Tuesday, January 03, 2017

Dear Obama, From Infosec

Dear President Obama:

We are more than willing to believe Russia was responsible for the hacked emails/records that influenced our election. We believe Russian hackers were involved. Even if these hackers weren't under the direct command of Putin, we know he could put a stop to such hacking if he chose. It's like harassment of journalists and diplomats. Putin encourages a culture of thuggery that attacks opposition, without his personal direction, but with his tacit approval.

Your lame attempts to convince us of what we already agree with has irretrievably damaged your message.

Instead of communicating with the America people, you worked through your typical system of propaganda, such as stories in the New York Times quoting unnamed "senior government officials". We don't want "unnamed" officials -- we want named officials (namely you) who we can pin down and question. When you work through this system of official leaks, we believe you have something to hide, that the evidence won't stand on its own.

We still don't believe the CIA's conclusions because we don't know, precisely, what those conclusions are. Are they derived purely from companies like FireEye and CrowdStrike based on digital forensics? Or do you have spies in Russian hacker communities that give better information? This is such an important issue that it's worth degrading sources of information in order to tell us, the American public, the truth.

You had the DHS and US-CERT issue the "GRIZZLY-STEPPE"[*] report "attributing those compromises to Russian malicious cyber activity". It does nothing of the sort. It's full of garbage. It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth.

Yes, hackers use Yahoo for phishing and malvertising. It doesn't mean every access of Yahoo is an "Indicator of Compromise".

For example, I checked my web browser [chrome://net-internals/#dns] and found that last year on November 20th, it accessed two IP addresses that are on the Grizzley-Steppe list:
No, this doesn't mean I've been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzley-Steppe IoCs are garbage.

If your intent was to show technical information to experts to confirm Russia's involvement, you've done the precise opposite. Grizzley-Steppe proves such enormous incompetence that we doubt all the technical details you might have. I mean, it's possible that you classified the important details and de-classified the junk, but even then, that junk isn't worth publishing. There's no excuse for those Yahoo addresses to be in there, or the numerous other problems.

Among the consequences is that Washington Post story claiming Russians hacked into the Vermont power grid. What really happened is that somebody just checked their Yahoo email, thereby accessing one of the same IP addresses I did. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid) is your responsibility. This misinformation is your fault.

You announced sanctions for the Russian hacking [*]. At the same time, you announced sanctions for Russian harassment of diplomatic staff. These two events are confused in the press, with most stories reporting you expelled 35 diplomats for hacking, when that appears not to be the case.

Your list of individuals/organizations is confusing. It makes sense to name the GRU, FSB, and their officers. But why name "ZorSecurity" but not sole proprietor "Alisa Esage Shevchenko"? It seems a minor target, and you give no information why it was selected. Conversely, you ignore the APT28/APT29 Dukes/CozyBear groups that feature so prominently in your official leaks. You also throw in a couple extra hackers, for finance hacks rather than election hacks. Again, this causes confusion in the press about exactly who you are sanctioning and why. It seems as slipshod as the DHS/US-CERT report.

Mr President, you've got two weeks left in office. Russia's involvement is a huge issue, especially given President-Elect Trump's pro-Russia stance. If you've got better information than this, I beg you to release it. As it stands now, all you've done is support Trump's narrative, making this look like propaganda -- and bad propaganda at that. Give us, the infosec/cybersec community, technical details we can look at, analyze, and confirm.

Regards,
Infosec

9 comments:

Unknown said...

".. How they get from the facts (one person accessed Yahoo email) to the story (Russians hacked power grid) is your responsibility. This misinformation is your fault."

I don't think the President has as much control over the media as you imagine. There are other more powerful individuals and groups who have a vested interest in making Russia look bad. https://www.rt.com/news/233439-us-meddling-ukraine-crisis/ I know it's from Russia Today, but I remember most of it from when it actually happened via reporting in Europe. I don't know if the US media covered it in the same way - I highly doubt it.

test said...

"As it stands now, all you've done is support Trump's narrative, making this look like propaganda -- and bad propaganda at that. Give us, the infosec/cybersec community, technical details we can look at, analyze, and confirm."

Perhaps we have all the information we need.

Bame said...

The good conservative get lied to his face times and times again, but is still "more than willing to believe".

Joe Duarte said...

Question: What does it mean to "irretrievably" damage a message? What would we want to retrieve that we can no longer retrieve?

test said...

Respectfully to all viewpoints and affiliations, I'm not sure the op is a 'good conservative' if the 'message' is 'already agreed with' unless Obama is suddenly a conservative...? The op's apparent dismay with these inconvenient truths may reflect a general 'a ha' moment for many reading this post, if not an epiphany for all of those attempting to reconcile an engineer's logic with political platforms. Which platform or message could change, but reason and politics remain relatively constant... and methinks the twain shall rarely meet.

Rowaa[SR13] said...

Guys, why are you even snap at each other? You and President are on the same side! You both are "more than willing to believe" that "ЯUSSIANS АЯЕ СOMING!" Does it matter THAT much that you need a pretty ritual around your delusions and that he is pure believer and only need pastor's word for that?

Anonymous said...

Hogwash! Director of National Intelligence James Clapper said earlier today, "We have evidence that the Russians hacked the DNC and our elections. The most credible
hard evidence is the user names that the hackers used. Some examples of these user names are 'RussionBoy', 'GuyFromRussia', 'RedRussianBear', 'MoscowManny',
'VodkaVinny', 'GeneralBorshevsky', and 'LOLFAG'." If that isn't evidence, I don't know what is! :-P

dramklukkel said...

"Even if these hackers weren't under the direct command of Putin, we know he could put a stop to such hacking if he chose"
You are suggesting that:
A: Putin was well informed about the hacks from within "Russia" (as if location is relevant these days) before and during these hacks.
B: Putin was able to put a stop to those hackers.
C: Putin cared a rodents bottom.

Do you think a president has the knowledge and power to predict, monitor, and prevent anyone from hacking a system outside his country? Substitute Putin/Obama and Russia/USA and read that line back. Does it stil make as much sense?

Unknown said...
This comment has been removed by a blog administrator.