GUMBO
How the U.S. Hobbled Its Hacking Case Against Russia and Enabled Truthers
There’s a ton of evidence tying Moscow to the DNC hack. Somehow, Washington managed to screw up its presentation of that evidence.
Kevin Poulsen
Contributing Editor
The Daily Beast,
Updated 04.11.17 4:11PM ET / Published 01.06.17 1:15AM ET
https://www.thedailybeast.com/how-the-us-hobbled-its-hacking-case-against-russia-and-enabled-truthers
The Department of Homeland Security and the FBI released a technical exposé of Russia’s hacking that industry experts are slamming as worse than useless—so jumbled that it potentially harms cybersecurity, so aimless that it muddies the clear public evidence that Russia hacked the Democratic Party to affect the election, and so wrong it enables the Trump-friendly conspiracy theorists trying to explain away that evidence.
“At every level this report is a failure,” says security researcher Robert M. Lee. “It didn’t do what it set out to do, and it didn’t provide useful data. They’re handing out bad information to the industry when good information exists.” At issue is the “Joint Analyses Report” released by DHS last Thursday as part of the Obama administration’s long-awaited response to Russia’s election hacking. The 13-page document was widely expected to lay out the government’s evidence that Russia was behind the intrusions into the Democratic National Committee’s private network, and a separate attack that exposed years of the private email belonging to Hillary Clinton campaign chair John Podesta.
Instead, the report is a gumbo of earnest security advice mixed with random information from a broad range of hacking activity. One piece of well-known malware used by criminal hackers, the PAS webshell, is singled out for special attention, while the sophisticated Russian “SeaDuke” code used in the DNC hack barely rates a mention. A full page of the report is dedicated to listing names that computer security companies have assigned to Russian malware and hacking groups over the years, information that nobody is asking for.
Rather than focusing on the Russian intelligence services, the U.S. seemingly opted to gather all Russia-sourced hacking under a single rubric, code named “Grizzly Steppe,” putting everything from online bank heists to identity theft in the same bucket as the Kremlin-linked intrusions into the White House, State Department, and the DNC.
Though the written report is confusing, it’s the raw data released along with it that truly exasperates security professionals. The department released 876 internet IP addresses it says are linked to Grizzly Steppe hacking, and urged network administrators everywhere to add the list to their network monitoring.
Lists of IP addresses used by hackers can be useful “indicators of compromise” in network security—admins can check the list against access logs, or program an intrusion detection system to sound the alarm when it sees traffic from a suspect address. But that assumes that the list is good: carefully culled, and surrounded with enough context that administrators know what to do when they get a hit.
The DHS list is none of these things, as Lee, founder of the cybersecurity firm Dragos, discovered when he ran the list against a stored cache of known clean traffic his company keeps around for testing. The results stunned him. “We had thousands of hits,” he says. “We had an extraordinary high amount of false positives on this dataset… Six of them were Yahoo e-mail servers.”
It turns out that some, perhaps most, of the watchlisted addresses have a decidedly weak connection to the Kremlin, if any. In addition to the Yahoo servers, about 44 percent of the addresses are exit nodes in the Tor anonymity network, The Intercept’s Micah Lee reported Wednesday. Tor is free software used primarily for anonymous web browsing. Russian hackers use Tor, but so do plenty of other people.
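The checks the article describes, matching an indicator list against access logs and then testing that list against known-clean traffic before trusting it, look like this in practice. This is an added example, not code from the article, from DHS or from Dragos. Every IP address is constructed from the RFC 5737 documentation ranges, and the Tor exit list and the "known clean" baseline are constructed stand-ins for the real data an analyst would pull from the Tor Project's published exit list and from their own traffic captures.

```python
"""Triage an IP indicator list before it goes on a watchlist.

Added example (not the article's or Dragos's code). All IPs are constructed
from RFC 5737 documentation ranges; TOR_EXITS and KNOWN_CLEAN are constructed
stand-ins for the Tor Project's exit list and an analyst's own clean-traffic cache.
"""
import ipaddress
import re
from collections import Counter

# Constructed indicator list: a flat list of "bad" IPs with no context,
# the shape of what the article says administrators were handed.
INDICATORS = [
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.5",
    "198.51.100.6",
    "203.0.113.77",
]

# Constructed stand-in for the Tor exit-node list.
TOR_EXITS = {"198.51.100.5", "198.51.100.6"}

# Constructed stand-in for a cache of known-clean traffic: sources seen
# during a period with no incident, annotated with what they are.
KNOWN_CLEAN = {
    "192.0.2.11": "mail relay (constructed)",
    "203.0.113.77": "CDN edge (constructed)",
}

# Constructed Apache/nginx-style access log lines.
ACCESS_LOG = """\
192.0.2.10 - - [30/Dec/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.4 - - [30/Dec/2016:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.5 - - [30/Dec/2016:10:02:17 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.11 - - [30/Dec/2016:10:03:40 +0000] "POST /contact HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_log(text):
    """Yield (ip, timestamp, request) from access-log text; skip lines that do not parse."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts"), m.group("req")


def validate_indicators(indicators):
    """Keep only syntactically valid IPs so a malformed entry cannot silently match nothing."""
    good = []
    for raw in indicators:
        try:
            good.append(str(ipaddress.ip_address(raw.strip())))
        except ValueError:
            pass
    return good


def triage(indicators, tor_exits, known_clean):
    """Label each indicator with the context an admin needs before acting on a hit."""
    labels = {}
    for ip in indicators:
        if ip in tor_exits:
            labels[ip] = "tor-exit"
        elif ip in known_clean:
            labels[ip] = "seen-in-clean-traffic: " + known_clean[ip]
        else:
            labels[ip] = "uncontextualized"
    return labels


def match_log(log_text, indicators, labels):
    """Return (ip, ts, request, label) for every log line whose source IP is on the list."""
    wanted = set(indicators)
    return [(ip, ts, req, labels[ip]) for ip, ts, req in parse_log(log_text) if ip in wanted]


def hit_summary(hits):
    """Count hits per triage category to show how much alert volume would be noise."""
    return Counter(label.split(":")[0] for _, _, _, label in hits)


if __name__ == "__main__":
    inds = validate_indicators(INDICATORS)
    labels = triage(inds, TOR_EXITS, KNOWN_CLEAN)
    hits = match_log(ACCESS_LOG, inds, labels)
    for hit in hits:
        print(hit)
    print(dict(hit_summary(hits)))
```

Running the indicator list through `triage` before wiring it into log matching is the step the article says was missing: on the constructed data, two of the three hits are a Tor exit and a known mail relay, and only one is a bare indicator with no context, which is the kind of ratio an analyst wants to see before deciding whether the list belongs in an intrusion detection system at all.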
moar at the link