Taoiseach using private email servers - a la Hillary Clinton

  • 14-12-2016 7:52am
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    This morning's Irish Times has an article on Enda Kenny's use of non-government email servers. I never cease to be amazed by the number of people in business and politics who use 'free' email services, like gmail, yahoomail, and the Apple and Microsoft equivalents. Services where the user is the 'product' or more appropriately perhaps the victim.

    Hillary Clinton was running her own email server, which is a very challenging task (to keep secure).

    By using free email services, politicians and others are exposing themselves and the parties they communicate with to needless security risks.

    There are many, inexpensive email services, which operate from countries with strong data privacy legislation that use secure connections between the client (browser or email application) and the email server.

    Irish email users are particularly at risk, given the need for most internet traffic to transit Great Britain or the USA, where there is a high probability it will be ransacked by the intelligence gathering mafia.

    Even if Kenny used a government server, I suspect that his email traffic to/from Ireland would be equally liable to Anglo-ransacking.

    It seems to me that gov.ie urgently needs to:

    1. Educate email users about the risks of using 'free' email services. Data Privacy.ie is not doing its job remaining silent about these issues.

    2. The government needs to set up additional 'personal' email domains for ministers etc, so their non-official (difficult to define) communications remain as secure as possible.

    3. The government's email server should have a secure backup, perhaps in Germany, where communications to and from Ireland could be encrypted until they arrive at the Continental based server. Mails to non-Irish email addresses routed via the Continental server, would need a different domain name, to stop email replies etc from outside of Ireland being routed, in the clear to so called 'secure' Irish email servers.

    4. The continental email server should be connected to the Irish system using at least two layers of encryption - a) a strong VPN between Dublin and wherever the server is located b) TLS 1.2 travelling over the VPN to secure the communication between the client and the server and c) For secret traffic, each email should itself be encrypted using (at a minimum) eg GnuPG end to end and transmitted over the tunnel, using maximum key sizes + TLS 1.2 platform, or one of the French military grade encryption products.

    http://www.irishtimes.com/business/economy/taoiseach-admits-he-uses-personal-email-account-for-official-business-1.2904976


Comments

  • Registered Users, Registered Users 2 Posts: 2,116 ✭✭✭ItHurtsWhenIP


    Impetus wrote: »
    ...

    3. The government's email server should have a secure backup, perhaps in Germany, where communications to and from Ireland could be encrypted until they arrive at the Continental based server. Mails to non-Irish email addresses routed via the Continental server, would need a different domain name, to stop email replies etc from outside of Ireland being routed, in the clear to so called 'secure' Irish email servers.
    ...

    I'm surprised you are suggesting our Government should trust Germany after you warned us all only 2 months ago about Hitler's return and their surveillance and storage of data being on a par with the scary GCHQ.

    Perhaps they have "re-educated" you while you were back there and you are now a collaborator of German state forces. :rolleyes:


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    I'm surprised you are suggesting our Government should trust Germany after you warned us all only 2 months ago about Hitler's return and their surveillance and storage of data being on a par with the scary GCHQ.

    Perhaps they have "re-educated" you while you were back there and you are now a collaborator of German state forces. :rolleyes:

    Well perhaps Switzerland. Having said that I doubt if Frau Merkel, herself a victim of Anglo information theft, would have much interest in the un-encrypted digital exhaust of gov.ie, surfacing in that country - even if the domain was to be irlgov.eu for the German (or Swiss) email server platform.


  • Closed Accounts Posts: 710 ✭✭✭GreenFolder2


    The issue is usually down to the corporate systems being very restrictive or obsolete. You'll get someone trying to attach a large word file and hitting an arbitrary limit of maybe 20MB.

    Next thing you know they've got an address @gmail.com

    Also with both Microsoft and Apple products I've found they've defaulted to saving things into OneDrive and iCloud and often, especially if you're not particularly tech savvy, they're so user friendly that the end user may not even realise they're saving stuff into a server.

    Then you've people using services like WeTransfer and Dropbox without any official authorisation from IT departments.

    Most of it comes down to inadequate tools being provided by corporate systems though and lack of awareness by end users that they're potentially breaching IT security. Email isn't much use without some kind of large attachment handling system / proper file sharing that is done on a known system.

    That being said many of these commercial services, when using two factor security etc are probably more secure than many poorly managed corporate systems anyway. However the risk is you've no idea what level of security the end user has applied. They could be all protected by an easy to guess password, two factor turned off and the same password used for everything.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    3. The government's email server should have a secure backup, perhaps in Germany, where communications to and from Ireland could be encrypted until they arrive at the Continental based server.

    Why would you want the secondary mail server to be hosted out of country?
    The issue is usually down to the corporate systems being very restrictive or obsolete. You'll get someone trying to attach a large word file and hitting an arbitrary limit of maybe 20MB.

    Not the case here.


  • Closed Accounts Posts: 710 ✭✭✭GreenFolder2


    It's usually down to ignorance and lack of clarity on what's permissible. Rarely down to any kind of malicious intent.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    The issue is usually down to the corporate systems being very restrictive or obsolete. You'll get someone trying to attach a large word file and hitting an arbitrary limit of maybe 20MB.

    Next thing you know they've got an address @gmail.com

    Also with both Microsoft and Apple products I've found they've defaulted to saving things into OneDrive and iCloud and often, especially if you're not particularly tech savvy, they're so user friendly that the end user may not even realise they're saving stuff into a server.

    Then you've people using services like WeTransfer and Dropbox without any official authorisation from IT departments.

    Most of it comes down to inadequate tools being provided by corporate systems though and lack of awareness by end users that they're potentially breaching IT security. Email isn't much use without some kind of large attachment handling system / proper file sharing that is done on a known system.

    That being said many of these commercial services, when using two factor security etc are probably more secure than many poorly managed corporate systems anyway. However the risk is you've no idea what level of security the end user has applied. They could be all protected by an easy to guess password, two factor turned off and the same password used for everything.

    I have tried to use AWS S3 to send large encrypted files via an email link, and in many cases, the corporate firewall at the other end refused the other party access to the Amazon AWS url. In any event I can't see why government and corporate email systems limit the size of attachments to less than they need, for some arbitrary security tick box issue.

    In relation to multi-factor authentication, this too can be compromised by the determined. The user with the MF calculator logs into the other system, and a keystroke logger steals their entire login (including the code that changes every 30 seconds), and uses it in real time for the thief to gain access. Meanwhile the person who thought they had MF logged in securely, is presented with fake HTML, perhaps designed to steal some more information from them. At the other end, the thief is logged in and good to go, using a VPN (which routes his communications back via the legit client) which was installed as part of the installation of the keystroke logger. The system sees the IP number it was expecting.

    You need an onion approach. At least two different multi-factor authentication processes, one of which takes place on another clean pc, which is used exclusively for the purpose of this application, and nothing else (eg banking). Or some alternative confirmation mechanism that travels over different platforms. This might be combined with access to a 'presentation system' at the other end - rather than direct access to a database server, to prevent vandalism. Some banks use this for home banking and branch access to central servers. The clients see and interact with a copy of their account information.

    I know someone who works for a large company in England, and they use one of the major banks, and they have a GBP 1 million limit on CHAPS payments (which is GB's real-time payments system). Which is reckless in the extreme in my view.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    In any event I can't see why government and corporate email systems limit the size of attachments to less than they need, for some arbitrary security tick box issue.

    It's probably safe to assume you don't work in any area related to IT security and you have no actual knowledge of:
    • The restrictions in place in any of the organisation types you mentioned.
    • The reasons for those restrictions
    • Alternative arrangements they may have in place to facilitate the transfer of large volumes of business related data.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Graham wrote: »
    Why would you want the secondary mail server to be hosted out of country?

    Because I suspect that all data travelling in and out of Ireland is subject to surveillance on a full content basis (not just traffic data).

    So send the non-Irish destined email via somewhere less untrustworthy, and vice versa on email traffic coming in. And if they don't bother too much with Joe Soap's email contents, I have no doubt that they watch gov.ie email closely (I don't know what domain gov.ie uses for email).

    Back in the day, when eircom or Telecom Éireann or whatever they were called at the time were doing some large corporate deals via London, they encrypted everything. All the large companies (eg Airbus, Siemens, the big banks, and their type) encrypt communications, generally end to end. Being a telco, they will be acutely aware of what goes on and what is possible. And they will be involved with surveillance activities too.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    Impetus wrote: »
    In any event I can't see why government and corporate email systems limit the size of attachments to less than they need, for some arbitrary security tick box issue.

    More likely a data management issue.

    Storage may be cheap but managing storage is more likely to be the significant and unseen part.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Graham wrote: »
    It's probably safe to assume you don't work in any area related to IT security and you have no actual knowledge of:
    • The restrictions in place in any of the organisation types you mentioned.
    • The reasons for those restrictions
    • Alternative arrangements they may have in place to facilitate the transfer of large volumes of business related data.

    Everybody who works with a computer, especially in a professional, business or political capacity should be aware of the issues. And of course there are alternative ways to transfer large volumes of data. But you have time pressures, and too much stuff goes unprotected.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    AnCatDubh wrote: »
    More likely a data management issue.

    Storage may be cheap but managing storage is more likely to be the significant and unseen part.

    Probably. But you can encrypt 4GB of data in storage just as easily as 10 MB. I suspect much of the limitation on attachment size is a function of old systems created back in the day when you had tiny processors, and poor bandwidth.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    Because I suspect that all data travelling in and out of Ireland is subject to surveillance on a full content basis (not just traffic data).

    Ignoring the tinfoil hat elements, you appear to misunderstand the purpose of a backup mail server.

    It's also evident you have no knowledge of how inter-governmental IP traffic is routed.


  • Closed Accounts Posts: 710 ✭✭✭GreenFolder2


    I just mean that you'd be shocked at how many corporate systems allow users to have a single password for IMAP without any multifactorial security or have very primitive security on webmail access etc etc.

    I'm sure the government IT systems are fairly solid but, I'm regularly shocked at the sheer complacency I see in SMEs and even in web hosting. Things like a control panel to manage domain settings only protected by a maximum of 8 character password and no multifactorial security of any type.

    In a lot of cases commercial email and cloud providers actually have far more sophisticated security than many office systems that are open to the outside world.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    I suspect much of the limitation on attachment size is a function of old systems created back in the day when you had tiny processors, and poor bandwidth.

    You suspect wrongly.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Graham wrote: »
    You suspect wrongly.

    Looking at three of your postings, Graham, I suspect you may have some close knowledge of practices in this area.

    The purpose of my postings is to make people aware of the current environment, as I see it. Even if we are talking about 'diplomatic bags' as an alternative to file attachments, journalist Laura Poitras* was detained and questioned some 39 times at airports (in the 'Five Eyes' countries) (with her luggage examined with a fine tooth comb, no doubt) presumably in an attempt to dissuade her from engaging in investigative journalism. And she is not alone. Do yourself a favour and see the Snowden movie while you are at it.

    *https://en.wikipedia.org/wiki/Laura_Poitras


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    If one was to advise a politician or similar in public office (which I am not), I suspect that one of their motivations for using a 'private email service' might have something to do with avoiding freedom of information requests (FoIA). Is it worth risking one's communications from being 'hacked' by somebody else, rather than an FoIA requester? I am not suggesting that An Taoiseach or anybody else is motivated in this direction. But the risk is present, nevertheless.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    Looking at three of your postings, Graham, I suspect you may have some close knowledge of practices in this area.

    Correct
    Impetus wrote: »
    The purpose of my postings is to make people aware of the current environment, as I see it. Even if we are talking about 'diplomatic bags' as an alternative to file attachments

    Most (if not all) government departments can facilitate the digital transfer of very heavily encrypted files of almost any size without resorting to physical media, out of country networks or public IP transit.

    Without getting into specific technologies used anywhere; there are commercially available mail proxies/gateways/web proxies to facilitate the content scanning of inbound/outbound mail/attachments and files. One of the functions of this software is to prevent the accidental or deliberate transfer of sensitive/commercial data.

    Similarly, there are commercial products that can appropriately restrict the transfer of such data onto physical media.
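    As an added illustration of the kind of outbound-mail policy gate described in this post (it is example code written here, not Graham's, not any vendor's product and not any department's configuration), the block below evaluates a constructed outbound message against three constructed rules: an attachment size cap like the 20MB limit mentioned earlier in the thread, a scan for classification markers and for data shaped like an Irish PPS number, and a check for personal webmail recipients. The thresholds, marker strings and domain list are assumptions chosen for the example.

```python
"""Toy outbound-mail policy gate (added example; all rules and samples are constructed)."""
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Hypothetical policy values; not any real organisation's settings.
MAX_ATTACHMENT_BYTES = 20 * 1024 * 1024          # the "arbitrary 20MB" limit from the thread
PERSONAL_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "icloud.com"}
# Constructed classification markers a document-labelling tool might stamp on text.
SENSITIVITY_MARKERS = re.compile(r"\b(OFFICIAL[- ]SENSITIVE|CONFIDENTIAL|SECRET)\b")
# Constructed pattern for an Irish PPS number (7 digits followed by 1 or 2 letters).
PPS_PATTERN = re.compile(r"\b\d{7}[A-Z]{1,2}\b")


def recipient_domains(msg: Message) -> set:
    """Collect the domain part of every To/Cc/Bcc address."""
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        addrs.extend(a.strip() for a in (msg.get(hdr) or "").split(",") if a.strip())
    return {a.rsplit("@", 1)[-1].strip("<> ").lower() for a in addrs}


def evaluate_outbound(raw: str, max_attachment_bytes: int = MAX_ATTACHMENT_BYTES) -> dict:
    """Return {'action': allow|quarantine|block, 'reasons': [...]} for one raw RFC 822 message.

    Sensitive content or an oversized attachment blocks the message outright;
    a personal-webmail recipient on its own only diverts it for review.
    """
    msg = message_from_string(raw)
    block, flag = [], []

    for domain in sorted(recipient_domains(msg)):
        if domain in PERSONAL_WEBMAIL_DOMAINS:
            flag.append(f"recipient on personal webmail service: {domain}")

    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        filename = part.get_filename()
        label = filename or f"{part.get_content_type()} body"
        if filename and len(payload) > max_attachment_bytes:
            block.append(f"attachment {label} exceeds size limit ({len(payload)} bytes)")
        # Scan text-like content; binary attachments simply decode to replacement chars.
        text = payload.decode("utf-8", errors="replace")
        if SENSITIVITY_MARKERS.search(text):
            block.append(f"classification marker found in {label}")
        if PPS_PATTERN.search(text):
            block.append(f"possible PPS number found in {label}")

    if block:
        action = "block"
    elif flag:
        action = "quarantine"
    else:
        action = "allow"
    return {"action": action, "reasons": block + flag}


def build_sample(to: str, body: str, attachment: bytes = None, name: str = None) -> str:
    """Construct a sample outbound message (sender address is a placeholder)."""
    m = EmailMessage()
    m["From"] = "official@example.ie"
    m["To"] = to
    m["Subject"] = "Sample"
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


if __name__ == "__main__":
    for sample in (
        build_sample("colleague@example.ie", "Minutes of today's meeting attached."),
        build_sample("friend@gmail.com", "Can you check PPS 1234567A for me?"),
        build_sample("colleague@example.ie", "Large report", b"\x00" * 3000, "report.bin"),
        build_sample("friend@gmail.com", "Lunch on Friday?"),
    ):
        print(evaluate_outbound(sample, max_attachment_bytes=2048))
```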


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    If one was to advise a politician or similar in public office (which I am not), I suspect that one of their motivations for using a 'private email service' might have something to do with avoiding freedom of information requests (FoIA). Is it worth risking one's communications from being 'hacked' by somebody else, rather than an FoIA requester? I am not suggesting that An Taoiseach or anybody else is motivated in this direction. But the risk is present, nevertheless.

    There are exemptions from FOI access requests that would render the above largely unnecessary. I suspect that's one of the reasons 'journalists' on an FOI fishing exercise largely restrict their requests to expenses.


  • Registered Users, Registered Users 2 Posts: 14,599 ✭✭✭✭CIARAN_BOYLE


    Graham wrote: »
    • Alternative arrangements they may have in place to facilitate the transfer of large volumes of business related data.

    The problem is that most personnel not involved in IT security aren't aware of this either.
    Graham wrote: »
    Most (if not all) government departments can facilitate the digital transfer of very heavily encrypted files of almost any size without resorting to physical media, out of country networks or public IP transit.
    Staff don't know this and in some cases would prefer to courier over a USB key to avoid sending insecure e-mail when the actual e-mail service won't send an attachment.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    The problem is that most personnel not involved in IT security aren't aware of this either.

    People within the organisations generally become aware when they're blocked from doing/transferring/sending/copying something.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    I've worked for two large cloud providers who were oh-so proud of their clouds yet still used Dropbox everywhere for sharing files. It's not just in government. IT Security everywhere is a joke. Part of this is because IT Security policies (particularly badly thought out ones) get in the way of getting business done so are resisted. Another reason is it's not explained to employees why that rule or policy exists. Finally, there is little communication between employees and InfoSec/IT Ops on why certain things are needed.

    One place I worked they gave out iPod Nanos to everyone at the Christmas party and everyone started plugging their iPod into their computer to charge them. Then war broke out with InfoSec giving out to people for doing that and potentially spreading malware. So I suggested we install USB wall sockets and dot them around the office. Now everyone had somewhere to charge their phone or iPod with no risk of malware infection. End of drama.

    Another place they didn't want people smoking beside the side security door as it was intimidating for people going past, because there's nothing more intimidating than 5 developers having a smoke break :rolleyes:. So the developers started smoking outside the fire exit. The fire exit door was a swing-shut type so someone propped a brick against it to stop it swinging shut. What happened next was predictable. Someone forgot to remove the brick on a Friday evening. They came in on Monday morning to find all the PCs had been nicked.

    Why do I work in InfoSec? It's a bit like hitting yourself with a hammer - it'll feel really good when I eventually stop.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    I've worked for two large cloud providers who were oh-so proud of their clouds yet still used Dropbox everywhere for sharing files. It's not just in government.

    The assumption there is that the likes of dropbox are accessible.
    One place I worked they gave out iPod Nanos to everyone at the Christmas party and everyone started plugging their iPod into their computer to charge them. So I suggested we install USB wall sockets and dot them around the office. Now everyone had somewhere to charge their phone or iPod with no risk of malware infection. End of drama.

    Alternatively they could have blocked access to the USB ports other than for approved devices.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Graham wrote: »
    The assumption there is that the likes of dropbox are accessible.

    Not sure I follow what you mean?
    Graham wrote: »
    Alternatively they could have blocked access to the USB ports other than for approved devices.

    There is a plethora of solutions they could have employed. My point was, InfoSec's initial plan was to just tell people not to do it. But people still did it. So InfoSec shouted a little louder. A little bit of joined up thinking is all that was needed.



  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Not sure I follow what you mean?

    It would be unusual for the likes of DropBox to be an issue because they would be blocked directly or indirectly.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Graham wrote: »
    It would be unusual for the likes of DropBox to be an issue because they would be blocked directly or indirectly.

    Again I think you missed my point. In both of these companies dropbox was allowed, encouraged even for sharing files among users. They weren't being blocked.

    And actually I have seen Dropbox allowed in numerous companies. From what I've seen it's actually unusual for it to be blocked.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Again I think you missed my point. In both of these companies dropbox was allowed, encouraged even for sharing files among users. They weren't being blocked.

    Dumb companies will learn when it costs them.
    I have seen Dropbox allowed in numerous companies. From what I've seen it's actually unusual for it to be blocked.

    There are certain types of organisation where access to such services would be incredibly unusual.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Graham wrote: »
    Dumb companies will learn when it costs them.

    I wouldn't count on it.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    I wouldn't count on it.

    Obviously I've no idea what sort of companies you're referring to.

    In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Graham wrote: »
    Obviously I've no idea what sort of companies you're referring to.

    In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.

    As I said, the two companies I referred to were cloud providers, so big MNCs. As a former security consultant I have visited about 30 companies in the British Isles over the last 4 years and stringent is not the word I would use to describe their security stance. This would be an eclectic assortment of government, defence, public and private organizations, though obviously as a result of NDAs I can't go into which.

    Honestly, in some places it was shocking. Many places had GRC teams and dedicated InfoSec, but you can tick every box on the PCI-DSS self assessment, and you can have policies covering everything, but often times none of that prevents me going from unprivileged user to Domain Admin in a matter of minutes.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Graham wrote: »
    Correct

    Most (if not all) government departments can facilitate the digital transfer of very heavily encrypted files of almost any size without resorting to physical media, out of country networks or public IP transit.

    Without getting into specific technologies used anywhere; there are commercially available mail proxies/gateways/web proxies to facilitate the content scanning of inbound/outbound mail/attachments and files. One of the functions of this software is to prevent the accidental or deliberate transfer of sensitive/commercial data.

    Similarly, there are commercial products that can appropriately restrict the transfer of such data onto physical media.

    While I accept all that, my primary point is that gov.ie email, while it may be 'secure' within Ireland, leaves the country un-encrypted, aside perhaps from Irish government offices in other parts of the world. The intelligent observer who has full content access to "drivel" (emails that have not been deliberately encrypted for whatever reason) can often put two and two together and derive almost as much knowledge of an event or situation as might be heavily encrypted in a deliberately made secure communication.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Graham wrote: »
    There are exemptions from FOI access requests that would render the above largely unnecessary. I suspect that's one of the reasons 'journalists' on an FOI fishing exercise largely restrict their requests to expenses.
    I have no doubt that the public service has devised numerous tactics, legal and otherwise, to bypass FoIA requests.

    I still suspect it (FoI disclosure risk - ie reading his/her email in a newspaper report) is in the back of the mind of every politician and senior civil servant before they send an email on the "corporate network". If not, perhaps it should be - or else there is no effective FoIA in place.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Graham wrote: »
    Obviously I've no idea what sort of companies you're referring to.

    In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.

    I think you are being a bit naive. Look at all the hacking attempts that reach the media attention. How many hacks are swept under the carpet? :-)


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    I have no doubt that the public service has devised numerous tactics, legal and otherwise, to bypass FoIA requests.

    I still suspect it (FoI disclosure risk - ie reading his/her email in a newspaper report) is in the back of the mind of every politician and senior civil servant before they send an email on the "corporate network". If not, perhaps it should be - or else there is no effective FoIA in place.
    Impetus wrote: »
    I think you are being a bit naive. Look at all the hacking attempts that reach the media attention. How many hacks are swept under the carpet? :-)

    Unfortunately there are not yet any commercial InfoSec products to protect an organisation from 3rd party conspiracy theories, suppositions or suspicions. Should I discover one, you'll be the first to know ;)


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Graham wrote: »
    Unfortunately there are not yet any commercial InfoSec products to protect an organisation from 3rd party conspiracy theories, suppositions or suspicions. Should I discover one, you'll be the first to know ;)

    One wonders if you read this article in Thursday's New York Times -

    The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

    The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

    http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Impetus wrote: »
    One wonders if you read this article in Thursday's New York Times -

    The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

    The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

    http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0

    Are you suggesting the Russians are reading Enda Kenny's non-encrypted emails and somehow piecing something relevant?


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    Impetus wrote: »
    One wonders if you read this article in Thursday's New York Times -

    The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

    The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

    http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0


    Hi,

    I carefully choose what sources I read.
    As I'm a techie, I am more interested in Mr Robot type scenarios rather than some high stakes political games!

    I will forward this article here, a more techie explanation than some other sources. Of course, we know that no one is right or wrong until proved!

    Regards



    ____________

    Here’s the Public Evidence Russia Hacked the DNC – It’s Not Enough
    Sam Biddle, The Intercept, December 14 2016, 4:30 p.m.
    Illustration: Soohee Cho for The Intercept

    There are some good reasons to believe Russians had something to do with the breaches into email accounts belonging to members of the Democratic party, which proved varyingly embarrassing or disruptive for Hillary Clinton’s presidential campaign. But “good” doesn’t necessarily mean good enough to indict Russia’s head of state for sabotaging our democracy.

    There’s a lot of evidence from the attack on the table, mostly detailing how the hack was perpetrated, and possibly the language of the perpetrators. It certainly remains plausible that Russians hacked the DNC, and remains possible that Russia itself ordered it. But the refrain of Russian attribution has been repeated so regularly and so emphatically that it’s become easy to forget that no one has ever truly proven the claim. There is strong evidence indicating that Democratic email accounts were breached via phishing messages, and that specific malware was spread across DNC computers. There’s even evidence that the attackers are the same group that’s been spotted attacking other targets in the past. But again: No one has actually proven that group is the Russian government (or works for it). This remains the enormous inductive leap that’s not been reckoned with, and Americans deserve better.

    We should also bear in mind that private security firm CrowdStrike’s frequently cited findings of Russian responsibility were essentially paid for by the DNC, who contracted their services in June. It’s highly unusual for evidence of a crime to be assembled on the victim’s dime. If we’re going to blame the Russian government for disrupting our presidential election — easily construed as an act of war — we need to be damn sure of every single shred of evidence. Guesswork and assumption could be disastrous.

    The gist of the Case Against Russia goes like this: The person or people who infiltrated the DNC’s email system and the account of John Podesta left behind clues of varying technical specificity indicating they have some connection to Russia, or at least speak Russian. Guccifer 2.0, the entity that originally distributed hacked materials from the Democratic party, is a deeply suspicious figure who has made statements and decisions that indicate some Russian connection. The website DCLeaks, which began publishing a great number of DNC emails, has some apparent ties to Guccifer and possibly Russia. And then there’s Wikileaks, which after a long, sad slide into paranoia, conspiracy theorizing, and general internet toxicity, has made no attempt to mask its affection for Vladimir Putin and its crazed contempt for Hillary Clinton. (Julian Assange has been stuck indoors for a very, very long time.) If you look at all of this and sort of squint, it looks quite strong indeed, an insurmountable heap of circumstantial evidence too great in volume to dismiss as just circumstantial or mere coincidence.

    But look more closely at the above and you can’t help but notice all of the qualifying words: Possibly, appears, connects, indicates. It’s impossible (or at least dishonest) to present the evidence for Russian responsibility for hacking the Democrats without using language like this. The question, then, is this: Do we want to make major foreign policy decisions with a belligerent nuclear power based on suggestions alone, no matter how strong?
    What We Know

    So far, all of the evidence pointing to Russia’s involvement in the Democratic hacks (DNC, DCCC, Podesta, et al.) comes from either private security firms (like CrowdStrike or FireEye) who sell cyber-defense services to other companies, or independent researchers, some with university affiliations and serious credentials, and some who are basically just Guys on Twitter. Although some of these private firms had proprietary access to DNC computers or files from them, much of the evidence has been drawn from publicly available data like the hacked emails and documents.

    Some of the malware found on DNC computers is believed to be the same as that used by two hacking groups believed to be Russian intelligence units, codenamed APT (Advanced Persistent Threat) 28/Fancy Bear and APT 29/Cozy Bear by industry researchers who track them.

    The attacker or attackers registered a deliberately misspelled domain name used for email phishing attacks against DNC employees, connected to an IP address associated with APT 28/Fancy Bear.
    Malware found on the DNC computers was programmed to communicate with an IP address associated with APT 28/Fancy Bear.
    Metadata in a file leaked by “Guccifer 2.0” shows it was modified by a user called, in Cyrillic, “Felix Edmundovich,” a reference to the founder of a Soviet-era secret police force. Another document contained Cyrillic metadata indicating it had been edited on a document with Russian language settings.
    Peculiarities in a conversation with “Guccifer 2.0” that Motherboard published in June suggest he is not Romanian, as he originally claimed.
    The DCLeaks.com domain was registered by a person using the same email service as the person who registered a misspelled domain used to send phishing emails to DNC employees.
    Some of the phishing emails were sent using Yandex, a Moscow-based webmail provider.
    A bit.ly link believed to have been used by APT 28/Fancy Bear in the past was also used against Podesta.

    Why That Isn’t Enough

    Viewed as a whole, the above evidence looks strong, and maybe even damning. But view each piece on its own, and it’s hard to feel impressed.

    For one, a lot of the so-called evidence above is no such thing. CrowdStrike, whose claims of Russian responsibility are perhaps most influential throughout the media, says APT 28/Fancy Bear “is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.” But this isn’t a Russian technique any more than using a computer is a Russian technique — misspelled domains are a cornerstone of phishing attacks all over the world. Is Yandex — the Russian equivalent of Google — some sort of giveaway? Anyone who claimed a hacker must be a CIA agent because they used a Gmail account would be laughed off the internet. We must also acknowledge that just because Guccifer 2.0 pretended to be Romanian, we can’t conclude he works for the Russian government — it just makes him a liar.

    Next, consider the fact that CrowdStrike describes APT 28 and 29 like this:

    Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.

    Compare that description to CrowdStrike’s claim it was able to finger APT 28 and 29, described above as digital spies par excellence, because they were so incredibly sloppy. Would a group whose “tradecraft is superb” with “operational security second to none” really leave behind the name of a Soviet spy chief imprinted on a document it sent to American journalists? Would these groups really be dumb enough to leave Cyrillic comments on these documents? Would these groups that “constantly [go] back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels” get caught because they precisely didn’t make sure not to use IP addresses they’d been associated with before? It’s very hard to buy the argument that the Democrats were hacked by one of the most sophisticated, diabolical foreign intelligence services in history, and that we know this because they screwed up over and over again.

    But how do we even know these oddly named groups are Russian? CrowdStrike co-founder Dmitri Alperovitch himself describes APT 28 as a “Russian-based threat actor” whose modus operandi “closely mirrors the strategic interests of the Russian government” and “may indicate affiliation [Russia’s] Main Intelligence Department or GRU, Russia’s premier military intelligence service.” Security firm SecureWorks issued a report blaming Russia with “moderate confidence.” What constitutes moderate confidence? SecureWorks said it adopted the “grading system published by the U.S. Office of the Director of National Intelligence to indicate confidence in their assessments. … Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.” All of this amounts to a very educated guess, at best.

    Even the claim that APT 28/Fancy Bear itself is a group working for the Kremlin is speculative, a fact that’s been completely erased from this year’s discourse. In its 2014 reveal of the group, the high-profile security firm FireEye couldn’t even blame Russia without a question mark in the headline: “APT28: A Window into Russia’s Cyber Espionage Operations?” The blog post itself is remarkably similar to arguments about the DNC hack: Technical but still largely speculative, presenting evidence the company “[believes] indicate a government sponsor based in Moscow.” Believe! Indicate! We should know already this is no smoking gun. FireEye’s argument that the malware used by APT 28 is connected to the Russian government is based on the belief that its “developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities.”

    As security researcher Jeffrey Carr pointed out in June, FireEye’s 2014 report on APT 28 is questionable from the start:

    To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:

    “APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)

    That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.

    The notion that APT 28 has a narrow focus on American political targets is undermined in another SecureWorks paper, which shows that the hackers have a wide variety of interests: 10 percent of their targets are NGOs, 22 percent are journalists, 4 percent are aerospace researchers, and 8 percent are “government supply chain.” SecureWorks says that only 8 percent of APT 28/Fancy Bear’s targets are “government personnel” of any nationality — hardly the focused agenda described by CrowdStrike.

    Truly, the argument that “Guccifer 2.0” is a Kremlin agent or that GRU breached John Podesta’s email only works if you presume that APT 28/Fancy Bear is a unit of the Russian government, a fact that has never been proven beyond any reasonable doubt. According to Carr, “it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.” Without that premise, all we can truly conclude is that some email accounts at the DNC et al. appear to have been broken into by someone, and perhaps they speak Russian. Left ignored is the mammoth difference between Russians and Russia.

    Security researcher Claudio Guarnieri put it this way:

    [Private security firms] can’t produce anything conclusive. What they produce is speculative attribution that is pretty common to make in the threat research field. I do that same speculative attribution myself, but it is just circumstantial. At the very best it can only prove that the actor that perpetrated the attack is very likely located in Russia. As for government involvement, it can only speculate that it is plausible because of context and political motivations, as well as technical connections with previous (or following attacks) that appear to be perpetrated by the same group and that corroborate the analysis that it is a Russian state-sponsored actor (for example, hacking of institutions of other countries Russia has some geopolitical interests in).

    Finally, one can’t be reminded enough that all of this evidence comes from private companies with a direct financial interest in making the internet seem as scary as possible, just as Lysol depends on making you believe your kitchen is crawling with E. coli.
    What Does the Government Know?

    In October, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement blaming the Russian government for hacking the DNC. In it, they state their attribution plainly:

    The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.

    What’s missing is any evidence at all. If this federal confidence is based on evidence that’s being withheld from the public for any reason, that’s one thing — secrecy is their game. But if the U.S. Intelligence Community is asking the American electorate to believe them, to accept as true their claim that our most important civic institution was compromised by a longtime geopolitical nemesis, we need them to show us why.

    The same goes for the CIA, which is now squaring off directly against Trump, claiming (through leaks to the Washington Post and New York Times) that the Russian government conducted the hacks for the express purpose of helping defeat Clinton. Days later, Senator John McCain agreed with the assessment, deeming it “another form of warfare.” Again, it’s completely possible (and probable, really) that the CIA possesses hard evidence that could establish Russian attribution — it’s their job to have such evidence, and often to keep it secret.

    But what we’re presented with isn’t just the idea that these hacks happened, and that someone is responsible, and, well, I guess it’s just a shame. Our lawmakers and intelligence agencies are asking us to react to an attack that is almost military in nature — this is, we’re being told, “warfare.” When a foreign government conducts (or supports) an act of warfare against another country, it’s entirely possible that there will be an equal response. What we’re looking at now is the distinct possibility that the United States will consider military retaliation (digital or otherwise) against Russia, based on nothing but private sector consultants and secret intelligence agency notes. If you care about the country enough to be angry at the prospect of election-meddling, you should be terrified of the prospect of military tensions with Russia based on hidden evidence. You need not look too far back in recent history to find an example of when wrongly blaming a foreign government for sponsoring an attack on the U.S. has tremendously backfired.
    We Need the Real Evidence, Right Now

    It must be stated plainly: The U.S. intelligence community must make its evidence against Russia public if they want us to believe their claims. The integrity of our presidential elections is vital to the country’s survival; blind trust in the CIA is not. A governmental disclosure like this is also not entirely without precedent: In 2014, the Department of Justice produced a 56-page indictment detailing their exact evidence against a team of Chinese hackers working for the People’s Liberation Army, accused of stealing American trade secrets; each member was accused by name. The 2014 trade secret theft was a crime of much lower magnitude than election meddling, but what the DOJ furnished is what we should demand today from our country’s spies.

    If the CIA does show its hand, we should demand to see the evidence that matters (which, according to Edward Snowden, the government probably has, if it exists). I asked Jeffrey Carr what he would consider undeniable evidence of Russian governmental involvement: “Captured communications between a Russian government employee and the hackers,” adding that attribution “should solely be handled by government agencies because they have the legal authorization to do what it takes to get hard evidence.”

    Claudio Guarnieri concurred:

    All in all, technical circumstantial attribution is acceptable only so far as it is to explain an attack. It most definitely isn’t for the political repercussions that we’re observing now. For that, only documental evidence that is verifiable or intercepts of Russian officials would be convincing enough, I suspect.

    Given that the U.S. routinely attempts to intercept the communications of heads of state around the world, it’s not impossible that the CIA or the NSA has exactly this kind of proof. Granted, these intelligence agencies will be loath to reveal any evidence that could compromise the method they used to gather it. But in times of extraordinary risk, with two enormous military powers placed in direct conflict over national sovereignty, we need an extraordinary disclosure. The stakes are simply too high to take anyone’s word for it.
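    The article's point that registering look-alike domains is a generic phishing technique rather than a national signature is also why defenders flag such domains regardless of who is behind them. As an added example (not code from The Intercept article, the thread, or any firm named in it), this Python script classifies sender domains against a list of protected domains; all domain names are constructed, and the two-label "registrable domain" rule is a simplifying assumption that ignores public suffixes such as co.uk.

```python
"""Flag look-alike sender domains against a list of protected domains.
Added example for this thread, not code from The Intercept article or any
firm it names; every domain name below is constructed."""

# Single characters and letter pairs that attackers swap for look-alikes.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain):
    """Lower-case, drop a trailing dot and fold common homoglyphs."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    for pair, single in DIGRAPHS:
        d = d.replace(pair, single)
    return d


def registrable(domain):
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style
    suffixes are not handled correctly."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected, max_distance=2):
    """Return (verdict, matched protected domain or None).
    legitimate: is, or is under, a protected domain
    homoglyph:  equal to one only after folding look-alike characters
    embedded:   a protected name used as a subdomain of another registrant
    typosquat:  within max_distance edits of a protected name"""
    clean = domain.lower().rstrip(".")
    raw, labels = registrable(clean), clean.split(".")
    folded = registrable(normalize(clean))
    for p in protected:
        p = p.lower()
        target = registrable(normalize(p))
        if raw == p:
            return "legitimate", p
        if folded == target:
            return "homoglyph", p
        plabels = p.split(".")
        for i in range(len(labels) - len(plabels)):
            if labels[i:i + len(plabels)] == plabels:
                return "embedded", p
        if levenshtein(folded, target) <= max_distance:
            return "typosquat", p
    return "unrelated", None


def scan_senders(addresses, protected):
    """Classify the domain part of each sender address; anything other than
    'legitimate' or 'unrelated' is what a mail-gateway rule would flag."""
    return [(a,) + classify(a.rsplit("@", 1)[-1], protected) for a in addresses]


if __name__ == "__main__":
    PROTECTED = ["example.com"]                                   # constructed
    SAMPLE = ["alice@mail.example.com", "helpdesk@examp1e.com",   # constructed
              "it@exarnple.com", "accounts@exampel.com",
              "login@example.com.verify-now.net", "news@unrelated-site.org"]
    for addr, verdict, match in scan_senders(SAMPLE, PROTECTED):
        print(f"{verdict:10} {addr}" + (f"  (looks like {match})" if match else ""))
```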


  • Registered Users, Registered Users 2 Posts: 2,116 ✭✭✭ItHurtsWhenIP


    Graham wrote: »
    ...
    In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.

    I worked for a large MNC for a few years who had all the policies, procedures and practices in place that would tick every checkbox that an auditor would need. In most cases the implementation of such policies was demonstrable to an auditor, so everything was hunky dory.

    However I could see frickin HUGE gaps, that may not have been obvious to your average bear. For example, in the client meeting room, there was wifi provided for the clients. This was offered on a typical domestic ADSL type connection, which was completely air-gapped from the corporate LAN. There wasn't a corporate wifi solution at the time, but the meeting room came with Ethernet connections, which our staff was supposed to use. Of course the corporate LAN had all of the restrictions on what sites our staff could use, etc.

    What some geniuses that worked for us realised, was that they could not only connect wired to the LAN, but could also connect wirelessly to the UNSECURED wifi and access stuff they shouldn't do.

    I kept banging on about it, until they bit the bullet and put in a proper corporate wifi network, with a captive portal for clients. But there was a period of years that this large MNC, with the sooperest of policies, procedures and standards in the world, had some gobshite bridging the unsecured internet to the corporate LAN on his laptop, 'cause he wanted to access some mucky pics or something. :rolleyes:

    You can't make everything foolproof, because they keep making better fools. :D


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    You can't make everything foolproof, because they keep making better fools. :D

    Can't argue with that :D

    Security in general is a never ending arms race.


  • Registered Users, Registered Users 2 Posts: 2,116 ✭✭✭ItHurtsWhenIP


    Graham wrote: »
    Can't argue with that :D

    Security in general is a never ending arms race.

    And that is why I liked this Q&A ...
    ...
    Why do I work in InfoSec? It's a bit like hitting yourself with a hammer - it'll feel really good when I eventually stop.

    It is so very, very, <ouch>, very true <ouch> :D:D:D


  • Registered Users, Registered Users 2 Posts: 36,548 ✭✭✭✭Hotblack Desiato


    Impetus wrote: »
    Even if Kenny used a government server, I suspect that his email traffic to/from Ireland would be equally liable to Anglo-ransacking.

    The problem with emailing a third party is that you can't be sure what the third party does with it. If he uses a government account to email some randomer in Harare then it's exited the circle of trust ;) and the recipient, or whoever can see it at the Zimbabwean ISP, can do whatever they like with it. That's not the case for comms within irlgov or EU.

    Impetus wrote: »
    I suspect that one of their motivations for using a 'private email service' might have something to do with avoiding freedom of information requests (FoIA).

    Unlikely as any civil servants involved in such email conversations are subject to FOI and so these emails could be accessed from the 'other end' as it were.

    You forget that the taoiseach is not only a prime minister but the head of a political party (and a private citizen) and it would be inappropriate to use government systems for the latter two purposes.

    One place I worked they gave out iPod Nanos to everyone at the Christmas party and everyone started plugging their iPod into their computer to charge them. Then war broke out with InfoSec giving out to people for doing that and potentially spreading malware. So I suggested we install USB wall sockets and dot them around the office. Now everyone had somewhere to charge their phone or iPod with no risk of malware infection. End of drama.

    Yeah but not end of the risk (and in this case I'd be much more worried about data exfiltration than malware.) You need an endpoint policy which blocks unapproved and/or unencrypted USB storage devices. They'll still be able to charge :)
    Why do I work in InfoSec? It's a bit like hitting yourself with a hammer - it'll feel really good when I eventually stop.

    LOL. Tell you what, I empathise a lot more with the helldesk guys now than when I was working on goddamn Oracle. Some of the things people do truly boggle the mind, that includes a former senior IT staff member attempting to unblock an email flagged as "VIRUS" for three days in a row then raising a helpdesk call as to why it couldn't be unblocked. "SPAM" can be unblocked, if you really insist, but "VIRUS" can never be for obvious reasons.

    Impetus wrote: »
    One wonders if you read this article in Thursday's New York Times -

    The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

    The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

    http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0

    You may be conflating a political party with the government. They're not the same thing. A party is more akin to a non-profit organisation than a commercial body or an arm of government. Most of them are run on a shoestring and rely heavily on volunteer labour including in their IT efforts. There may or may not be a lot of money running through these organisations, but it's spent on campaigning and advertising, admin (and therefore IT sec) is seen as a waste.

    Of course we now know that political parties probably should consider their infosec requirements as akin to a government rather than a non-profit, at least if they want to win...

    There's a real risk though that party political appointees will, in government office, continue to use the same half-assed systems and processes they used when they were only a party hack.

    In Cavan there was a great fire / Judge McCarthy was sent to inquire / It would be a shame / If the nuns were to blame / So it had to be caused by a wire.



  • Registered Users, Registered Users 2 Posts: 36,548 ✭✭✭✭Hotblack Desiato


    Just to add - it was common knowledge in the 80s that all comms exiting Ireland were subject to GCHQ interception and this was later proven. So the neutral uninformed observer would conclude it would be reasonable to infer that countermeasures have been in place for quite some time.

    https://en.wikipedia.org/wiki/Capenhurst#Capenhurst_tower

    I'll just tap the side of my nose twice now, you ain't seen me, right...

    In Cavan there was a great fire / Judge McCarthy was sent to inquire / It would be a shame / If the nuns were to blame / So it had to be caused by a wire.


