DNC and FBI Fight Over Forensics – Some Tips

Politics being what it is, the FBI and DNC, a year after the attack on the DNC, are fighting over who did what and when.  Since everyone in Washington has to cover their rear ends, it is no particular surprise that accusations are flying, especially after Comey’s “We are investigating Clinton again …. oh, false alarm” letters to Congress a few days before the election.

Now the issue is whether the DNC gave “direct access” to their servers or not.

An anonymous official says that the FBI asked for direct access to the servers and data and was rebuffed until the initial compromise had been mitigated.

The DNC told Buzzfeed that the FBI never asked for direct access after the breach.

Leo Taddeo, a former Special Agent in Charge of the FBI’s New York office cyber division told the Hill that it is not unusual for the FBI to bypass a direct examination of a hacked server.  He said that in 9 out of 10 cases they don’t ask for access to a victim’s infrastructure.  “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Taddeo said, basically, that unless they think the victim wants to hide something, there is no reason why a bit-for-bit image of the server isn’t just as good as the original server.  AND, if they don’t touch the server, they can’t be accused of planting their own malware (after all, the FBI has been accused of that on more than one occasion, and back in the dark ages Director J. Edgar Hoover was well known for planting bugs on people he didn’t like).  They also can’t be accused of breaking anything.

Given how much of a political hot potato this investigation was and continues to be, NOT getting direct access is probably the smart thing for the FBI to do.  Of course, that doesn’t mean that someone isn’t going to second guess them.

If the former Special Agent in Charge of the FBI’s New York Cyber Division says that in 99 out of 100 cases, an image is sufficient, I tend to believe him over some anonymous source who says it is not.

DNC deputy communications director Eric Walker said that the FBI never requested access to the servers.

The DNC hired CrowdStrike, certainly a well known and respected incident response and mitigation firm, to repair the damage.  I have no reason to believe that CrowdStrike didn’t follow generally accepted incident response practices, which in this case would include making a bit-for-bit copy of every disk of every relevant server.

No one says that images were not made and no one says that images were not shared with the FBI, so given how political this has turned out, I am reasonably sure that images were both made and shared.

Also remember – and this is just me asking WHY – the DNC was using Gmail, which dramatically reduces anyone’s ability to do forensics.  After all, you are not going to go to Mountain View and ask Google if you can image their servers.  Not. Gonna. Happen.

But there certainly are lessons to be learned.

The FBI says that they contacted the DNC about a nation state breach of its systems.  Apparently, the outsourced tech support contractor who fielded the call was unsure whether the special agent was really from the FBI or a fraud.  For weeks, the FBI says, they continued to call the DNC with no response.

Lesson 1 – a contractor should not have the authority to make a decision about something as potentially life altering as a nation state attack.  In your organization, you need to have a policy, procedure and practice to walk – no RUN – that down the hall to the executive team and let them make that decision.

Lesson 2 – The contractor could always have gotten the agent’s name and called the switchboard at FBI headquarters to confirm that such an agent worked there, then used that mechanism (and NOT a phone number that the agent might have given him) to contact the agent back and find out whether the threat was real – and give that information to the executive team.

IN MY OPINION, given the prevalence of hacks, a low level employee should NEVER make a decision about things like that.

Lesson 3 – According to Google Maps, FBI HQ is, at most, 1.5 miles walking distance from DNC HQ.  If the FBI thinks ANY company is being hacked and they are not getting a response from some phone calls, I PROMISE they will get a response if they walk into the company’s lobby, flash their FBI badge and ask to speak to the CEO.

So in this case, while I absolutely fault the DNC and especially the tech support contractor, I fault the FBI even more.  Sorry.

For companies who are worried about giving proprietary information to law enforcement, here are a couple of tips.

Tip 1 – Separate software and data.  If no data is stored on the server, then when law enforcement makes a copy of that server, very little data is collected.

Tip 2 – Encryption.  Servers should be encrypted.  If you make a bit-for-bit image of a server, the copy will also be encrypted.  You can then choose to control who you give the encryption key(s) to, and under what conditions.

Tip 3 – Encryption 2.  Data should also be encrypted.  The data should be encrypted with different keys than the servers are encrypted with.  In fact, multiple encryption keys for the data are better – some software uses a different key for each file.  Again, this gives you the ability to control actual access to the data.

Is encryption perfect?  No.  Especially if the encryption keys are stored on the server. Unencrypted.  I hate to say how many times encryption keys are stored unencrypted in configuration files.
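To make Tips 2 and 3 and the caveat concrete, here is an added illustration (my own example, not anything the DNC or CrowdStrike used): each file gets its own data key, every data key is stored on the server only wrapped under a key-encryption key that lives off the server, and handing over the image plus a few unwrapped keys discloses only the files you choose. The cipher inside is a stand-in built from HMAC-SHA256 so it runs with the standard library; the key handling is the point.

```python
import hashlib
import hmac
import secrets

# Demo cipher only (HMAC-SHA256 keystream + encrypt-then-MAC); real code uses an AEAD like AES-GCM.
def _xor_stream(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"ks" + nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return {"nonce": nonce, "ct": ct, "tag": hmac.new(key, b"auth" + nonce + ct, hashlib.sha256).digest()}

def unseal(key, blob):
    expected = hmac.new(key, b"auth" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _xor_stream(key, blob["nonce"], blob["ct"])

class DataStore:
    """Simulates the server disk: per-file ciphertext plus each file's DEK wrapped under the off-server KEK."""
    def __init__(self):
        self.files = {}  # exactly what a bit-for-bit image would capture; the KEK is never written here
    def put(self, kek, name, plaintext):
        dek = secrets.token_bytes(32)  # a fresh data-encryption key for every file
        self.files[name] = {"data": seal(dek, plaintext), "wrapped_dek": seal(kek, dek)}
    def disclose(self, kek, names):
        """Unwrap and hand over DEKs for only the named files; everything else stays sealed."""
        return {n: unseal(kek, self.files[n]["wrapped_dek"]) for n in names}
    def read(self, dek, name):
        return unseal(dek, self.files[name]["data"])

def wrong_key_rejected(store, name):
    """True if reading with a random (wrong) key fails authentication instead of returning garbage."""
    try:
        store.read(secrets.token_bytes(32), name)
        return False
    except ValueError:
        return True

def demo():
    kek = secrets.token_bytes(32)  # constructed here; in practice held off-server in an HSM or KMS
    store = DataStore()
    store.put(kek, "donors.csv", b"alice,100")  # constructed sample records
    store.put(kek, "memo.txt", b"internal memo")
    return store, store.disclose(kek, ["memo.txt"])  # only memo.txt's key is handed over
```

If the KEK had been dropped into a config file on the same disk, the image alone would unlock every file, which is exactly the unencrypted-keys-on-the-server failure above.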

In the FBI’s defense, the anonymous source said the DNC was recalcitrant and difficult to work with.  Given the political nature of this election and the history between Clinton and the FBI, that is not completely surprising, if it is true.

It is not uncommon for lawyers of private companies to deny requests for law enforcement to access their servers.  After all, what could go wrong?  And certainly the FBI wouldn’t pay to fix the damage or lost revenue.  If a company is in control, they also control the damage.

Comey wishes that people would trust the FBI more, but I think the FBI is challenged in this area.  Technology moves VERY quickly and the FBI moves a little more slowly.  How do you get an organization as old and large as the FBI to turn on a dime when even profit motivated private companies don’t do that very well?

We live in interesting times!

Information for this post came from The Hill.
