The FBI was forced to rely on CrowdStrike's word for what happened to DNC computers and DNC emails, even though CrowdStrike had knowingly allowed hackers to remain on DNC computers for over a month:
1/10/17, "Comey: DNC denied FBI's requests for access to hacked servers," The Hill, Katie Bo Williams
"The bureau made "multiple requests at different levels,” according to Comey....
“We’d always prefer to have access hands-on ourselves if that’s possible,” Comey said, noting that he didn’t know why the DNC rebuffed the FBI’s request....
[A senior law enforcement official said], “This left the FBI no choice but to rely upon a third party for information. These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”"...
....................
Four key dates, April through June 2016, involving CrowdStrike and DNC computers: April 29, May 5, May 21, and June 10. Sources: Daily Mail (4/5/17) and Washington Post (6/14/2016):
April 29, 2016: Conclusion of CrowdStrike's five-week investigation into whether Bernie Sanders campaign staffers had breached DNC computers: "According to internal emails, CrowdStrike was already working for the DNC to investigate whether Bernie Sanders campaign staffers had gained unauthorized access to its voter database. That five-week investigation appeared to have wrapped up on April 29, 2016." Daily Mail, 4/5/17. (Comment: During the Sanders investigation, why didn't CrowdStrike remove malware that had been on DNC computers since 2015?)
....................
May 5, 2016: CrowdStrike was called back to the DNC for a malware job and hooked up monitoring software to the DNC system on May 5, 2016. During that May 5 hookup, CrowdStrike says it noticed malware right away (it "lit up"). But no mention is made of actually removing the malware: "Alperovitch said the company hooked up monitoring software to the DNC system on May 5, 2016 and it 'lit up,' indicating a breach."... (A few days earlier, on April 29, 2016, CrowdStrike had concluded a five-week job for the DNC investigating whether the Bernie Sanders campaign had gained unauthorized access to its computers.) Daily Mail, 4/5/17
...................
May 21, 2016: "DNC Chair Debbie Wasserman Schultz, wrote in one May 21 email that Bernie Sanders would 'never be president.'"
This May 21 email smearing Bernie Sanders was among those eventually made public:
"The vast majority of the email theft appears to have occurred during" the time CrowdStrike was monitoring malware activity on DNC computers (May 5-June 10, 2016). CrowdStrike "monitored the hackers as they pilfered emails and research files," for five weeks watched DNC emails walk out the door, and WOULD NOT REMOVE THE MALWARE until June 10, 2016. Daily Mail, 4/5/17
..........................
June 10, 2016: "Over a month passed before CrowdStrike finally booted the hackers out of the system on June 10, 2016." Between May 5 and June 10, 2016, CrowdStrike said "it built an entirely new computer and phone system for the DNC and monitored the hackers as they pilfered emails and research files."... Daily Mail, 4/5/17
Second source: 6/14/16, the Washington Post also reports that DNC malware wasn't removed until the second weekend in June ("over the past weekend"), in a "major computer cleanup campaign":
June 14, 2016, "Some of the hackers had access to the DNC network for about a year, but all were expelled over the past weekend in a major computer cleanup campaign, the committee officials and experts said." Washington Post (June 10, 2016 was a Friday)
The Washington Post confirms that CrowdStrike quickly ("within 24 hours") installed software on DNC computers to analyze data. But CrowdStrike didn't begin removing the malware "within 24 hours"; instead it waited until the second weekend in June (as stated above):
"Within 24 hours, CrowdStrike had installed software on the DNC’s computers so that it could analyze data that could indicate who had gained access, when and how."
From Washington Post, 6/14/2016:
The DNC says it acted "immediately" and "as quickly as possible to kick out the intruders."
They waited six weeks "to kick out the intruders" (late April 2016 to the second weekend in June 2016).
"DNC leaders were tipped to the hack in late April (2016)."...
"DNC leadership acted quickly after the intrusion’s discovery to contain the damage."...
