
The Curious Treatment of Michael Cohen’s Trump Organization Email

As close readers know, I’ve been fascinated by DOJ’s treatment of Michael Cohen’s Trump Organization email for some time. That’s true for several reasons.

First, one of the earliest warrants targeting Cohen revealed that Microsoft hosts (or hosted) Trump Organization emails. When the FBI first started putting together an investigation into Cohen for suspicious activity surrounding his Essential Consulting bank account, they first sent preservation orders to Microsoft, then obtained his emails directly from the tech company. Effectively, Cohen (and any other Trump Organization employees the FBI targeted after that, probably including Don Jr) got stung by a practice Microsoft had long been complaining about, that when the government came to it, rather than to Microsoft’s enterprise customers (like universities and businesses), Microsoft could not provide those customers notice, which might provide them an opportunity to challenge an order or protect privileged material.

That’s particularly interesting given the indications that the Trump Organization, which decided what documents to turn over to Congress in response to a subpoena served on Cohen, did not turn over emails that would have proven false the story Cohen told about his interactions regarding Trump Tower Moscow.

Q Now, in your February 28th interview before this committee you mentioned that Alan Futerfas and Alan Garten, the two lawyers who were tied to The Trump Organization, were responsible for the document production that you produced to the committee in response to this committee’s May of 2017 subpoena. Is that accurate?

A That’s accurate.

[snip]

Q Do you have any information about why The Trump Organization would have withheld from this committee production of the January 14th, 2016, email from you to Peskov’s office?

A I do not.

Q Same question as to the January 16th, 2016, email from you to Peskov’s office regarding Sergei Ivanov?

A I also do not.

Q Same question with regards to the January 20th, 2016, email from Elena Poliyakova (ph)?

A I do not.

THE CHAIRMAN: Mr. Cohen, what Mr. Mitchell is asking about is you’ve testified that the members of the joint defense agreement were aware that the written testimony that you were going to give to this committee was false. Documents that would have contradicted that timeline, namely, the three that Mr. Mitchell just referenced, were not produced to this committee. Is there any insight you can shed as to who might have been involved in withholding documentary evidence that would have contradicted your written false testimony?

MR. COHEN: Again, it would be other members of the joint defense team, but specifically at The Trump Organization level.

Cohen told HPSCI that he was reminded of these emails when Mueller showed them to him. In other words, Mueller obtained them, but (if HPSCI is correct on this point) Congress did not, even though the emails were solidly within the scope of a subpoena served on Cohen. That Mueller obtained the emails from Microsoft is one likely explanation for how he got them but HPSCI did not (though he had also subpoenaed Trump Organization in March 2018 before Cohen started cooperating in September of that year and a year before Cohen’s third appearance before HPSCI).

That’s why I’m interested in this footnote in the warrant to search Cohen’s properties in April 2018.

According to an article in the Washington Post, which quoted emails sent from Cohen’s email account hosted by the Trump Organization, on October 17, 2016, Davidson emailed Cohen and threatened to cancel the aforementioned “settlement agreement” by the end of the day if Cohen did not complete the transaction.29 According to the article, Davidson sent Cohen a second email later in the day that stated in part, “Please be advised that my client deems her settlement agreement canceled and void.”

29 Due to the partially covert nature of the investigation to this date, the USAO has not requested documents from the Trump Organization or Davidson, and thus does not possess the email referenced in this article.

There’s no reason to believe the “USAO” (meaning SDNY’s US Attorney’s office) had the email. But the government — Mueller’s team — probably did, from the search warrant served on Microsoft on August 1, 2017. The public record doesn’t show, however, that Mueller handed it over to SDNY when he handed off the bank investigations in February 2018, or at any time after that.

On February 28, 2018, SDNY obtained a warrant for the Gmail and 1&1 content that Mueller had obtained in 2017 and handed over to SDNY on a USB drive on February 8, 2018. But — in spite of the fact that the original Mueller Gmail warrant and the Trump Org warrant discussed (¶¶13-19) Cohen’s payment to Stormy Daniels — the February 28 warrant covered just Cohen’s financial fraud. It wasn’t until April 7, 2018 that SDNY obtained a warrant to search the Gmail content, the 1&1 content, and the iCloud content (which Mueller provided on March 7, 2018) in the campaign finance investigation.

But as the footnote noted, they never obtained a warrant to search the Trump Org emails, even though that content was presumably also in Mueller’s possession.

There may be a very logical explanation for why they didn’t: on October 27, 2017, DOJ agreed to limit its use of secrecy orders. It’s quite possible that the government believed any new warrant for content originally provided by Microsoft would have to adhere to the new policy, even if it had been obtained before the new policy went into effect (we see similar policy granularity in SDNY’s need to get a warrant for Google content held overseas, whereas Mueller — who operated in a different Circuit without that precedent — did not have to submit a separate warrant).

That said, given the discussions of why things got referred when they did (and the different treatment of Cohen’s non-Russian crime from Manafort and Flynn’s non-Russian crimes), I am rather interested that SDNY treated Trump Org emails differently than Mueller did (and, perhaps, that Mueller submitted a warrant to Trump Org for content he already had).

As I said, the most likely explanation is that the change in DOJ policy led to a change in treatment of Trump Org’s Microsoft-hosted email, meaning SDNY could not ask for the emails even from Microsoft without alerting Trump to the investigation. But it’s possible that the differential treatment arises from greater deference provided to Trump-related content as investigations into him proceeded.

As I disclosed last July, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

The FBI Went to Microsoft, not Trump Organization, for Emails Incriminating Individual-1

I’m working on a post showing how slow the investigation into Donald Trump and his associates was, contrary to the President’s squeals. That led me to realize something about this August 1 search warrant application for Michael Cohen’s Trump Organization email.

Trump Organization used Microsoft to host their email.

54. On or about July 14, 2017, the Federal Bureau of Investigation sent a request, pursuant to 18 U.S.C. § 2703(f), to Microsoft, requesting that Microsoft preserve all content for all email accounts associated with the domain “trumporg.com,” which included the Target Account.

55. On or about July 20, 2017 and again on or about July 25, 2017, in response to a grand jury subpoena, Microsoft confirmed that the Target Account was an active account associated with the domain trumporg.com. Microsoft also provided records indicating that email accounts associated with the domain “trumporg.com” are being operated on a Microsoft Exchange server. According to publicly available information on Microsoft’s website, Microsoft hosts emails for clients on Microsoft Exchange servers, while allowing customers to use their own domain (as opposed to the publicly available email domains supplied by Microsoft, such as hotmail.com). According to information supplied by Microsoft, the domain trumporg.com continues to operate approximately 150 active email accounts through Microsoft Exchange, meaning that data associated with trumporg.com still exists on Microsoft’s servers.

[snip]

62. On or about June 21, 2017, the Federal Bureau of Investigation sent a request, pursuant to 18 U.S.C. § 2703(f), to Microsoft, requesting that Microsoft preserve all content associated with the Target Account.

That means Microsoft — and not (just) Trump Organization — controlled access to these accounts.

This is something that has long been an unrecognized problem. If the government wants your email and your business or university has Microsoft or Google host email for it, the tech giant receives and responds to the law enforcement request, not the entity that might raise privilege or First Amendment challenges to the subpoena. For example, the government would have gotten Xiaoxiang Xi’s and Ali Watkins’ Temple University email from Google, not the University, preventing both from making a First Amendment challenge to the warrant.

Microsoft sued over the sheer number of gags on such subpoenas in 2016; few people realized that it was concerned primarily about businesses like Trump Organization, not individual customers. That suit settled on October 24, 2017 after DOJ agreed to give Microsoft more leeway to notify its customers.

But that agreement would have come too late for Michael Cohen and anyone else at Trump Organization who might have been investigated by DOJ. Since June 21, 2017, Cohen’s emails were preserved, and since July 14, 2017 — just after the June 9 meeting arranged via what appears to be Don Jr’s Trump Organization email became public — all Trump Organization emails have been preserved.

In DOJ’s opposition to Michael Cohen’s efforts to get a restraining order on the materials seized in the April 9, 2018 raid on him, there was a redacted reference suggesting that some materials may have gotten destroyed.

Mueller didn’t subpoena documents from Trump Organization directly until March 2018. So if, via email searches obtained directly from Microsoft, they discovered documents that were withheld in response to that March subpoena — such as the emails that Cohen received on Trump Tower Moscow — it might explain this redaction.

This is the kind of thing that Trump might make a big stink about, if he ever figures it out (or if it gets Trump Organization lawyer Alan Garten in trouble for blowing off subpoenas — the company was already non-responsive to the May HPSCI subpoena). But it’s also the kind of exposure that businesses and universities everywhere face.


Google at Temple: Did DOJ Follow Its New Guidelines on Institutional Gags?

On October 19, 2017, DOJ issued new guidelines on default gag orders under the Stored Communications Act. It required that prosecutors “conduct an individualized and meaningful assessment requiring the need for protection from disclosure prior to seeking” a gag “and only seek an order when circumstances require.” Sometime after that, in association with its investigation of leaks about Carter Page, DOJ sought Ali Watkins’ call records, including her email subscriber records from when she was an undergraduate at Temple.

Under Justice Department regulations, investigators must clear additional hurdles before they can seek business records that could reveal a reporter’s confidential sources, such as phone and email records. In particular, the rules require the government to have “made all reasonable attempts to obtain the information from alternative, non-media sources” before investigators may target a reporter’s information.

In addition, the rules generally require the Justice Department to notify reporters first to allow them to negotiate over the scope of their demand for information and potentially challenge it in court. The rules permit the attorney general to make an exception to that practice if he “determines that, for compelling reasons, such negotiations would pose a clear and substantial threat to the integrity of the investigation, risk grave harm to national security, or present an imminent risk of death or serious bodily harm.”

Top Justice Department officials must sign off on any attempt to gain access to a journalist’s communications records.

It is not clear whether investigators exhausted all of their avenues of information before confiscating Ms. Watkins’s information. She was not notified before they gained access to her information from the telecommunications companies. Among the records seized were those associated with her university email address from her undergraduate years.

This request would almost certainly not have been presented to Temple University. It would have been presented to Google, which provides email service for Temple. At least, that’s what appears to have happened in the case of Professor Xiaoxiang Xi in DOJ’s investigation of him for carrying out normal academic discussions about semiconductors with colleagues in China.

Thus far (as reflected here with the NYT coverage), the focus on whether DOJ followed its own regulations pertains to whether they followed guidelines on obtaining the records of a journalist. But the circumstances surrounding their request for Temple records should focus as much attention on whether the government followed its brand new regulations on imposing gags even when obtaining records from an institutional cloud customer like Temple.

The new guidelines were adopted largely in response to a challenge from Microsoft on default, indefinite gags. While few noted it at the time, what Microsoft most worried about was its inability to give its institutional customers notice that their records had been subpoenaed. That meant that certain kinds of cloud customers effectively gave up a legal right to challenge legal process by outsourcing that service to Microsoft. Microsoft dropped its suit to legally force this issue when DOJ adopted the new guidelines last year. As best I understand, those guidelines should have governed whether Google could tell Temple that DOJ was seeking the records of a former student.

So the question is not just whether DOJ gave Watkins an opportunity to challenge this subpoena, but also whether it gagged Google from telling Temple, and thereby denied Temple the opportunity to challenge the subpoena on academic freedom grounds.

Given how they treated Xi, it’s unlikely Temple would have done much to protect their former student. But some universities — and other institutions with special First Amendment concerns that use Microsoft or Google for their email service — might. They can only do so, however, if DOJ doesn’t obtain frivolous gags to prevent them from doing so.

A Tale of Two Malware Researchers: DOJ Presented Evidence Yu Pingan Knew His Malware Was Used as Such

The government revealed the arrest in California of a Chinese national, Yu Pingan, who is reportedly associated with the malware involved in the OPM hack.

The complaint that got him arrested, however, has nothing to do with the OPM hack. Rather, it involves four US companies (none of which are in the DC area), at least some of which are probably defense contractors.

Company A was headquartered in San Diego, California, Company B was headquartered in Massachusetts, Company C was headquartered in Los Angeles, California, and Company D was headquartered in Arizona.

Yu is introduced as a “malware broker.” But deep in the affidavit, the FBI describes Yu as running a site selling malware as a penetration testing tool.

UCC #1 repeatedly obtained malware from YU. For example, on or about March 3, 2013, YU emailed UCC #1 samples of two types of malware: “adjesus” and “hkdoor.” The FBI had difficulty deciphering adjesus, but open source records show that it was previously sold as a penetration testing tool (which is what legitimate security researchers call their hacking tools) on the website penelab.com. Part of the coding for the second piece of malware, hkdoor, indicated that “Penelab” had created it for a customer named “Fangshou.” Seized communications and open source records show that YU ran the penelab.com website (e.g., he used his email address and real name to register it) and that UCC #1 used the nickname “Fangshou.”

For that reason — and because Yu was arrested as he arrived in the US for a conference — a few people have questioned whether a fair comparison can be made between Yu and Marcus Hutchins, AKA MalwareTech.

It’s an apples to oranges comparison, as DOJ rather pointedly hasn’t shared the affidavit behind Hutchins’ arrest warrant, so we don’t have as much detail on Hutchins. That said, Hutchins’ indictment doesn’t even allege any American victims, whereas Yu’s complaint makes it clear he (or his malware) was involved in hacking four different American companies (and yet, thus far, Yu has been charged with fewer crimes than Hutchins has).

In any case, at least what we’ve been given shows a clear difference. Over a year before providing Unindicted Co-Conspirator 1 two more pieces of malware, the complaint shows, UCC #1 told Yu he had compromised Microsoft Korea’s domain.

YU and UCC #1’s communications include evidence tying them to the Sakula malware. On or about November 10, 2011, UCC #1 told YU that he had compromised the legitimate Korean Microsoft domain used to download software updates for Microsoft products. UCC #1 provided the site http://update.microsoft.kr/hacked.asp so YU could confirm his claim. UCC #1 explained that he could not use the URL to distribute fraudulent updates, but the compromised site could be used for hacking attacks known as phishing.

So unlike in Hutchins’ case, DOJ has provided evidence (and there’s more in the affidavit) that Yu knew he was providing malware to hack companies.

Indeed, unless the government has a lot more evidence against Hutchins (more on that in a second), it’s hard to see why they’ve been charged with the same two crimes, Conspiracy to violate CFAA and CFAA.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers Gets Results! Congress Finally Moves to Oversee Vulnerabilities Equities Process

Since the Snowden leaks, there has been a big debate about the Vulnerabilities Equities Process — the process by which NSA reviews vulnerabilities it finds in code and decides whether to tell the maker or instead to turn it into an exploit to use to spy on US targets. That debate got more heated after Shadow Brokers started leaking exploits all over the web, ultimately leading to the global WannaCry attack (the NotPetya attack also included an NSA exploit, but mostly for show).

In the wake of the WannaCry attack, Microsoft President Brad Smith wrote a post demanding that governments stop stockpiling vulnerabilities.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

But ultimately, the VEP was a black box the Executive Branch conducted, without any clear oversight.

The Intelligence Authorization would change that. Starting 3 months after passage of the Intel Authorization, it would require each intelligence agency to report to Congress the “process and criteria” that agency uses to decide whether to submit a vulnerability for review; the reports would be unclassified, with a classified annex.

In addition, each year the Director of National Intelligence would have to submit a classified list tracking what happened with the vulnerabilities reviewed in the previous year. In addition to showing how many weren’t disclosed, it would also require the DNI to track what happened to the vulnerabilities that were disclosed. One concern among spooks is that vendors don’t actually fix their vulnerabilities in timely fashion, so disclosing them may not make end users any safer.

There would be an unclassified report on the aggregate reporting of vulnerabilities both at the government level and by vendor. Arguably, this is far more transparency than the government provides right now on actual spying.

This report would, at the very least, provide real data about what actually happens with the VEP and may show (as some spooks complain) that vendors won’t actually fix vulnerabilities that get disclosed. My guess is SSCI’s mandate for unclassified reporting by vendor is meant to embarrass those (potentially including Microsoft?) that take too long to fix their vulnerabilities.

I’m curious how the IC will respond to this (especially ODNI, which under James Clapper had squawked mightily about new reports). I also find it curious that Rick Ledgett wrote his straw man post complaining that Shadow Brokers would lead people to reconsider VEP after this bill was voted out of the SSCI; was that a preemptive strike against a reasonable requirement?


SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF THE FEDERAL GOVERNMENT.

(a) Report Policy And Process.—

(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act and not later than 30 days after any substantive change in policy, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report detailing the process and criteria the head uses for determining whether to submit a vulnerability for review under the vulnerabilities equities policy and process of the Federal Government.

(2) FORM.—Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

(b) Annual Report On Vulnerabilities.—

(1) IN GENERAL.—Not less frequently than once each year, the Director of National Intelligence shall submit to the congressional intelligence committees a report on—

(A) how many vulnerabilities the intelligence community has submitted for review during the previous calendar year;

(B) how many of such vulnerabilities were ultimately disclosed to the vendor responsible for correcting the vulnerability during the previous calendar year; and

(C) vulnerabilities disclosed since the previous report that have either—

(i) been patched or mitigated by the responsible vendor; or

(ii) have not been patched or mitigated by the responsible vendor and more than 180 days have elapsed since the vulnerability was disclosed.

(2) CONTENTS.—Each report submitted under paragraph (1) shall include the following:

(A) The date the vulnerability was disclosed to the responsible vendor.

(B) The date the patch or mitigation for the vulnerability was made publicly available by the responsible vendor.

(C) An unclassified appendix that includes—

(i) a top-line summary of the aggregate number of vulnerabilities disclosed to vendors, how many have been patched, and the average time between disclosure of the vulnerability and the patching of the vulnerability; and

(ii) the aggregate number of vulnerabilities disclosed to each responsible vendor, delineated by the amount of time required to patch or mitigate the vulnerability, as defined by thirty day increments.

(3) FORM.—Each report submitted under paragraph (1) shall be in classified form.

(c) Vulnerabilities Equities Policy And Process Of The Federal Government Defined.—In this section, the term “vulnerabilities equities policy and process of the Federal Government” means the policy and process established by the National Security Council for the Federal Government, or successor set of policies and processes, establishing policy and responsibilities for disseminating information about vulnerabilities discovered by the Federal Government or its contractors, or disclosed to the Federal Government by the private sector in government off-the-shelf (GOTS), commercial off-the-shelf (COTS), or other commercial information technology or industrial control products or systems (including both hardware and software).

The Legitimacy Problem with NSA’s Silence on WannaCry

Over at Matt Suiche’s website, he chronicles the discovery of a way to work around WannaCry’s ransomware. First a guy named Adrien Guinet figured out how to find the prime numbers from which the key locking a computer’s files had been computed. Then a guy named Benjamin Delpy recreated the effort and tested it against versions up to Windows 7. This is not a cure-all, but it may be a way to restore files encrypted by the attackers.
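As an added illustration, not code from Guinet’s or Delpy’s tools: the recovery described above works because the ransomware’s RSA primes were left behind in the process’s memory after the key was generated (my understanding of the technique, not something the post states), so anyone holding the public modulus can recognise them by trial division and rebuild the private key. The Python below does this against a toy-sized key and a constructed memory image; the primes, filler bytes and test message are all made up for the example.

```python
# Added illustration: recovering RSA primes left behind in process memory
# and rebuilding the private key. Toy-sized key; the primes, the "memory"
# image and the junk around them are all constructed for this example.
from math import gcd


def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Return (n, e, d) for the textbook RSA key built from primes p and q."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return p * q, e, pow(e, -1, phi)


def build_memory_image(p: int, q: int, width: int) -> bytes:
    """Constructed stand-in for a heap region of the ransomware process.

    Windows CryptoAPI stores RSA primes as little-endian integers, so the
    primes are embedded little-endian here, surrounded by unrelated data.
    Nothing in this blob is a real memory dump.
    """
    filler = bytes(range(0x41, 0x41 + 13))          # "ABCDEFGHIJKLM"
    return (b"\x00" * 6 + filler + p.to_bytes(width, "little")
            + b"\xde\xad\xbe\xef\xca\xfe" + q.to_bytes(width, "little")
            + b"\xff" * 9 + filler)


def scan_for_factors(memory: bytes, n: int) -> list:
    """Slide a window over memory; keep every value that exactly divides n.

    Any non-trivial divisor of an RSA modulus is one of its two primes, so
    the test 'n % candidate == 0' is a complete check, not a heuristic.
    Several widths are tried because the stored integer may carry padding.
    """
    half = (n.bit_length() + 1) // 2
    widths = {max(1, (half + 7) // 8 + delta) for delta in (-1, 0, 1)}
    found = set()
    for width in widths:
        for offset in range(len(memory) - width + 1):
            candidate = int.from_bytes(memory[offset:offset + width], "little")
            if 1 < candidate < n and n % candidate == 0:
                found.add(candidate)
    return sorted(found)


def rebuild_private_exponent(n: int, e: int, factors: list) -> int:
    """Given both primes, recompute d exactly as the original key did."""
    if len(factors) != 2 or factors[0] * factors[1] != n:
        raise ValueError("did not recover both prime factors")
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


def recover_key_from_memory(memory: bytes, n: int, e: int) -> int:
    """End-to-end: memory image + public key -> private exponent d."""
    return rebuild_private_exponent(n, e, scan_for_factors(memory, n))


if __name__ == "__main__":
    P, Q = 4294967291, 4294967279          # 32-bit primes, constructed toy values
    n, e, d = make_toy_keypair(P, Q)
    image = build_memory_image(P, Q, 4)
    d_recovered = recover_key_from_memory(image, n, e)
    m = 0x123456789ABC                     # constructed test message
    c = pow(m, e, n)
    print("recovered d matches:", d_recovered == d)
    print("ciphertext decrypts:", pow(c, d_recovered, n) == m)
```

Against a real key the same scan runs over a dump of the ransomware process and the modulus comes from the public key file the malware drops; the arithmetic is unchanged, only the sizes grow.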

This of course comes after Suiche and before him Malware Tech set up sinkholes to divert the malware attack. Other security researchers have released tools to prevent the encryption of files after infection.

And all the while, NSA — which made the exploit that made this worm so damaging, EternalBlue — has remained utterly silent. At this point, Lauri Love, who faces 99 years of prison time for alleged hacking in the US, has done more in public to respond to this global ransomware attack than the NSA has.

The most public comment from NSA has come in the form of this WaPo article, which describes “current and former” officials defending the use of EternalBlue and sort of confirming that NSA told Microsoft of the vulnerability. It also revealed the White House called an emergency cabinet meeting to deal with the attack. Department of Homeland Security released a pretty useless statement last Friday. On Monday, Homeland Security Czar Tom Bossert answered questions at the press briefing (sometimes inaccurately, I think), emphasizing that the US is not responsible for the attack.

I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government.

So this was not a tool developed by the NSA to hold ransom data.

That’s it. That’s what we’ve seen of our government’s response to a malware attack that it had a role in creating.

(For what it’s worth, people in the UK have said their cybersecurity organization, the National Cyber Security Centre, has been very helpful.)

Don’t get me wrong. I’m sure folks at NSA have been working frantically to understand and undercut this attack. Surely they’ve been coordinating with the private sector, including Microsoft and more visible victims like FedEx. NSA intervention may even explain why there have been fewer infections in the US than in Europe. There may even be some cooperation between the security people who’ve offered public solutions and the NSA. But if those things have happened, it remains totally secret.

And I understand why NSA would want to remain silent. After all, companies and countries are going to want some accountability for this, and while the hackers deserve the primary blame, NSA’s own practices have already come in for criticism in Europe.

Plus, I’m sure whatever NSA is doing to counter this attack is even more interesting — and therefore more important to keep secret from the attackers — than the really awesome sinkholes and prime number workarounds the security researchers have come up with. It’s worth noting that the attackers and aspiring copy-catters are undoubtedly watching the public discussions in the security community to figure out how to improve the attack (though the WannaCry attackers didn’t seem to want or be able to use the information on sinkholes to their advantage, as the release that fixed that problem is corrupted).

But, in my opinion, NSA’s silence creates a legitimacy problem. This is the premier SIGINT agency in the world, tasked to keep the US (and more directly, DOD networks) safe from such attacks. And it has remained silent while a bunch of researchers and consultants collaborating together have appeared to be the primary defense against the weaponization of an NSA tool.

If 22 year olds fueled by pizza are the best line of defense against global attacks, then it suggests (I’m not endorsing this view, mind you) that we don’t need the NSA.

Update: On Twitter, Jake Williams asked whether NSA would have had a better response if the defensive Information Assurance Directorate hadn’t been disbanded last year by Mike Rogers. I hadn’t thought of that, but it’s a good question.

Minority Report: A Look at Timing of WannaCry and Trump’s Spillage

CAVEAT: Note well these two points before continuing —

1) Check the byline; this is Rayne, NOT Marcy; we may have very different opinions on matters in this post.

2) This post is SPECULATIVE. If you want an open-and-shut case backed by unimpeachable evidence this is not it. Because it addresses issues which may be classified, there may never be publicly-available evidence.

Moving on…

Like this past week’s post on ‘The Curious Timing of Flynn Events and Travel Ban EO’, I noticed some odd timing and circumstances. Event timing often triggers my suspicions and the unfolding of the WannaCry ransomware attack did just that. WannaCry didn’t unfold in a vacuum, either.

Timeline (Italics: Trump spillage)

13-AUG-2016 — Shadow Brokers dumped first Equation Group/NSA tools online

XX-XXX-201X — Date TBD — NSA warned Microsoft about ETERNALBLUE, the exploit for the vulnerability Microsoft identified as MS17-010. It is not clear from the report whether this warning occurred before or after Trump’s inauguration.

XX-FEB-2017 — Computer security firm Avast Software Inc. said the first variant of WannaCry was initially seen in February.

14-MAR-2017 — Microsoft released a patch for vulnerability MS17-010.

14-APR-2017 — Easter weekend — Shadow Brokers dumps Equation Group/NSA tools on the internet for the fifth time, including ETERNALBLUE.

(Oddly, no one noted the convenience to Christian countries celebrating a long holiday weekend; convenient, too, that both western and eastern Orthodox Christian sects observed Easter on the same date this year.)

10-MAY-2017 — White House meeting between Trump, Foreign Minister Sergei Lavrov, and Ambassador Sergey Kislyak. No US media present; Russian media outlet TASS’ Washington bureau chief and a photographer were, however.

12-MAY-2017 — ~8:00 a.m. CET — Avast noticed increased activity in WannaCry detections.

[graphic: Countries with greatest WannaCry infection by 15-MAY-2017; image via Avast Software, Inc.]

12-MAY-2017 — 3:24 a.m. EDT/8:24 a.m. BST London/9:24 a.m. CET Madrid/10:24 a.m. MSK Moscow — early reports indicated telecommunications company Telefonica had been attacked by malware. Later reports by Spanish government said, “the attacks did not disrupt the provision of services or network operations…” Telefonica said the attack was “limited to some computers on an internal network and had not affected clients or services.”

12-MAY-2017 — 10:00 a.m. CET — WannaCry “escalated into a massive spreading,” according to Avast.

12-MAY-2017 — timing TBD — Portugal Telecom affected as was UK’s National Health Service (NHS). “(N)o services were impacted,” according to Portugal Telecom’s spokesperson. A Russian telecom firm was affected as well, along with the Russian interior ministry.

12-MAY-2017 — ~6:23 p.m. BST — Infosec technologist MalwareTechBlog registers the domain WannaCry queries during execution and points it at a ‘sinkhole’. The worm checks whether that domain answers and exits when it does, so new infections by this variant stop once the domain resolves (hosts that can only reach the internet through a proxy are the exception, since the check ignores proxy settings).

13-MAY-2017 — Infosec specialist MalwareTechBlog posts a tick-tock and explainer outlining his approach to shutting down WannaCry the previous evening.

15-MAY-2017 — ~5:00 p.m. EDT — Washington Post reported Trump disclosed classified “code worded” intelligence to Lavrov and Kislyak during his meeting the previous Wednesday.

16-MAY-2017 — National Security Adviser H. R. McMaster said “I wanted to make clear to everybody that the president in no way compromised any sources or methods in the course of this conversation” with Lavrov and Kislyak. But McMaster did not say information apart from sources or methods had been passed on; he did share that “‘the president wasn’t even aware of where this information came from’ and had not been briefed on the source.”

The information Trump passed on spontaneously with the Russian officials was related to laptop bomb threats originating from a specific city inside ISIS-held territory. The city was not named by media though it was mentioned by Trump.

16-MAY-2017 — Media outlets reported Israel was the ally whose classified intelligence was shared by Trump.
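The kill-switch mechanism behind the 12-MAY sinkhole entry above, modelled in Python. This is an added illustration, not code from the post or from the malware: the worm made an HTTP request to a hard-coded domain before doing anything else, proceeded only if that request failed, and opened its connection without honouring proxy settings. The domain constant is the one MalwareTech registered, as widely reported; the network stand-in and the DNS resolver log lines are constructed for the example.

```python
"""Model of the WannaCry kill-switch check, plus a DNS-log sweep for hosts that ran it."""
from typing import Callable

# The domain registered on 12 May 2017 (widely reported; not from the post).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

Fetch = Callable[[str], bytes]  # fetch(url) -> body; raises OSError on failure


def worm_should_run(fetch: Fetch, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Return True when the sample would continue to encrypt and spread.

    Any failure to reach the URL counted as "go ahead"; a successful fetch
    made the binary exit. That is why an unregistered domain let it run and
    a registered, sinkholed one stopped it.
    """
    try:
        fetch(f"http://{domain}/")
    except OSError:
        return True
    return False


def make_fetch(domain_registered: bool, direct_internet: bool) -> Fetch:
    """Constructed stand-in for the network so the model runs offline.

    direct_internet=False models a host that can only reach the web via a
    proxy. The worm opened its connection with no proxy configured, so on
    such hosts the request still failed after the domain was registered.
    """
    def fetch(url: str) -> bytes:
        if not direct_internet:
            raise OSError("no route: host requires a proxy")
        if not domain_registered:
            raise OSError("NXDOMAIN")
        return b"sinkhole"
    return fetch


def outcome(domain_registered: bool, direct_internet: bool = True) -> str:
    """'spreads' or 'halts' for the given network situation."""
    fetch = make_fetch(domain_registered, direct_internet)
    return "spreads" if worm_should_run(fetch) else "halts"


# Constructed resolver log: timestamp, client, qtype, qname, rcode.
SAMPLE_DNS_LOG = """\
2017-05-12T10:31:02Z 10.0.5.17 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:31:09Z 10.0.5.23 A windowsupdate.microsoft.com NOERROR
2017-05-12T10:33:41Z 10.0.9.4 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T18:40:12Z 10.0.5.17 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""


def hosts_that_ran_the_dropper(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> list:
    """Clients that looked up the kill-switch domain executed the sample.

    The lookup happens before any encryption, so a query is evidence the
    binary ran on that host whether or not it went on to spread.
    """
    seen = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3].lower() == domain:
            seen.add(fields[1])
    return sorted(seen)


if __name__ == "__main__":
    print("unregistered, direct internet:", outcome(False))
    print("registered,   direct internet:", outcome(True))
    print("registered,   proxy only:     ", outcome(True, direct_internet=False))
    print("hosts that ran the dropper:   ", hosts_that_ran_the_dropper(SAMPLE_DNS_LOG))
```

The third scenario is the practical caveat: registering the domain did not protect networks where outbound HTTP only works through a proxy, so the DNS sweep (or a proxy log search for the same name) is the check worth running on a fleet rather than assuming the sinkhole covered everyone.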

Attack attribution

You’ll recall I was a skeptic about North Korea as the source of the Sony hack. There could be classified information cinching the link, but I don’t have access to it. I remain skeptical since Sony Group’s entities leaked like sieves for years.

I’m now skeptical about the identity of the hacker(s) behind WannaCry ransomware this past week.

At first it looked like Russia given Cyrillic character content within the malware. But this map didn’t make any sense. Why would a Russian hacker damage their own country most heavily?

[graphic: WannaCry distribution; image via BBC]

The accusations have changed over time. North Korea has been blamed as well as the Lazarus Group. Convenient, given the missile test this past week which appeared focused on rattling Russia while President Putin was attending a conference in China. And some of the details could be attributed to North Korea.

But why did the ransomware first spread in Spain through telecom Telefonica? Why did it spread to the UK so quickly?

This didn’t add up if North Korea is the origin.

Later reports said the first infections happened in western Asia; the affected countries still don’t make sense if North Korea is the perpetrator, and/or China was their main target.

Malware capability

Given the timing of the ransomware’s launch and the other events also unfolding concurrently — events we only learned about last evening — here’s what I want to know:

Can the SMBv1 vulnerability patched by MS17-010, which WannaCry exploits to spread, be used as a remote switch?

Think about the kind and size of laptops still running Windows XP and Windows 8, the unsupported operating systems for which Microsoft issued an MS17-010 patch only after the outbreak began. They’re not the slim devices on which Windows 10 runs; they’re heavier, more often have hard disk drives (HDDs) and bulkier batteries. I won’t go into details, but these older technologies could be replaced by trimmer technologies, leaving ample room inside the laptop case — room that would allow an older laptop to host other resources.

Let’s assume SMBv1 could be used to push software; this isn’t much of an assumption since this is what WannaCry does. Let’s assume the software looks for specific criteria and takes action or shuts down depending on what it finds. And again, it’s not much of an assumption based on WannaCry and the tool set Shadow Brokers have released to date.

Let’s assume that the software pushed via SMBv1 finds the right criteria in place and triggers a detonation.

Yes. A trigger. Not unlike Stuxnet in a way, though Stuxnet went after industrial controllers, altering centrifuge speeds while replaying normal readings to operators, and was a far more complex piece of work than WannaCry.

Imagine an old bulky laptop running Windows XP, kitted out internally as an IED, triggered by a malware worm. Imagine several in a cluster on the same local network.

Is this a realistic possibility? I suspect it is based on U.S. insistence that a thinly-justified laptop ban on airplanes is necessary.
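The assumption above, that SMBv1 can be used to push software onto a host, only holds against machines that still negotiate SMBv1 at all. An added example, not code from the post: a Python probe that builds an SMB1 NEGOTIATE request listing only SMB1 dialects and classifies the reply, which is the quickest fleet-wide check for the exposure discussed here. Wire layout follows the MS-CIFS specification; the sample replies are constructed, not captured. Whether a host that does speak SMBv1 has MS17-010 applied is a separate question this probe does not answer.

```python
"""Probe whether a host still accepts SMBv1 (constructed samples run offline)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def _smb1_header(command: int, flags: int = 0x18, flags2: int = 0xC853) -> bytes:
    """32-byte SMB1 header with zero status, signature, TID, UID and MID."""
    return (SMB1_MAGIC + bytes([command]) + b"\x00\x00\x00\x00"
            + bytes([flags]) + struct.pack("<H", flags2)
            + b"\x00\x00"                 # PIDHigh
            + b"\x00" * 8                 # SecurityFeatures (signature)
            + b"\x00\x00"                 # Reserved
            + b"\x00\x00"                 # TID
            + struct.pack("<H", 0x4B2F)   # PID (arbitrary)
            + b"\x00\x00"                 # UID
            + b"\x00\x00")                # MID


def build_smb1_negotiate(dialects=("NT LM 0.12",)) -> bytes:
    """NetBIOS session frame wrapping an SMB1 NEGOTIATE that offers only SMB1 dialects."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = _smb1_header(SMB_COM_NEGOTIATE) + b"\x00" + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_negotiate_response(frame: bytes) -> str:
    """One of: closed, smb2-only, smb1-refused, smb1-accepted, malformed."""
    if not frame:
        return "closed"                # server dropped the connection without replying
    smb = frame[4:]                    # strip the 4-byte NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2-only"             # server answered with an SMB2 negotiate instead
    if smb[:4] != SMB1_MAGIC or len(smb) < 35 or smb[4] != SMB_COM_NEGOTIATE:
        return "malformed"
    word_count = smb[32]
    if word_count == 0:
        return "smb1-refused"          # error reply; NT status sits in bytes 5..8
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1-accepted"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Live check (not exercised offline): send the request and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        try:
            frame = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            frame = b""
    return classify_negotiate_response(frame)


# ---- constructed sample replies (not captures) ------------------------------
def _sample_smb1_reply(dialect_index: int) -> bytes:
    # NT LM 0.12 response: WordCount 17 = DialectIndex plus 32 more bytes of words.
    words = struct.pack("<H", dialect_index) + b"\x00" * 32
    smb = _smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + bytes([17]) + words + b"\x00\x00"
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


SAMPLE_SMB1_ACCEPTED = _sample_smb1_reply(0)        # server picked dialect 0
SAMPLE_SMB1_REFUSED = _sample_smb1_reply(0xFFFF)    # no common dialect
SAMPLE_SMB2_REPLY = b"\x00\x00\x00\x41" + SMB2_MAGIC + b"\x00" * 61  # bare SMB2 header


if __name__ == "__main__":
    for name, frame in [("accepted", SAMPLE_SMB1_ACCEPTED), ("refused", SAMPLE_SMB1_REFUSED),
                        ("smb2", SAMPLE_SMB2_REPLY), ("closed", b"")]:
        print(f"{name:>8}: {classify_negotiate_response(frame)}")
```

A Windows host with SMBv1 disabled normally just closes the connection when offered nothing but SMB1 dialects, which is why an empty read is classified as refusal rather than an error; the smb2-only branch is reached only if the dialect list also carries an SMB2 dialect string.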

Revisit timing

Now you may grasp why the timing of events this past week gave me pause, combined with the details of location and technology.

The intelligence Trump spilled to Lavrov and Kislyak had been linked to the nebulous laptop threat we’ve heard so much about for months — predating the inauguration. Some outlets have said the threat was “tablets and laptops” or “electronic devices” carried by passengers onto planes, but this may have been cover for a more specific threat. (It’s possible the MS17-010 vulnerability has counterparts not yet publicly known, so non-laptop threats can’t be ruled out entirely.)

The nature of the threat may also offer hints at why an ally’s assets were embedded in a particular location. I’ll leave it to you to figure this out on your own; this post has already spelled out enough possibilities.

Trump spilled, the operation must be rolled up, but the roll up also must include closing backdoors along the way to prevent damage if the threat has been set in motion by Trump’s ham-handed spillage.

Which for me raises these questions:

1) Was Shadow Brokers the force behind WannaCry — not just some hacker(s) — and not just the leaking of the underlying vulnerability?

2) Was WannaCry launched in order to force telecoms and enterprise networks, device owners, and Microsoft to patch this particular vulnerability immediately due to a classified ‘clear and present danger’?

3) Was WannaCry launched to prevent unpatched MS17-010 from being used to distribute either a malware-as-trigger, or to retaliate against Russia — or both? The map above shows a disproportionate level of impact suggesting Russia was a potential target if secondary to the operation’s aim. Or perhaps Russia screwed itself with the intelligence entities behind Shadow Brokers, resulting in a lack of advance notice before WannaCry was unleashed?

4) Was WannaCry launched a month after the Shadow Brokers’ dump because there were other increasing threats to the covert operation to stop the threat?

5) Are Shadow Brokers really SHADOW BROKERS – a program of discrete roll-up operations? Is Equation Group really EQUATION GROUP – a program of discrete cyber defense operations united by a pile of cyber tools? Are their interactions more like red and blue teams?

6) Is China’s response to WannaCry — implying it was North Korea but avoiding directly blaming them — really cover for the operation which serves their own (and Microsoft’s) interests?

The pittance WannaCry’s progenitor raised in ransom so far and the difficulty in liquidating the proceeds suggests the ransomware wasn’t done for the money. Who or what could produce a snappy looking ransomware project and not really give a rat’s butt about the ransom?

While Microsoft complains about the NSA’s vulnerability hoarding, they don’t have much to complain about. WannaCry will force many users off unsupported operating systems like XP, Windows 8 and Windows Server 2003, and onto current patches for still-supported Windows 7, in a way nothing else has done to date.

[graphic: 5-year chart, MSFT performance via Google Finance]

Mother’s Day ‘gift’?

I confess I wrestled with writing this; I don’t want to set in motion even more ridiculous security measures that don’t work simply because a software company couldn’t see their software product had an inherent risk, and at least one government felt the value of that risk as a tool was worth hiding for years. It’s against what I believe in — less security apparatus and surveillance, more common sense. But if a middle-aged suburban mom in flyover country can line up all these ducks and figure out how it works, I couldn’t just let it go, either.

Especially when I figured out the technical methodology behind a credible threat on Mother’s Day. Don’t disrespect the moms.

Three Things: Day 1 – Tax Day, Ballmer’s Gift, Microsoft

Day 1: Tax Day
You have until midnight local time today to file your federal income taxes or file for an extension. As of midnight, Trump owes us yet another federal tax return.

And no, Trump’s federal income tax return for 2016 is NOT under audit as the deadline hasn’t even passed. Even if an audit of Trump’s 2016 filing began tomorrow there’s no excuse for not disclosing what has been filed with the IRS regardless of audit status.

What made America great has been its lower rate of corruption and clear expectations of oversight and governance. What makes America less than great is a failure of governance, lack of transparency, and increasing corruption. Why would any foreign individual, or company, or country invest in the U.S. when they can no longer reasonably expect fairness and security from our government? Trump’s behavior (and that of his family and his corporate holding structure) placing himself beyond the law undermines our strength. This cannot continue.

Steve Ballmer’s gift: USAFacts
Admittedly, I was never very crazy about Ballmer as CEO of Microsoft. He continued Bill Gates’ flawed ideology after Windows reached near-ubiquity, suppressing Microsoft’s value and negatively influencing the tech industry for too long. What a pleasant surprise, though, to learn about his retirement hobby: USAFacts, a Big Data initiative tracing the flow of tax dollars using government data.

The project began after Ballmer’s spouse prodded him to do more philanthropically. He resisted because he paid a lot of taxes; weren’t his tax dollars enough? Mm-hmm.

He learned a lot, and I expect we will, too, as USAFacts matures. Some ugly truths have already been exposed to people like Ballmer who might not otherwise have looked — like the power of the gun lobby to suppress government reporting, or the inability of children to rise from poverty.

Ballmer’s redeeming himself. I only hope his project can get out in front of the Trump administration’s rapid decimation of government reporting.

Microsoft: a very different gift
Systems administrators who manage Windows-based enterprises aren’t very happy with a change Microsoft made to its security bulletins — they’re gone, replaced by a searchable database, the Security Update Guide.

Which sounds all fine and dandy in theory until the rubber meets the road. Just read users’ feedback and you’ll quickly grasp that additional workload has been pushed off onto administrators who already have quite enough to do. SANS Internet Storm Center looked swamped by the change.

Elimination of the security bulletin format had been expected since last November and anticipated for February. It’s not clear if there is a relationship between the unusual patch pushes in February and March and this new security updates database.

One meager upside: malicious hackers will have just as much difficulty (or more) determining what was patched as will Windows administrators.

Speaking of hackers, I should note here I may be a minority report on The Shadow Brokers (TSB). The manner in which the last three months of Windows’ security fixes have been handled — which included many key vulnerabilities in advance of TSB’s latest NSA toolkit dump — suggests somebody inside Microsoft already knew what to patch months ago. Perhaps even last year when the change to security bulletins was announced given the amount of lead time needed to fix complex vulnerabilities.

Further, Microsoft had been compromised at least once some years ago that we know of by a Russian spy. Recall the roundup of the Illegals Program by FBI in late June 2010 when ten Russian sleeper agents including Anna Chapman were taken into custody and deported less than two weeks later in a spy swap. An eleventh agent had been picked up in Seattle where he worked for Microsoft. Reports said he was only an entry-level software tester who had established employment under his real name, Alexey Karetnikov. He first worked as an intern for Microsoft in the summer of 2008, then hired on full time in October 2009 after a gap year in Russia. (Karetnikov wasn’t the only Illegals Program spy in the Seattle area; a spy using the name ‘Tracey Foley’ had been hired to work for a real estate company’s Seattle branch but had not fully established a presence in the northwest by the time she was arrested. There didn’t appear to be an immediate link between Foley and Microsoft or any Seattle-area technology company.)

What did Microsoft do after they learned about Karetnikov’s presence? When did they learn about him — before his arrest, or only when the arrest took place? How did MSFT mitigate risks, including the possibility there were other undisclosed spies in their ranks? Is TSB really a means by which now-useless or exposed tools are rolled up while being used as a honeypot? That could explain why linguists say TSB is likely English-speaking masquerading as non-English speaking.

We’ll probably never know for sure.

A little less than seven hours until tax filing deadline here in Eastern Daylight timezone. Tick-tock.

Wednesday: Feliz Dia de los Muertos — Happy Day of the Dead!

In this Day of the Dead roundup: World Series Game 7, Rule 41, AT&T and net neutrality, Google spanks Microsoft, Slack smacks.

Happy All Saints’ Day Two — the second day observed throughout Latin America as el Día de los Muertos.

Was thinking of death and dying when I saw a post about one of my favorite movie soundtracks by one of my favorite contemporary composers. The Fountain, composed by Clint Mansell, was released today on vinyl. The 2006 film directed by Darren Aronofsky may not be everybody’s cup of tea, but the score surely must have wider appeal. The score features collaborative work of the contemporary classical chamber group Kronos Quartet and post-rock quartet Mogwai. The former provides most of the string work and the latter most of the rhythm, melding into some truly haunting music.

I think The Fountain is some of Mansell’s finest work; it was nominated for multiple awards including a Golden Globe. But do check out some of Mansell’s other film work, including that for Requiem for a Dream (especially the cut Lux Aeterna) and Black Swan. Stoker did not receive the recognition it should have; its presence is another character in the film. Granted, Mansell’s score for Stoker was only part of a soundtrack featuring other artists’ compositions.

World Series – Great Lakes Edition
So Game 7 is underway. I’d rather see Chicago Cubs up against Detroit Tigers, but the summer kitties let me down. I’m hoping for a Cubs win just because. What about you?

Cyber-y stuff

  • Less than a month before Rule 41 deadline (ZDNet) — Congress has diddled around after the Supreme Court created a potentially awful opportunity for law enforcement overreach. I can’t even imagine the foreign policy snafus this could create, let alone the fuckups which could happen from searching machines with spoofed identities and locations. I can think of a case where a political entity plopped on an IP address belonging to a major corporation — now imagine some huckleberry charging into that situation. FIX THIS, CONGRESS.
  • That’s not the airport, that’s the Kremlin! (MoscowTimes) — Speaking of spoofed identities, apparently the Kremlin’s location has been masked by a beacon emitting the GPS and GLONASS geolocation coordinates for Vnukovo airport to prevent drones from snooping. An interesting bit, this…I wonder where/when else geolocation coordinates have been spoofed?
  • AT&T ‘zero-rating’ on DirecTV content should be reviewed (WSJ) — Favoring DirecTV — owned by AT&T — by lifting data caps on its content isn’t net neutrality when content streamed from other providers like Netflix does count against data limits.
  • AT&T already in the hot seat with USDOJ on Dodgers’ games (Bloomberg) — USDOJ sued AT&T and DirecTV for colluding with competitors to influence negotiations for Los Angeles Dodgers’ ball games. Imagine what this network will do if it owns content? Definitely not net neutrality — a perfect example of the conflict of interest between ISPs/network carriers and content creators.
  • Google takes Microsoft to the woodshed in full view of public (Threatpost) — I think Google is fed up with Microsoft’s buggy software and slow response which causes Google a mess of heartburn to plug on their end. Google told Microsoft of a new major zero-day vulnerability being actively exploited and then told the public 10 days after they told Microsoft. Apparently, MSFT hadn’t gotten a grip on a fix yet nor issued an advisory to warn users. By the way, guess when the next Patch Tuesday is? Election Day in the U.S. Uh-huh.
  • Slack takes out a full-page ad to welcome/razz Microsoft (WinBeta) — Microsoft is currently working on a competing group communication tool called Teams, aimed at Slack’s market share. Slack welcomed the competition and gave MSFT some free pointers. Based on my experience, these pointers will go right over the head of MSFT’s management as they don’t mesh with their corporate culture.

That’s all for now, off to finish watching the Cubs who are giving it to Cleveland in a really fast-paced game that won’t last much longer at this rate. Must be all that Great Lakes water.

Thursday: Hotter than Hell

Have a little indie synthpop if your day isn’t hot enough. The artist Dua Lipa lives in London, where she was born in 1995 to Kosovar-Albanian parents who had moved to the United Kingdom in the 1990s. Imagine a UK to which artists like Lipa cannot easily immigrate.

Money, money, money

  • HSBC’s global head of Forex trading in London arrested at JFK on Tuesday (Bloomberg) — Mark Johnson was picked up before his flight by the feds; his counterpart, Stuart Scott, HSBC’s former head of currency trading in Europe, has been charged alongside Johnson with conspiracy to manipulate currency based on insider information. The transaction on which the case is based took place in 2011, earning HSBC $8 million on a $3.1 billion deal. Gee, I wonder if these guys worked the pre- and post-Brexit fall of the pound.
  • Mastercard snaps up UK’s VocaLink for $920M (Businesswire) — Should probably keep a tally of UK businesses bought while pound is still down from pre-referendum highs. VocaLink gives Mastercard huge reach in payroll and household bill processing across UK and access to a substantive majority of UK consumer data.
  • Subzero bond yields: who’d have predicted this? (Bloomberg) — Analysis of overall trends this year, including flights to safety and their effect on the market. Still trying to wrap my head around subzero bond yields; does this make sense to pay for safekeeping without expectation of increase in value at the end? What might this do to consumption and growth?

Daily dose of cyber

  • Forbidden Research: fixing “leaky” cellphones (MIT Media Lab) — Electrical engineer/hacker Andrew “bunnie” Huang and NSA whistleblower Edward Snowden published a paper presented at today’s MIT’s Forbidden Research event, outlining their work countering surveillance abuse by law enforcement. Journalists in particular are targets for surveillance; their cellphones “leak” all kinds of information about them and their location which airplane mode does not shield. Huang and Snowden propose a method for monitoring radio transmissions by a cellphone, including GPS, and a means for killing the transmissions. Abstract here, and the paper itself here. Very straightforward reads even for the non- to low-tech audience.
  • Dead man’s prints brought back from the dead (Fusion) — Law enforcement approached a Michigan State University professor Anil Jain and his PhD student Sunpreet Arora and asked them to recreate a dead man’s fingerprints in order to unlock his phone. There are few details disclosed about the case — not even which law enforcement agency made the ask — but the phone belonged to a murder victim and may contain information about his murderer. Or so the story says.
  • UK’s largest internet provider suffers two days of massive outages (TechRadar) — Outages have been blamed on power failures, but no additional information offered on reasons for power loss. Coincidentally, a C1 solar flare which began on July 17 caused radio disruption and aurora over the last 15-24 hours — might have made the situation worse.
  • France’s National Data Protection Commission says Microsoft Windows 10 operating system gathers too much personal data (Libération + BetaNews) — Surprised the Commission nationale de l’informatique et des libertés (CNIL) hasn’t cuffed Microsoft sooner given every version of Windows “phoned home” with information about its users and devices when patching and updating. Why is it Windows 10 in particular doesn’t comply with their Data Protection Act — is it the sniffing of users’ navigation data? Microsoft responded to CNIL’s complaint, not denying the claim but only saying it will work with CNIL on a solution. Right, then.

Tonight’s dinner and a movie: Jujubes and Ghostbusters. Yum. Stay cool, look after elderly neighbors and pets who need a reprieve from the heat.