Tuesday, August 15, 2017

Why that "file-copy" forensics of DNC hack is wrong

People keep asking me about this story about how forensics "experts" have found proof the DNC hack was an inside job, because files were copied at 22-megabytes-per-second, faster than is reasonable for Internet connections.

This story is bogus.

Yes, the forensics is correct that at some point, files were copied at 22-MBps. It's correct that Internet speeds [A] make it improbable that the files were copied across the Internet at such speeds.


[B] But the hacker who broke into the DNC was still within the victim's network, within the DNC. Outside hackers are also "insiders". Indeed, as someone experienced doing this sort of hack, I'm certain that at some point such a copy happened. The computers you are able to hack into are rarely the computers that have the data you want. Instead, you have to copy the data from other computers to the hacked computer, and then exfiltrate the data out of the hacked computer. There is no reason to assume an inside transfer of files was done by an inside employee, rather than a hacker.

[C] Or, data may have been transferred between computers within the hacker's own network, after the data was stolen. Again as a hacker, I can tell you that I frequently do this. Indeed, as this story points out, the timestamps of the files show that the 22-MBps copy happened months after the hack was detected.

[D] If the 22-MBps was the speed of exfiltrating data, it might not have been from inside the DNC building, but from some cloud service, as this tweet points out. Hackers usually have "staging" servers in the cloud that can talk to other cloud servers at easily 10 times the 22-MBps, even around the world. I have staging servers that will do this, and indeed, have copied files at this data rate. If the DNC had that data or backups in the cloud, this would explain it. 


My point is that while the forensic data-point is good (data was copied at 22-MBps), the conclusion is bad. There are too many alternative explanations better than "it must have been an insider". It's silly to insist on only the one explanation that fits your pet theory.
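To make the data-point-versus-conclusion distinction concrete, here is an added example (not code from the original post or from the "forensics" story): it derives the implied copy rate from a constructed file listing the way a timestamp-based analysis would, carries the uncertainty that one-second timestamp resolution introduces, converts to the megabit unit ISPs quote, and then lists which of several assumed link capacities could sustain that rate. The file names, sizes, mtimes and link capacities are invented for illustration.

```python
from datetime import datetime

# Constructed sample listing (name, size in bytes, mtime). Invented values,
# not the real file set from the story.
SAMPLE_FILES = [
    ("a.pdf", 45_000_000, "2016-07-05 18:39:02"),
    ("b.pdf", 44_000_000, "2016-07-05 18:39:04"),
    ("c.pdf", 66_000_000, "2016-07-05 18:39:07"),
    ("d.pdf", 88_000_000, "2016-07-05 18:39:11"),
    ("e.pdf", 22_000_000, "2016-07-05 18:39:12"),
]

# Assumed rough link capacities in bytes/second (decimal MB), for comparison.
# The cloud figure mirrors the post's "easily 10 times 22-MBps" remark.
LINK_CAPACITIES = {
    "gigabit LAN (1 Gb/s = 125 MB/s)": 125_000_000,
    "cloud-to-cloud (assumed 220 MB/s)": 220_000_000,
    "residential uplink (assumed 10 Mb/s)": 1_250_000,
}

def implied_copy_rate(files, resolution_s=1.0):
    """Return (low, point, high) bytes/second implied by a sequential copy.

    Model: an mtime records when a file's write finished, so the bytes moved
    between the first and last mtime are every file except the first. With
    timestamps stored at resolution_s granularity, elapsed time is only known
    to +/- resolution_s, which is what the low/high bounds express.
    """
    ordered = sorted(files, key=lambda f: f[2])
    t0 = datetime.strptime(ordered[0][2], "%Y-%m-%d %H:%M:%S")
    t1 = datetime.strptime(ordered[-1][2], "%Y-%m-%d %H:%M:%S")
    elapsed = (t1 - t0).total_seconds()
    moved = sum(size for _, size, _ in ordered[1:])
    if elapsed <= resolution_s:
        raise ValueError("burst too short for its timestamp resolution")
    return (moved / (elapsed + resolution_s),
            moved / elapsed,
            moved / (elapsed - resolution_s))

def to_mbps(bytes_per_s):
    """Convert bytes/second to megabits/second (the unit ISPs quote)."""
    return bytes_per_s * 8 / 1_000_000

def consistent_paths(bytes_per_s):
    """Names of link classes whose capacity is at least the observed rate."""
    return [name for name, cap in LINK_CAPACITIES.items() if cap >= bytes_per_s]

if __name__ == "__main__":
    low, point, high = implied_copy_rate(SAMPLE_FILES)
    print(f"{point/1e6:.1f} MB/s ({to_mbps(point):.0f} Mb/s), "
          f"bounds {low/1e6:.1f}-{high/1e6:.1f} MB/s")
    print("consistent with:", consistent_paths(point))
```

On the constructed listing the point estimate is 22 MB/s (176 Mb/s), and both the LAN and cloud-to-cloud paths can sustain it, which is exactly why the rate alone does not pick out an insider.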

As a side note, you can tell the stories are poor from the way they are told. Rather than explain the evidence and let it stand on its own, the stories hype the credentials of those who believe the story, using the "appeal to authority" fallacy.


1 comment:

jjarven said...

psstt, should be MBps, not mBps (or in case of transfer speed, the correct is Mbps)