Rep. Debbie Wasserman Schultz (Fla.), DNC chairwoman:
"When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network."... [The "intruders" weren't "kicked out" until six weeks after the DNC learned they were there: it knew they were there in late April 2016, and they weren't removed until the second weekend in June 2016.]
.........................
Link to Washington Post article:
6/14/2016, "Russian government hackers penetrated DNC, stole opposition research on Trump," Washington Post, Ellen Nakashima
............................
Link to Daily Mail article:
4/5/17, "Exclusive: Cybersecurity experts who were first to conclude that Putin hacked presidential election ABANDON some of their claims against Russia - and refuse to co-operate with Congress," Daily Mail, Alana Goodman
............................
Added: All US "intelligence community" reports and all global media coverage of the alleged DNC email-Russia event are based on the opinion of a single source, CrowdStrike. "Not even the FBI has been granted access" to DNC computers. This despite the fact that CrowdStrike knowingly allowed hackers to remain on DNC computers for over a month, as noted above. CrowdStrike should have no voice whatsoever in this matter:
"Not even the FBI has been granted access to the (DNC) servers. U.S. agencies have instead relied on CrowdStrike's work. There is no other known forensic evidence which has been publicly disclosed to link the Kremlin to the attacks, including in a series of intelligence community statements and reports."
Daily Mail, 4/5/17
.......................
Added: "Democrats Ignored Cybersecurity Warnings Before Theft." Bloomberg reported in July 2016 that the FBI was investigating the DNC email theft, but the FBI was denied access to DNC computers and was forced to rely entirely on CrowdStrike's opinion: "The bureau made "multiple requests at different levels,” according to Comey."...
"The Federal Bureau of Investigation is examining the attack, which law enforcement officials and private security experts say may be linked to the Russian government."...
7/27/2016, "Democrats Ignored Cybersecurity Warnings Before Theft," Bloomberg, Michael Riley
"The Democratic National Committee was warned last fall (2015) that its computer network was susceptible to attacks but didn’t follow the security advice it was given, according to three people familiar with the matter.
The missed opportunity is another blow to party officials already embarrassed by the theft and public disclosure of e-mails that have disrupted their presidential nominating convention in Philadelphia and led their chairwoman to resign.
Computer security consultants hired by the DNC made dozens of recommendations after a two-month review, the people said. Following the advice, which would typically include having specialists hunt for intruders on the network, might have alerted party officials that hackers had been lurking in their network for weeks -- hackers who would stay for nearly a year.
Instead, officials didn’t discover the breach until April (2016). The theft ultimately led to the release of almost 20,000 internal e-mails through WikiLeaks last week on the eve of the convention.
The e-mails have devastated party leaders. Representative Debbie Wasserman Schultz, the DNC chairwoman, has agreed to resign at the end of this week’s convention. She was booed off the stage on opening day after the leaked e-mails showed that party officials tried to undermine the presidential campaign of Senator Bernie Sanders in favor of Hillary Clinton, who was formally nominated on Tuesday evening. Party officials are supposed to remain neutral on presidential nominations.
The Federal Bureau of Investigation is examining the attack, which law enforcement officials and private security experts say may be linked to the Russian government. President Barack Obama suggested on Tuesday that Russia might be trying to interfere with the presidential race. Russian officials deny any involvement in the hacking and say they’re not trying to influence the election....
The consultants briefed senior DNC leaders on the security problems they found, the people familiar with the matter said. It’s unclear whether Wasserman Schultz was present. Now, she is likely to face criticism over not only the content of the e-mails -- including one in which a party official proposes pushing stories in the news media questioning Sanders’s Jewish faith -- but also the failure to take steps to stop the theft in the first place.
“Shame on them. It looks like they just did the review to check a box but didn’t do anything with it,” said Ann Barron-DiCamillo, who was director of US-Cert, the primary agency protecting U.S. government networks, until last February. “If they had acted last fall, instead of those thousands of e-mails exposed it might have been much less.”
The assessment by Good Harbor Security Risk Management, headed by the former Clinton and Bush administration official Richard Clarke, occurred over two months beginning in September 2015, the people said. It included interviews with key staff members and a detailed review of the security measures in place on the organization’s network, they said.
