Tag Archives: DNC Hack

DNC and FBI Fight Over Forensics – Some Tips

Politics being what it is, the FBI and DNC, a year after the attack on the DNC, are fighting over who did what and when.  Since everyone in Washington has to cover their rear ends, it is not particularly surprising, especially after Comey’s “We are investigating Clinton again …. oh, false alarm” letters to Congress a few days before the election, that accusations are flying.

Now the issue is whether the DNC gave “direct access” to their servers or not.

An anonymous official says that the FBI asked for direct access to the servers and data and was rebuffed until the initial compromise had been mitigated.

The DNC told Buzzfeed that the FBI never asked for direct access after the breach.

Leo Taddeo, a former Special Agent in Charge of the FBI’s New York office cyber division told the Hill that it is not unusual for the FBI to bypass a direct examination of a hacked server.  He said that in 9 out of 10 cases they don’t ask for access to a victim’s infrastructure.  “We usually ask for the logs and images, and 99 out of a hundred times, that’s sufficient.”

Taddeo said, basically, that unless they think the victim wants to hide something, there is no reason why a bit-for-bit image of the server isn’t just as good as the original server.  AND, if they don’t touch the server, they can’t be accused of planting their own malware (after all, the FBI has been accused of that on more than one occasion and back in the dark ages, Director J. Edgar Hoover was well known for planting bugs to hack people he didn’t like).  They also can’t be accused of breaking anything.

Given how much of a political hot potato this investigation was and continues to be, NOT getting direct access is probably the smart thing for the FBI to do.  Of course, that doesn’t mean that someone isn’t going to second guess them.

If the former Special Agent in Charge of the FBI’s New York Cyber Division says that in 99 out of 100 cases, an image is sufficient, I tend to believe him over some anonymous source who says it is not.

DNC deputy communications director Eric Walker said that the FBI never requested access to the servers.

The DNC hired CrowdStrike, certainly a well known and respected incident response and mitigation firm, to repair the damage.  I have no reason to believe that CrowdStrike didn’t follow generally accepted incident response practices, which in this case would include making a bit-for-bit copy of every disk of every relevant server.

No one says that images were not made and no one says that images were not shared with the FBI, so given how political this has turned out, I am reasonably sure that images were both made and shared.

Also remember – and this is just me asking WHY – the DNC was using GMail, which dramatically reduces anyone’s ability to do forensics.  After all, you are not going to go to Mountain View and ask Google if you can image their servers.  Not. Gonna. Happen.

But there certainly are lessons to be learned.

The FBI says that they contacted the DNC about a nation state breach of its systems.  Apparently, the outsourced tech support contractor who fielded the call was unsure whether the special agent was really from the FBI or a fraud.  For weeks, the FBI says, they continued to call the DNC with no response.

Lesson 1 – a contractor should not have the authority to make a decision about something as potentially life altering as a nation state attack.  In your organization, you need to have a policy, procedure and practice to walk – no RUN – that down the hall to the executive team and let them make that decision.

Lesson 2 – The contractor could always have gotten the agent’s name and called the switchboard at FBI headquarters to confirm that such an agent worked there, and used that mechanism (and NOT a phone number that the agent might have given him) to contact the agent back to see if the threat was real – and give that information to the executive team.

IN MY OPINION, given the prevalence of hacks, a low level employee should NEVER make a decision about things like that.

Lesson 3 – According to Google Maps, FBI HQ is, at most, 1.5 miles walking distance from DNC HQ.  If the FBI thinks ANY company is being hacked and they are not getting a response from some phone calls, I PROMISE they will get a response if they walk into the company’s lobby, flash their FBI badge and ask to speak to the CEO.

So in this case, while I absolutely fault the DNC and especially the tech support contractor, I fault the FBI even more.  Sorry.

For companies who are worried about giving proprietary information to law enforcement, here are a couple of tips.

Tip 1 – Separate software and data.  If no data is stored on the server, then when law enforcement makes a copy of that server, very little data is collected.

Tip 2 – Encryption.  Servers should be encrypted.  If you make a bit-for-bit image of an encrypted server, the copy is also encrypted.  You then control who gets the encryption key(s), and under what conditions.

Tip 3 – Encryption 2.  Data should also be encrypted, with different keys than the servers are encrypted with.  In fact, multiple encryption keys for the data are better – some software uses a different key for each file.  Again, this gives you the ability to control actual access to the data.

Is encryption perfect?  No.  Especially if the encryption keys are stored on the server. Unencrypted.  I hate to say how many times encryption keys are stored unencrypted in configuration files.

In the FBI’s defense, the anonymous source said the DNC was recalcitrant and difficult to work with.  Given the political nature of this election and the history between Clinton and the FBI, that is not completely surprising, if it is true.

It is not uncommon for lawyers of private companies to deny requests for law enforcement to access their servers.  After all, what could go wrong?  And certainly the FBI wouldn’t pay to fix the damage or lost revenue.  If a company is in control, they also control the damage.

Comey wishes that people would trust the FBI more, but I think the FBI is challenged in this area.  Technology moves VERY quickly and the FBI moves a little more slowly.  How do you get an organization as old and large as the FBI to turn on a dime when even profit motivated private companies don’t do that very well?

We live in interesting times!

Information for this post came from The Hill.


Why Employee Training is a CRITICAL Component of Security Training

According to Buzzfeed, nine days after Hillary Clinton had won big on Super Tuesday, the Russians launched their cyber attack on her campaign.

The Russians sent malicious emails to all of her senior campaign staff.  The emails looked like standard Google GMail emails alerting them to suspicious activity on their accounts and asked them to click on the link.  The link led to a page, likely hosted in Russia, that looked very much like a GMail password reset page – unless they checked the address in the address bar.

As soon as they entered their email and password, the Russians had full, unfettered access to all of their emails from that point forward.

POINT #1: Call me paranoid, but from a security standpoint does it really make sense to use GMail for the official campaign email system for a presidential campaign?  Sure, that makes sense for Uncle Joe in Pittsburgh, but did it never occur to anyone that this might not be very smart?

POINT #2:   Did campaign workers receive any cyber security training?  That is a pretty normal phishing technique.  Out of all the people who received these emails, did not even one of them question it?

POINT #3:  If they did question it, did the campaign have a chief cyber security staffer to send the concern to?  Not physical security, but cyber security.

But I digress….

Since that worked so well, the Russians tried the same trick with the Democratic National Committee.

POINT #4:  Did (or does) the DNC train its people on phishing?

And then, being successful beyond their dreams, they tried the same trick with the Democratic Congressional Campaign Committee.

POINT #5:   I am not even going to ask.

By mid June, the first leak had been identified and the DNC emails started coming to light.

I assume that others started to panic at this point and those who didn’t use email (like Trump, apparently) were laughing.

The group that orchestrated this is known as APT 28 or Fancy Bear, but there is nothing fancy about this attack.  In fact, a fifth grader could have likely done it.

In a rare display of political annoyance, the White House definitively said last week that Russia did this.  There was no beating around the bush.  The Department of Defense piled on.  I am sure that there is a fair bit of classified evidence, but apparently, the government was convinced enough to publicly blame Putin.

If you want more details, please read the Buzzfeed article below, but for the purposes of this post, this is sufficient.

After reading this, I have a few thoughts and those thoughts apply to everyone – political parties on any side of the fence, businesses or private citizens.

THOUGHT #1 : Email is private – until you hit the send button.  Beyond that, all bets are off.

THOUGHT #2: If you would be concerned, embarrassed or thrown in jail if that email appeared on the front page of the New York Post (or Wall Street Journal), DO NOT SEND IT!  You just cannot guarantee what will happen after you hit the send button.

THOUGHT #3:  At the very least, a private email server gives you some more control and the ability to monitor traffic.  BUT ONLY IF YOU DO IT RIGHT.  It is 10 times easier to do it wrong than to do it right.

THOUGHT #4: Encrypted email (and I don’t mean SSL based web mail) also helps, but again, the devil is in the details.  I have a few patents with my name on them in this area, so I think I understand the problem, what works and what doesn’t work.

THOUGHT #5: Training is critical.  Really.  Human beings are always the weak spot.  Period.  Invest in training.

THOUGHT #6: Monitoring and alerting is the next most critical thing.  If, by chance, the Ruskies accidentally logged in from Russia, alarm bells should have gone off.  There is no monitoring for users of GMail.  You are on your own.
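An added example of the monitoring Thought #6 calls for (written for this post, not code from the original or from any mail provider): a small Go monitor that reads successful logins from an authentication log, raises an alert for any login from a country outside an allow list, and a second alert when one user’s successful logins come from two different countries. The log format, user names and addresses are constructed for the example.

```go
package main

import "strings"

// SampleLog is a constructed authentication log in a simple key=value format;
// the users and addresses are made up, not real DNC or Google data.
var SampleLog = strings.TrimSpace(`
2016-03-19T14:02:11Z user=staffer1@example.org src=198.51.100.23 country=US result=success
2016-03-19T14:05:40Z user=staffer2@example.org src=198.51.100.24 country=US result=success
2016-03-19T21:17:03Z user=staffer1@example.org src=203.0.113.7 country=RU result=failure
2016-03-19T21:17:45Z user=staffer1@example.org src=203.0.113.7 country=RU result=success
`)
// Login is one parsed authentication event.
type Login struct{ Time, User, Src, Country, Result string }

// parseLogin reads one line of the format above; a malformed line yields ok=false and is skipped.
func parseLogin(line string) (l Login, ok bool) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return l, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, found := strings.Cut(f, "="); found {
			kv[k] = v
		}
	}
	l = Login{fields[0], kv["user"], kv["src"], kv["country"], kv["result"]}
	return l, l.User != "" && l.Country != "" && l.Result != ""
}
// SuspiciousLogins returns one alert per successful login from a country not on
// the allow list, and one per user whose successful logins span two countries.
func SuspiciousLogins(lines []string, allowed map[string]bool) []string {
	var alerts []string
	first := map[string]string{} // user -> country of first successful login
	for _, line := range lines {
		l, ok := parseLogin(line)
		if !ok || l.Result != "success" {
			continue
		}
		if !allowed[l.Country] {
			alerts = append(alerts, l.Time+" "+l.User+" signed in from "+l.Country+" via "+l.Src)
		}
		if prev, seen := first[l.User]; !seen {
			first[l.User] = l.Country
		} else if prev != l.Country {
			alerts = append(alerts, l.Time+" "+l.User+" changed country "+prev+" -> "+l.Country)
		}
	}
	return alerts
}
```

Run against the sample with an allow list of just US, the failed attempt from RU is ignored and the successful one produces both alerts; in practice the alerts feed a pager, not a log nobody reads.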

THOUGHT #7:  I like Sergey Brin and Larry Page.  Google is a great search engine.  Not so much is it a great enterprise email solution, even though they would argue with me.  Vehemently.  But then, I am calling their baby ugly.  U.G.L.Y!  Sorry.

THOUGHT #8, 9 and 10:  If security and privacy are important to your organization – and they may not be – then treat them that way.  Find the expertise and hire it (#8).  Listen to what they tell you to do (#9).  And tell your users that this is not a democracy and they don’t get a vote on whether or not to follow the security policies (#10).

I know that is harsh, but the question is, are security and privacy important to you?

Information for this post came from Buzzfeed.