Taoiseach using private email servers - a la Hilary Clinton

Impetus

Graham wrote: »

Correct



Most (if not all) government departments can facilitate the digital transfer of very heavily encrypted files of almost any size without resorting to physical media, out of country networks or public IP transit.

Without getting into specific technologies used anywhere; there are commercially available mail proxies/gateways/web proxies to facilitate the content scanning of inbound/outbound mail/attachments and files. One of the functions of this software is to prevent the accidental or deliberate transfer of sensitive/commercial data.

Similarly, there are commercial products that can appropriately restrict the transfer of such data onto physical media.

While I accept all that, my primary point is that gov.ie email, while it may be 'secure' within Ireland, leaves the country un-encrypted, aside perhaps from Irish government offices in other parts of the world. The intelligent observer who has full content access to "drivel" (emails that have not been deliberately encrypted for whatever reason) can often put two and two together and derive almost as much knowledge of an event or situation as might be heavily encrypted in a deliberately made secure communication.

Impetus

Graham wrote: »

There are exemptions from FOI access requests that would render the above largely unnecessary. I suspect that's one of the reasons 'journalists' on an FOI fishing exercise largely restrict their requests to expenses.

I have no doubt that the public service has devised numerous tactics, legal and otherwise, to bypass FoIA requests.

I still suspect it (FoI disclosure risk - ie reading his/her email in a newspaper report) is in the back of the mind of every politician and senior civil servant before they send an email on the "corporate network". If not, perhaps it should be - or else there is no effective FoIA in place.

Impetus

Graham wrote: »

Obviously I've no idea what sort of companies you're referring to.

In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.

I think you are being a bit naive. Look at all the hacking attempts that reach the media attention. How many hacks are swept under the carpet? :-)

Graham

Impetus wrote: »

I have no doubt that the public service has devised numerous tactics, legal and otherwise, to bypass FoIA requests.

I still suspect it (FoI disclosure risk - ie reading his/her email in a newspaper report) is in the back of the mind of every politician and senior civil servant before they send an email on the "corporate network". If not, perhaps it should be - or else there is no effective FoIA in place.

Impetus wrote: »

I think you are being a bit naive. Look at all the hacking attempts that reach the media attention. How many hacks are swept under the carpet? :-)

Unfortunately there are not yet any commercial InfoSec products to protect an organisation from 3rd party conspiracy theories, suppositions or suspicions. Should I discover one, you'll be the first to know

Impetus

Graham wrote: »

Unfortunately there are not yet any commercial InfoSec products to protect an organisation from 3rd party conspiracy theories, suppositions or suspicions. Should I discover one, you'll be the first to know

One wonders if you read this article in Thursday's New York Times -

The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0

Graham

Impetus wrote: »

One wonders if you read this article in Thursday's New York Times -

The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0

Are you suggesting the Russians are reading Enda Kenny's non-encrypted emails and somehow piecing something relevant?

rolion

Impetus wrote: »

One wonders if you read this article in Thursday's New York Times -

The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0

Hi,

I carefully choose what sources i read.
As im a techie,i am more interested in Mr Robots type of scenarios rather than some high stakes political games !

I will forward this article here, more techie explanation than some other sources.Of course,we know that, no one is right or wrong until proved !

Regards



____________


Illustration: Soohee Cho for The Intercept
Here’s the Public Evidence Russia Hacked the DNC – It’s Not Enough
Sam Biddle
Sam Biddle

December 14 2016, 4:30 p.m.
Illustration: Soohee Cho for The Intercept

There are some good reasons to believe Russians had something to do with the breaches into email accounts belonging to members of the Democratic party, which proved varyingly embarrassing or disruptive for Hillary Clinton’s presidential campaign. But “good” doesn’t necessarily mean good enough to indict Russia’s head of state for sabotaging our democracy.

There’s a lot of evidence from the attack on the table, mostly detailing how the hack was perpetrated, and possibly the language of the perpetrators. It certainly remains plausible that Russians hacked the DNC, and remains possible that Russia itself ordered it. But the refrain of Russian attribution has been repeated so regularly and so emphatically that it’s become easy to forget that no one has ever truly proven the claim. There is strong evidence indicating that Democratic email accounts were breached via phishing messages, and that specific malware was spread across DNC computers. There’s even evidence that the attackers are the same group that’s been spotted attacking other targets in the past. But again: No one has actually proven that group is the Russian government (or works for it). This remains the enormous inductive leap that’s not been reckoned with, and Americans deserve better.

