ya think?
Nearly a decade and a half after the Iraq-WMD faceplant, the American press is again asked to co-sign a dubious intelligence assessment
In an extraordinary development Thursday, the Obama administration announced a series of sanctions against Russia. Thirty-five Russian nationals will be expelled from the country. President Obama issued a terse statement seeming to blame Russia for the hack of the Democratic National Committee emails.
"These data theft and disclosure activities could only have been directed by the highest levels of the Russian government," he wrote.
Russia at first pledged, darkly, to retaliate, then backed off. The Russian press today is even reporting that Vladimir Putin is inviting "the children of American diplomats" to "visit the Christmas tree in the Kremlin," as characteristically loathsome/menacing/sarcastic a Putin response as you'll find.
This dramatic story puts the news media in a jackpot. Absent independent verification, reporters will have to rely upon the secret assessments of intelligence agencies to cover the story at all.
Something About This Russia Story Stinks - Rolling Stone
To a befuddled Rolling Stone reporter.
By lance on December 30, 2016 5:32 PM | 7 Comments
(Ed: Please pardon me for the wall of text, but that last entry annoyed the heck out of me.)
You know that teenage and college fantasy where you played Dustin Hoffman in All the President's Men? Remember dreaming of getting one little lead and following the breadcrumbs from point A to a Pulitzer Prize? Network security and audits are a lot like that. Your problem is that you've had eight years of reading government reports and taking for granted that they tell the story. Stenographers 'R Us, in a nutshell.
When you write about IT, or about whether to 'believe' an intelligence report about it, do better than reading a 13-page PDF aimed at network admins. Look at the data that was supplied with it, too.
The US-CERT page for the Joint Analysis Report (that it came through US-CERT is important; more on that below) links to the 13-page PDF released by the FBI and DHS; the URL is at the end of this post. What the author of the Rolling Stone piece linked in the last entry failed to do was look at the other files on that page: the indicator list, published as STIX XML and, for anyone who doesn't grok STIX, as a plain CSV. The two carry the same indicators. The CSV is redundant for admins, who will load the STIX into their tooling to block and hunt; the CSV is there for everyone else, reporters included.
Back to US-CERT, one of the most trusted information-disseminating entities in IT. For the most part they send out weekly bulletins about security patches for firmware, operating systems, services, and applications. Occasionally they send out a flash alert, but that is rare and a big deal when they do.
To say yesterday's publication via US-CERT is unprecedented may be accurate, but to complain that the document is light on 'facts' misreads its purpose. It was aimed at security and network professionals on the front lines, not at reporters. If every administrator of machines and networks followed the hardening and procedures recommended in that document, most of the intrusion methods it describes would fail.
Now, rather than write an article complaining that not enough data was spoon-fed to you, you could look at the actual data files, contact some of the owners of the IP addresses, and maybe figure out why the intelligence services are confident in their claim.
Email spam is already well known. Targeted email (spear-phishing) is a different beast. If the target is a hunter, the crafted email they get looks like it came from Cabela's, and the hit ratio goes way up. Most people would assume Google sold their search history rather than suspect they were the target of a malicious attack. In reality the link in the email goes to one of the domains below, which hosts a site made to look like Cabela's: it either harvests whatever you type into the fake login form or serves script that exploits the browser. Worse, the link in the email is a shortened one, something like 'bty.com/276dfgr', 'tco.com/erfgh' or 'ln.com/badlink' (illustrative), so the target can't tell the real endpoint by looking at it. Anyone can make these.
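What "look at the actual data files" means in practice, as an added example that is not the post's, US-CERT's or the JAR's own code: read the indicators out of a JAR-style STIX 1.x package and the equivalent CSV, then run them against proxy log lines the way an admin would. The XML, the CSV and the log lines are constructed samples; the tag names and namespaces follow the STIX/CybOX 1.x schemas but the layout is a simplified approximation of the real file, the CSV column names are assumed, and the indicator values are the ones quoted in this post.

```python
import csv
import io
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
}

# Constructed STIX 1.x sample (simplified layout): one IP and one domain indicator.
STIX_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>146.185.161.126</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
          <DomainNameObj:Value>insta.reduct.ru</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed CSV sample; the column names are an assumption, not the JAR's.
CSV_SAMPLE = """indicator,type,description
146.185.161.126,IPV4ADDR,constructed sample row
176.114.0.120,IPV4ADDR,constructed sample row
insta.reduct.ru,FQDN,constructed sample row
editprod.waterfilter.in.ua,FQDN,constructed sample row
"""

# Constructed proxy log lines. The last line carries a look-alike host and an
# unrelated IP that must NOT match (no substring matching on indicators).
LOG_SAMPLE = """\
1483057200.123 192.168.1.25 TCP_MISS/200 GET http://insta.reduct.ru/cabelas/login.php
1483057201.456 192.168.1.31 TCP_MISS/200 GET http://www.example.com/index.html
1483057202.789 192.168.1.25 TCP_TUNNEL/200 CONNECT 146.185.161.126:443
1483057203.000 192.168.1.40 TCP_MISS/200 GET http://editprod.waterfilter.in.ua/update.js
1483057204.111 192.168.1.31 TCP_MISS/200 GET http://insta.reduct.ru.example.com/ 203.0.113.45
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def load_stix_indicators(xml_text):
    """Map indicator value -> kind by walking CybOX Address and DomainName objects."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter("{%s}Address_Value" % NS["AddressObj"]):
        found[el.text.strip()] = "ipv4"
    for el in root.iter("{%s}Value" % NS["DomainNameObj"]):
        found[el.text.strip().lower()] = "domain"
    return found


def load_csv_indicators(csv_text):
    """Same mapping from the CSV; the kind is inferred from the value itself."""
    found = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["indicator"].strip().lower()
        found[value] = "ipv4" if is_ipv4(value) else "domain"
    return found


def load_indicators(xml_text=STIX_SAMPLE, csv_text=CSV_SAMPLE):
    """Union of both sources; where both list an indicator the values are identical."""
    merged = load_stix_indicators(xml_text)
    merged.update(load_csv_indicators(csv_text))
    return merged


def same_site(host, indicator):
    """Exact match or a subdomain of the indicator, never a bare substring."""
    return host == indicator or host.endswith("." + indicator)


def scan_log(log_text, indicators):
    """Return (line_no, token_seen, indicator_matched) for every hit."""
    domains = [v for v, kind in indicators.items() if kind == "domain"]
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for ip in IPV4_RE.findall(line):
            if indicators.get(ip) == "ipv4":
                hits.append((line_no, ip, ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for d in domains:
                if same_site(host, d):
                    hits.append((line_no, host, d))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_SAMPLE, load_indicators()):
        print("line %d: %s matched indicator %s" % hit)
```

Exact-token matching matters: a naive substring search would flag 146.185.161.12 as a hit on 146.185.161.126, and a bare `endswith` without the dot would flag `notinsta.reduct.ru`. Both are false positives an admin pays for in wasted time.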
These domains from the indicator list were used in the targeted email spoofs. The IP, owner and location after each one is what DNS and whois returned at the time of writing; 'dead domain name' means the name no longer resolved.
Xarelto Lawsuit (Rivaroxaban) – Make a Claim Today - 209.236.67.159 - WestHost, Inc. - Providence UT, USA
ritsoperrol.ru - dead domain name
littjohnwilhap.ru - dead domain name
wilcarobbe.com - dead domain name
one2shoppee.com - dead domain name
insta.reduct.ru - 146.185.161.126 - Digital Ocean, Inc., New York, NY
editprod.waterfilter.in.ua - 176.114.0.120 - FOP Sedinckin Olexandr Valeriyovuch - Boyarka, Ukraine
mymodule.waterfilter.in.ua - dead domain name
efax.pfdregistry.net - dead domain name
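The check the shortened-link paragraph above calls for, as an added example that is not the post's own code: pull the links out of a spear-phishing email, flag shortened ones, expand them hop by hop to see where they land, and compare the landing host with the indicator list. The email body and the redirect table are constructed; the shortener names are the post's own made-up examples plus two real services; the watchlist is two of the domains listed above. In production the `fetch_location` callback would issue a HEAD request with redirects disabled and return the Location header (for example `requests.head(url, allow_redirects=False).headers.get("Location")`); here a dictionary stands in so the example runs offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shortener hosts: the post's illustrative names plus two real services.
SHORTENERS = {"bty.com", "tco.com", "ln.com", "bit.ly", "t.co"}

# Watchlist: two domains the post lists from the JAR indicator file.
WATCHLIST = {"insta.reduct.ru", "editprod.waterfilter.in.ua"}

# Constructed phishing email body.
EMAIL_HTML = """
<p>Your Cabela's order is ready. <a href="http://bty.com/276dfgr">View your order</a></p>
<p>Questions? Visit <a href="http://tco.com/erfgh">www.cabelas.com</a></p>
<p>Unsubscribe: <a href="https://www.example.com/unsubscribe">here</a></p>
"""

# Constructed redirect table standing in for live HEAD requests.
REDIRECTS = {
    "http://bty.com/276dfgr": "http://insta.reduct.ru/cabelas/login.php",
    "http://tco.com/erfgh": "http://ln.com/badlink",
    "http://ln.com/badlink": "http://editprod.waterfilter.in.ua/cabelas/",
}

# Does the visible link text look like a URL or a host name?
DISPLAY_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def fake_fetch_location(url):
    """Offline stand-in: the Location a HEAD request would return, or None."""
    return REDIRECTS.get(url)


class _LinkParser(HTMLParser):
    """Collect (display text, href) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def expand(url, fetch_location, max_hops=5):
    """Follow Location headers one hop at a time; refuse loops and long chains."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError("redirect loop starting at %s" % nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects from %s" % (max_hops, url))


def assess_link(text, href, watchlist, fetch_location):
    chain = expand(href, fetch_location)
    final_host = host_of(chain[-1])
    shown_host = None
    if DISPLAY_RE.match(text):
        shown_host = host_of(text if "://" in text else "http://" + text)
    return {
        "href": href,
        "shortened": host_of(href) in SHORTENERS,
        "chain": chain,
        "final_host": final_host,
        # The visible text names one site but the link lands on another.
        "display_mismatch": shown_host is not None and not same_site(shown_host, final_host),
        "on_watchlist": any(same_site(final_host, d) for d in watchlist),
    }


def assess_email(html, watchlist=WATCHLIST, fetch_location=fake_fetch_location):
    return [assess_link(t, h, watchlist, fetch_location) for t, h in extract_links(html)]


if __name__ == "__main__":
    for r in assess_email(EMAIL_HTML):
        print(r["href"], "->", r["final_host"], "watchlist:", r["on_watchlist"])
```

Two things to note when doing this for real: expand links with HEAD and redirects disabled so you never fetch the landing page from a workstation, and treat a shortener that chains into a second shortener (the second link above) as a signal in its own right.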
Of the 249 identified IP addresses, these are Canadian: (Any CDN reporters wanna call McGill? For kicks, maybe?)
167.114.35.70 - OVH Hosting - Montreal - McGill College
198.50.177.202 - OVH Hosting - Montreal - McGill College
142.10.38.212 - Ontario Hydro
69.70.199.50 - Videotron Ltee - Montreal
207.176.226.8 - Rigstar Communications Inc - Calgary
66.158.142.2 - MORGAN SCHAFFER INC. - Lasalle, Quebec
(The 'McGill College' in the OVH entries is the street in OVH's Montreal whois address, McGill College Avenue, not the university. Whois on a hosting range tells you who rents out the box, not who is using it.)
See below the fold for a count of IPs by country. Country tells you where the hosting was rented or where a box was compromised, not who operated it; note that only two of the 249 sit in Russia.
45 China
44 the United States
19 the Netherlands
14 Germany
11 France
8 Sweden
8 South Korea
6 Thailand
6 Japan
6 Canada
5 Denmark
4 Romania
4 the United Kingdom
3 Vietnam
3 Turkey
3 Taiwan
3 Swaziland
3 Spain
3 Puerto Rico
3 Mexico
3 Italy
3 Indonesia
3 Bulgaria
2 Russia
2 Luxembourg
2 Lithuania
2 Iraq
2 Iran
2 India
2 Greece
2 Finland
2 Estonia
2 Czech Republic
2 Brazil
1 Venezuela
1 Ukraine
1 Slovakia
1 Singapore
1 Serbia
1 Poland
1 Mongolia
1 Malaysia
1 Kenya
1 Kazakhstan
1 Hungary
1 Ghana
1 Egypt
1 Cambodia
1 Belgium
1 Bangladesh
1 Austria
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY STEPPE-2016-1229.pdf
now get on with your lives and try to maintain.
that is all.