Putting FUD Back in Information Security

FUD is Fear, Uncertainty and Doubt. A tactic well played in the early days of Information Security. I never liked it because… well you know that Boy Who Cried Wolf story, right? It appears to me that FUD is making a strong comeback. This time instead of being used to help bolster InfoSec budgets or sell a product, it is being used to shape political opinion.

Russia, Russia, Russia

Take the whole Russians hacked the Democratic National Committee (DNC). I do not doubt a computer system was hacked. Just check the news, it happens and has been happening all day, every day to everyone. The question is, was it an opportunist attack or thoughtful targeting? We know it started as a simple phishing email.

The hack of the DNC computer is one that supposedly changed the course of human history. The report “Assessing Russian Activities and Intentions in Recent US Elections: The Analytic Process and Cyber Incident Attribution” is a declassified version of a highly classified assessment of Russian interference. The only problem is, there are zero technical details and many conclusions.
For example, one part of the report states:
Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards. DHS assesses that the types of systems Russian actors targeted or compromised were not involved in vote tallying.

It does not, however, give any details, and it uses loose language like “elements.” What elements?
Ripped from the Washington Post August 29, 2016 is the headline, “Russian hackers targeted Arizona election system.” Yet inside the story we get the following details:
The bureau described the threat as “credible” and significant, “an eight on a scale of one to 10,” Matt Roberts, a spokesman for Arizona Secretary of State Michele Reagan (R), said Monday. As a result, Reagan shut down the state’s voter registration system for nearly a week.

It turned out that the hackers had not compromised the state system or even any county system. They had, however, stolen the username and password of a single election official in Gila County.
The article goes on to note:
In addition to Arizona, Illinois officials discovered an intrusion into their election system in July. Although the hackers did not alter any data, the intrusion marks the first successful compromise of a state voter registration database, federal officials said.
I looked up the event. It turns out McLean County Clerk Kathy Michael posted some details to Facebook. Here is the scoop (emphases added):
The pathway into IVRS (Illinois Voter Registration System) was NOT through our firewalls but through a vulnerability on our public web page that an applicant may use to check the status of their online voter registration application. The method used was SQL injection. The offenders were able to inject SQL database queries into the IVRS database in order to access information. This was a highly sophisticated attack most likely from a foreign (international) entity.
If you know anything about SQL injection, you know it is not considered a highly sophisticated attack. SQL injection has been in the OWASP Top 10 forever. In fact, it was number one on the first ever OWASP Top 10 in 2010. If, however, you don’t know anything about Information Security, it seems like something highly sophisticated and most likely from a foreign entity. As such, it is easy to do the FUD dance.
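To show why SQL injection counts as a basic, long-understood weakness rather than a sophisticated technique, here is an added example (not code from the post or from the Illinois system, whose implementation is not public) in Python with sqlite3. The table, column names, applicant records and the status-lookup functions are all constructed for illustration. It places a lookup built by string formatting next to the same lookup using bound parameters and shows, with the textbook tautology test input defenders use to confirm a field is injectable, that only the unparameterized version leaks every row.

```python
import sqlite3
import re

# Constructed sample records standing in for a voter-registration
# application table. None of these are real people or real IDs.
SAMPLE_APPLICANTS = [
    ("A1001", "Doe", "1970-01-01", "pending"),
    ("A1002", "Roe", "1982-05-17", "approved"),
    ("A1003", "Poe", "1990-11-30", "rejected"),
]

# Hypothetical format for an application ID: letter 'A' plus four digits.
APP_ID_PATTERN = re.compile(r"^A\d{4}$")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications "
        "(app_id TEXT, last_name TEXT, dob TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO applications VALUES (?, ?, ?, ?)", SAMPLE_APPLICANTS
    )
    return conn


def lookup_status_vulnerable(conn, app_id, last_name):
    """Status check built by string formatting.

    User input is spliced straight into the SQL text, so a quote in the
    input changes the shape of the query instead of being treated as data.
    """
    sql = (
        "SELECT app_id, status FROM applications "
        f"WHERE app_id = '{app_id}' AND last_name = '{last_name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_status_safe(conn, app_id, last_name):
    """Same status check with bound parameters.

    The query text is fixed; the driver passes the values separately, so
    quotes or keywords in the input can only ever be compared as data.
    A format check on the ID adds a second, independent layer.
    """
    if not APP_ID_PATTERN.match(app_id):
        return []
    sql = (
        "SELECT app_id, status FROM applications "
        "WHERE app_id = ? AND last_name = ?"
    )
    return conn.execute(sql, (app_id, last_name)).fetchall()


def demo():
    """Run both lookups on an honest input and on a tautology test input."""
    conn = make_db()
    honest = ("A1002", "Roe")
    # Classic tautology in the last-name field. In the formatted query the
    # WHERE clause becomes: app_id = 'A1002' AND last_name = 'x' OR '1'='1'
    # and the trailing OR makes every row match.
    tautology = ("A1002", "x' OR '1'='1")
    return {
        "vulnerable_honest": lookup_status_vulnerable(conn, *honest),
        "vulnerable_tautology": lookup_status_vulnerable(conn, *tautology),
        "safe_honest": lookup_status_safe(conn, *honest),
        "safe_tautology": lookup_status_safe(conn, *tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the comparison is that the fix is a one-line change known since the first OWASP Top 10: bind parameters instead of formatting strings. A status page for a public web application that still concatenates input into its queries is a basic hygiene failure, which is the opposite of what the word “sophisticated” suggests.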

The DNC, after being hacked, never turned the server over to the FBI, even though the bureau made “multiple requests at different levels.” Why? That makes no sense to me… at all! They did turn it over to CrowdStrike. Sam Biddle of The Intercept did a great job commenting on the public evidence in a December 2016 article titled “Here’s the Public Evidence Russia Hacked the DNC — It’s Not Enough.” Of note, Biddle states:
…notice all of the qualifying words: Possibly, appears, connects, indicates. It’s impossible (or at least dishonest) to present the evidence for Russian responsibility for hacking the Democrats without using language like this.
Yet a later Biddle article, published in June 2017, lends credence to the Russian hacking story: “Top-Secret NSA Report Details Russian Hacking Effort Days Before the 2016 Election.” Of note in the NSA report:
Russian General Staff Main Intelligence Directorate actors… executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.
One problem with the Top-Secret NSA Report is the logic jump it assumes. There was evidence of registered domains that looked like voter registration domains. There were phishing attempts to steal credentials for voting databases. Thus, the assumed logic is that Russia tried to interfere with US voting. But are there other possible explanations? Did everyone forget about the President’s commission on vote fraud? Forty-five states refused to give voter data to the Trump panel. The irony of that is not lost on me.

However, irony aside, the main reason given by states for not participating was “privacy concerns.” Amongst the data elements requested by the commission on vote fraud was date of birth and the last four digits of social security. Think a hacker might want to infiltrate voter databases for something other than vote manipulation?

Strange Behavior

I continue to wonder about the DNC’s desire to keep the FBI from looking at its hacked servers and instead turning them over to CrowdStrike. CrowdStrike is admittedly a strong forensic investigative team. It is just unfortunate the firm’s CTO and co-founder, Dmitri Alperovitch, is a senior fellow at the Atlantic Council, a think tank with openly anti-Russian sentiments that is funded by Ukrainian billionaire Victor Pinchuk, who also happened to donate at least $10 million to the Clinton Foundation.

Add to all of this a recent report from The Forensicator. The Forensicator, in a controversial review of file metadata published from the supposed DNC hack, concluded the files were copied locally (i.e. an inside job). The report was met with many detractors. Yet in an even more controversial, but substantial, follow-up report, The Forensicator has concluded that the Russian fingerprints were actually planted in the initially released 1.doc document.

But wait… there is more! In 2017, the Washington Free Beacon made the first publicly acknowledged FOIA request for the investigative documents CrowdStrike turned over to the FBI and the DoJ. The Beacon’s FOIA request qualified as a complex medium request, and the government said that the result of the FOIA would likely be available in March 2018. As I write this, it is May 2018 and still no documents.

FUD Is Spreading

The FUD narrative is branching out well beyond the initial DNC hack. Kaspersky Lab, a Russian cybersecurity and anti-virus provider headquartered in Moscow, has come under fire. Based on a similar set of complex and non-demonstrative assertions, the US government has banned the use of Kaspersky software. Now to be fair, on the surface that seems like a fairly straightforward decision. I’m guessing the Russian government doesn’t use Windows, Adobe, Outlook, Word, Google, AWS, Oracle… et al.

If Kaspersky is feeding data to Russian Intelligence, then it is getting what it deserves. However, if it isn’t and if FUD was used to launch a PR attack (maybe to help bolster the Russian DNC hack narrative) then the Information Security community is losing one of the better contributors to cybersecurity.

Kaspersky, in an effort to clear its name, launched a Global Transparency Initiative:
Trust First: Kaspersky Lab launches its Global Transparency Initiative; will provide source code – including updates – for a third-party review; will open three Transparency Centers worldwide
Also:
In July, Kaspersky offered to share its source code with the U.S. government, an offer the U.S. never took the company up on, a company spokesperson recently told Nextgov.
Did I mention our press still cannot get FOIA data on the DNC, FBI and CrowdStrike alliance? Oh yes, I believe I did.

Tom’s Guide, one of the most respected technology review websites, considers Kaspersky one of the best AV products on the market. In a recent article Tom’s Guide made the following comment:
We at Tom's Guide have yet to be persuaded that the company, which makes excellent antivirus software, is a tool of the Kremlin, or favors any particular government over another.
Tom’s even highlighted an April 23 Kaspersky blog report summarizing the activities of a Russian state-sponsored hacking group that has been targeting the energy industry worldwide. Kaspersky has a long history of such reporting, regardless of geopolitical borders.

Still, the narrative is not so easily dismissed. A recent Daily Mail article titled “Kaspersky Lab antivirus firm used by hundreds of thousands of Britons 'is controlled by Russian secret service'” notes that a whistleblower has now claimed the firm is controlled by Russian intelligence. Kaspersky countered with, “Yet again, these articles present no substantial evidence of any wrongdoing the company is continuously accused of. We have never helped and will never help any government with its cyberespionage efforts.”

All of this is kind of sad because Kaspersky is regularly rated number one for protection.

Best antivirus for Windows 10 in 2018
Kaspersky 2018 Review: Top of the Line

I’m not beyond reading a good conspiracy theory or even starting one. The initial account of how all this software spying by Kaspersky got started is this: the software’s heuristics flagged as potentially malicious some NSA malware that a contractor had taken home to work on, and Kaspersky uploaded it as part of its normal operation. That is to say, if you participate in most vendor protection software’s online sharing, when malicious activity is noticed the protection software will forward a copy of the malware for evaluation (see: DirectDefense vs Carbon Black).

Since Kaspersky isn’t based in the US or the UK, it is unlikely to be working closely with the NSA or GCHQ to make sure certain malware is not discovered. Could it be that Kaspersky software is too good? Past trends might lend credibility to such a thought process:

The Department of Justice’s Office of the Inspector General (OIG) last week released a new report that supports what EFF has long suspected: that the FBI’s legal fight with Apple in 2016 to create backdoor access to a San Bernardino shooter’s iPhone was more focused on creating legal precedent than it was on accessing the one specific device.
FUD in Information Security is usually based on some piece of reality, but by misrepresenting the full set of facts, the final outcome is distrust and disrespect of those pushing said FUD. The same is true for those in politics. When a country can be completely turned upside down and split apart because of FUD narratives and FUD editorials, it sparks the same distrust and disrespect as it does when FUD is employed as an Information Security tool.