We should also bear in mind that private security firm CrowdStrike’s frequently cited findings of Russian responsibility were essentially paid for by the DNC, who contracted their services in June. It’s highly unusual for evidence of a crime to be assembled on the victim’s dime. If we’re going to blame the Russian government for disrupting our presidential election — easily construed as an act of war — we need to be damn sure of every single shred of evidence. Guesswork and assumption could be disastrous.

The gist of the Case Against Russia goes like this: The person or people who infiltrated the DNC’s email system and the account of John Podesta left behind clues of varying technical specificity indicating they have some connection to Russia, or at least speak Russian. Guccifer 2.0, the entity that originally distributed hacked materials from the Democratic party, is a deeply suspicious figure who has made statements and decisions that indicate some Russian connection. The website DCLeaks, which began publishing a great number of DNC emails, has some apparent ties to Guccifer and possibly Russia. And then there’s Wikileaks, which after a long, sad slide into paranoia, conspiracy theorizing, and general internet toxicity, has made no attempt to mask its affection for Vladimir Putin and its crazed contempt for Hillary Clinton. (Julian Assange has been stuck indoors for a very, very long time.) If you look at all of this and sort of squint, it looks quite strong indeed, an insurmountable heap of circumstantial evidence too great in volume to dismiss as just circumstantial or mere coincidence.

But look more closely at the above and you can’t help but notice all of the qualifying words: Possibly, appears, connects, indicates. It’s impossible (or at least dishonest) to present the evidence for Russian responsibility for hacking the Democrats without using language like this. The question, then, is this: Do we want to make major foreign policy decisions with a belligerent nuclear power based on suggestions alone, no matter how strong?
What We Know

So far, all of the evidence pointing to Russia’s involvement in the Democratic hacks (DNC, DCCC, Podesta, et al.) comes from either private security firms (like CrowdStrike or FireEye) who sell cyber-defense services to other companies, or independent researchers, some with university affiliations and serious credentials, and some who are basically just Guys on Twitter. Although some of these private firms groups had proprietary access to DNC computers or files from them, much of the evidence has been drawn from publicly available data like the hacked emails and documents.

Some of the malware found on DNC computers is believed to be the same as that used by two hacking groups believed to be Russian intelligence units, codenamed APT (Advanced Persistent Threat) 28/Fancy Bear and APT 29/Cozy Bear by industry researchers who track them.

The attacker or attackers registered a deliberately misspelled domain name used for email phishing attacks against DNC employees, connected to an IP address associated with APT 28/Fancy Bear.
Malware found on the DNC computers was programmed to communicate with an IP address associated with APT 28/Fancy Bear.
Metadata in a file leaked by “Guccifer 2.0″ shows it was modified by a user called, in cyrillic, “Felix Edmundovich,” a reference to the founder of a Soviet-era secret police force. Another document contained cyrillic metadata indicating it had been edited on a document with Russian language settings.
Peculiarities in a conversation with “Guccifer 2.0″ that Motherboard published in June suggests he is not Romanian, as he originally claimed.
The DCLeaks.com domain was registered by a person using the same email service as the person who registered a misspelled domain used to send phishing emails to DNC employees.
Some of the phishing emails were sent using Yandex, a Moscow-based webmail provider.
A bit.ly link believed to have been used by APT 28/Fancy Bear in the past was also used against Podesta.

Why That Isn’t Enough

Viewed as a whole, the above evidence looks strong, and maybe even damning. But view each piece on its own, and it’s hard to feel impressed.

For one, a lot of the so-called evidence above is no such thing. CrowdStrike, whose claims of Russian responsibility are perhaps most influential throughout the media, says APT 28/Fancy Bear “is known for its technique of registering domains that closely resemble domains of legitimate organizations they plan to target.” But this isn’t a Russian technique any more than using a computer is a Russian technique — misspelled domains are a cornerstone of phishing attacks all over the world. Is Yandex — the Russian equivalent of Google — some sort of giveaway? Anyone who claimed a hacker must be a CIA agent because they used a Gmail account would be laughed off the internet. We must also acknowledge that just because Guccifer 2.0 pretended to be Romanian, we can’t conclude he works for the Russian government — it just makes him a liar.

Next, consider the fact that CrowdStrike describes APT 28 and 29 like this:

Their tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced methods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft – both groups were constantly going back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels and perform other tasks to try to stay ahead of being detected.

