@RidT's Threads
A reported hacking attempt against "Burisma Holdings and some of its subsidiaries and partners" is getting a lot of attention right now, *allegedly* by GRU. Here's the underlying report in question: cdn.area1security.com/reports/Area-1… < 🚨Caution advised, based on what we currently know
The report makes a strong attribution claim (no estimative language, no analysis of competing hypotheses) solely based on TTPs, without access to any victim network (it appears, unless I'm missing something). That's problematic.
This isn't wrong:
This isn't wrong:
Ignore the weak attribution evidence for now. What does that even mean? — An attack is "successful" if and when the attacker successfully breaches a target, not because it looks good.
Did Area 1 have access to victim forensics or not? It appears the answer is no from the report.
Did Area 1 have access to victim forensics or not? It appears the answer is no from the report.
Teaching @SAISHopkins can be a bit like creating, training, and fine-tuning your own temporary think tank — this fall term I'm blown away by the quality of papers in my first-ever DISINFORMATION class. I'm learning so much from my students.
For example:
For example:
@SAISHopkins ^ One favorite paper: the superb analysis of a rare state-sponsored disinformation campaign against its own public *in a democracy* — South Korea's National Intelligence Service attempting to interfere in the presidential election of 2012
^ Or @ScottKaro’s excellent research on how the Internet Research Agency in St Petersburg exploited mass shooting events in the U.S. (tagged here with permission)
Did Putin play Trump? — Yes. It’s nice to have confirmation finally.
When did Putin start playing Trump? — It appears in Hamburg, July 2017 (months after Trump’s infamous AP interview in April). But could be earlier.
When did Putin start playing Trump? — It appears in Hamburg, July 2017 (months after Trump’s infamous AP interview in April). But could be earlier.
Did the Russian government invent the Ukraine-did-it narrative? — Almost certainly no. The timeline doesn’t support this interpretation. See especially Roger Stone in September 2016. Details: theatlantic.com/ideas/archive/…
🧨U.S. Senate Judiciary Committee announces—on remarkably short notice—widely anticipated hearing on "Encryption and Lawful Access: Evaluating Benefits and Risks to Public Safety and Privacy," Tuesday, *10 December* judiciary.senate.gov/meetings/encry…
This is big, bad news: the Trump administration—its credibility at a low point in the middle of impeachment, an Attorney General with radical views, a deeply partisan Senate Judiciary Committee—is finally tackling encryption, the most pivotal tech policy question of our time.
Unpopular, hard truth: the future of end-to-end encryption is more important than the future of this administration, and these hearings—yes, there's a low but nonzero probability of meaningful legislation—are probably more significant than this entire impeachment procedure.
“Exaggerating the effects of disinformation means amplifying the effects of disinformation” — my first in The Atlantic theatlantic.com/ideas/archive/…
Conspiracy theories about conspiracy theories are a thing ... not just on out-there nutty fringe websites
Facebook takedown of 50 Internet Research Agency-linked Instagram accounts from Monday deserves some more attention. A few thoughts.
The FB post: newsroom.fb.com/news/2019/10/r…
Graphika’s report (Ben Nimmo had advance access to some of the data): web.archive.org/web/2019102303…
The FB post: newsroom.fb.com/news/2019/10/r…
Graphika’s report (Ben Nimmo had advance access to some of the data): web.archive.org/web/2019102303…
First off, Facebook isn't revealing how they attributed to IRA (“showed some links”). It is safe to assume an investigative justification for this vagueness. FB's threat intel team had enough confidence in their attribution to brief Zuckerberg for a call washingtonpost.com/technology/201…
The key point here is that Facebook took down a (likely) IRA campaign that was still in an early stage: a small number of assets, with a still small audience, experimenting with some new tactics, and apparently operating with significantly improved OPSEC.
A highly significant move by NSA & GCHQ >>> “By gaining access to the Iranian infrastructure, Turla [likely FSB] was able to use APT34's ‘command and control’ systems to deploy its own malicious code, GCHQ and the NSA said in a public advisory” mobile.reuters.com/article/amp/id…
Okay the internet spoiled everything, including old-school spy drama—but GCHQ catching Russian spies camouflaging as Iranian intel & using their gear is basically the digital equivalent of busting a crafty double agent in a third country, embarrassing *two* adversaries in one go.
Last week the NYT had a well-sourced story on a clandestine GRU special operations unit, 29155, mentioning a wedding of the commander's daughter, attended by a Skripal poisoning suspect.
Now Bellingcat has the wedding pics, videos, seating—& face-matches bellingcat.com/news/uk-and-eu…
Now Bellingcat has the wedding pics, videos, seating—& face-matches bellingcat.com/news/uk-and-eu…
This digital-sources only investigation is pretty incredible, and will sting GRU, no doubt.
Eg: here Bellingcat links unit 99450 to unit 29155 based on a general's phone geolocation history.
That heat map, btw, should also send shivers down the spines of US intel agencies.
