Tag Archives: Politics

Forensics – Proving a Negative

Note: I am going to try and keep this as non-political as possible.

Just weeks before the presidential election, a New York newspaper published documents that it claimed belonged to Hunter Biden and that supposedly documented potentially illegal business dealings he had in China and Ukraine (article here).

I grew up in New York, and even when I was a kid the New York Post was not exactly considered a newspaper of record, if you get what I mean. That, by itself, raises alarm bells.

As the story goes, Hunter supposedly took some MacBooks, full of incriminating documents, to a Mac repair shop in Wilmington, DE, did not provide any identification, and then abandoned them there. I have never claimed to be the brightest light bulb in the chandelier, but if I had a couple of computers full of sensitive stuff, would I just take them to the local computer store and say "fix them"? And then abandon them?

The New York Post claims that the repair shop handed off a copy of the hard drive from the abandoned machine (why?), that the copy made its way to Rudy Giuliani, and that he gave it to the feds. Credit: Slate

One possibility is that everything in these stories is 100% true. Another possibility is that the Post was set up by someone, say, the Russian GRU spy agency.

In any case, as often happens after a breach or a leak, forensics experts are called in to try to validate what happened.

They have to figure out whether the documents are real or forged. With today's technology, that can be hard to determine.

For example, one of the most explosive emails released by the Post was, curiously, published in a way that stripped out one important verification tool: the DKIM (DomainKeys Identified Mail) signature. A DKIM signature is added by the sending domain's mail server; it covers selected headers plus a hash of the message body and is checked against a public key the domain publishes in DNS, so an intact signature lets an investigator test whether the message as shown is what that server actually sent. Also, the metadata that was displayed raises the question of whether the file was the original or a doctored copy. If it was doctored, who doctored it: the Russians? Some middleman? The Post? Unknown.

“You’re trying to prove a negative,” said Mike Weber, vice president of innovation at Coalfire. “It’s hard to prove data was never on your network.”

Is it possible to digitally sign documents? Sure; many of us have used DocuSign, for example, to sign a document. But out of the tens of thousands of documents (emails, text messages and computer files) that you have touched, say, in the last year, how many were digitally signed by DocuSign or a competitor? I bet it is a tiny percentage, bordering on zero.

Even organizations like the Defense Department don’t sign everything.

The average person probably has no idea how any of that works and certainly isn't going to spend a lot of money trying to use it. And if the documents were incriminating, wouldn't you encrypt them so that, say, a random computer repair person couldn't read them?

It is true that companies like Best Buy work with the FBI, but they are looking for obvious crimes like child pornography, not memos that only make sense to someone with a lot of context.

Weber continues: Even in diligently designed systems, hackers could use access to a network to plant a document to meet the non-repudiation checks, cryptographic keys might fall out of a company’s control, and hackers could claim damaging leaked documents came from a vendor outside the encryption system.

And that, Weber says, assumes the most expensive, best implemented system of signatures and back-ups and evidence building is in place.

In this case, the Post did not make the DKIM signatures available. They are not perfect (a signing key can be weak, leaked or removed from DNS so it can no longer be checked, a signed message can be replayed, and a body-length limit in the signature lets content be appended unsigned, and an organization with the GRU's resources has more options than most), but they are a first line of confirmation.

This is the process forensics experts deal with every day, whether they are working for a company that got breached, as part of a lawsuit or, as in this case, in the middle of a political campaign.

I am not going to make an assessment about this other than my previous comment about the Post; that is not the point of this post. What I am trying to point out is that attribution and validation are hard under the best of conditions.

In this case, since Rudy supposedly gave the disk to the FBI, the Bureau has access to some of the best forensics resources in the world if it thinks that is appropriate, likely including those of the National Security Agency, home to some of the best security experts anywhere.

But there is another problem. Anyone who has watched a cop show on TV knows that the defense attorney gets his client off by claiming that the chain of custody was not maintained. In a real forensic acquisition the drive is imaged through a write blocker, the image is hashed when it is made and again at every handoff, and each handoff is logged; nothing like that is reported here. From some computer repair shop in Delaware, to someone, to the Post, to Rudy, to whoever, there is no valid chain of custody. That makes things very difficult to validate.

We also need to be careful not to take everything we read at face value. Maybe something is valid, and maybe it is not.

This does not mean that the Post is lying. I don't know. It is certainly possible that they were set up. After all, the reporters at the Post are likely not security experts. If a reporter is presented with a potentially prize-winning story, or wants to beat out the competition, he or she (along with an editor) has to decide whether to run it. Anyone remember the "Dewey Defeats Truman" headline in 1948? Being first is not always best. But if you are first and right, that can be a career maker.

Forensics is part science and part art and it usually operates in less than optimal conditions. For more details see this article.

Security News for the Week Ending September 25, 2020

GAO Tells Treasury: Track Cyber Risk in Financial Sector

The GAO told Treasury to work with Homeland Security to better track cyber risk in the financial sector.

The GAO says that Treasury does not track these efforts or prioritize them. The sector-specific security plan was last updated in 2016, and, of course, most of the tens of trillions of dollars of assets in the sector belong to private companies.

Not only that but Treasury has not implemented the recommendations from the last audit. Credit: Meritalk

Trump Campaign Spent $4 Million to Buy Your Location Data

The Trump campaign spent $4 million buying data on voters, including location, from a data broker named Phunware. The company makes a software development kit that developers can use to collect your data, including location, and sell it to data brokers. Nothing illegal, but lucrative for the app developers and useful for political campaigns and others. Credit: Vice

Google and Amazon – Both Can Be Un-Secure

We always talk about Amazon S3 storage buckets being configured insecurely and leaking data. Researchers say that 6 percent of a sample of Google Cloud Storage buckets are also configured so that the wrong people can read from or write to them. Documents they were able to read include passports and birth certificates. Just like Amazon, Google disavows responsibility if you misconfigure your storage. Bottom line: test your security regularly and do not assume that anything is secure. Credit: Threatpost
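"Test your security regularly" for a Google Cloud Storage bucket starts with reading its IAM policy and looking for the two principals that make a grant public. The block below is an added example for this post, not the researchers' tooling or anything from Google: it takes a policy document in the shape `gsutil iam get gs://BUCKET` prints, flags every binding granted to allUsers or allAuthenticatedUsers, and distinguishes read from write grants. The two policies, the project name and the account names in it are constructed. It covers Google Cloud Storage only; the analogous S3 check (a bucket policy or ACL granting to Principal "*" or to the AllUsers group) is not implemented here.

```python
"""Flag public principals in a Cloud Storage bucket IAM policy (`gsutil iam get gs://BUCKET`)."""
import json

# Either principal makes a grant effectively world-accessible: allAuthenticatedUsers
# requires some Google account, not one from your organization.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let the grantee create, overwrite or delete objects, or change the policy itself.
WRITE_ROLES = {
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner",
    "roles/storage.admin",
    "roles/owner",
    "roles/editor",
}


def find_public_bindings(policy: dict) -> list:
    """Return one finding per binding that grants a role to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        public = sorted(PUBLIC_MEMBERS.intersection(binding.get("members", [])))
        if not public:
            continue
        role = binding.get("role", "")
        findings.append({
            "role": role,
            "members": public,
            "access": "write" if role in WRITE_ROLES else "read",
            # An IAM condition narrows the grant; it still deserves a human look.
            "conditional": "condition" in binding,
        })
    return findings


def audit_policy_json(text: str) -> dict:
    """Summarize a policy document: is anything public, and is any of it writable?"""
    findings = find_public_bindings(json.loads(text))
    return {
        "public": bool(findings),
        "writable": any(f["access"] == "write" for f in findings),
        "findings": findings,
    }


# Constructed policies in the shape `gsutil iam get` returns (assumed names, not real buckets).
LEAKY_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:example-proj"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectCreator",
         "members": ["allAuthenticatedUsers", "user:bob@example.com"]},
    ],
    "etag": "CAE=",
})
TIGHT_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:example-proj"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@example-proj.iam.gserviceaccount.com"]},
    ],
    "etag": "CAE=",
})

if __name__ == "__main__":
    import sys
    # Real use: gsutil iam get gs://BUCKET | python3 bucket_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not text.strip():
        text = LEAKY_POLICY  # fall back to the constructed sample
    for f in audit_policy_json(text)["findings"]:
        print(f"{f['access'].upper():5s} {f['role']} -> {', '.join(f['members'])}")
```

Run it across every bucket in a project on a schedule rather than once; the researchers' point is that the misconfiguration is common, and a bucket that is private today can be opened by a later deploy.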

Russia and China, Oh, My! (Hacking)

While the current occupant of 1600 Pennsylvania Avenue continues to put pressure on China, he is not putting pressure on Russia and they are definitely going after us.

The Russian government hacking group known as APT28 or Fancy Bear is sending out fake NATO training materials laced with hard-to-detect Zebrocy malware written in Delphi. The email attachment has a .zipx file extension. At the time researchers got a copy of the malware, only three antivirus products detected it. With this campaign the Russians seem to be going after government computers, but there is always collateral damage. Credit: Bleeping Computer

At the same time, the FBI says that the Chinese are still actively going after Covid-19 research, including vaccines. After all, it is easier to steal a vaccine than to develop and test one. The Chinese read the newspapers, see who is claiming interesting stuff, and then try to hack them and steal their information. They are not alone. Russia and Iran are also trying to steal research and vaccine info. Credit: MSN

In Case You Thought Russia Was Done Meddling With Elections …

Politics is a pretty interesting game.

In the United States, almost everyone, except the President, thinks that Russia interfered with the 2016 US Presidential elections.

In the UK, there is a report – that the current Prime Minister Boris Johnson has refused to release – on Russian interference in British politics, with some accusing Johnson of a coverup.

Likely in both cases, there are additional agendas.

There is a British election this week after Johnson was unable to get Parliament to agree to his plan for leaving the EU (sound familiar? The last British PM lost her job for the same reason). And since politics is a full contact sport everywhere, Johnson's competitor for the job, Jeremy Corbyn, released some documents that say that Johnson would offer to sell Britain's National Health Service (NHS) to United States corporations in a trade deal with President Trump. In Britain, the NHS is considered a national treasure and offering to privatize it to a foreign company is not considered a route to getting yourself elected. Corbyn "declined" to say where he got the documents and the British government says that they think the documents are real.

One of the places these documents were posted was the social media site Reddit.

Reddit said this past week that the document leak was part of a Russian influence operation known as Secondary Infektion. It is likely that Secondary Infektion is part of the Russian hacking group Sandworm (if you are interested in this kind of intrigue, I highly recommend the book Sandworm), which is part of Russia's military intelligence, known as the GRU. As a result of its investigation, Reddit has banned 61 accounts. Of course, there is nothing to stop the Russians from creating new accounts.

The combination of Johnson’s refusal to release the report on past Russian hacking of British elections and the posting of and Corbyn’s use of these new documents indicates that Russian interference in worldwide politics has not stopped or slowed down.

It also means that, short of a miracle, Russia will likely interfere with the US elections next year. Stealing and leaking documents (the DNC emails, the Clinton emails, the Boris Johnson documents) is far easier than hacking into a whole bunch of election machines and changing votes, so that is likely the route the Russians will take next year.

Whether Russia's release of the Boris Johnson documents will affect this week's British general election is unknown, and even if Johnson loses, he can blame many factors other than Russia for his loss.

Still, it shows that politics remains a full contact sport, a reality that is not likely to change anytime soon.

Information for this post came from the Guardian.