Compare that description to CrowdStrike’s claim it was able to finger APT 28 and 29, described above as digital spies par excellence, because they were so incredibly sloppy. Would a group whose “tradecraft is superb” with “operational security second to none” really leave behind the name of a Soviet spy chief imprinted on a document it sent to American journalists? Would these groups really be dumb enough to leave cyrillic comments on these documents? Would these groups that “constantly [go] back into the environment to change out their implants, modify persistent methods, move to new Command & Control channels” get caught because they precisely didn’t make sure not to use IP addresses they’d been associated before? It’s very hard to buy the argument that the Democrats were hacked by one of the most sophisticated, diabolical foreign intelligence services in history, and that we know this because they screwed up over and over again.

But how do we even know these oddly named groups are Russian? CrowdStrike co-founder Dmitri Alperovitch himself describes APT 28 as a “Russian-based threat actor” whose modus operandi “closely mirrors the strategic interests of the Russian government” and “may indicate affiliation [Russia’s] Main Intelligence Department or GRU, Russia’s premier military intelligence service.” Security firm SecureWorks issued a report blaming Russia with “moderate confidence.” What constitutes moderate confidence? SecureWorks said it adopted the “grading system published by the U.S. Office of the Director of National Intelligence to indicate confidence in their assessments. … Moderate confidence generally means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.” All of this amounts to a very educated guess, at best.

Even the claim that APT 28/Fancy Bear itself is a group working for the Kremlin is speculative, a fact that’s been completely erased from this year’s discourse. In its 2014 reveal of the group, the high-profile security firm FireEye couldn’t even blame Russia without a question mark in the headline: “APT28: A Window into Russia’s Cyber Espionage Operations?” The blog post itself is remarkably similar to arguments about the DNC hack: Technical but still largely speculative, presenting evidence the company “[believes] indicate a government sponsor based in Moscow.” Believe! Indicate! We should know already this is no smoking gun. FireEye’s argument that the malware used by APT 28 is connected to the Russian government is based on the belief that its “developers are Russian language speakers operating during business hours that are consistent with the time zone of Russia’s major cities.”

As security researcher Jeffrey Carr pointed out in June, FireEye’s 2014 report on APT 28 is questionable from the start:

To my surprise, the report’s authors declared that they deliberately excluded evidence that didn’t support their judgment that the Russian government was responsible for APT28’s activities:

“APT28 has targeted a variety of organizations that fall outside of the three themes we highlighted above. However, we are not profiling all of APT28’s targets with the same detail because they are not particularly indicative of a specific sponsor’s interests.” (emphasis added)

That is the very definition of confirmation bias. Had FireEye published a detailed picture of APT28’s activities including all of their known targets, other theories regarding this group could have emerged; for example, that the malware developers and the operators of that malware were not the same or even necessarily affiliated.

The notion that APT 28 has a narrow focus on American political targets is undermined in another SecureWorks paper, which shows that the hackers have a wide variety of interests: 10 percent of their targets are NGOs, 22 percent are journalists, 4 percent are aerospace researchers, and 8 percent are “government supply chain.” SecureWorks says that only 8 percent of APT 28/Fancy Bear’s targets are “government personnel” of any nationality — hardly the focused agenda described by CrowdStrike.

Truly, the argument that “Guccifer 2.0″ is a Kremlin agent or that GRU breached John Podesta’s email only works if you presume that APT 28/Fancy Bear is a unit of the Russian government, a fact that has never been proven beyond any reasonable doubt. According to Carr, “it’s an old assumption going back years to when any attack against a non-financial target was attributed to a state actor.” Without that premise, all we can truly conclude is that some email accounts at the DNC et al. appear to have been broken into by someone, and perhaps they speak Russian. Left ignored is the mammoth difference between Russians and Russia.

Security researcher Claudio Guarnieri put it this way:

[Private security firms] can’t produce anything conclusive. What they produce is speculative attribution that is pretty common to make in the threat research field. I do that same speculative attribution myself, but it is just circumstantial. At the very best it can only prove that the actor that perpetrated the attack is very likely located in Russia. As for government involvement, it can only speculate that it is plausible because of context and political motivations, as well as technical connections with previous (or following attacks) that appear to be perpetrated by the same group and that corroborate the analysis that it is a Russian state-sponsored actor (for example, hacking of institutions of other countries Russia has some geopolitical interests in).

