Archive for the ‘Elections’ Category
Reality: Spearphishing Campaigns and Election Systems
So Bloomberg has a story out today concerning allegations that the hack on the election was larger than first admitted to by authorities and the leak of a document by Reality Winner. This of course started the Twitterati to start making noises and got me to thinking about the whole thing. People have been asking about whether or not the hack was successful and to what end would the hacks be if they were successful or not. I myself have held the idea that the success or failure of the hacks isn’t as important as the notion that the systems had been tainted by hacking or manipulation. As you all may remember there were news stories of how the hackers attacked the systems before the elections before Reality dropped her document on the Intercept and then promptly went to jail for her stellarly bad OPSEC. Those stories seem to have been largely forgotten by the general populace but not so much with the IC given the snips of the document given to the Intercept. The snips show how the adversaries used common phishing exploits to “spearphish” the users at particular companies in a credential harvesting operation. Once I really took a close look at these though I began to question some things and thought maybe you all should too.
Why doesn’t the NSA know whether or not the attacks were successful?
So yeah, why doesn’t the NSA know whether or not things worked for the adversaries attacking these systems? Were there no forensics? Were the NSA not allowed to see anything? One begins to wonder why all this is in the report marked TS and such. Of course something in the markings also says “To US” so would this imply that the data came from FIVEEYE to the us? Once you begin to ponder all these things you start down the dark path of the game of shadows and we don’t need that. All of this said though, once again, the document here is showing only that they know attacks happened but they have no evidence of the attacks working and to what extent.
Why is that?
Where are the C2’s and other IOC’s?
Given that we don’t have the information on whether or not these attacks worked, then I guess it is a foregone conclusion to ask for, ya know, evidence right? Well I am gonna ask anyway, where is the evidence of the attacks other than the email address given in the report? No C2’s no infrastructures outlined. Are they in another compartment somewhere? In fact Reality had made mention of another document in her jailhouse tapes so are these bits in there? Without these one cannot conclude much of anything as to the adversary we are dealing with. After all, you all in the business know that these kinds of phishing attacks are quite common. How many of you blue team folks who read me have seen these same kinds of Google Drive/WP/PHP sites that harvest creds then pass you to the site you wanted?
This is not advanced
This is not uncommon
This is not a lock on any adversary in particular
Yet here they are saying it was the GRU… Why? What other evidence do they have? HUMINT? SIGINT? None of this is mentioned in what we have been given by the Intercept.
Why is this all marked TS if there is no real sources and methods here to burn?
Back to the whole TS/FVEY/ORCON alphabet soup, why is this being held so closely? Now, I have my own particular bent here that I have written about in the past which goes something like this;
- We don’t want to admit the hacks happened because if we did it would cast doubt on the election
- If we admit they happened people will doubt the system and it will erode the democracy
- If we admit they happened AND they actually got in and they manipulated the system… Well… HOLY SHIT there’s goes the election system and the democracy
- If we admit it happened and it worked then how much trust would there be in the government anymore?
In fact in articles circulating today, and I think it was in the Bloomberg piece, the case was made by President Obama that they would not want to admit to a hack for these very reasons…
So, there is that huh? If the scope of the hack is proven then it will in fact have the effects above and it would give Putin the satisfaction that his goals of active measures are still bearing him smelly fruit. I can then see them wanting to keep all of this stuff super secret couldn’t you? I guess Reality, though an idiot, perhaps had the same feeling and decided to do this in some warped view on trying to get rid of the current president. Another reason may be, and this is a tenuous one, that all of this is now part of the investigation into Russian meddling that the Congress is carrying out. I doubt that is the reason though. I really think it is just the IC being the IC and that the government has a reason to keep this all secret because it would erode things further where the government and our system of elections are concerned.
GRU or Patriot Hackers? (A Team versus B Team)
Alrighty, now we get on to the whole whodunnit thing. The documents sure do say that it is the GRU but like I said they don’t give you enough proof to do anything in a court of law for sure. While I was pondering this I had a flash on what Pooty said recently about “patriot hackers” and how the NSA document here alludes to klunky attacks. Like I said above, these phishing exploits are not uncommon. I see these every god damned day so it is really a measure of how well they were put together and whether or not escalation and pivoting happened to show another kind of actor here. Oh, and yeah, that information is conveniently not in the report here and once again, the NSA does not know if the attacks succeeded.
