
Dailydave mailing list archives
Re: "When you shoot at the king, you best not miss."
From: Adam Shostack <adam () shostack org>
Date: Thu, 16 Jun 2016 11:56:46 -0400
It's entirely possible that this is a disinformation campaign, or that
attribution is hard, and Crowdstrike made a mistake:

http://www.csoonline.com/article/3084594/security/dnc-hacker-slams-crowdstrike-publishes-opposition-memo-on-donald-trump.html

On Thu, Jun 16, 2016 at 11:26:46AM -0400, dave aitel wrote:
| So I want to point out some things about this really weird DNC Hack. The
| only example I can think of where a nation-state hacked someone and then
| released the documents under a cover-account is North Korea and Sony
| Pictures Entertainment. I can see examples of other smaller services
| (Iran, etc.) doing this as well. North Korea, to be fair, doesn't have a
| lot to lose, so acting like this can make sense and probably showed some
| teeth at an important time.
|
| But Russia is a whole different kind of service! They have important
| connections to the United States, and having the first thing Hillary
| thinks if she wins the Presidency be "Let's get back at Russia for
| trying to take my campaign out" seems like a cost-benefit equation that
| would preclude this kind of action.
|
| Are there other examples of Russian intelligence doing this sort of
| thing? Is this a change from the norm? Surely this isn't what Russia
| wants the new norm to be, right?
|
| -dave
|
|
| Conversation <https://twitter.com/thegrugq/timelines/743231527639621632>
|
| 1. Pwn All The Things @pwnallthethings <https://twitter.com/pwnallthethings>, 18 hours ago
|    <https://twitter.com/pwnallthethings/status/743179750064037888>
|
|    Now THIS is a really interesting development in #DncHack
|    <https://twitter.com/hashtag/DncHack?src=hash>: @Gawker
|    <https://twitter.com/Gawker> has & is publishing the DNC's Trump
|    oppo research
|
| 2. Pwn All The Things @pwnallthethings, 18 hours ago
|    <https://twitter.com/pwnallthethings/status/743180111038472192>
|
|    This is a big development, because it means whoever did #DncHack
|    to get Trump oppo file was doing it (bear with me) in *support* of
|    Trump.
|
| 3. Pwn All The Things @pwnallthethings, 18 hours ago
|    <https://twitter.com/pwnallthethings/status/743180624731717636>
|
|    How does this help Trump, you ask? It's a full dump. Trump gets lots
|    of bad news today, but DNC loses ability to use contents strategically.
|
| 4. Pwn All The Things @pwnallthethings, 18 hours ago
|    <https://twitter.com/pwnallthethings/status/743183682530324480>
|
|    A few observations about this op 1) Another data point in Russian
|    SIGINT strategically leaking stolen data to push a particular narrative.
|
| 5. Pwn All The Things @pwnallthethings, 18 hours ago
|    <https://twitter.com/pwnallthethings/status/743184280008916992>
|
|    2) This para. V. bad for DNC if those are classification markings
|    (but could be campaign "doc is sensitive" bluster)
|
| 6. Pwn All The Things @pwnallthethings, 18 hours ago
|    <https://twitter.com/pwnallthethings/status/743184776547340288>
|
|    3) Gosh, I wonder what outlet Russian intelligence is going to use
|    to launder these stolen documents.
|
| 7. Pwn All The Things @pwnallthethings, 18 hours ago
|    <https://twitter.com/pwnallthethings/status/743184953546924033>
|
|    4) If you want to peruse the Trump oppo research directly, here's
|    the PDF: https://assets.documentcloud.org/documents/2861555/1.pdf …
|    <https://t.co/D6qUsqIoDN>
|
| 8. Pwn All The Things @pwnallthethings, 17 hours ago
|    <https://twitter.com/pwnallthethings/status/743191210718797824>
|
|    5) Site apparently set up by the group that hacked DNC
|    https://guccifer2.wordpress.com/ <https://t.co/AqXxuUwzS0>
|
| 9. Pwn All The Things @pwnallthethings, 17 hours ago
|    <https://twitter.com/pwnallthethings/status/743191996437770241>
|
|    6) This is all of the text from the hacker's post, in case website
|    gets taken down. Check out the broken English.
|
| 10. Pwn All The Things @pwnallthethings, 17 hours ago
|    <https://twitter.com/pwnallthethings/status/743194146752565248>
|
|    7) Uh oh. This is an unfortunate document for Russia to have stolen
|    from under the noses of the DNC.
|
| 11. Pwn All The Things @pwnallthethings, 17 hours ago
|    <https://twitter.com/pwnallthethings/status/743197064843104257>
|
|    8) Lol. Russian #opsec <https://twitter.com/hashtag/opsec?src=hash>
|    fail.
|
| 12. Pwn All The Things @pwnallthethings, 17 hours ago
|    <https://twitter.com/pwnallthethings/status/743199185596465152>
|
|    9) Better #opsec in the "NatSec & Foreign Policy" doc. Attackers
|    using VMs to open some (but clearly not all) docs
|
| 13. Pwn All The Things @pwnallthethings, 17 hours ago
|    <https://twitter.com/pwnallthethings/status/743200699975086083>
|
|    10) Files from Russian Intelligence Agencies can contain viruses.
|    It's safer to stay in Protected View
|
| 14. Pwn All The Things @pwnallthethings, 16 hours ago
|    <https://twitter.com/pwnallthethings/status/743201610235514880>
|
|    11) Document #5 leaks via tracked changes (thx @TheCyberSecExp
|    <https://twitter.com/TheCyberSecExp>) but it's not very interesting,
|    and likely not hacker
|
| 15. Pwn All The Things @pwnallthethings, 16 hours ago
|    <https://twitter.com/pwnallthethings/status/743203462683496448>
|
|    Pwn All The Things Retweeted Peter Johnson
|
|    12) To clarify: leak is the RU-lang settings, not name (cover name
|    references "Iron Felix"
|    https://en.wikipedia.org/wiki/Felix_Dzerzhinsky …
|    <https://t.co/E14IjtJv9b>)
|
|    Pwn All The Things added,
|
|    Peter Johnson @alcebaid
|    @pwnallthethings Felix is really a pseudo
|
| 16. Pwn All The Things @pwnallthethings, 16 hours ago
|    <https://twitter.com/pwnallthethings/status/743208737469509632>
|
|    Pwn All The Things Retweeted (((davi - 德海)))
|
|    13) Another #opsec fail. (This happened because they did an Export
|    as PDF, and then later saved, w/ lang set to RU)
|
|    Pwn All The Things added,
|
|    (((davi - 德海))) @daviottenheimer
|    @pwnallthethings "error! invalid hyperlinks" in Russian...
|
| 17. Pwn All The Things @pwnallthethings, 16 hours ago
|    <https://twitter.com/pwnallthethings/status/743209989217587200>
|
|    14) Tldr: this "lone hacker" uses many VMs, speaks Russian; username
|    is founder of USSR secret police & likes laundering docs via Wikileaks.
|
| 18. Pwn All The Things @pwnallthethings, 16 hours ago
|    <https://twitter.com/pwnallthethings/status/743211918995951616>
|
|    15) Spot the difference: Left: doc sent to Gawker (page 210). On
|    right, same page in https://guccifer2.wordpress.com/
|    <https://t.co/AqXxuUwzS0>
|
| 19. Pwn All The Things @pwnallthethings, 15 hours ago
|    <https://twitter.com/pwnallthethings/status/743221774725300224>
|
|    16) Tangentially related: "VantageUploader" is the tool DNC use to
|    share vids. JWT arg leaks author email in base64.
|
| 20. Pwn All The Things @pwnallthethings, 15 hours ago
|    <https://twitter.com/pwnallthethings/status/743226558412918788>
|
|    17) Final piece of metadata: Creation date and software used to turn
|    DOC into the Gawker PDF (note: could be journo)
|
| 21. Pwn All The Things @pwnallthethings, 15 hours ago
|    <https://twitter.com/pwnallthethings/status/743228802646573060>
|
|    18) Metadata from the various docs
|
| 22. Pwn All The Things @pwnallthethings, 15 hours ago
|    <https://twitter.com/pwnallthethings/status/743230570440826886>
|
|    Pwn All The Things Retweeted Florian Wagner
|
|    19) @_fl01 <https://twitter.com/_fl01> points out "Grizli777"
|    indicates that pirated Office (2007) was used by the hacker.
|
|    Pwn All The Things added,
|
|    Florian Wagner @_fl01
|    @_fl01 @pwnallthethings Get it now ;) »Grizli777«'s cracked MS
|    Office seems 2b popular among Russians and Romanians.
|
|    1. Pwn All The Things @pwnallthethings, 14 hours ago
|       <https://twitter.com/pwnallthethings/status/743232989602156546>
|
|       20) Extra data-point: Author on The Smoking Gun's PDF is
|       different again. (good chance this is TSG's journo)
|
|    2. Pwn All The Things @pwnallthethings, 3 hours ago
|       <https://twitter.com/pwnallthethings/status/743408033691279361>
|
|       21) Missed this yesterday, but the hacker contacted TSG (and
|       probably Gawker) via a GMZ.us (anonymous) email addr
|
|    3. Pwn All The Things @pwnallthethings, 2 hours ago
|       <https://twitter.com/pwnallthethings/status/743416709281898496>
|
|       Pwn All The Things Retweeted CrowdStrike
|
|       22) A weak data point, but @CrowdStrike
|       <https://twitter.com/CrowdStrike> also says Guccifer2.0 doesn't
|       change their attribution of #DncHack to Russia
|
|       Pwn All The Things added,
|
|       CrowdStrike @CrowdStrike
|       New hacker claims credit for DNC hack. CrowdStrike fully stands
|       by attribution to Russian government
|       https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ …
|
| _______________________________________________
| Dailydave mailing list
| Dailydave () lists immunityinc com
| https://lists.immunityinc.com/mailman/listinfo/dailydave

--
Don't miss out on my news, which comes out roughly once a quarter.
http://adam.shostack.org/newthing.html
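
Added example, not part of either message above: several of the quoted tweets turn on metadata left in the released documents (author and last-modified-by names, language settings, tracked changes, creation date and software). The sketch below runs the same inspection defensively on a file before it is published. It assumes an OOXML .docx package, which the thread does not say the leaked files were, and the sample document and every name in it are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]
PROPS = {"docProps/core.xml": ("dc:creator", "cp:lastModifiedBy", "dcterms:created"),
         "docProps/app.xml": ("ep:Application",)}

def audit_docx(data: bytes) -> dict:
    """List metadata a reader could recover from a .docx before it is released."""
    found = {"props": {}, "languages": set(), "change_authors": set(), "tracked_changes": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if part in PROPS:  # document properties: names, dates, software
                root = ET.fromstring(z.read(part))
                for field in PROPS[part]:
                    el = root.find(field, NS)
                    if el is not None and el.text:
                        found["props"][field] = el.text
            elif part.startswith("word/") and part.endswith(".xml"):
                for el in ET.fromstring(z.read(part)).iter():
                    if el.tag == W + "lang":  # proofing-language settings
                        found["languages"].update(el.attrib.values())
                    elif el.tag in (W + "ins", W + "del"):  # tracked changes
                        found["tracked_changes"] += 1
                        found["change_authors"].add(el.get(W + "author", "unknown"))
    return found

def build_sample() -> bytes:
    """Constructed sample package; every name and value here is invented."""
    core = ('<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
            '<dc:creator>Original Author</dc:creator><cp:lastModifiedBy>Second Editor</cp:lastModifiedBy>'
            '<dcterms:created>2016-01-01T00:00:00Z</dcterms:created></cp:coreProperties>') % NS
    app = '<Properties xmlns="%(ep)s"><Application>Example Word Processor</Application></Properties>' % NS
    doc = ('<w:document xmlns:w="%(w)s"><w:body><w:p><w:r><w:rPr><w:lang w:val="ru-RU"/></w:rPr>'
           '<w:t>text</w:t></w:r><w:ins w:author="Reviewer One"><w:r><w:t>added</w:t></w:r>'
           '</w:ins></w:p></w:body></w:document>') % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", doc)):
            z.writestr(name, body)
    return buf.getvalue()
```

Calling audit_docx(build_sample()) returns the property values, the language tags and the tracked-change authors found in the constructed package; an empty result on a real file is what you want to see before it leaves the building.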
Current thread:
- "When you shoot at the king, you best not miss." dave aitel (Jun 16)
- Re: "When you shoot at the king, you best not miss." Adam Shostack (Jun 16)
- Re: "When you shoot at the king, you best not miss." Allen (Jun 17)
- Re: "When you shoot at the king, you best not miss." Paul Melson (Jun 17)
- Re: "When you shoot at the king, you best not miss." Allen (Jun 17)
- Re: "When you shoot at the king, you best not miss." spacerog () spacerogue net (Jun 16)
- Re: "When you shoot at the king, you best not miss." Mara Tam (Jun 17)
- Re: "When you shoot at the king, you best not miss." Thomas Quinlan (Jun 17)
- Re: "When you shoot at the king, you best not miss." Adam Shostack (Jun 16)