Finally, one can’t be reminded enough that all of this evidence comes from private companies with a direct financial interest in making the internet seem as scary as possible, just as Lysol depends on making you believe your kitchen is crawling with E. Coli.
What Does the Government Know?

In October, the Department of Homeland Security and the Office of the Director of National Intelligence released a joint statement blaming the Russian government for hacking the DNC. In it, they state their attribution plainly:

The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.

What’s missing is any evidence at all. If this federal confidence is based on evidence that’s being withheld from the public for any reason, that’s one thing — secrecy is their game. But if the U.S. Intelligence Community is asking the American electorate to believe them, to accept as true their claim that our most important civic institution was compromised by a longtime geopolitical nemesis, we need them to show us why.

The same goes for the CIA, which is now squaring off directly against Trump, claiming (through leaks to the Washington Post and New York Times) that the Russian government conducted the hacks for the express purpose of helping defeat Clinton. Days later, Senator John McCain agreed with the assessment, deeming it “another form of warfare.” Again, it’s completely possible (and probable, really) that the CIA possesses hard evidence that could establish Russian attribution — it’s their job to have such evidence, and often to keep it secret.

But what we’re presented with isn’t just the idea that these hacks happened, and that someone is responsible, and, well, I guess it’s just a shame. Our lawmakers and intelligence agencies are asking us to react to an attack that is almost military in nature — this is, we’re being told, “warfare.” When a foreign government conducts (or supports) an act of warfare against another country, it’s entirely possible that there will be an equal response. What we’re looking at now is the distinct possibility that the United States will consider military retaliation (digital or otherwise) against Russia, based on nothing but private sector consultants and secret intelligence agency notes. If you care about the country enough to be angry at the prospect of election-meddling, you should be terrified of the prospect of military tensions with Russia based on hidden evidence. You need not look too far back in recent history to find an example of when wrongly blaming a foreign government for sponsoring an attack on the U.S. has tremendously backfired.
We Need the Real Evidence, Right Now

It must be stated plainly: The U.S. intelligence community must make its evidence against Russia public if they want us to believe their claims. The integrity of our presidential elections is vital to the country’s survival; blind trust in the CIA is not. A governmental disclosure like this is also not entirely without precedent: In 2014, the Department of Justice produced a 56-page indictment detailing their exact evidence against a team of Chinese hackers working for the People’s Liberation Army, accused of stealing American trade secrets; each member was accused by name. The 2014 trade secret theft was a crime of much lower magnitude than election meddling, but what the DOJ furnished is what we should demand today from our country’s spies.

If the CIA does show its hand, we should demand to see the evidence that matters (which, according to Edward Snowden, the government probably has, if it exists). I asked Jeffrey Carr what he would consider undeniable evidence of Russian governmental involvement: “Captured communications between a Russian government employee and the hackers,” adding that attribution “should solely be handled by government agencies because they have the legal authorization to do what it takes to get hard evidence.”

Claudio Guarnieri concurred:

All in all, technical circumstantial attribution is acceptable only so far as it is to explain an attack. It most definitely isn’t for the political repercussions that we’re observing now. For that, only documental evidence that is verifiable or intercepts of Russian officials would be convincing enough, I suspect.

Given that the U.S. routinely attempts to intercept the communications of heads of state around the world, it’s not impossible that the CIA or the NSA has exactly this kind of proof. Granted, these intelligence agencies will be loath to reveal any evidence that could compromise the method they used to gather it. But in times of extraordinary risk, with two enormous military powers placed in direct conflict over national sovereignty, we need an extraordinary disclosure. The stakes are simply too high to take anyone’s word for it.

ItHurtsWhenIP

Graham wrote: »

...
In recent times I can't think of a single blue chip, financial institution, government department, MNC (of any maturity) that hasn't had stringent security in place. It's usually driven by best practice, corporate governance, legislation and self-preservation.

I worked for a large MNC for a few years who had all the policies, procedures and practices in place that would tick every checkbox that an auditor would need. In most cases the implementation of such policies was demonstrable to and auditor, so everything was hunky dory.

However I could see frickin HUGE gaps, that may not have been obvious to your average bear. For example, in the client meeting room, there was wifi provided for the clients. This was offered on a typical domestic ADSL type connection, which was completely air-gapped from the corporate LAN. There wasn't a corporate wifi solution at the time, but the meeting room came with Ethernet connections, which our staff was supposed to use. Of course the corporate LAN had all of the restrictions on what sites our staff could use, etc.