Think about that.
Then they go on to say it was Russia.
Ok, so maybe, just maybe it was Russia but it was the patriotic hacker B team eh? What if Pooty was telling a truth there and we all just scoffed and moved on? Given what the documents say I can see that maybe some talented amateurs or a B team decided to carry out a moonlighting operation to amplify things. Hey crazier things have happened right? What I am saying is open your minds to the idea that this was not the GRU but other actors like cyber patriots who may have gotten in but then failed to really do damage to the systems.
Maybe.
Without ya know like evidence though… Meep Meep.
Conclusion:
Welp, the cat is out of the bag NSA. It’s time to fess up. I think you and the government need to start producing evidence, forensic evidence, or GTFO. If the election data was hacked and manipulated then let us all know and then FUCKING FIX THE SYSTEMS AND MAKE THEM CRITICAL FUCKING INFRASTRUCTURE!
Dr. K.
OFFICIAL STATEMENT On (ISC)2 and The Freak Power Ticket
;
Recently I added my name to the candidate list of ISC2 board members in the running this year. After a flagging showing thus far and some tweet conversations I am getting some impressions that people have some odd notions about ISC2 and perhaps my running. So I wanted to clear the air some and to set the record straight for those unable to navigate sarcasm or irony. I am running partially as a serious effort and partially as a farce. Now, this may escape some and I would encourage those who don’t get the motives or means to go look up Hunter S. Thompson’s run for Sheriff in Colorado for a little better understanding of my meaning.
I am running for the board while knowing that we, “The Four Horsemen of the Infosec Apocalypse” have little to no chance of getting on the board in the first place. Why do we have little to no chance?Because the org is an ossified bastille on a hill of old guard founders who don’t want the boat rocked at all. That’s why. All of us are undertaking not only a battle with little chance of winning in the first place (we all pretty much agree on this) but then, once inside, were any to make it, would surely be voted down on the changes we would like to make to this org.
All of us, all the horsemen, are seeking to change the org for the better because in some way we think we can and should. Others, like @errattarob feel that the org just needs to be burned to the ground and loathes it for its very aegis as it stands. I would agree with Robert, but, I don’t think that the org just needs to burn, instead perhaps there is a minuscule at best chance that some change can come with the right group of people rattling cages.
Oh god.. Does that make me a Pollyana? Crap…
Anyway, look, yeah, I am taking this all tongue in cheek, but, like Hunter, I do have a reason and that reason is not just for the LULZ. If I were on the board I would try to make things better. Short of that though, were there no way to effect change, then I would make their lives as miserable as possible. Why? Because they are doing all of us a disservice with the way things are run now. The very least of these things is the way that ethics are handled within this org by the old guard in place. Just look at the players here..
Do you really think any of us has a chance here? I mean, c’mon, we get 500 signatures and then the BOARD votes on who they want on it? WTF kind of election process is that?
EDIT: MEA CULPA, I did not read the bylaws and was misinformed. The voting is done by the masses via email evidently. MYBAD… So, the rest of my screed still applies, but I wanted to correct this factual error. At least the masses can vote for whom they want.
Vote for the horsemen… If not me, then the others. I am doing this on a lark really, but, it’s for a bigger point here. Those of you who take the ISC and CISSP seriously need to seriously look at your org. You need to take that rather large stick out of your asses and your fingers out of your ears and really LOOK at it all. Do you think that any of us with this certification really are good at what we do because we took that test and adhere to some crap ass ethics rules that the board ignores when they see fit?
Get over yourselves.
If that’s your gig, and you think everything in ISC2 is nirvana inc… So be it.. Continue on your way.
If you want change and effectiveness to this org and this certification.. VOTE for one or all of us.
“FREAK POWER!”
K.
;
TEXT
Krypt3ia 