Eg: here Bellingcat links unit 99450 to unit 29155 based on a general's phone geolocation history.
That heat map, btw, should also send shivers down the spines of US intel agencies.
Is there a word in investigative journalism for getting a big scoop, publishing it, and then being put to shame (to a degree) by digital research wizards on the internet? Like, getting "bellingcatted"?
Vol II of the Senate Intelligence Committee's report on Russian active measures has a surprising amount of redactions—& not that much fresh detail. Here's a new anecdote (source redacted, also: exaggerating their own success would be expected from IRA)
intelligence.senate.gov/sites/default/…
intelligence.senate.gov/sites/default/…
Even the IRA thought Linkedin is a waste of time
Remarkable: about 7 pages redacted under the heading "GRU"
Encryption is about trust. The less you trust—the more you encrypt. If you can't trust your gov't, you encrypt end-to-end.
And now three gov'ts, two in outright constitutional crisis caused by lying at the top, are asking us to put stronger trust in weakening democracies. Srsly?
And now three gov'ts, two in outright constitutional crisis caused by lying at the top, are asking us to put stronger trust in weakening democracies. Srsly?
Some background reading in light of tomorrow's news >>> "encryption policy is becoming a crucial test of the values of liberal democracy in the twenty-first century" tandfonline.com/doi/full/10.10…
It appears there's an error in Barr's letter, I fixed it nytimes.com/2019/10/03/us/…
There's a lot going on in this paragraph from the Trump-Zelensky transcript, p. 3 whitehouse.gov/wp-content/upl…
The president appears to be referring to a number of different conspiracy theories here—none of this appears to have any basis in reality. Two questions therefore:
The president appears to be referring to a number of different conspiracy theories here—none of this appears to have any basis in reality. Two questions therefore:
1) Who claimed that "Ukraine has the server"? (The claim is wrong and makes no sense.)
btw, evergreen
btw, evergreen
2) Who claimed that "a lot of it started in Ukraine"? Did the president or some of his sources potentially get confused by the infamous Podesta phishing email? (Note that the email did, in fact, not come from Ukraine; the information below is made up and fake).
My son is two. Sometimes when I play with him a scary, depressing thought crosses my mind: he may see the beginning of the twenty-second century—and we are, I am, treating his precious planet like a public restroom in NYC in the summer with broken AC: shit, whine, do nothing.
I can no longer look him in the eye, say bye see you in two or four days, and go board a plane to cross an ocean or a continent for some conference or workshop or meeting or talk for—let’s be honest—very marginal benefit.
So: no more long-haul flights for flimsy reasons.
So: no more long-haul flights for flimsy reasons.
When declining invitations to travel, I have started referring to the climate crisis as the main reason. You should too.
And to organizers, team leads, funders: why not raise the bar for what kind of meeting really requires in-person participantion? Soooo much room for movement.
And to organizers, team leads, funders: why not raise the bar for what kind of meeting really requires in-person participantion? Soooo much room for movement.
A few cautious, historical reminders as the reviews of Edward Snowden's PERMANENT RECORD are rolling in. >>>
One of the biggest, most embarrassing intelligence leaks of the past century was the defection of Vasili Mitrokhin in 1992—he was an archivist for one of the most competent, disciplined, shrewd & ruthless intelligence organizations of all time, the KGB's First Chief Directorate.
Russian intelligence can draw on decades of experience with handling defectors from hostile Western agencies—all the way from forging books to gently influencing activists, witting or unwitting, sometimes by subtly taking advantage of their physical presence in Moscow.
Big story just now: Twitter and Facebook jointly take down a network of Chinese forged accounts attacking Hong Kong, both (!) linking the activity to the Chinese government—note the remarkably crude, vile content
Twitter: blog.twitter.com/en_us/topics/c…
Facebook: newsroom.fb.com/news/2019/08/r…
Twitter: blog.twitter.com/en_us/topics/c…
Facebook: newsroom.fb.com/news/2019/08/r…
What I hear about the attribution is impressive. Sorry to be cryptic here.
This is a picture the Chinese government is putting out to dehumanize its own citizens. Let that sink in.
(I don't use the word dehumanize lightly; but this is literally the textbook illustration here.)
(I don't use the word dehumanize lightly; but this is literally the textbook illustration here.)
Yesterday the US Senate Intelligence Committee published vol 1, 67 pages, of its larger report on the 2016 election interference. Not that many fresh facts in there.
intelligence.senate.gov/sites/default/…
A few detailed observations here that I largely missed in the press coverage so far—
intelligence.senate.gov/sites/default/…
A few detailed observations here that I largely missed in the press coverage so far—
First, "targeted" doesn't mean "hacked." Obviously.
Secondly: "scanning" isn't (really) "targeting" yet, let alone "attacking" — okay, it depends, remote system scanning is often part of targeting. But automated, high-volume scanning is not very meaningful as an indicator. Important to be more specific case-by-case.
