Dailydave mailing list archives
Re: "When you shoot at the king, you best not miss."
From: Mara Tam <marasawr () gmail com>
Date: Thu, 16 Jun 2016 17:59:28 -0400
Leaving aside problems with assuming that this is definitely state-sponsored, it is worth reading through the Information Security Doctrine of the Russian Federation.[1] N.B. This has been in place since 2000, and is due to be updated shortly. This Diplomaatia piece surveys the substance of likely changes as well as the motivations driving them.[2] There have been interim update of sorts in changes to the military doctrine from 2010,[3] and from 2014.[4] But, lest one be tempted to shout ‘Ah-HA!’, the US and Russia have been working fitfully towards something like the Sino-American and Sino-Russian non-aggression pacts for ICT since 2013. If Guccifer 2.0 is a proxy acting at the direction of the Russian state, then Russia has been caught violating a core tenet of their own ICT security doctrine (i.e. interfering in the internal affairs of a foreign power), which would be very extremely not good.[5] That said, it is worth keeping in mind that an actor contracted by the state to engage in information warfare may contract to non-state clients as well. And here we trip over the fuzzy grey lines separating ‘sponsored’, ‘sanctioned’, and ’tolerated'. Attribution is hard. -mara _________ [1] http://archive.mid.ru/bdomp/ns-osndoc.nsf/1e5f0de28fe77fdcc32575d900298676/2deaa9ee15ddd24bc32575d9002c442b!OpenDocument [2] http://www.diplomaatia.ee/en/article/venemaa-foderatsiooni-soovid-it-valdkonna-reguleerimisel/ [3] https://globalvoices.org/2010/02/23/russian-military-doctrine/ [4] Mostly the same as 2010, some additional language specific to the information space in conflict. https://www.offiziere.ch/wp-content/uploads-001/2015/08/Russia-s-2014-Military-Doctrine.pdf [5] For the purposes of this thought experiment, Georgia, Crimea, Kharkiv, Luhansk, and Donetsk are not ‘foreign’.
On 16 Jun 2016, at 11:26, dave aitel <dave () immunityinc com> wrote: So I want to point out some things about this really weird DNC Hack. The only example I can think of where a nation-state hacked someone and then released the documents under a cover-account is North Korea and Sony Pictures Entertainment. I can see examples of other smaller services (Iran, etc.) doing this as well. North Korea, to be fair, doesn't have a lot to lose, so acting like this can make sense and probably showed some teeth at an important time. But Russia is a whole different kind of service! They have important connections to the United States, and having the first thing Hillary thinks if she wins the Presidency be "Let's get back at Russia for trying to take my campaign out" seems like a cost-benefit equation that would preclude this kind of action. Are there other examples of Russian intelligence doing this sort of thing? Is this a change from the norm? Surely this isn't what Russia wants the new norm to be, right? -dave Conversation • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago Now THIS is a really interesting development in #DncHack: @Gawker has & is publishing the DNC's Trump oppo research 97 retweets101 likes Re More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago This is a big development, because it means whoever did #DncHack to get Trump oppo file was doing it (bear with me) in *support* of Trump. View conversation35 retweets43 likes Reply Retweet 35 Like 43 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago How does this help Trump, you ask? It's a full dump. Trump gets lots of bad news today, but DNC loses ability to use contents strategically. View conversation34 retweets45 likes Reply Retweet 34 Like 45 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago A few observations about this op 1) Another data point in Russian SIGINT strategically leaking stolen data to push a particular narrative. View conversation22 retweets31 likes Reply Retweet 22 Like 31 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago 2) This para. V. bad for DNC if those are classification markings (but could be campaign "doc is sensitive" bluster) <ClBSKVuXIAAALo3.jpg> 16 retweets17 likes Reply Retweet 16 Like 17 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago 3) Gosh, I wonder what outlet Russian intelligence is going to use to launder these stolen documents. <ClBSnM2WkAApNd9.jpg> 21 retweets24 likes Reply Retweet 21 Like 24 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 18h18 hours ago 4) If you want to peruse the Trump oppo research directly, here's the PDF: https://assets.documentcloud.org/documents/2861555/1.pdf … View conversation28 retweets27 likes Reply Retweet 28 Like 27 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago 5) Site apparently set up by the group that hacked DNC https://guccifer2.wordpress.com/ <ClBYdsHWgAA53kN.jpg> 21 retweets25 likes Reply Retweet 21 Like 25 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago 6) This is all of the text from the hacker's post, in case website gets taken down. Check out the broken English. <ClBZKsnXEAAC9y2.jpg> <ClBZLXJXEAAgOyW.jpg> <ClBZKLTXIAQGlIX.jpg> <ClBZLaXXIAA3kJ-.jpg> 32 retweets29 likes Reply Retweet 32 Like 29 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago 7) Uh oh. This is an unfortunate document for Russia to stolen from under the noses of the DNC. <ClBbIr3WQAAgkGx.jpg> 25 retweets29 likes Reply Retweet 25 Like 29 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago 8) Lol. Russian #opsec fail. <ClBdykWWEAALE9E.jpg> 65 retweets76 likes Reply Retweet 65 Like 76 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago 9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers using VMs to open some (but clearly not all) docs <ClBfuApWAAAuD8a.jpg> 10 retweets12 likes Reply Retweet 10 Like 12 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 17h17 hours ago 10) Files from Russian Intelligence Agencies can contain viruses. It's safer to stay in Protected View <ClBhGJUWMAEgFQ7.jpg> 11 retweets19 likes Reply Retweet 11 Like 19 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago 11) Document #5 leaks via tracked changes (thx @TheCyberSecExp) but it's not very interesting, and likely not hacker <ClBh7IhWEAAO6dV.jpg> 5 retweets9 likes Reply Retweet 5 Like 9 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago Pwn All The Things Retweeted Peter Johnson 12) To clarify: leak is the RU-lang settings, not name (cover name references "Iron Felix" https://en.wikipedia.org/wiki/Felix_Dzerzhinsky …) Pwn All The Things added, Peter Johnson @alcebaid @pwnallthethings Felix is really a pseudo View conversation5 retweets9 likes Reply Retweet 5 Like 9 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago Pwn All The Things Retweeted (((davi - 德海))) 13) Another #opsec fail. (This happened because they did an Export as PDF, and then later saved, w/ lang set to RU) Pwn All The Things added, <ClBfs3FUsAAtuk7.jpg> (((davi - 德海))) @daviottenheimer @pwnallthethings "error! invalid hyperlinks" in Russian... View conversation25 retweets27 likes Reply Retweet 25 Like 27 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago 14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username is founder of USSR secret police & likes laundering docs via Wikileaks. View conversation64 retweets62 likes Reply Retweet 64 Like 62 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 16h16 hours ago 15) Spot the difference: Left: doc sent to Gawker (page 210). On right, same page in https://guccifer2.wordpress.com/ <ClBrTJtWEAQwnHT.jpg> <ClBrR5KWkAACaFo.jpg> 13 retweets18 likes Reply Retweet 13 Like 18 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago 16) Tangentially related: "VantageUploader" is the tool DNC use to share vids. JWT arg leaks author email in base64. <ClB0Q2LWYAArFdA.jpg> 4 retweets12 likes Reply Retweet 4 Like 12 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago 17) Final piece of metadata: Creation date and software used to turn DOC into the Gawker PDF (note: could be journo) <ClB4nXdWgAIRY-K.jpg> <ClB4nYMWgAEfvcI.jpg> 4 retweets8 likes Reply Retweet 4 Like 8 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago 18) Metadata from the various docs <ClB6p5XWgAQZXCn.jpg> <ClB6p6QXEAAVA4M.jpg> <ClB6p7gXEAQc0P1.jpg> 5 retweets3 likes Reply Retweet 5 Like 3 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 15h15 hours ago Pwn All The Things Retweeted Florian Wagner 19) @_fl01 points out "Grizli777" indicates that pirated Office (2007) was used by the hacker. Pwn All The Things added, <ClB38YpWIAAOOzt.jpg> Florian Wagner @_fl01 @_fl01 @pwnallthethings Get it now ;) »Grizli777«'s cracked MS Office seems 2b popular among Russians and Romanians. • Pwn All The Things @pwnallthethings 14h14 hours ago 20) Extra data-point: Author on The Smoking Gun's PDF is different again. (good chance this is TSG's journo) <ClB-dwjWYAEmW2x.jpg> 4 retweets6 likes Reply Retweet 4 Like 6 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 3h3 hours ago 21) Missed this yesterday, but the hacker contacted TSG (and probably Gawker) via a GMZ.us (anoymous) email addr <ClEdqi1WIAA1u9Y.jpg> 7 retweets3 likes Reply Retweet 7 Like 3 More • <0bc84c66d3048178cd4d1361f34aa224_bigger.jpeg>Pwn All The Things @pwnallthethings 2h2 hours ago Pwn All The Things Retweeted CrowdStrike 22) A weak data point, but @CrowdStrike also says Guccifer2.0 doesn't change their attribution of #DncHack to Russia Pwn All The Things added, CrowdStrike @CrowdStrike New hacker claims credit for DNC hack. CrowdStrike fully stands by attribution to Russian government https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ … 1 retweet4 likes Reply Retweet 1 Like 4 More View conversation6 retweets12 likes Reply Retweet 6 Like 12 More _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- "When you shoot at the king, you best not miss." dave aitel (Jun 16)
- Re: "When you shoot at the king, you best not miss." Adam Shostack (Jun 16)
- Re: "When you shoot at the king, you best not miss." Allen (Jun 17)
- Re: "When you shoot at the king, you best not miss." Paul Melson (Jun 17)
- Re: "When you shoot at the king, you best not miss." Allen (Jun 17)
- Re: "When you shoot at the king, you best not miss." spacerog () spacerogue net (Jun 16)
- Re: "When you shoot at the king, you best not miss." Mara Tam (Jun 17)
- Re: "When you shoot at the king, you best not miss." Thomas Quinlan (Jun 17)
- Re: "When you shoot at the king, you best not miss." Adam Shostack (Jun 16)