Tag Archives: Biden

Forensics – Proving a Negative

Note: I am going to try and keep this as non-political as possible.

Just weeks before the presidential election, a New York newspaper published documents that it claimed belonged to Hunter Biden and that supposedly documented potentially illegal business dealings he had in China and Ukraine (article here).

I grew up in New York, and even when I was a kid the New York Post was not exactly considered a newspaper of record, if you get what I mean. That, by itself, raises alarm bells.

As the story goes, Hunter supposedly took some MacBooks full of incriminating documents to a Mac repair shop in Wilmington, DE, did not provide any identification, and then abandoned them there. I have never claimed to be the brightest light bulb in the chandelier, but if I had a couple of computers full of sensitive stuff, would I just take them to the local computer store and say "fix them"? And then abandon them?

The New York Post claims that the repair shop gave them a copy of the hard drive that Hunter abandoned there (why?), and that it was passed to Rudy Giuliani, who gave it to the feds. Credit: Slate

One possibility is that everything in these stories is 100% true. Another possibility is that the Post was set up by someone, say, maybe the Russian GRU spy agency.

In any case, as often happens after a breach or a leak, forensics experts are called in to try to validate what happened.

They have to figure out whether the documents are real or forged. With some of today's technology, that can be hard to determine.

For example, one of the most explosive emails released by the Post was, curiously, published in a way that hid one important verification tool: the DomainKeys Identified Mail (DKIM) signature. DKIM is a header added by the sending domain's mail server; it holds a signature over selected headers plus a hash of the message body, made with a private key whose public half the domain publishes in DNS. Anyone holding the complete raw message can recompute the body hash and check the signature, which would at least show that a message with exactly this content passed through that domain's mail system. Anyone holding only a rendering of the message cannot. The metadata that was displayed also raises the question of whether the file was the original or a doctored copy. If it was doctored, who doctored it: the Russians? Some middleman? The Post? Unknown.

“You’re trying to prove a negative,” said Mike Weber, vice president of innovation at Coalfire. “It’s hard to prove data was never on your network.”

Is it possible to digitally sign documents? Sure; for example, many of us have used DocuSign to sign a document electronically. However, out of the tens of thousands of documents (including emails, text messages and computer files) that you have touched, say, in the last year, how many were digitally signed by DocuSign or a competitor? I bet it is a tiny percentage, bordering on zero.

Even organizations like the Defense Department don’t sign everything.

The average person probably has no idea how any of that works and certainly isn't going to spend a lot of money to use it. And if the documents were incriminating, might you encrypt them so that, say, a random computer repair person couldn't read them?

It is true that companies like Best Buy work closely with the FBI, but they are looking for more obvious crimes like child pornography, not memos that only make sense to someone with a lot of context.

Weber continues: Even in diligently designed systems, hackers could use access to a network to plant a document to meet the non-repudiation checks, cryptographic keys might fall out of a company’s control, and hackers could claim damaging leaked documents came from a vendor outside the encryption system.

And that, Weber says, assumes the most expensive, best implemented system of signatures and back-ups and evidence building is in place.

In this case, the Post did not make the DKIM signatures available. DKIM is not perfect. A valid signature proves only that a message with exactly this content passed through the signing domain's mail system, not who wrote it; a leaked or weak (short) signing key, or an attacker who can send mail through the signing domain, defeats it, and that is well within the means of an organization like the GRU. Still, a signature that verifies against the exact headers and body is a first line of confirmation, and one that cannot be checked at all from a screenshot or a retyped copy.
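The DKIM check that the paragraphs above lean on (the one the Post's publication format made impossible) comes down to two computations over the raw message: recompute the body hash and compare it to the bh= tag, then rebuild the exact bytes the signer's key covered and verify the b= signature against the key published in DNS. The following is an added example, not code from the original post or from any mail library; it implements the RFC 6376 canonicalization rules and the bh= comparison, and stops short of the RSA step, which needs a DNS lookup and an RSA library. The sample message, the sender addresses, the selector `s1` and the placeholder `b=` value are all constructed for the demonstration.

```python
"""Verify the body hash (bh=) of a DKIM-signed message and rebuild the bytes
the signer's key signed, following RFC 6376 canonicalization rules.

Added example, not code from the original post. The sample message below is
constructed: its bh= is computed here, and its b= is a placeholder because
there is no real signing key. The final step, checking b= against the RSA key
published in DNS at <s>._domainkey.<d>, needs a DNS lookup and an RSA library
and is not performed here.
"""
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Split 'k=v; k2=v2' into a dict; folding whitespace inside bh=/b= is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        k, v = k.strip(), v.strip()
        tags[k] = re.sub(r"\s+", "", v) if k in ("bh", "b") else v
    return tags


def split_message(raw: str):
    """Return ([(name, raw_value)], body), all with CRLF line endings.
    Folded continuation lines keep their CRLF+WSP so 'simple' header
    canonicalization can reproduce the header byte for byte."""
    raw = raw.replace("\r\n", "\n").replace("\n", "\r\n")
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            name, val = headers[-1]
            headers[-1] = (name, val + "\r\n" + line)
        else:
            name, _, val = line.partition(":")
            headers.append((name, val))
    return headers, body


def canon_body(body: str, mode: str) -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.split("\r\n")
    if mode == "relaxed":   # collapse WSP runs, drop trailing WSP on each line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":   # ignore empty lines at the end
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def canon_header(name: str, value: str, mode: str) -> str:
    """RFC 6376 3.4.1 (simple) / 3.4.2 (relaxed) header canonicalization."""
    if mode == "simple":
        return f"{name}:{value}\r\n"
    value = value.replace("\r\n", "")                      # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")      # collapse WSP
    return f"{name.lower().strip()}:{value}\r\n"


def dkim_check(raw: str) -> dict:
    """Check bh= against the body and rebuild the signed data for b=."""
    headers, body = split_message(raw)
    sig_idx = next((i for i, (n, _) in enumerate(headers)
                    if n.lower() == "dkim-signature"), None)
    if sig_idx is None:
        raise ValueError("no DKIM-Signature header")
    sig_name, sig_value = headers[sig_idx]
    tags = parse_tags(sig_value.replace("\r\n", ""))
    hc, _, bc = tags.get("c", "simple/simple").partition("/")
    bc = bc or "simple"
    algo = "sha1" if tags.get("a") == "rsa-sha1" else "sha256"
    cbody = canon_body(body, bc)
    if "l" in tags:                     # optional body length limit
        cbody = cbody[:int(tags["l"])]
    computed_bh = base64.b64encode(hashlib.new(algo, cbody).digest()).decode()

    # Signed data: each h= header, chosen bottom-up and used once, then the
    # DKIM-Signature header itself with the b= value emptied, no trailing CRLF.
    pool = [h for i, h in enumerate(headers) if i != sig_idx]
    signed = ""
    for want in tags["h"].split(":"):
        want = want.strip().lower()
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].strip().lower() == want:
                signed += canon_header(*pool.pop(i), hc)
                break
    sig_no_b = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    signed += canon_header(sig_name, sig_no_b, hc).rstrip("\r\n")
    return {
        "body_hash_ok": computed_bh == tags.get("bh"),
        "computed_bh": computed_bh,
        "claimed_bh": tags.get("bh"),
        "signed_data": signed.encode("utf-8"),
        "dns_key_name": f"{tags.get('s')}._domainkey.{tags.get('d')}",
    }


# --- constructed sample (not a real message) ---------------------------------
SAMPLE_BODY = "Hi,\r\n\r\nThe  wire  is approved.\r\n\r\n-- Joe\r\n\r\n\r\n"


def build_sample(body: str, selector: str = "s1", domain: str = "example.com") -> str:
    """Build a message whose bh= matches `body` (b= is a placeholder)."""
    bh = base64.b64encode(hashlib.sha256(canon_body(body, "relaxed")).digest()).decode()
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector};\r\n"
        f" h=from:to:subject:date; bh={bh};\r\n b=PLACEHOLDER\r\n"
        "From: Joe <joe@example.com>\r\nTo: Bob <bob@example.net>\r\n"
        "Subject: Re: deal\r\nDate: Mon, 19 Oct 2020 09:00:00 -0400\r\n\r\n" + body
    )


def demo() -> tuple:
    """(intact, doctored wording, reflowed whitespace) -> (True, False, True)."""
    msg = build_sample(SAMPLE_BODY)
    doctored = msg.replace("is approved", "is not approved")
    reflowed = msg.replace("The  wire  is", "The wire is")   # relaxed ignores this
    return tuple(dkim_check(m)["body_hash_ok"] for m in (msg, doctored, reflowed))


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing. A doctored word in the body breaks the bh= match immediately, while mere whitespace reflow does not under relaxed canonicalization, which is why a verifier needs the raw message rather than a print-out. And a matching bh= on its own proves nothing: the `signed_data` bytes still have to be checked against the selector's public key, and an attacker who controls that key, or who can send through the signing domain, can produce a valid signature over anything.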

This is the process that forensics experts deal with every day, whether they are working for a company that got breached, as part of a lawsuit or, as in this case, as part of a political campaign.

I am not going to make an assessment about this beyond my earlier comment about the Post; that is not the point of this post. What I am trying to point out is that attribution and validation are hard under the best of conditions.

In this case, since Rudy supposedly gave the disk to the FBI, the FBI has access to some of the best forensics resources in the world, if it decides that is appropriate, and likely to the resources of the National Security Agency, home to some of the best security experts in the world.

But there is another problem. Anyone who has watched a cop show on TV knows that the defense attorney gets his client off by claiming that the chain of evidence was not maintained. From a computer repair shop in Delaware, to someone, to the Post, to Rudy, to whoever: there is no documented chain of custody. A forensic examiner normally hashes an image at the moment it is acquired and records every handoff against that hash, so the copy on the bench can be shown to be byte for byte what was collected. Without such a record there is no way to show that the data being analyzed is the data that sat on the abandoned machine, which makes things very difficult to validate.
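What a maintained chain of custody looks like in practice, as an added example that is not part of the original post: the image is hashed when it is acquired, every handoff re-hashes it and is recorded, and each record carries the hash of the one before it, so a reviewer can later detect a swapped image, an edited entry or a missing link. The roles (`repair shop`, `courier`, `lab`), the timestamps and the "disk image" bytes are all constructed for the demonstration.

```python
"""Hash-chained chain-of-custody record for a forensic disk image.

Added example, not from the original post. It shows the two things a custody
record has to let a later reviewer prove: the image examined is byte for byte
the image acquired (image hash recorded at acquisition and re-checked at every
handoff), and no custody entry was altered or dropped (each entry carries the
hash of the previous one). Roles, timestamps and the "image" are constructed.
"""
import hashlib
import io
import json
import time
from typing import BinaryIO, Optional

GENESIS = "0" * 64   # prev-entry hash of the first record


def sha256_of(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Stream the image through SHA-256 so multi-GB images are not read at once."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash of an entry over canonical JSON, excluding its own digest field."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: list = []

    def _append(self, action: str, image_sha256: str, holder: str,
                receiver: str, when: Optional[float], note: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "action": action,
            "image_sha256": image_sha256,
            "holder": holder,          # who hands the image over
            "receiver": receiver,      # who takes it
            "when": time.time() if when is None else when,
            "note": note,
            "prev_entry_sha256": self.entries[-1]["entry_sha256"] if self.entries else GENESIS,
        }
        entry["entry_sha256"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def acquire(self, image: BinaryIO, holder: str, when=None, note="") -> dict:
        return self._append("acquire", sha256_of(image), holder, holder, when, note)

    def transfer(self, image: BinaryIO, holder: str, receiver: str, when=None, note="") -> dict:
        return self._append("transfer", sha256_of(image), holder, receiver, when, note)

    def verify(self, image: BinaryIO) -> list:
        """Return a list of problems; an empty list means record and image check out."""
        if not self.entries or self.entries[0]["action"] != "acquire":
            return ["no acquisition entry"]
        problems, prev = [], GENESIS
        acquired = self.entries[0]["image_sha256"]
        for e in self.entries:
            if e["prev_entry_sha256"] != prev:
                problems.append(f"entry {e['seq']}: chain broken (entry missing or reordered)")
            if entry_digest(e) != e["entry_sha256"]:
                problems.append(f"entry {e['seq']}: entry altered after it was written")
            if e["image_sha256"] != acquired:
                problems.append(f"entry {e['seq']}: image hash differs from acquisition")
            prev = e["entry_sha256"]
        for a, b in zip(self.entries, self.entries[1:]):
            if b["holder"] != a["receiver"]:
                problems.append(f"entry {b['seq']}: handed off by {b['holder']}, "
                                f"but {a['receiver']} was the last recorded holder")
        if sha256_of(image) != acquired:
            problems.append("image presented for analysis differs from the acquisition hash")
        return problems


def demo() -> tuple:
    """Intact record -> []; altered image -> 1 problem; edited entry -> 2 problems."""
    image = b"CONSTRUCTED disk image bytes, not a real image\n" * 2000
    log = CustodyLog()
    log.acquire(io.BytesIO(image), "repair shop", when=1000, note="dd of abandoned SSD")
    log.transfer(io.BytesIO(image), "repair shop", "courier", when=2000)
    log.transfer(io.BytesIO(image), "courier", "lab", when=3000)
    clean = log.verify(io.BytesIO(image))
    altered_image = log.verify(io.BytesIO(image.replace(b"bytes", b"BYTES", 1)))
    log.entries[1]["receiver"] = "someone else"   # edit a record after the fact
    edited_record = log.verify(io.BytesIO(image))
    return clean, altered_image, edited_record


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

The log itself is only as trustworthy as the people writing it, which is why real custody records are also signed or witnessed at each step; the hashing shown here guarantees that any later edit or substitution is detectable, not that the first entry was honest. That is exactly the gap in the story above: no acquisition hash, no handoff record, nothing for an examiner to verify against.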

We also need to be careful not to take everything we read at face value. Maybe something is valid, and maybe it is not.

This does not mean that the Post is lying. I don't know. It is certainly possible that they were set up; after all, the reporters at the Post are likely not security experts. A reporter presented with a potentially prize-winning story, or wanting to beat out the competition, has to decide (along with his or her editor) whether to run it. Anyone remember the "Dewey Defeats Truman" headline in 1948? Being first is not always best. But if you are first and right, that can be a career maker.

Forensics is part science and part art, and it usually operates in less than optimal conditions. For more details see this article.

Minneapolis City Web Sites Hit by Denial of Service Attacks

Last Thursday, early in the morning, a number of City of Minneapolis web sites were taken down by denial of service attacks. The attacks were short-lived, and the city was able to restore most of the services within a few hours. It is certainly possible that we will see more cyberattacks used as a way to continue civil disobedience. Credit: The Hill

GA Gov. Kemp’s (R) Claims that Dems Hacked his SoS Web Site In 2018 Are False

Two days before the 2018 election, then-Georgia Secretary of State Kemp opened an investigation into what he said was a failed attempt by the Democratic Party to hack voter registration systems.

Newly released case files from the GBI say that there was no such hacking attempt. The report says that Kemp confused an authorized, planned security scan by the Department of Homeland Security with a hack; Kemp's own CIO had approved the DHS scan.

The GBI did say that there were significant security holes in the web site at the time, even though Kemp said that the patches applied to the web site two days before the election were standard practice. No one in their right mind would make changes to critical election systems two days before an election unless it was an emergency. Credit: Atlanta Journal Constitution

Chinese and Iranians Hacking Biden and Trump

Google's Threat Analysis Group (TAG) warned the campaigns that it was seeing Chinese attackers targeting Biden's campaign and Iranian attackers targeting Trump's. So far there is no sign of compromise, but there are still months to go before the election. Not only is there lots of information to steal, but the attackers have the possibility of impacting the election or causing voters to lose trust in the process. Credit: SC Magazine

FBI Says Big Business Email Compromise Attacks on the Upswing

The FBI has received reports of multiple fraudulent-invoice BEC attacks in April and May. In one case, hackers exploited a trusted vendor relationship with a transportation company to steal $1.5 million. The FBI is reporting incidents across different industries, so caution is advised. Credit: FBI Liaison Information Report 200605-007, security level GREEN.