Here's Barr's deeply misguided speech on "weakening encryption" justice.gov/opa/speech/att…
"Materially" is the operational word here
Important, must-read analysis of Barr's speech by my JHU colleague @matthew_d_green
Excellent thread on the neglected HUMINT-enhanced threat model in tech companies. I would add one important, often neglected consideration here. /1
There appears to be a widespread assumption out there that informants *knowingly* report to specific intelligence agencies — that spies know that they report to a handler, and that they know who the handler works for or reports to. /2
Historical counter-example: Stasi's foreign intelligence arm, HVA, regularly recruited anti-Communist-minded informants and ran them "under false flag" (an HVA term). Some HVA spies believed for years they actually helped the US, but in reality were paid and steered by Stasi. /3
A reminder that the internet forgets every day, all the time. Unless we save it.
Yesterday I had coffee with @MarkGraham from the @internetarchive—I was, again, so inspired by their work and the principles that guide this work that I spontaneously donated $1K that evening.
Yesterday I had coffee with @MarkGraham from the @internetarchive—I was, again, so inspired by their work and the principles that guide this work that I spontaneously donated $1K that evening.
@MarkGraham @internetarchive Eg: check out the Wayback Machine's fantastic new "Save Page Now" in beta, for example: web.archive.org/save (requires you're logged-in)
@MarkGraham @internetarchive Oh, and if you work for a security company that does serious investigations, say in digital forensics or IR, there's a very good chance that the Wayback Machine is part of your employer's critical infrastructure.
Tell them to say thanks > archive.org/donate
Tell them to say thanks > archive.org/donate
Leaks have long been a sharp tool of diplomacy (many historical examples.¹) Yet Darroch's resignation is raising the stakes—and the pressure for UK investigators to identify the source, and quickly. Foreign offices everywhere are watching nervously.
___
¹ amazon.com/Active-Measure…
___
¹ amazon.com/Active-Measure…
It is important to keep an open mind about the leak's source—a genuine, UK gov't source is still the most likely hypothesis here.
It is also important to keep in mind the active measures precedents. Here's a recent one
It is also important to keep in mind the active measures precedents. Here's a recent one
This reminds me: German diplomats have a very elegant verb to describe the process of gently placing well-timed information into ongoing news coverage, 𝘥𝘶𝘳𝘤𝘩𝘴𝘵𝘦𝘤𝘩𝘦𝘯, which literally means "piercing through"
ACTIVE MEASURES, out 21 April 2020, now in production and available to pre-order — 140K+ words, 1,100+ endnotes, 450+ pages, 75+ images, 31 chapters, dozens of unreported stories, a three-pronged argument, one superb cover, and I could not be more excited amazon.com/Active-Measure…
Q for researchers and historians: I have a superb 2:40h recording of a conversation on disinformation with L. Bittman, from March 2017. Should I publish the audio?—Our talk was not off the record; but the great man died, so can't authorize release ... nytimes.com/2018/09/21/obi…
Bittman's spouse granted me permission to publish the audio of our conversation. More when ACTIVE MEASURES will be out; the book's primary source "appendix" will be online as a dedicated collection at the @internetarchive.
Thanks for replies @jerryzmuller @taosecurity @ryanaraine
Thanks for replies @jerryzmuller @taosecurity @ryanaraine
U.S. operators have reportedly hacked an Iranian intelligence unit in retaliation—fascinating story by @JennaMC_Laugh et al. A few notes and questions news.yahoo.com/pentagon-secre…
N1: it is likely that any U.S. cyber ops story sourced from officials in DC isn’t really about the good stuff—especially absent noticeable effects, and/or when okayed in one way or the other by officials, especially intelligence officials. Publicity burns capabilities.
N2: big ships are hackable swimming networks—many connected devices, very bored users, little open pen-testing, likely change-averse admins, likely bad patching, likely bad air-gapping on the water, even navigation and other control systems likely hooked up to legacy boxes.
A few observations on today's "online escalation" New York Times story. I see lots of people making assumptions and jumping to conclusions. Also, why I’m filing this story under to-be-confirmed for now. nytimes.com/2019/06/15/us/…
The story makes two big claims: that CYBERCOM has placed “implants” “inside the Russian grid,” and that these U.S. intrusions were intended to be noticed in order to deter Russian decision-makers.
The NYT does not seem to have access to the “classified details of the operation.” The NSC and the NSA declined to comment on the record.
Note the story isn’t just about “the Russian grid,” but also other potential targets. Likely military targets.
Note the story isn’t just about “the Russian grid,” but also other potential targets. Likely military targets.
Just FYI I'm automatically removing all my LinkedIn connections right now (didn't want to delete the account for research purposes).
linkedhelper.com > "connections remover" is slow but appears to work fine.
linkedhelper.com > "connections remover" is slow but appears to work fine.
I hereby authenticate my remaining profile on linkedin (it has no connections).
Context: Max has raised a good point
Context: Max has raised a good point
Explanation: in my view the risks of using linkedin today outweigh its benefits (risk: very small; benefit: even smaller to negative).
Now back to interesting things.
Now back to interesting things.
