[Busec] Report on Russian hacking

Manuel Egele megele at bu.edu
Fri Jan 6 16:35:52 EST 2017


Sure, and North Korea hacked Sony according to FBI director Comey. I guess that stance moved to: the North Koreans hired the Chinese to do it. The IC does not have a history of caring about "the truth".

Cheers
Manuel

On January 6, 2017 10:23:36 PM GMT+01:00, Ethan Heilman <eth3rs at gmail.com> wrote:
>> In my (completely unsolicited) opinion, this is why there is no value
>> making assessments such as these public; they should be provided (with
>> evidence) only to those with sufficient clearance to see and critique them.
>
> I agree that this isn't primary evidence. However, I would posit that the
> value of this assessment is as a signal that the US IC actually believes
> Russia is behind it. As you said:
>
>> If you trust the analyses of the FBI, CIA, and NSA, then this is certainly
>> a strong statement;
>
> If it turns out Russia was not behind it, such assessments would embarrass
> the people in charge of the US IC, and so such a signal assures me that at
> least the DNI believes it.
>
>
> On Fri, Jan 6, 2017 at 4:11 PM, Ari Trachtenberg <trachten at bu.edu> wrote:
>
>> This is very interesting as a political piece, but it gives no technical
>> evidence whatsoever (I suspect this is on purpose, to protect “methods and
>> sources”).
>>
>> If you trust the analyses of the FBI, CIA, and NSA, then this is certainly
>> a strong statement; if you don’t trust the analyses, this does nothing to
>> support the public proclamations.
>>
>> In my (completely unsolicited) opinion, this is why there is no value
>> making assessments such as these public; they should be provided (with
>> evidence) only to those with sufficient clearance to see and critique them.
>>
>> best,
>> -Ari
>>
>>
>> On Jan 6, 2017, at 3:49 PM, Ethan Heilman <eth3rs at gmail.com> wrote:
>>
>> New DNI report on Russian intentions in hacking DNC:
>> https://www.dni.gov/files/documents/ICA_2017_01.pdf
>>
>> 'Background to “Assessing Russian Activities and Intentions in Recent US
>> Elections”: The Analytic Process and Cyber Incident Attribution'
>>
>> On Wed, Jan 4, 2017 at 2:54 PM, Ari Trachtenberg <trachten at bu.edu> wrote:
>>
>>> This just goes to show that ... well, people are corruptible, and academics
>>> no less than anyone else.  Complete transparency is no panacea either
>>> (witness the complete uselessness of "privacy notices", or the major
>>> vulnerabilities with open-source software).
>>>
>>> Seeing as we're developing a cynicism toward a benevolent monarchy,
>>> perhaps a system of checks and balances will solve all our problems ;-)
>>>
>>> > On Jan 4, 2017, at 1:51 PM, Egele, Manuel <megele at bu.edu> wrote:
>>> >
>>> > On Wed, 2017-01-04 at 13:48 -0500, Ethan Heilman wrote:
>>> >> The Silk Road case was also not without problems. For instance, the two
>>> >> DEA agents in the Silk Road investigation stole Bitcoins, ran an
>>> >> extortion racket, sold investigation details to potential suspects, and
>>> >> altered evidence. US federal investigation bodies don't have a great
>>> >> reputation -- see FBI collaboration with Boston organised crime and DEA
>>> >> employees selling confidential informant identities to drug cartels.
>>> >
>>> > Sure, but that was purely on the Law Enforcement side. The case with
>>> > CMU-CERT was different as the, let's call it malice, originated from the
>>> > "academic" side of the partnership. You (or at least I as a responsible
>>> > researcher) simply don't go, break Tor and then don't tell anyone about
>>> > it.
>>> >
>>> > cheers,
>>> > --manuel
>>> >
>>> >> On Wed, Jan 4, 2017 at 1:12 PM, Manuel Egele <megele at bu.edu> wrote:
>>> >>        On Wed, 2017-01-04 at 08:11 -0800, Hristo Stoyanov wrote:
>>> >>> Here ESET claims they've acquired XAgent source code:
>>> >>> http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
>>> >>> (described on the ESET website here:
>>> >>> https://www.eset.com/us/about/newsroom/press-releases/dissection-of-sednit-espionage-group/)
>>> >>> Here's another claim of a third party also having the XAgent source code:
>>> >>> https://medium.com/@jeffreycarr/the-gru-ukraine-artillery-hack-that-may-never-have-happened-820960bbb02d
>>> >>> (this article references the ESET report in the first link). Kinda shaky,
>>> >>> "I heard it from a friend of a friend of my aunt" type of evidence, admittedly.
>>> >>>
>>> >>> This can be a post-factum attempt to get plausible deniability or it
>>> >>> could be that someone had XAgent that wasn't APT28. Can't tell between
>>> >>> confirmation bias and circumstantial evidence here.
>>> >>>
>>> >>> Another thing that I'm missing is how exactly APT28 as users of
>>> >>> XAgent and this PHP malware are tied together. What detail links the two?
>>> >>>
>>> >>> As for an open and transparent organization that attempts to build
>>> >>> good cases by acquiring the kind of evidence Ari listed - a lot of
>>> >>> this seems to require some legal capabilities usually afforded to
>>> >>> government agencies (hack back, gather court-admissible evidence). The
>>> >>> kind of thing that the FBI is supposed to do. Perhaps some form of
>>> >>> partnership between the FBI and academia would be productive. They dealt
>>> >>> very successfully with Silk Road, after all.
>>> >>
>>> >>        I particularly agree with the last paragraph. Also, I'm not
>>> >>        sure that modeling something along the lines of CMU-CERT with
>>> >>        respect to the security community is a good citizen model --- just
>>> >>        look at the fallout that CMU-CERT's deanonymizing Tor exercise
>>> >>        produced.
>>> >>
>>> >>        cheers,
>>> >>        --manuel
>>> >>
>>> >>> Hristo
>>> >>>
>>> >>> 2017-01-04 7:13 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
>>> >>>        Sounds like a perfect role for academia (maybe patterned after
>>> >>>        CMU's CERT here at BU).  The biggest problem is, of course, with
>>> >>>        getting reliable data ... perhaps it is possible to cull data
>>> >>>        from everybody and use statistical tests to fish for bias.
>>> >>>
>>> >>>        Regarding Hristo's question ... I think that the key word is
>>> >>>        evidence, since most things can be faked with enough effort.
>>> >>>        Evidence could include:
>>> >>>        * use, structure, and style reuse of attributed code or
>>> >>>          vulnerabilities, ideally those that are private
>>> >>>        * IP addresses
>>> >>>        * cryptographic keys
>>> >>>        * pictures of hackers and geolocation (as with the Chinese
>>> >>>          hackers not so long ago)
>>> >>>        * hack back data
>>> >>>
>>> >>>        best,
>>> >>>                -Ari
>>> >>>
>>> >>>> On Jan 4, 2017, at 9:03 AM, Ethan Heilman <eth3rs at gmail.com> wrote:
>>> >>>>
>>> >>>> I worry that this Wordfence report makes it look like only that PHP
>>> >>>> malware was used and that there is no additional evidence.
>>> >>>>
>>> >>>> However, my understanding is that the DNC hackers used several forms of
>>> >>>> persistence including XAgent (according to CrowdStrike). I was
>>> >>>> unable to find any evidence that XAgent was available for use by
>>> >>>> anyone other than SEDNIT/APT28. I would love to see a report on the
>>> >>>> Windows variant of the XAgent used in the DNC hack.
>>> >>>>
>>> >>>>> I believe (correct me if I'm wrong), there is no other data
>>> >>>>> available from the USG. Only (very) pointed accusations
>>> >>>>> against a certain country.
>>> >>>>
>>> >>>> Not sure why the DHS/FBI report goes out of its way to present so
>>> >>>> little evidence. Was the CrowdStrike report incorrect? Did they not
>>> >>>> want to step on CrowdStrike's toes? Is this the result of over-zealous
>>> >>>> secrecy?
>>> >>>>
>>> >>>> This issue highlights a critical need for neutral ICT investigative
>>> >>>> bodies that operate not as intelligence agencies but instead work to
>>> >>>> build public cases and publish evidence in a trustworthy, open manner.
>>> >>>> This should be the role of the FBI, but clearly something went wrong
>>> >>>> here. Currently private companies like CrowdStrike and FireEye fill
>>> >>>> this role, but since they are hired and paid by an interested party
>>> >>>> they are often viewed with skepticism.
>>> >>>>
>>> >>>>
>>> >>>> On Wed, Jan 4, 2017 at 2:47 AM, Hristo Stoyanov <htstoyanov at gmail.com> wrote:
>>> >>>>> Here are some actual details based on the CSV and XML published alongside the
>>> >>>>> written report:
>>> >>>>>
>>> >>>>> https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack/
>>> >>>>>
>>> >>>>> Conclusions: old, freely available malware, incredibly wide variety of
>>> >>>>> countries making up the IP addresses given as a source of the attack. Hence,
>>> >>>>> that data is as evidence-free as the written report. I believe (correct me
>>> >>>>> if I'm wrong), there is no other data available from the USG. Only (very)
>>> >>>>> pointed accusations against a certain country.
>>> >>>>>
>>> >>>>> However, what would be good technical details that show attribution? Russian
>>> >>>>> documents/emails that order/discuss/report on the attack (perhaps with some
>>> >>>>> signatures :)) would definitely cut it. What else?
>>> >>>>>
>>> >>>>> - Hristo
>>> >>>>>
>>> >>>>> 2017-01-03 13:10 GMT-08:00 Ari Trachtenberg <trachten at bu.edu>:
>>> >>>>>>
>>> >>>>>> Yes, the crowdstrike report is much more interesting, but, at this point,
>>> >>>>>> rather dated.  What it doesn't include is evidence of attribution to the
>>> >>>>>> Russian government (just some suggestive information about the slickness
>>> >>>>>> of the attack and a belief of some link).  Has anyone seen public technical
>>> >>>>>> details in this realm?
>>> >>>>>>
>>> >>>>>> best,
>>> >>>>>>       -Ari
>>> >>>>>>
>>> >>>>>>> On Jan 3, 2017, at 2:32 PM, Ethan Heilman <eth3rs at gmail.com> wrote:
>>> >>>>>>>
>>> >>>>>>> With the exception of the attribution of individual hackers, the
>>> >>>>>>> DHS/FBI report is almost entirely detail-free. The CrowdStrike report
>>> >>>>>>> provides many of the missing details:
>>> >>>>>>>
>>> >>>>>>> https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
>>> >>>>>>>
>>> >>>>>>> One interesting tidbit in the DHS/FBI report was that it blames Slavik of
>>> >>>>>>> Zeus Gameover fame.
>>> >>>>>>>
>>> >>>>>>> On Tue, Jan 3, 2017 at 2:08 PM, Ari Trachtenberg <trachten at bu.edu>
>>> >>>>>>> wrote:
>>> >>>>>>>> Somehow I'm missing the description ... I just see generic malware
>>> >>>>>>>> information on a popular web shell tool and generic mitigation
>>> >>>>>>>> strategies.  If anything, this suggests a *lack* of an actual smoking gun.
>>> >>>>>>>>
>>> >>>>>>>> best,
>>> >>>>>>>> -Ari
>>> >>>>>>>>
>>> >>>>>>>> On Dec 29, 2016, at 5:56 PM, Scheffler, Sarah, Ann <sscheff at bu.edu> wrote:
>>> >>>>>>>>
>>> >>>>>>>> This is a joint report written by DHS and the FBI, and it's the first
>>> >>>>>>>> actual decent description I've found of the Russian hacking that's been
>>> >>>>>>>> all over the news, and I figured y'all might be interested in reading it:
>>> >>>>>>>>
>>> >>>>>>>> http://www.nytimes.com/interactive/2016/12/29/us/politics/document-Report-on-Russian-Hacking.html
>>> >>>>>>>>
>>> >>>>>>>> Happy last-two-and-a-half-days-of-2016,
>>> >>>>>>>> Sarah
>>> >>>>>>>>
>>> >>>>>>>> _______________________________________________
>>> >>>>>>>> Busec mailing list
>>> >>>>>>>> Busec at cs.bu.edu
>>> >>>>>>>> http://cs-mailman.bu.edu/mailman/listinfo/busec
>>> >>>>>>>>
>>> >>>>>>>> —
>>> >>>>>>>> Prof. Ari Trachtenberg
>>> >>>>>>>> Electrical and Computer Engineering
>>> >>>>>>>> Boston University
>>> >>>>>>>> trachten at bu.edu
>>> >>>>>>>>
>>> >>>>>>
>>> >>>>>> —
>>> >>>>>> Prof. Ari Trachtenberg
>>> >>>>>> Electrical and Computer Engineering
>>> >>>>>> Boston University
>>> >>>>>> trachten at bu.edu
>>> >>>
>>> >>>        —
>>> >>>        Prof. Ari Trachtenberg
>>> >>>        Electrical and Computer Engineering
>>> >>>        Boston University
>>> >>>        trachten at bu.edu
>>> >>
>>> >
>>> —
>>> Prof. Ari Trachtenberg
>>> Electrical and Computer Engineering
>>> Boston University
>>> trachten at bu.edu
>>
>> ---
>> Prof. Ari Trachtenberg            ECE, Boston University
>> trachten at bu.edu                    http://people.bu.edu/trachten
>>
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
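Hristo's point about the CSV/XML indicator data published with the report (old, freely available malware; source IPs spread across many countries) and Ari's list of what would actually count as evidence both come down to one practical check: what does a published indicator list contain, and how much of it is tied to any described activity? The block below is an added example for this thread, not code from the thread or from the DHS/FBI, CrowdStrike, ESET or Wordfence reports linked above. It runs a triage pass over such a list: parse, de-duplicate, reject addresses that cannot point at an external party, and separate indicators carrying context from bare IPs. The column layout (indicator, type, description), the type labels and every sample row are constructed assumptions; the real release's format and contents are not reproduced here.

```python
"""Triage a published indicator list before treating it as evidence.

Added example for this thread; it is not code from the thread or from the
DHS/FBI, CrowdStrike, ESET or Wordfence reports linked above. The column
layout (indicator, type, description), the indicator type labels and every
row of SAMPLE_CSV are constructed assumptions, not the released data.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample feed (assumption): RFC 5737 documentation addresses
# stand in for public ones; nothing here is a real indicator.
SAMPLE_CSV = """indicator,type,description
203.0.113.10,IPV4ADDR,
203.0.113.10,IPV4ADDR,
198.51.100.7,IPV4ADDR,C2 callback observed from web shell sample
192.168.1.5,IPV4ADDR,
999.1.1.1,IPV4ADDR,
example-update.test,FQDN,staging domain in phishing kit
d41d8cd98f00b204e9800998ecf8427e,MD5,PHP web shell dropper
"""

# Ranges that cannot identify an external actor (private, loopback,
# link-local, multicast, reserved). The RFC 5737 documentation ranges are
# deliberately left out so the constructed sample has "public" addresses.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_indicators(text):
    """Parse CSV text into de-duplicated rows; returns (rows, duplicates_dropped)."""
    seen, rows, dropped = set(), [], 0
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["indicator"].strip(), row["type"].strip().upper())
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        rows.append({"indicator": key[0], "type": key[1],
                     "description": (row.get("description") or "").strip()})
    return rows, dropped


def classify_ip(value):
    """'invalid' (not an address), 'non_routable' (in NOISE_NETS) or 'routable'."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "invalid"
    if any(addr in net for net in NOISE_NETS):
        return "non_routable"
    return "routable"


def triage(text):
    """Summarise what the list contains and how much of it carries context."""
    rows, dropped = parse_indicators(text)
    by_type = Counter(r["type"] for r in rows)
    # IPs that are malformed or non-routable are feed noise, not evidence.
    bad_ips = {r["indicator"]: classify_ip(r["indicator"])
               for r in rows if r["type"] == "IPV4ADDR"
               and classify_ip(r["indicator"]) != "routable"}
    # Bare IPs with no description tie to nothing observed: they may be shared
    # or transient infrastructure and say little about who used them.
    context_free_ips = [r["indicator"] for r in rows
                        if r["type"] == "IPV4ADDR" and not r["description"]
                        and r["indicator"] not in bad_ips]
    with_context = [r["indicator"] for r in rows if r["description"]]
    return {
        "total": len(rows),
        "duplicates_dropped": dropped,
        "by_type": dict(by_type),
        "bad_ips": bad_ips,
        "context_free_ips": context_free_ips,
        "with_context": with_context,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for the constructed feed. The numbers are what to look at before calling such a list "evidence": a feed where most entries are context-free addresses is still usable for blocking, but on its own it supports attribution no better than the prose report it accompanies.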