What some geniuses that worked for us realised, was that they could not only connect wired to the LAN, but could also connect wirelessly to the UNSECURED wifi and access stuff they shouldn't do.

I kept banging on about it, until they bit the bullet and put in a proper corporate wifi network, with a captive portal for clients. But there were a period of years that this large MNC, with the sooperest of policies, procedures and standards in the world, had some gobshine bridging the unsecured internet to the corporate LAN on his laptop, cause he wanted to access some mucky pics or something. :rolleyes:

You can't make everything foolproof, because they keep making better fools.

Graham

ItHurtsWhenIP wrote: »

You can't make everything foolproof, because they keep making better fools.

Can't argue with that

Security in general is a never ending arms race.

ItHurtsWhenIP

Graham wrote: »

Can't argue with that

Security in general is a never ending arms race.

And that is why I liked this Q&A ...

Deleted User wrote: »

...
Why do I work in InfoSec? Its a bit like hitting yourself with a hammer - it'll feel really good when I eventually stop.

It is so very, very, <ouch>, very true <ouch> :D:D

Hotblack Desiato

Impetus wrote: »

Even if Kenny used a government server, I suspect that his email traffic to/from Ireland would be equally liable to Anglo-ransacking.

The problem with emailing a third party is that you can't be sure what the third party does with it. If he uses a government account to email some randomer in Harare then it's exited the circle of trust and the recipient, or whoever can see it in Zimbabwe ISP, can do whatever they like with it. That's not the case for comms within irlgov or EU.

Impetus wrote: »

I suspect that one of their motivations for using a 'private email service' might have something to do with avoiding freedom of information requests (FoIA).

Unlikely as any civil servants involved in such email conversations are subject to FOI and so these emails could be accessed from the 'other end' as it were.

You forget that the taoiseach is not only a prime minister but the head of a political party (and a private citizen) and it would be inappropriate to use government systems for the latter two purposes.

Deleted User wrote: »

One place I worked they gave out iPod Nanos to everyone at the Christmas party and everyone started plugging their iPod into their computer to charge them. Then war broke out with InfoSec giving out to people for doing that and potentially spreading malware. So I suggested we install USB wall sockets and dot them around the office. Now everyone had somewhere to charge their phone or iPod with no risk of malware infection. End of drama.

Yeah but not end of the risk (and in this case I'd be much more worried about data exfiltration than malware.) You need an endpoint policy which blocks unapproved and/or unencrypted USB storage devices. They'll still be able to charge

Why do I work in InfoSec? Its a bit like hitting yourself with a hammer - it'll feel really good when I eventually stop.

LOL. Tell you what, I emphasise a lot more with the helldesk guys now than when I was working on goddamn Oracle. Some of the things people do truly boggle the mind, that includes a former senior IT staff member attempting to unblock an email flagged as "VIRUS" for three days in a row then raising a helpdesk call as to why it couldn't be unblocked. "SPAM" can be unblocked, if you really insist, but "VIRUS" can never be for obvious reasons.

Impetus wrote: »

One wonders if you read this article in Thursday's New York Times -

The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

The Russians invaded the Democratic party IT systems, and started posting party-confidential stuff on Wikileaks - among other things. One wonders what skeletons gov.ie wouldn't like to see on Wikileaks and similar?

http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0

You may be conflating a political party with the government. They're not the same thing. A party is more akin to a non-profit organisation than a commercial body or an arm of government. Most of them are run on a shoestring and rely heavily on volunteer labour including in their IT efforts. There may or may not be a lot of money running through these organisations, but it's spent on campaigning and advertising, admin (and therefore IT sec) is seen as a waste.

Of course we now know that political parties probably should consider their infosec requrements as akin to a government rather than a non-profit, at least if they want to win...

There's a real risk though that party political appointees will, in government office, continue to use the same half-assed systems and processes they used when they were only a party hack.

Hotblack Desiato

Just to add - it was common knowledge in the 80s that all comms exiting Ireland were subject to GCHQ interception and this was later proven. So the neutral uninformed observer would conclude it would be reasonable to infer that countermeasures have been in place for quite some time

https://en.wikipedia.org/wiki/Capenhurst#Capenhurst_tower

I'll just tap the side of my nose twice now, you ain't seen me, right...