The US government has declared that the Russian government has hacked important US entities. It has retaliated against the Russian government in response. It has now issued its official report providing the evidence of hacking.
The "evidence" is a joke. It proves nothing but the incompetence and/or duplicity of the agencies that issued it. The near-certain declaration that the Russian government was behind this and related hacks is fake news. The majority of the US press echoes the fake news, supporting it with whatever is left of their credibility.
Cybersecurity background
Most large organizations have a big computer security problem. They just don't know how to get it done and don't seem to care, as repeated massive breaches have demonstrated. Government agencies are just as helpless. They issue regulations that tell corporations how to achieve security, but the regulations make things worse, and are ineffective for the government itself. There are solutions, but no one is interested.
The Hacks
The overall results of the hacks are well-known. In July, Wikileaks released 44,053 emails from officials of the DNC. In October, it released a large batch of Hillary Clinton campaign director John Podesta's email. Many important people immediately accused the Russians of performing the hack and providing the documents to Wikileaks.
The Official Evidence
The government's long-awaited official report of evidence that the Russians performed the hack was released last week by this government agency:
Here is how the report is described:
The report is 13 pages long, with a couple of linked files. The first thing that struck me was that, starting on page 5 and going to the end, the content had literally nothing to do with hacks or Russians -- it was just a list of generic nostrums about how to be cyber-secure. One has to wonder where all this supposed powerful wisdom was while the US government Office of Personnel Management (OPM) hack took place; this hack resulted in the loss of highly sensitive data on over 22 million people. People who live in glass houses...
What about the "evidence" contained on the first few pages?
I have personally dealt with computers for a long time. I've had to fix serious problems, evaluate reports of problems and recommend solutions. There is a clear pattern of good work:
- The person and group that did the work is clearly identified.
- There is some kind of narrative that describes the problem and the path of discovery that leads to the conclusion.
- Full details about the computers and software affected are provided. Is it a personal computer or a server? What version of what operating system is installed? If an application is relevant, what is the name and version of the application?
- Full details about event data are provided, for example log files.
- If there are anomalies, full details about them, including where and how they were found.
- Enough data is provided so you can double-check any conclusions that may be drawn.
- If more than one event is involved, this information is provided for each event, with all the information (for example servers and operating systems) clearly associated with the corresponding event.
None of this standard information was provided in the report! Any conclusions that are drawn, given the total lack of real, professional evidence, are therefore baseless.
Details of the non-evidence
The report provides no separate information about the DNC or Podesta hacks. It says nothing about whether an email server was hacked or a client. Nothing! What the report does have is a little information with generic diagrams, a very techie listing of part of a script, and a list of IP addresses. The contents of what they provided have been competently analyzed by a security firm. Here is their summary:
Let's look at the Podesta hack for a bit.
I looked at a broad sample of the emails on Wikileaks. Podesta had a gmail account, [email protected]. While some of the emails were sent to another address, [email protected], a quick look at the source of the emails (kindly provided by Wikileaks) shows that this was set up as a forwarding address, i.e., automatically forwarded to the gmail account. The source code I examined was all typical, i.e., not faked.
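The header check described above, as an added illustration that is not part of the original post: the script below parses a constructed raw message in the shape of a Gmail auto-forward (placeholder addresses and hosts, not the real emails) and reports who the mail was addressed to, which mailbox it finally landed in, and the chain of mail servers it passed through.

```python
"""Trace an email's delivery path from its raw source (added illustration).
The message is constructed with placeholder addresses, shaped like a Gmail auto-forward."""
import re
from email import message_from_string

RAW_MESSAGE = """\
Delivered-To: final.mailbox@gmail.example
Received: by 10.0.0.1 with SMTP id abc123; Mon, 3 Oct 2016 10:15:22 -0700 (PDT)
X-Forwarded-To: final.mailbox@gmail.example
X-Forwarded-For: jp@campaign.example final.mailbox@gmail.example
Delivered-To: jp@campaign.example
Received: from mx.campaign.example (mx.campaign.example [192.0.2.10])
        by mx.gmail.example with ESMTPS id xyz789; Mon, 3 Oct 2016 10:15:20 -0700 (PDT)
Received: from sender-host.example (sender-host.example [198.51.100.5])
        by mx.campaign.example with ESMTP id q1; Mon, 3 Oct 2016 10:15:18 -0700 (PDT)
From: Someone <someone@sender.example>
To: jp@campaign.example
Subject: constructed sample

body
"""

HOP_RE = re.compile(r"(?:from (?P<src>\S+) .*?)?by (?P<dst>\S+)")


def trace_delivery(raw: str) -> dict:
    """Return who the mail was addressed to, where it finally landed, and the hops."""
    msg = message_from_string(raw)
    # Every mail server prepends its own Received: line, so the bottom one is the
    # oldest; reversing gives chronological order from sender to final mailbox.
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.match(" ".join(received.split()))
        hops.append({"from": m and m.group("src"), "by": m and m.group("dst")})
    # Delivered-To: is also prepended per delivery: last = original, first = final.
    delivered = msg.get_all("Delivered-To", [])
    final = delivered[0] if delivered else None
    return {
        "to_header": msg.get("To"),
        "original_recipient": delivered[-1] if delivered else None,
        "final_mailbox": final,
        # Gmail stamps X-Forwarded-To/X-Forwarded-For when a filter forwards mail.
        "auto_forwarded": msg.get("X-Forwarded-To") is not None,
        "forwarded_to": msg.get("X-Forwarded-To"),
        # A To: address that differs from the final mailbox is consistent with forwarding.
        "landed_elsewhere": final is not None and final != msg.get("To"),
        "hops": hops,
    }
```

Run `trace_delivery(RAW_MESSAGE)` to see the forwarding reported; on a real message, the same bottom-to-top reading of the Received: lines is what lets a reviewer distinguish a forwarded copy from a faked one.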
No one claims Google was hacked. So it was Podesta's email account and/or the computer he used to access it. The report, of course, doesn't say. The hack could have been accomplished by any number of techniques, and certainly doesn't require sophistication.
The list of IP addresses given is completely irrelevant for this kind of hack. If the hackers got his user name and password, all they needed to do was log in -- no "attack vectors" required.
Turning to the DNC, the report implies (but doesn't state) that the DNC server was attacked. It talks about how the hacker:
which is quite impressive. How exactly did the malware "escalate privileges"? That's like saying that a lieutenant in the army suddenly became a general! By making it happen himself! It's only possible if there's a bug in the system that was hacked. Was it Microsoft Exchange? What's the bug? We'd like to know!
Going into this made me more suspicious, because the Wikileaks site lists exactly 7 senior officials whose emails were hacked. Here's what they say:
All that's needed to accomplish this is a bent insider, like a junior Edward Snowden, or some good social engineering. In other words, more of the same that worked on Podesta. Otherwise, why would the hack be limited to exactly those 7 and no more?
In other words, an examination of what was hacked leads to the strong suspicion that the "evidence" provided by the government has nothing to do with how the hacking was actually accomplished, or by whom.
Conclusion
Cyber-security is incredibly important. I don't care one way or the other that the DNC and Podesta were hacked. Shame on them for not caring about security when the world is full of bad guys. But I do care that many of our most important institutions such as our government and healthcare institutions fail to take it seriously, and when they do, are incapable of getting the job done. It hurts many of us, and someday could hurt us really badly.