The review found problems ranging from an out-of-date firewall to a lack of advanced malware detection technology on individual computers, according to two of the people familiar with the matter.
The firm recommended taking special precautions to protect any financial information related to donors and internal communications including e-mails, these people said.
The DNC paid $60,000 for the assessment, according to federal filings.
Mark Paustenbach, a spokesman for the DNC, declined to comment on the Good Harbor report. Emilian Papadopoulos, president of Washington-based Good Harbor, said he couldn’t comment on work done for a specific client.
Missed Warnings
The security review commissioned by the DNC was perhaps the most detailed of a series of missed warnings. Officials at both the Republican National Committee and the DNC received government briefings on espionage and hacking threats beginning last year, and then received a more specific briefing this spring, according to another person familiar with the matter.
Cyber-security assessments can be a mixed blessing. Legal experts say some general counsels advise organizations against doing such assessments if they don’t have the ability to quickly fix any problems the auditors find, because customers and shareholders could have cause to sue if an organization knowingly disregards such warnings.
Papadopoulos said a risk analysis by his firm is designed to “help an organization’s senior leadership answer the questions, ‘What are our unique and most significant cyber security risks, how are we doing managing them, and what should we improve?’”
The firm typically recommends that clients conduct a so-called breach assessment to determine whether hackers are already lurking in the network, Papadopoulos said. He wouldn’t confirm whether such a recommendation was among those delivered to the DNC.
“We give recommendations on governance, policies, technologies and crisis management,” he said. “For organizations that have not had a compromise assessment done, that is one of the things we often recommend.”
It isn’t certain a breach assessment would have spotted the hackers, according to Barron-DiCamillo, but it would have increased the chances. “Why spend the money to have Good Harbor come in and do the recommendations and then not act on them?” she asked."
................................
Added: The FBI was denied access to DNC computers and was forced to rely on CrowdStrike's opinion about alleged Russian access to DNC emails:
1/10/17, "Comey: DNC denied FBI's requests for access to [allegedly] hacked servers," The Hill, Katie Bo Williams
"The bureau made "multiple requests at different levels,” according to Comey, but ultimately struck an agreement with the DNC that a “highly respected private company” would get access and share what it found with investigators.
“We’d always prefer to have access hands-on ourselves if that’s possible,” Comey said, noting that he didn’t know why the DNC rebuffed the FBI’s request....
The DNC told BuzzFeed in a statement published last week [Jan. 2017] that the FBI never requested access to its servers after they were breached.
But a senior law enforcement official disputed that characterization the following day.
“The FBI repeatedly stressed to DNC officials the necessity of obtaining direct access to servers and data, only to be rebuffed until well after the initial compromise had been mitigated,” the official said.
“This left the FBI no choice but to rely upon a third party for information. These actions caused significant delays and inhibited the FBI from addressing the intrusion earlier.”
CrowdStrike, the private security firm in question, has published extensive forensic analysis backing up its assessment that the threat groups that infiltrated the DNC were associated with Russian intelligence."
........................
Added: Re: "Threat groups" (The Hill, above): these aren't groups of people, despite what the term may suggest. "Threat groups" are a set of software and related network infrastructure:
"A common misconception of “threat group” is that it refers to a group of people. It doesn’t. Here’s how ESET [link goes to general site] describes SEDNIT, one of the names for the threat group known as APT28, Fancy Bear, etc. This definition is found on p.12 of part two “En Route with Sednit: Observing the Comings and Goings”:
"As security researchers, what we call “the Sednit group” is merely a set of software and the related network infrastructure, which we can hardly correlate with any specific organization."
Unlike Crowdstrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it. It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone. In other words — malware deployed is malware enjoyed!...
It is both foolish and baseless to claim, as Crowdstrike does, that X-Agent is used solely by the Russian government when the source code is there for anyone to find and use at will."...
12/30/2016, "FBI/DHS Joint Analysis Report: A Fatally Flawed Effort," Jeffrey Carr