might want to downplay any impact on patient care, especially since the Tories have long been ignoring IT problems at DHS.

He dodged a follow-up question about whether there might be more tools in the Shadow Brokers haul that would lead to similar attacks in the future, by pointing to our Vulnerabilities Equities Process.

Q    I guess a shorter way to put it would be is there more out there that you’re worried about that would lead to more attacks in the future?

MR. BOSSERT:  I actually think that the United States, more than probably any other country, is extremely careful with their processes about how they handle any vulnerabilities that they’re aware of.  That’s something that we do when we know of the vulnerability, not when we know we lost a vulnerability.  I think that’s a key distinction between us and other countries — and other adversaries that don’t provide any such consideration to their people, customers, or industry.

Obviously, the VEP did not prevent this attack. More importantly, someone in government really needs to start answering what the NSA and CIA (and FBI, if it ever happens) do when their hacking tools get stolen, an issue which Bossert totally ignored.

But I’m most interested in something Bossert said during the original exchange on NSA’s role in all this.

Q    So this is one episode of malware or ransomware.  Do you know from the documents and the cyber hacking tools that were stolen from NSA if there are potentially more out there?

MR. BOSSERT:  So there’s a little bit of a double question there.  Part of that has to do with the underlying vulnerability exploit here used.  I think if I could, I’d rather, instead of directly answering that, and can’t speak to how we do or don’t do our business as a government in that regard, I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.  This was a tool developed by culpable parties, potentially criminals of foreign nation states, that was put together in such a way so to deliver it with phishing emails, put it into embedded documents, and cause an infection in encryption and locking. [my emphasis]

Three days into the WannaCry attack, having spent the weekend consulting with DHS and NSA, Bossert asserted that WannaCry was spread via phishing.

That is a claim that was reported in the press. But even by Monday, I was seeing security researchers persistently question the claim. Over and over they kept looking and failing to find any infections via phishing. And I had already seen several demonstrations showing it didn’t spread via phishing.

Now, Bossert is one of the grown-ups in the Trump Administration. His appointment — and the cybersecurity policy continuity with Obama’s policy — was regarded with relief when it was made, as laid out in this Wired profile.

“People that follow cybersecurity issues will be happy that Tom is involved in those discussions as one of the reasoned voices,” Healey says.

“Frankly, he’s an unusual figure in this White House. He’s not a Bannon. He’s not even a Priebus,” says one former senior Obama administration official who asked to remain unnamed, contrasting Bossert with Trump’s top advisers Stephen Bannon and Reince Priebus. “He has a lot of credibility. He’s very straightforward and level-headed.”

And (as the rest of the profile makes clear) he does know cybersecurity.

So I’m wondering why Bossert was stating that this attack spread by phishing at a time when open source investigation had already largely undermined that hasty claim.

There are at least three possibilities. Perhaps Bossert simply misstated here, accidentally blaming the vector we’ve grown used to blaming. Possibly (though this would be shocking) the best SIGINT agency in the world still hadn’t figured out what a bunch of people on Twitter already had.

Or, perhaps there were some phished infections, which quickly got flooded as the infection spread via SMB. Though that’s unlikely, because the certainty that it didn’t spread via email has only grown since Monday.

So assuming Bossert was, in fact, incorrect when he made this claim, why did he have this faulty information?

The Legitimacy Problem with NSA’s Silence on WannaCry

Over at Matt Suiche’s website, he chronicles the discovery of a way to work around WannaCry’s ransomware. First a guy named Adrien Guinet figured out how to find the prime numbers that had been used to compute the key locking a computer’s files. Then a guy named Benjamin Delpy recreated the effort and tested it against versions up to Windows 7. This is not a cure-all, but it may be a way to restore files encrypted by the attackers.

This of course comes after Suiche and, before him, MalwareTech set up sinkholes to divert the malware attack. Other security researchers have released tools to prevent the encryption of files after infection.

And all the while, NSA — which made the exploit that made this worm so damaging, EternalBlue — has remained utterly silent. At this point, Lauri Love, who faces 99 years of prison time for alleged hacking in the US, has done more in public to respond to this global ransomware attack than the NSA has.

The most public comment from NSA has come in the form of this WaPo article, which describes “current and former” officials defending the use of EternalBlue and sort of confirming that NSA told Microsoft of the vulnerability. It also revealed the White House called an emergency cabinet meeting to deal with the attack. The Department of Homeland Security released a pretty useless statement last Friday. On Monday, Homeland Security Czar Tom Bossert answered questions at the press briefing (sometimes inaccurately, I think), emphasizing that the US is not responsible for the attack.

I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.

That’s it. That’s what we’ve seen of our government’s response to a malware attack that it had a role in creating.

(For what it’s worth, people in the UK have said their cybersecurity organization, the National Cyber Security Centre, has been very helpful.)

Don’t get me wrong. I’m sure folks at NSA have been working frantically to understand and undercut this attack. Surely they’ve been coordinating with the private sector, including Microsoft and more visible victims like FedEx. NSA intervention may even explain why there have been fewer infections in the US than in Europe. There may even be some cooperation between the security people who’ve offered public solutions and the NSA. But if those things have happened, it remains totally secret.

And I understand why NSA would want to remain silent. After all, companies and countries are going to want some accountability for this, and while the hackers deserve the primary blame, NSA’s own practices have already come in for criticism in Europe.

Plus, I’m sure whatever NSA is doing to counter this attack is even more interesting — and therefore more important to keep secret from the attackers — than the really awesome sinkholes and prime number workarounds the security researchers have come up with. It’s worth noting that the attackers and aspiring copy-catters are undoubtedly watching the public discussions in the security community to figure out how to improve the attack (though the WannaCry attackers didn’t seem to want or be able to use the information on sinkholes to their advantage, as the release that fixed that problem is corrupted).

But, in my opinion, NSA’s silence creates a legitimacy problem. This is the premier SIGINT agency in the world, tasked to keep the US (and more directly, DOD networks) safe from such attacks. And it has remained silent while a bunch of researchers and consultants collaborating together have appeared to be the primary defense against the weaponization of an NSA tool.

If 22-year-olds fueled by pizza are the best line of defense against global attacks, then it suggests (I’m not endorsing this view, mind you) that we don’t need the NSA.

Update: On Twitter, Jake Williams asked whether NSA would have had a better response if the defensive Information Assurance Directorate hadn’t been disbanded last year by Mike Rogers. I hadn’t thought of that, but it’s a good question.

Wherein emptywheel Avoids Saying Blowjob on the TV

Amid a crazy week traveling, I kept getting asked to do TV, in one case extending a short airport transfer in Chicago overnight to appear on Democracy Now. I thought I’d share today’s interviews.

To explain the Beeb clip above: I have a history of totally bolloxing the time difference in Chicago. So I thought I had another hour to get myself safely ensconced someplace quiet at O’Hare. Instead, they texted me and said I had 5 minutes while I was on the El heading out to O’Hare. So I jumped off at the next stop, huddled down in a shelter and did the interview sitting on the platform. The Beeb did a tremendous job editing out the train and highway noise–I could barely hear myself speak.

Then there’s this Democracy Now interview, which was a comedy of errors in its own way (if one of you wants to walk me through buying my own TV interview earpiece, I’d appreciate the help). I think the interview was good; it’s always a treat to be on with Amy Goodman. But I wanted to call attention to this part of the interview.

MARCY WHEELER: Right. So, this is not Ken Starr. For those of you old enough to remember, Ken Starr was investigating everything and everywhere and couldn’t be fired. And that—the law that authorized such investigations was ended, on the logic that they encouraged kind of wide—they encouraged investigators to keep investigating until they found anything, such as the consensual relationship between Clinton and Monica Lewinsky.

You can too teach an old dog new tricks!

One more note: the lack of make-up in these was not my fault. I thought I was adulting plenty by bringing a jacket with me just in case I had to go adulting somewhere, so I was reasonably okay for the Democracy Now interview. But I didn’t have makeup with me because … why?

Something new to add to my adulting list, now that I’ve mastered translating “blowjob” into “consensual relationship,” and even before coffee: make-up.

Some day soon I might yet grow up.

Update: Adding a link to the Intercepted podcast I was on with Jeremy Scahill and Glenn Greenwald, because it was a lot of fun.

The Scope of the Special Counsel Appointment Is Totally Inadequate

Rod Rosenstein just appointed former FBI Director (and, before that, US Attorney) Robert Mueller as Special Counsel to take over the investigation into Trump and his associates.

I’m agnostic about the selection of Mueller. He has the benefit of credibility among FBI Agents, so will be able to make up for some of what was lost with Jim Comey’s firing. He will be regarded by those who care about such things as non-partisan. With Jim Comey, Mueller stood up to Dick Cheney on Stellar Wind in 2004 (though I think in reality his willingness to withstand Cheney’s demands has been overstated).

But Mueller has helped cover up certain things in the past, most notably with the Amerithrax investigation.

My bigger concern is with the scope, which I believe to be totally inadequate.

Here’s how the order describes the scope:

(b) The Special Counsel is authorized to conduct the investigation confirmed by then-FBI Director James B. Comey in testimony before the House Permanent Select Committee on Intelligence on March 20, 2017, including:

(i) any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump; and

(ii) any matters that arose or may arise directly from the investigation; and

(iii) any other matters within the scope of 28 C.F.R. § 600.4(a).

As I read this, it covers just the investigation into ties between the Russian government and people associated with Trump’s campaign. Presumably, that includes Mike Flynn, Paul Manafort, and Carter Page, among others.

But there are other aspects of the great swamp that is the Trump and Russia orbit that might not be included here. For example, would Manafort’s corrupt deals with Ukrainian oligarchs be included? Would Flynn’s discussions with Turkish officials, or Rudy Giuliani’s attempt to excuse Turkey’s violation of Iran sanctions? Would the garden variety money laundering on behalf of non-governmental Russian mobbed up businessmen be included, something that might affect Manafort, Jared Kushner, or Trump himself?

And remember there are at least two other aspects of the Russian hacking investigation. Back in February, Reuters reported that San Francisco’s office was investigating Guccifer 2.0 and Pittsburgh was investigating the actual hackers.  Somewhere (San Francisco would be the most logical spot), they’re presumably investigating whoever it is that has been dumping NSA’s hacking tools everywhere. I’ve learned that that geography has either changed, or there are other aspects tied to those issues in other corners of the country.

Plus, there’s the Wikileaks investigation in EDVA, the same district where the Mueller-led investigation might reside, but a distinct investigation.

Any one of those investigations might present strings that can be pulled, any one of which might lead to the unraveling of the central question: did Trump’s associates coordinate with the Russian government to become President. Unless Mueller can serve to protect those other corners of the investigation from Trump’s tampering, it would be easy to shut down any of them as they become productive.

Yet, as far as I understand the scope of this, Mueller will only oversee the central question, leaving those disparate ends susceptible to Trump’s tampering.

Update: In its statement on the appointment, ACLU raises concerns about whether this would include the investigation into Trump’s attempt to obstruct this investigation.

Update: WaPo’s Philip Rucker reminds that Mueller is law firm partners with Jamie Gorelick, who has been representing both Ivanka and Kushner in this issue.

Update: Mueller is quitting WilmerHale to take this gig. He's also taking two WilmerHale former FBI people with him. Still, that's a close tie to a lawyer representing key subjects of this investigation.

Update: One addition to the ACLU concern about investigating the Comey firing. In the most directly relevant precedent, the Plame investigation, when Pat Fitzgerald expanded his investigation from the leak of Plame’s identity to the obstruction of the investigation, he asked for approval to do so from the Acting Attorney General overseeing the investigation — in that case, Jim Comey.

The Acting Attorney General in this case is Rod Rosenstein. So if Mueller were as diligent as Fitzgerald was, he would have to ask the guy who provided the fig leaf for Comey’s firing to approve the expansion of the investigation to cover his own fig leaf.

Update: Petey noted to me that Jeff Sessions’ narrow recusal may limit how broadly Rosenstein’s order may be drawn. It’s a really interesting observation. Here’s what I said about Sessions’ recusal (which is very similar to what I tried to address in this post).

There are two areas of concern regarding Trump’s ties that would not definitively be included in this recusal: Trump’s long-term ties to mobbed up businessmen with ties to Russia (a matter not known to be under investigation but which could raise concerns about compromise of Trump going forward), and discussions about policy that may involve quid pro quos (such as the unproven allegation, made in the Trump dossier, that Carter Page might take 19% in Rosneft in exchange for ending sanctions against Russia), that didn’t involve a pay-off in terms of the hacking. There are further allegations of Trump involvement in the hacking (a weak one against Paul Manafort and a much stronger one against Michael Cohen, both in the dossier), but that’s in no way the only concern raised about Trump’s ties with Russians.


Shadow Brokers: “All your bases are belong to us”

Back when Shadow Brokers doxxed some NSA hackers, I argued some allusions Shadow Brokers made served as a kind of warning, in that case directed at people who hack for NSA. As I understand it, Shadow Brokers’ threats reflected access to specific and accurate information.

Though I haven’t confirmed any of these details, yesterday’s Shadow Brokers post seems to do more of the same, although this time directed at NSA itself.

Consider this passage:

In April, 90 days from theequationgroup show and tell, 30 days from Microsoft patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks. Because why not? TheShadowBrokers is having many more where coming from? “75% of U.S. cyber arsenal” TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS. This is theshadowbrokers way of telling theequationgroup “all your bases are belong to us”. TheShadowBrokers is not being interested in stealing grandmothers’ retirement money. This is always being about theshadowbrokers vs theequationgroup.

Shadow Brokers starts by saying it just dropped the EternalBlue dump, along with some other files, because "The ShadowBrokers is having many more where [those were] coming from." Shadow Brokers then cites a detail first reported by WaPo (though it presents the factoid as a direct quote when it is not): that Hal Martin stole 75% of the US cyberarsenal. The WaPo report actually stated that Martin had stolen "75 percent of TAO's library of hacking tools."

Shadow Brokers then made some assertions that may disprove a claim WaPo made yesterday: "It is not clear how the Shadow Brokers obtained the hacking tools, which are identical to those breached by former NSA contractor Harold T. Martin III, according to former officials." It described exactly where, on the NSA servers, the files came from: "TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS." Having suggested it had at least seen file paths or screen caps of the NSA's file system, Shadow Brokers then made its point even more clear: "This is theshadowbrokers way of telling theequationgroup 'all your bases are belong to us'," both making fun of the claims about its broken language and suggesting takeover (though I'm curious whether the mis-citation using a plural here is intentional, perhaps because these file systems are in different places, or just one of several egregious typos in this post).

Again, I haven’t confirmed whether those details are accurate. Surely the NSA has doublechecked. If they are accurate, then the other claims made in the post — specifically about the other things it has to dump — will especially merit attention.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

One more point. Shadow Brokers seems to suggest that an Oracle patch and another Microsoft patch were prompted by tips from former NSA hackers, as if former NSA employees are now helping their new employers clean up holes they've long known about.

Oracle is patching huge numbers of vulnerabilities but TheShadowBrokers is not caring enough to be look up exact dates.

[snip]

TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?

It’s not clear whether they’d be doing this because they knew of holes NSA had been using or not.

But it’s worth observing that Shadow Brokers is not making vague threats here.

The EternalBlue Source Might Have Been Able to “Fish DOD with Dynamite;” Why Didn’t It?

Let’s look at some dates the WaPo’s sources and Shadow Brokers are giving for the EternalBlue exploit that caused havoc around the world starting on Friday.

Yesterday, WaPo had a story on how concerned people within NSA were about the EternalBlue Windows exploit used in the WannaCry ransomware. It was so powerful, one source described, it was like “fishing with dynamite.”

In the case of EternalBlue, the intelligence haul was “unreal,” said one former employee.

“It was like fishing with dynamite,” said a second.

But that power came with risks. Among others, when the NSA started using the powerful tool more than five years ago, the military itself would have been exposed to it.

Since the NSA began using EternalBlue, which targets some versions of Microsoft Windows, the U.S. military and many other institutions have updated software that was especially vulnerable.

Cyberscoop notes, though, that the US military hasn't been entirely protected from WannaCry. An IP address associated with the Army Research Lab at Fort Huachuca was infected (though that could have been a deliberate attempt to respond to the ransomware).

WannaCry ransomware infected a machine tied to an IP address associated with the Army Research Laboratory, CyberScoop has learned. The information, found on a list of affected IP addresses provided by a security vendor, would mark the first time the ransomware was found on a federal government computer.

The security vendor, who provided the data on condition of anonymity to discuss sensitive material, observed communications from the victim IP address to the attackers’ known command and control server on May 12; confirming that the ransomware infection involving the ARL was in fact successful.

The IP address is tied to a server block parked at a host located at Fort Huachuca, Arizona. The type of machine the IP address is attached to is unknown.
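The methodology CyberScoop describes (a host on a vendor's victim list counts as a confirmed infection only once its own traffic to the attackers' known command and control server is seen) can be reproduced over ordinary connection logs. The script below is an added illustration, not CyberScoop's, the vendor's, or the original post's code. Its log format, the internal hosts, the C2 address and the "analysis host" allowlist are all constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real WannaCry infrastructure), and the `spread_threshold` parameter is my own choice. It also covers the ambiguity the post raises: a sandbox that detonates the sample on purpose produces the same C2 beacon as a real victim, so such hosts are tracked separately, and a confirmed host that then fans out on TCP 445 to many neighbours is flagged as actively spreading.

```python
"""Classify candidate WannaCry victims from connection logs.

Added illustration; not tooling from CyberScoop, the vendor, or the post.
Log format, addresses and indicators are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed indicator standing in for "the attackers' known command and
# control server". A real investigation would load vetted IOCs here.
KNOWN_C2 = {"203.0.113.77"}

# Hosts an analyst has identified as sandboxes or honeypots that detonate
# samples deliberately (the "deliberate attempt to respond" case).
KNOWN_ANALYSIS_HOSTS = {"10.8.0.9"}

# Constructed flow log: timestamp src dst dport proto
SAMPLE_FLOWS = """\
2017-05-12T10:01:02Z 198.51.100.5 10.8.0.4 445 tcp
2017-05-12T10:01:09Z 10.8.0.4 203.0.113.77 443 tcp
2017-05-12T10:02:00Z 10.8.0.4 10.8.0.10 445 tcp
2017-05-12T10:02:01Z 10.8.0.4 10.8.0.11 445 tcp
2017-05-12T10:02:02Z 10.8.0.4 10.8.0.12 445 tcp
2017-05-12T10:05:00Z 198.51.100.5 10.8.0.6 445 tcp
2017-05-12T10:06:00Z 10.8.0.9 203.0.113.77 443 tcp
2017-05-12T10:07:00Z 10.8.0.20 203.0.113.77 443 tcp
"""


@dataclass
class HostActivity:
    c2_contacts: int = 0                       # outbound hits on a known C2
    inbound_smb: int = 0                       # someone probed/exploited us on 445
    outbound_smb_targets: set = field(default_factory=set)  # hosts we hit on 445


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto))
    return flows


def summarize(flows):
    """Aggregate per-host evidence: C2 beacons and SMB in/out activity."""
    hosts = defaultdict(HostActivity)
    for _ts, src, dst, dport, proto in flows:
        if dst in KNOWN_C2:
            hosts[src].c2_contacts += 1
        if proto == "tcp" and dport == 445:
            hosts[dst].inbound_smb += 1
            hosts[src].outbound_smb_targets.add(dst)
    return hosts


def classify(candidates, flows, spread_threshold=3):
    """Return (verdict per candidate, hosts that beaconed but were not listed).

    spread_threshold (assumed value) is the number of distinct 445/tcp
    targets at which a confirmed host is treated as actively spreading.
    """
    hosts = summarize(flows)
    verdicts = {}
    for ip in candidates:
        a = hosts.get(ip, HostActivity())
        if ip in KNOWN_ANALYSIS_HOSTS:
            verdicts[ip] = "analysis-host"      # beacon expected; not a victim
        elif a.c2_contacts and len(a.outbound_smb_targets) >= spread_threshold:
            verdicts[ip] = "confirmed-spreading"
        elif a.c2_contacts:
            verdicts[ip] = "confirmed"          # the CyberScoop standard
        elif a.inbound_smb:
            verdicts[ip] = "scanned-only"       # targeted, no proof it landed
        else:
            verdicts[ip] = "no-evidence"
    # Hosts the vendor list missed but that still beaconed to C2.
    missed = sorted(ip for ip, a in hosts.items()
                    if a.c2_contacts and ip not in candidates
                    and ip not in KNOWN_ANALYSIS_HOSTS)
    return verdicts, missed


if __name__ == "__main__":
    vendor_list = ["10.8.0.4", "10.8.0.6", "10.8.0.9", "10.8.0.30"]
    verdicts, missed = classify(vendor_list, parse_flows(SAMPLE_FLOWS))
    for ip, verdict in verdicts.items():
        print(f"{ip:12} {verdict}")
    print("not on vendor list but contacted C2:", missed)
```

The point of the "scanned-only" bucket is the one the post makes about the ARL address: an IP appearing on a list of affected addresses shows that it was targeted, while only the outbound beacon shows that the infection "was in fact successful."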

In the early days of EternalBlue, the WaPo explains, it would often crash the infected computer, resulting in a bluescreen that might alert victims to its presence. That opened the possibility that the victim might discover the exploit and then turn it back on the US.

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

The WaPo puts the date before which DOD was vulnerable to its own weapon at 2014.

What if the Shadow Brokers had dumped the exploits in 2014, before the government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

In yesterday’s post, Shadow Brokers claimed the Windows exploits released last month — which it had first named in January — came from a 2013 OpsDisk.

In January theshadowbrokers is deciding to show screenshots of lost theequationgroup 2013 Windows Ops Disk.

I'll have a bit more to say about Shadow Brokers' claims yesterday. But if this description of the source of the exploit is correct (an ops disk dating to 2013), it opens up the possibility that the disk was obtained around the same time, perhaps in response to the bluescreen effect. If it was, then whoever obtained it would have been able to attack DOD with it.

I keep asking people what the source for Shadow Brokers’ files might have been able — might still be able — to steal from the US using the tools in question. This timeline seems to suggest the Ops Disk would have been deployed before DOD was prepared to withstand its own weapons.

Shadow Brokers Further Incites War between “scumbag Microsoft Lawyer” and NSA

The other day, Microsoft President and Chief Legal Officer Brad Smith wrote a blog post about the WannaCry ransomware exploiting his company’s products to disrupt the world. At one level it was one of the first entries in what will surely be an interesting policy discussion once there’s an aftermath to the crisis, calling for collective action and a Digital Geneva Convention.

But at another level, Smith’s post provided an opportunity to bitch out the CIA and NSA, the leaked and stolen exploits of which have really fucked with Microsoft in the last few months.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Joining the many people who object to the analogy between Tomahawks and hacking exploits, the entity that caused this crisis, Shadow Brokers, is none too impressed with Smith’s response, either. Along with suggesting NSA was paying Microsoft to sit on vulnerabilities and unleashing a load of expletives (you can click through for both of those), Shadow Brokers lays out the tensions between Microsoft, its enterprise contracts with the government, and the NSA’s reticence about the vulnerabilities in Microsoft products it is exploiting.

Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup. Microsoft and theequationgroup is having very very large enterprise contracts millions or billions of USD each year. TheEquationGroup is having spies inside Microsoft and other U.S. technology companies. Unwitting HUMINT.

[snip]

Microsoft is being embarrassed because theequationgroup is lying to Microsoft. TheEquationGroup is not telling Microsoft about SMB vulnerabilities, so Microsoft not preparing with quick fix patch. More important theequationgroup not paying Microsoft for holding vulnerability. Microsoft is thinking it knowing all the vulnerabilities TheEquationGroup is using and paying for holding patch.

Then Shadow Brokers brings the hammer: threatens to dump (among other offerings in an “exploit of the month club”) a Windows 10 vulnerability.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

Heck, at this point, Shadow Brokers doesn't even need to have this exploit (though I'm guessing the NSA and Microsoft both may be erring on the side of caution). Because simply by threatening another leak after leaking two sets of Microsoft exploits, Shadow Brokers will ratchet up the hostility between Microsoft and the government.

It might even force some disclosure about exploits more critical to NSA’s current toolkit than the very powerful tools Shadow Brokers already used to create a global ransomware worm.