Saturday, December 10, 2016

Russian Hacking

Russian Hacking and the 2016 US Election Campaign

The statements about Russian hacking and/or interference in the 2016 US election are getting louder. Is this because the evidence has gotten stronger? Or, was there insufficient skeptical pushback against these claims? Are there political motives in the US, especially on the left (and "neocon" right) to exaggerate Russian influence?

For the impatient, I will state up front that I know not who hacked the DNC, or Hillary Clinton campaign manager John Podesta. There's nothing in the evidence I've seen to support any conclusion. It's my opinion that any private sector individuals expressing confidence in the consensus view that Russia is to blame are not exercising reasonable scrutiny on this issue.

My background is in military surveillance, but not of the kind that directly applies here (I worked on so-called "spy planes"). I have no inside connection that affords me any insight not available to the general public. My profession is software engineer, which gives me better-than-average ability to assess the technical details presented in this story; but cyber security is not my specialty. I have done many things in my career, including significant reverse engineering. To that extent, I'm hacker-adjacent, but do not consider myself a hacker.

Technical asides for laymen are presented inline in blue. Skip them if you're familiar with the issue.


Concessions


Before delving into the details, I'll outline major concessions I'll make to the consensus view:
  • Russia has a motive to tip the election in favor of Donald Trump. This seems uncontroversial. Hillary Clinton had repeatedly advocated what can only be considered acts of war against Russia with respect to both cyber security and Syria. Donald Trump has loudly rejected those positions. It's clearly better for Russia to have a President Trump on those points alone. That does not mean there aren't many other actors with anti-Clinton motives as well.
  • The persona Guccifer 2.0 may not be who he says he is. I fully accept that inconsistencies in his statements indicate that he may not have the technical skills to have carried out this hack (alone). This also does not scream "Russia" to me.
  • There may be relevant information pointing to Russia that has not been released to the public. If this is the case, those suspecting Russia may be "right". In my opinion, it would still be for the wrong reasons. In matters that seem easily able to lead to escalation between two of the world's superpowers, I think the public needs to demand a high level of proof.


What Some Others Have Written


Here is a standard piece promoting the view that Russia did conduct these hacks:


And, here is a skeptical view of the situation:



Evidence for Russia


1. Russian VPN Service


One of the primary pieces of evidence pointed to is the fact that Guccifer 2.0, the person/persona claiming responsibility for the DNC hacks, used a Virtual Private Network (VPN) operated by a Russian company.

What is a VPN? A VPN is a network set up for various security reasons. A VPN provides a boundary between computers inside it, and outside it. The boundary can generally be crossed, but mostly in one direction. A VPN might be set up for a whole company, to protect their employees' computers. What makes it "virtual" is that the computers inside the VPN need not be all on the same physical network of computers connected via network cables and Wi-Fi. This is useful, for example, if a company lets employees work on home laptops, while still having their computer protected as if it were inside the company's walls (and firewalls).

A VPN may also be useful if a person wants their computer to appear to be in a different location. This could be to fool computers elsewhere into thinking their computer is somewhere it's not. It could be to watch sports in geographic regions where access is denied (blacked out). It could be to purchase goods restricted for online sale to particular areas. There is nothing fundamentally shady about using a VPN, nor is it a particularly sophisticated tool that would indicate state-sponsored actors.

A VPN provider may utilize computers (servers) all over the world, to provide access to users all over the world, and also to give users the ability to make their own computer appear to be from a variety of locations.  When a computer inside the VPN contacts a computer on the broader internet, from the perspective of the internet computer (web server, mail server, etc.) it looks like the communication is originating from the server maintained by the VPN provider. No details on what's happening inside that VPN are available to the outside.

The actual VPN server used in all of Guccifer 2.0's communications with the press was a French server. It's entirely normal for a Russian VPN provider to have servers based in France, and elsewhere.

Why is the VPN provider being a Russian company important? Honestly, I don't know. This doesn't seem like more than circumstantial evidence to me. This is of the flavor of "Edward Snowden is working with Putin because he fled to Russia", but actually much weaker. No, Snowden got stuck in Russia. Why would he choose Russia? Because it's one of a limited number of countries that he would know would not cooperate with US authorities looking to catch him. Russia may be the enemy of Snowden's "enemy", but that does not make them friends. In the Guccifer 2.0 case, this person(s) is attacking, in essence, the US government. Were he, for example to use a US VPN provider, it's entirely possible that the VPN provider would cave to pressure (possibly in secret) from the US government to reveal details that might uncover Guccifer 2.0's true identity. There is absolutely nothing suspicious in my view of someone, wanting to be anonymous with respect to the US government, using a Russian VPN service.

The homepage for the Elite VPN service does come up in Russian, but even the native Chrome browser can perform a pretty good translation into English with the press of a button. Elite VPN also advertises English language support. So, it makes no sense to me to assume that the hacker(s) must be Russian to use this VPN.




The ThreatConnect blog I referenced earlier makes some additional points. They point out that the specific IP address used by Guccifer 2.0's VPN is not an IP address available to the general public.

What is an IP address? An IP address is the network address uniquely identifying a particular computer. Actually, one computer can have multiple IP addresses if it's connected to multiple networks, but that's not an important detail. Think of an IP address as the internet analog of your phone number (you might have multiple phone numbers, too). Every computer on the internet has an IP address. Some are permanent (static), and some are temporary ones that change regularly.

There is nothing esoteric about IP addresses. They are as well-understood to computing professionals as telephone numbers are to everyone else. If you were blowing the whistle on the potential President of the United States, you probably wouldn't call the press from your home phone, would you? 

ThreatConnect hasn't stumbled onto some deeply secretive data here. Anyone sophisticated enough to even use a VPN almost certainly knows that the reason they are doing so is to hide the true IP address (and therefore, location) of their real computer. Again, when you communicate with the outside world through a VPN, the outside world will only see the IP address of your VPN service's server, not your computer's address.

So, let's assess the claim about Guccifer 2.0's VPN IP address not being available to the public. Is this true? I don't know. I haven't taken the time to sign up for Elite VPN myself. Someone could try, and see if 95.130.15.34 is available as a choice on Elite VPN's user website.  But, even if it's not, I see multiple explanations for that:

  • That IP address used to be available, and was removed recently. Internet hosting providers change their servers' IP addresses constantly. Try looking up the IP addresses for common websites you use (by their domain name), and do it again in a few hours/days/weeks. The numbers change ... much more frequently than companies change phone numbers.
  • Depending on where you (the VPN user) live, Elite VPN gives you different choices for which VPN server you'd like to use. This could make sense to optimize performance, and balance traffic among their global userbase. Did ThreatConnect check which VPN server IPs were available from their own computers (in the US)? From their computers, themselves using a VPN? From France? From Romania? I didn't see that information.
I would love for someone to explain why these previous two explanations don't seem exceedingly plausible. This is important, because much of ThreatConnect's subsequent arguments hinge on this point: that Guccifer 2.0's VPN server was not a publicly available one. Why is this crucial? Because they go on to list other supposedly incriminating activity that originates from 95.130.15.34. Normally, all of the users inside a given server's VPN (e.g. that of 95.130.15.34) would be viewed as the same by the rest of the internet. Bob and Joe, if both using the 95.130.15.34 VPN, would appear indistinguishable from the perspective of internet web servers, mail servers, etc. So, if this was in fact a publicly available Elite VPN server, none of the other activity that appears to originate from 95.130.15.34 can be confidently attributed to Guccifer 2.0, or Guccifer 2.0's colleagues. They could be activities of any user who picked that same VPN server (or was assigned it by the service provider).

And, let's be clear. There are lots of shady users who choose VPNs to hide their tracks.  If this was a publicly available VPN server, then other activity coming through that server is no more attributable to Guccifer 2.0 and friends than a list of crimes that were also committed by people in my ZIP code, or phone area code, are attributable to me.
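To make the point in the VPN aside and in the two paragraphs above concrete, here is an added example (my own toy model, not anything from the original post or from ThreatConnect): a VPN exit server that rewrites every client's source address to its own, a web server that logs only what reaches it, and a function that answers "who could be behind this address?" the way an outside investigator would have to. All users, addresses and requests are constructed.

```python
"""Added example (not part of the original post): a toy model of a VPN exit
server, showing why a web server's log cannot tell apart the users behind a
shared exit IP. All hosts, users and addresses here are constructed."""
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str   # the address the receiver will see as the sender
    dst_ip: str
    payload: str


class VpnExit:
    """One VPN server: every client behind it egresses with the exit's own IP."""

    def __init__(self, exit_ip):
        self.exit_ip = exit_ip
        self.clients = {}      # client's private (tunnel) IP -> user label
        self.session_log = []  # visible only to the VPN operator

    def connect(self, user, tunnel_ip):
        self.clients[tunnel_ip] = user

    def forward(self, pkt):
        # The operator can still map the tunnel address back to a user...
        self.session_log.append((self.clients[pkt.src_ip], pkt.dst_ip, pkt.payload))
        # ...but the packet leaves carrying only the exit's public address.
        return Packet(self.exit_ip, pkt.dst_ip, pkt.payload)


class WebServer:
    """The 'outside' host: it logs whatever source address reaches it."""

    def __init__(self, ip):
        self.ip = ip
        self.access_log = []

    def receive(self, pkt):
        self.access_log.append((pkt.src_ip, pkt.payload))


def candidate_actors(seen_ip, exits):
    """Everyone who could be behind an address found in the server's log.
    If the address is a known shared exit, the answer is every client that
    used it; otherwise the address itself is the only lead."""
    for ex in exits:
        if ex.exit_ip == seen_ip:
            return set(ex.clients.values())
    return {seen_ip}


def run_scenario():
    exit_node = VpnExit("198.51.100.10")   # constructed VPN exit address
    site = WebServer("192.0.2.80")         # constructed web server
    exit_node.connect("Bob", "10.8.0.2")
    exit_node.connect("Joe", "10.8.0.3")
    # Bob does something benign; Joe does something the server might flag.
    for pkt in (Packet("10.8.0.2", site.ip, "GET /news"),
                Packet("10.8.0.3", site.ip, "POST /login bad-password")):
        site.receive(exit_node.forward(pkt))
    # A third host connects directly, without any VPN.
    site.receive(Packet("203.0.113.5", site.ip, "GET /about"))
    return {
        "server_sees": site.access_log,
        "operator_sees": exit_node.session_log,
        "suspects_for_shared_exit": candidate_actors("198.51.100.10", [exit_node]),
        "suspects_for_direct_ip": candidate_actors("203.0.113.5", [exit_node]),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The server's log records the same exit address for Bob's harmless request and Joe's failed login, so from the server's side the suspect set for anything arriving from that address is every client of the exit, which is exactly the attribution problem described above. Only the operator's own session log (the thing an outside analyst does not have) can separate the two.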

From this point, ThreatConnect proceeds to associate this IP address with others based on a digital fingerprint. Unfortunately, this association cannot be verified today as there is no longer more than one computer found with that fingerprint. This could be perpetrators covering their tracks. Or not. Again, server infrastructure changes regularly.

It is from one of these associated IP addresses that the domain name fr1.vpn-service.us is looked up. ThreatConnect then goes on to elaborately make the case that the (publicly visible) domain registration information for that domain name is now listed as an American in New York, but in 2004 was the same "American" from New-Yourk (ZIP code 35555). The registration email address from that 2004 listing is supposedly sec.service@mail.ru. The plot thickens!

No, it doesn't. Simply by knowing the domain name fr1.vpn-service.us, we know that it belongs to vpn-service.us. Visiting that website (as we did above) takes you directly to a page that makes quite clear that it's a Russian service. There's no subterfuge here. Are we to believe that Russians are trying to hide their association with fr1.vpn-service.us, despite the root site vpn-service.us advertising in full view that Russian is their primary language? This doesn't pass my smell test.

The supposedly covered tracks from the 2004 domain registration not only contain cartoonishly bad spelling and ZIP code errors, but list the contact address as "sec.service@mail.ru"?  The Russian FSB is the Federal Security Service. This would be like our NSA registering a domain in Russia and putting nat.sec@aol.com as their contact address. This frankly strains credibility. Again, the vpn-service.us domain name is clearly operated by a Russian VPN provider. This detail of a 12-year-old public domain registration record with ridiculously fake American info and a Russian email address seems likely to be one of two things:

  1. This is an FSB operation, and those conducting it are complete idiots
  2. This is anti-FSB propaganda, designed to be read by laymen who won't closely inspect details
When assessing the likelihood of either, I find it less likely that state-sponsored actors from a country with high technical sophistication are complete idiots, and more likely that US-based propagandists are relying on only gentle scrutiny from a public that has shown itself to be easily baited into supporting militarism.

Or, maybe, it is FSB and they're hoping to elicit my exact reaction: that this probably isn't FSB, because FSB can't be that stupid. Possible. But, now we're firmly into the territory of "I have no idea who did this".

Finally, we see ThreatConnect associate other shady (or just Russian) activities with the Guccifer 2.0 95.130.15.34 address, such as Russian bride scams, password hacking, and ... gasp ... using cryptocurrency (like Bitcoin). Again, this is meaningless if other people are allowed to use that same VPN. No reason to suspect association with Guccifer 2.0.  And, even if it is? My favorite is the reference to the EDR Coin cryptocurrency.  Are we to believe that one of the world's largest petro-states prefers that when its agents use digital currency to hide their tracks, they use the cryptocurrency that is environmentally friendly? (Bitcoin is not environmentally friendly, by the way). Somehow, I suspect Jill Stein is soon to be implicated in this plot! (sarcasm)


This all seems like a hodgepodge of circumstantial evidence built on conjecture blended with a combination of false flags and hilarious direct Russian references.  How can anyone draw confidence from this jumble?


2. Guccifer 2.0 and Metadata


Another main point of this argument is that one of the documents leaked by Guccifer 2.0 shows details of being viewed/edited by a Russian. 

What is metadata? For a computer document, these are details about the document itself, not about the topic the document is dealing with. Typically, the metadata would include information about computer language settings, the name of the author, or last person to modify the document, a timestamp for creation/modification, etc. This is not highly hidden data. Depending on your operating system, you can find this data either by right-clicking a file and choosing Properties; or on a Mac, Get Info would show you metadata. Inside a program like Microsoft Word, there may be additional metadata for a document.

The report is that one of Guccifer 2.0's documents shows ownership (or modification) by a Russian. But, not just any Russian. Felix Dzerzhinsky, the founder of the Soviet Union's secret police. Now, as a flaming atheist, I cannot endorse any theories that involve Felix (who is long since deceased) being involved himself! But, does this even make sense that it would be a Russian agent? Do US operatives set the login information (which determines the default metadata on new files) on their computers to use the username "J. Edgar Hoover"? Again, this seems like a joke. As a hacker-adjacent person, I know that such people love to leave slightly-hidden jokes in their work, in the hopes that one or two people with their level of knowledge laughs at the same arcane reference. This looks like a joke to me. Not even someone who wants the US authorities to think it's Russia. That's still too obvious. Someone who is literally mocking US surveillance state types, and the ease with which they can be made to jump at existential boogeymen.

I'm also skeptical of the idea that this metadata was left accidentally. I know readers may be learning about file metadata for the first time. But, it's not an esoteric topic. It's about as well-known among hackers as those IP addresses. In fact, even with my barely anonymous Twitter account, I take steps to remove metadata from files I post that are connected to my account. Here's one, done months ago. Download the file. Look for the metadata. Again, to assume that this was left accidentally and was also done by Russian agents is to think they're complete idiots ... who also have a sense of humor (?) about secret police history.
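Since the metadata aside and the paragraph above both turn on how easy document metadata is to see and to remove, here is an added example of my own (not from the original post): a Word .docx file is a zip package, and the author / last-modified-by fields live in the docProps/core.xml part. The code builds a constructed stand-in package, reads those fields, and writes a copy with them blanked. The sample names and date are made up.

```python
"""Added example (not part of the original post): read and blank the
author/last-modified-by fields in a Word (.docx) file's core properties.
A .docx is a zip package; the fields live in docProps/core.xml. The sample
package built here is a constructed stand-in, not a real document."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
CORE_PART = "docProps/core.xml"
for prefix, uri in NS.items():      # keep the usual prefixes when re-serialising
    ET.register_namespace(prefix, uri)


def build_sample_docx(creator, last_modified_by):
    """Constructed minimal package: a core-properties part plus a stub body."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "<dcterms:modified>2016-06-15T10:00:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE_PART, core)
        z.writestr("word/document.xml", "<document/>")  # stand-in for the body
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return {local-name: text} for every element in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(CORE_PART))
    return {child.tag.split("}")[-1]: (child.text or "") for child in root}


def strip_core_properties(docx_bytes, fields=("creator", "lastModifiedBy")):
    """Blank the named fields and return a new package; other parts are copied as-is."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read(CORE_PART))
    for child in root:
        if child.tag.split("}")[-1] in fields:
            child.text = ""
    cleaned_core = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = cleaned_core if item.filename == CORE_PART else src.read(item.filename)
            dst.writestr(item.filename, data)
    src.close()
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("sample-author", "sample-editor")
    print("before:", read_core_properties(doc))
    print("after: ", read_core_properties(strip_core_properties(doc)))
```

The same zip-and-XML structure is what the Properties / Get Info dialogs mentioned in the aside are reading. Note that a real document also carries identity in other parts this example does not touch (docProps/app.xml, tracked-changes authors, comments), which is why people who care about this use a dedicated scrubbing tool rather than clearing one field.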

3. US Intelligence Community


In addition to private sector cybersecurity groups like ThreatConnect and CrowdStrike, the US Intelligence community itself is cited as evidence that Russia is the culprit here.

17 Agencies


I'm not sure I've seen another claim by Politifact that they rate true, which was so obviously false (or some grade of not true).  Here are the US Intelligence Community agencies (and there's the overall supervising Director of National Intelligence office itself).

In my capacity as a defense contractor, I've worked with (not for) at least 3 of those agencies. I simply don't believe all of them would even offer an opinion on the question of whether Russia conducted these hacks. It's a Republican talking point that the government is made up of dozens of redundant agencies. In fact, these agencies do different things. They're not all involved in cybersecurity investigations.

The Coast Guard Intelligence offered an opinion on whether Russia conducted these hacks? What does this have to do with the Coast Guard?  NGIA is an agency that provides detailed map data (some of it, classified) to other military programs. How does this case have anything to do with them? The National Reconnaissance Office is responsible for airborne and spaceborne surveillance (satellite spying). FBI is one of the 17 agencies, and reportedly did not want to publicly endorse this statement.




Joint DHS/DNI Statement


The statement was remarkably brief, but pundits have turned it into much more. The key words, in my mind, were
The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. 

What this sounds like to me is the following conversation between a manager and a subordinate in the intelligence community:

(M)anager: The political climate is getting tough right now. They want us to provide a statement about Russia hacking the Democrats.

(S)ubordinate: But, we don't know who hacked the Democrats.

M: Yeah, they're not going to settle for that, right now. Is there anything that we can say about it maybe being Russia?

S: Sure, it could be Russia.

M: Still not strong enough. We know they have a motive here, right?

S: Ok, yeah. Clearly.

M: And, they could have conducted the hack in exactly this way, as we think they've done in other cases?

S: Sure, this hack looks just like a lot of other hacks.

M: So, we could say that this is "consistent with the methods and motivations of Russian-directed efforts"?

S: Well, that's pushing it, but I guess it's technically true.

M: Ok, then.

That's just my take. The Podesta hack in particular seems to have been conducted against an aging man who hasn't a clue how to conduct electronic communications securely. The Wikileaks dump indicates not only that Podesta fell for a phishing scam, but that his IT person did, too! Even if you're inclined not to believe the Wikileaks emails are authentic (despite none of them being proven to be fakes), we know that Podesta's iCloud and Twitter account were hacked this year as well.

What is phishing? Phishing refers to a category of scams where the attacker pretends to be someone, or some group, that you trust. They convince you to give your information to that group, after which the attacker will use that information to steal something of value to you. The most popular variant of this is an email to you that claims to be from your email provider (Google, Yahoo, Hotmail, etc.) or your bank. They claim there's a problem that requires you to log in to your account to address. They offer you a link that takes you not to the real bank/email website, but to an attacker's website, that has been designed to look exactly like the real one. You enter your username and password into this (fake) website's authentication form, and they now have the credentials needed to log in to your real account. At that point, your money or email may be stolen.  You should familiarize yourself with this attack. I literally get them every day. Once you learn two or three things, they're easy to defeat.
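One of the "two or three things" is checking where a link really goes. As an added example of my own (not from the original post), here is a small checker that pulls every link out of an HTML email and flags the ones whose visible text shows one domain while the real target is another, or whose target does not belong to the domain the message claims to come from. The email is constructed, and the "owner's domain is the last two labels" rule is a deliberate simplification I'm assuming here (a real tool would use a public-suffix list).

```python
"""Added example (not part of the original post): flag links in an HTML
e-mail whose visible text or real destination does not match the domain
the message claims to come from. The e-mail below is constructed; the
registrable-domain logic (last two labels, no public-suffix list) is an
assumption of this example, not a general rule."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of bare text such as 'login.example.com/'."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def registrable_domain(host):
    """Assumption: the last two labels are the owner's domain (no suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    return "." in text and " " not in text


def suspicious_links(html, claimed_sender_domain):
    """Return the anchors a reader should distrust, with the reason for each."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = registrable_domain(host_of(href))
        reasons = []
        if looks_like_url(text) and registrable_domain(host_of(text)) != target:
            reasons.append("visible text shows a different domain than the real target")
        if target != claimed_sender_domain.lower():
            reasons.append("target domain does not belong to the claimed sender")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a message claiming to be an account alert from example.com.
SAMPLE_EMAIL = """
<p>We detected unusual sign-in activity. Please review your account:</p>
<a href="http://login.example.com.security-check.invalid/reset">https://login.example.com/</a>
<p>Questions? Visit our <a href="https://support.example.com/help">help center</a>.</p>
<p>Or the <a href="http://198.51.100.23/portal">support portal</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "example.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

In the sample, the first link is the classic trick: the text reads like the real site, but the hostname puts "login.example.com" in front of an entirely different owner's domain. The help-center link is fine, and the bare-IP link is flagged because it belongs to no domain at all. Hovering over a link before clicking it shows a person the same thing the checker is computing.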

In other words, John Podesta's computing security is appallingly bad. Anyone could have hacked him. Therefore, the statement that this was "consistent with methods" could be applied not only to Russia, but any other group conducting hacking operations. Podesta appears to have fallen for the most basic of all scams. I see no indication that nation-state-level sophistication was required here. Drumming up stories about Russia provides some cover for what should be an embarrassment, not only for Podesta, but for the Clintons, who've themselves been lax with their own computing security.

US Propaganda


Finally, we need to tackle the elephant in the room. This exceedingly looks to me like members of the US government, and/or supporters of Hillary Clinton, are themselves guilty of influencing the public with false propaganda. As near as I can tell, they've done so with considerably greater reach and effect than Russia.




(to be continued)




References

Here are some of the documents I used in assessing these claims:








