[personal profile] doc_strange
Several papers reported on the apparent infiltration of Democratic Senators' files by Republican counterparts on the Judiciary committee. Apparently, the discovery of the infiltration was the result of an investigation by the Senate Sergeant-at-arms into how certain memos got leaked back in November. The New York Times had a pretty straightforward article on it on Friday.

What's particularly interesting to me is the assertion that there was "no hacking" involved. Note the spin control of preemptively declaring that "hacking" (a vague term in and of itself) was not involved. Now, unless the Senators' documents were on an utterly open file share, I just don't see how that would be the case. Are you offended that an action that would get a 16-year-old with only joy-riding intentions 5-10 years is being discussed only in "ethics" terms? I sure am. Heck, we have about -><- that much actual technical information on what happened.



The technical details and mens rea of the infiltration and the infiltrators are critical to whether this was simply a touch naughty or downright (Federally) criminal. The idea that a Senate staffer is somehow immune from the (irrationally, IMHO) heavy sentencing doled out to others who commit unauthorized access is downright un-American; the idea that it was just an indiscretion or over-zealous pursuit of the job only compounds the offense by making it for gain. I'll withhold judgment for the moment, but unless that computer was some kind of shared server among the Senate staff and the files were on an open share, there's not much that can excuse the action. It wasn't well locked down? Hey, look, slipping into ill-locked-down systems, finding misconfigured servers, unpassworded accounts, forgotten services, etc. is precisely what dozens of hackers have been convicted of doing over the last decade. That's part of what unauthorized access IS.

Indeed, a more extensive report appeared in the Boston Globe on Thursday -- the day before the NYT article, oddly enough. The Globe story had several more significant details: several systems had been seized by Secret Service, including the servers involved, and "one server from the office of Senate majority leader Bill Frist" -- forensic analysts were involved, including forensics personnel from General Dynamics.

There are several items remaining to be examined, and the answers, should any be found, are going to come from the interviews that are being conducted and from those computers' hard drives.

1) How was the data accessed? Was it just out there in the open, or was there a modicum of protection such that a reasonable person would know the owner was not granting authorization to access the data?
2) Is there any direct evidence that the staffers knew they were not authorized to access the data?
3) Was it accessed with regularity, showing intent to continue to intrude?
4) Was there any attempt to hide tracks? Delete logs? Erase locally-copied data with low-level file-wiping programs?
5) Finally, do the interviewees' stories match the activity history evidenced by the forensic data analysis?
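As an added illustration (not part of the original post), here is the kind of first pass an examiner would make at questions 3 and 4 once the server's access log has been pulled off the imaged drive: who is reading files under somebody else's home directory, on how many distinct days, whether the log's sequence numbers have holes in them (records removed), and whether anyone deleted log files. The log format, the user names, the paths and every entry below are constructed for this example; a real server's logs need their own parser.

```python
"""Added example: triage a constructed shared-server access log for
cross-user reads, regularity of access, and signs of log tampering.
The log format is hypothetical: "<seq> <ISO timestamp> <user> <action> <path>"."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (read|write|delete) (\S+)$")

# Constructed sample log. Note the jump from 1004 to 1007 and the final delete.
SAMPLE_LOG = """\
1001 2003-11-03T09:12:00 staffA read /home/staffA/memo1.doc
1002 2003-11-03T09:14:00 staffB read /home/staffB/notes.doc
1003 2003-11-04T22:05:00 staffB read /home/staffA/memo1.doc
1004 2003-11-04T22:06:00 staffB read /home/staffA/memo2.doc
1007 2003-11-11T23:40:00 staffB read /home/staffA/memo3.doc
1008 2003-11-12T00:02:00 staffB read /home/staffA/memo4.doc
1009 2003-11-18T21:30:00 staffB read /home/staffA/memo5.doc
1010 2003-11-18T21:31:00 staffB delete /var/log/fileserver.log.1
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        seq, ts, user, action, path = m.groups()
        entries.append({
            "seq": int(seq),
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "path": path,
        })
    return entries


def owner_of(path):
    """Infer the owner from /home/<user>/...; None for system paths."""
    parts = path.split("/")
    if len(parts) > 2 and parts[1] == "home":
        return parts[2]
    return None


def cross_user_reads(entries):
    """Reads of files under another user's home directory, grouped by reader."""
    hits = defaultdict(list)
    for e in entries:
        owner = owner_of(e["path"])
        if e["action"] == "read" and owner is not None and owner != e["user"]:
            hits[e["user"]].append(e)
    return dict(hits)


def distinct_days(entries):
    """Distinct calendar days on which the given entries occurred (regularity)."""
    return sorted({e["ts"].date() for e in entries})


def sequence_gaps(entries):
    """Pairs (a, b) of consecutive surviving sequence numbers with b - a > 1:
    records in between are missing, which is what log editing leaves behind."""
    seqs = sorted(e["seq"] for e in entries)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def log_deletions(entries, log_dir="/var/log/"):
    """Delete actions aimed at the log directory itself."""
    return [e["path"] for e in entries
            if e["action"] == "delete" and e["path"].startswith(log_dir)]


def triage(text):
    """Summarise the four indicators for the whole log."""
    entries = parse_log(text)
    cross = cross_user_reads(entries)
    return {
        "readers": {u: len(v) for u, v in cross.items()},
        "days": {u: len(distinct_days(v)) for u, v in cross.items()},
        "gaps": sequence_gaps(entries),
        "log_deletions": log_deletions(entries),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Nothing here proves intent by itself; it tells the examiner which interview answers to compare against the disk. A sequence gap, for instance, is only meaningful if the logging subsystem actually numbers records contiguously, so that assumption has to be confirmed on the real system before the gap is presented as evidence of deletion.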

A forensic analysis process, in the hands of a deeply knowledgeable technician, can reveal incredible details. I've seen our top forensic expert explain to a system owner, in detail, the actions that had been taken (and lied about) to hide data, obscure data, and wipe data, the programs the defendant had used to do it, the day and time each action was taken, and what the defendant had said in IM and email right around each action. It came together neatly in a tight quilt of actions, despite very technically savvy attempts to hide the illicit activity.

There's almost nothing even a skilled user can do to both hide all evidence of the data itself and of the deep wiping of data. You probably know that "deleted" data is just de-referenced, and that it must be intentionally overwritten to be truly deleted. On Windows and other typical user platforms, tidbits of the data, pointers to the data, scraps, cache, etc. appear all over the place so that even deep overwriting is not entirely effective. In the hands of an expert, forensic tools don't just dig up the data; they make the data line up and tell a story. General Dynamics may also have the ability to perform analysis on the disk platters such that even overwritten data can be recovered by analysis of latent EM residue.


While the NYT is playing one song only here, there are hints of much more to come in the Globe report. I eagerly await the story that the analyzed data will tell. I hope it, and the technical details, make the press.


(no subject)

Date: 2004-01-24 01:15 pm (UTC)
From: [identity profile] holzman.livejournal.com
I thought the Globe article hinted very broadly at some of these questions.

1) How was the data accessed? Was it just out there in the open, or was there a modicum of protection such that a reasonable person would know the owner was not granting authorization to access the data?

A technician hired by the new judiciary chairman, Patrick Leahy, Democrat of Vermont, apparently made a mistake that allowed anyone to access newly created accounts on a Judiciary Committee server shared by both parties -- even though the accounts were supposed to restrict access only to those with the right password. [Emphasis added]

We'll have to wait for the forensic analysis, but it sounds as if accounts were created with a poor default password. I don't see how someone could reasonably think they were authorized to access someone else's account.

2) Is there any direct evidence that the staffers knew they were not authorized to access the data?
3) Was it accessed with regularity, showing intent to continue to intrude?


"They had an obligation to tell each of the people whose files they were intruding upon -- assuming it was an accident -- that that was going on so those people could protect themselves," said one Senate staffer. "To keep on getting these files is just beyond the pale."

And, yes, I am offended that this is being handled as a congressional ethics issue instead of a big, steaming pile of federal felonies.

(no subject)

Date: 2004-01-24 04:05 pm (UTC)
From: [identity profile] docstrange.livejournal.com
Interesting. Yes, I think that's probably what happened, but it's all propaganda until someone releases the investigator's and forensic expert's report. I think it's likely that a flat-out unauthorized access took place within the Federal statutes (18 USC 47 sec 1030, for example, forget about more recent Patriot Act provisions), but until some facts come from a horse's mouth, I'm withholding judgment. That the Secret Service is involved says to me that others also see it as a likely unauthorized access "affecting" a federal interest system.

(no subject)

Date: 2004-01-24 03:31 pm (UTC)
From: [identity profile] rmjwell.livejournal.com
Would you mind if I put a pointer to this thread in my own LJ, sir? I know some folks who would be interested in your thoughts both from the security and political side of things.

(no subject)

Date: 2004-01-24 03:53 pm (UTC)
From: [identity profile] docstrange.livejournal.com
Not at all. Point away!

(no subject)

Date: 2004-01-24 11:35 pm (UTC)
From: [identity profile] rmjwell.livejournal.com
Done. Thanks!

(no subject)

Date: 2004-01-25 12:49 am (UTC)
From: [identity profile] cheesetruck.livejournal.com
I haven't commented, because I really don't think it's a Republican vs Democrat thing, I think it's a 'Congressmen don't think rules apply to them' thing.

Like, running over people in South Dakota.

Oh, wait, South Dakota said "you killed someone, that's murder, you do time."

We need more South Dakota.

(no subject)

Date: 2004-01-25 10:08 am (UTC)
From: [identity profile] docstrange.livejournal.com
I agree -- while it was obviously caused by someone's desire to further party politics, we will see how much a party issue it is when we see the effect the party in charge of Justice has on the proceedings.

(no subject)

Date: 2004-01-26 03:05 pm (UTC)
From: [identity profile] trom.livejournal.com
I've seen our top forensic expert explain to a system owner, in detail, the actions that had been taken (and lied about) to hide data, obscure data, and wipe data, the programs the defendant had used to do it, the day and time each action was taken, and what the defendant had said in IM and email right around each action.

Forensic analysis at this level is definitely one my weaker points. While some of this is having the right tools (e.g. EnCase), finding good information on how to do this has been incredibly challenging. Do you (or your expert) have any good pointers?

-Mort

(no subject)

Date: 2004-01-26 03:47 pm (UTC)
From: [identity profile] docstrange.livejournal.com
A *lot* of it is knowing many application internals deeply. The better tools will give you access to... well, too much, almost. Knowing how to pull off things like:
hmm, if he says he sent no mail on the 18th, then there should be nothing over here... and -- woah! that 00110001100110001100 pattern means he used Bobs-wipes-U-disk on the free space
. . . is the big differentiator between decent tool user and wowza expert. I know our guy does training; I'll ask if he has any good resources other than raw experience and research.
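An added example, written for this page rather than taken from the post or the commenters, to put concrete code behind two things said above: the post's point that "deleted" data is merely de-referenced and stays on the platter until overwritten, and the comment's point that free space overwritten by a wiping tool leaves a recognisable repeating pattern. Everything in it is constructed: the "disk image" is a bytearray built in memory, the memo and mail fragment are made up, and the 3-byte pattern 31 98 CC (binary 00110001 10011000 11001100, chosen to echo the bit string in the comment) is a hypothetical wipe signature, not any real tool's.

```python
"""Added example: carve a raw image for content no filesystem entry points
to, and flag runs of blocks filled with one repeating pattern (wiped space).
The image contents and the wipe pattern are constructed for illustration."""

BLOCK = 512


def build_sample_image():
    """Constructed 64-block image. The filesystem (not modelled here) would
    report blocks 3 and 20 as free; the bytes are still there."""
    img = bytearray(64 * BLOCK)
    memo = b"MEMO: Judiciary Committee strategy, not for distribution.\r\n" * 3
    img[3 * BLOCK:3 * BLOCK + len(memo)] = memo          # "deleted" document
    pattern = b"\x31\x98\xcc"                            # hypothetical wipe pattern
    wiped = (pattern * (4 * BLOCK // len(pattern) + 1))[:4 * BLOCK]
    img[10 * BLOCK:14 * BLOCK] = wiped                   # free space after wiping
    mail = (b"From: staffer@example.invalid\r\nDate: 18 Nov 2003\r\n\r\n"
            b"sending the files now\r\n")
    img[20 * BLOCK:20 * BLOCK + len(mail)] = mail        # cached mail fragment
    return bytes(img)


def carve_keywords(image, keywords):
    """Every occurrence of each keyword in the raw bytes, as (offset, block, keyword),
    ignoring whatever the filesystem metadata says about those blocks."""
    hits = []
    for kw in keywords:
        start = 0
        while True:
            i = image.find(kw, start)
            if i < 0:
                break
            hits.append((i, i // BLOCK, kw.decode("ascii", "replace")))
            start = i + 1
    return sorted(hits)


def _canonical(unit):
    """Smallest rotation of a repeating unit, so a pattern that straddles a
    block boundary is recognised as the same pattern in both blocks."""
    return min(unit[i:] + unit[:i] for i in range(len(unit)))


def smallest_period(block):
    """Shortest unit whose repetition reproduces the block (a partial final
    repeat is allowed), canonicalised by rotation; None for non-periodic data."""
    n = len(block)
    for p in range(1, n // 2 + 1):
        unit = block[:p]
        if (unit * (n // p + 1))[:n] == block:
            return _canonical(unit)
    return None


def find_wiped_runs(image, min_blocks=2, skip_zero=True):
    """Runs of consecutive blocks that each consist of the same repeated unit,
    as (first_block, block_count, unit_hex). Zero-filled runs are skipped by
    default because never-used space looks the same as zero-wiped space."""
    runs = []
    nblocks = len(image) // BLOCK
    i = 0
    while i < nblocks:
        unit = smallest_period(image[i * BLOCK:(i + 1) * BLOCK])
        if unit is None:
            i += 1
            continue
        j = i
        while j < nblocks and smallest_period(image[j * BLOCK:(j + 1) * BLOCK]) == unit:
            j += 1
        if j - i >= min_blocks and not (skip_zero and unit == b"\x00"):
            runs.append((i, j - i, unit.hex()))
        i = j
    return runs


if __name__ == "__main__":
    img = build_sample_image()
    for off, blk, kw in carve_keywords(img, [b"MEMO:", b"From:"]):
        print(f"{kw!r} at offset {off} (block {blk})")
    for first, count, unit in find_wiped_runs(img):
        print(f"blocks {first}-{first + count - 1}: repeated pattern {unit}")
```

The two halves answer different questions. Keyword carving over the raw device is how de-referenced data is found at all; the period scan is how an examiner notices that a region which should have been random free space has been deliberately overwritten, and the pattern itself narrows down which tool did it. On a real image the keyword list would come from the case (names, subject lines, document headers) and the block size from the filesystem, and a run of zeros is only interesting once you know from the metadata that the region used to hold something.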

(no subject)

Date: 2004-01-26 10:34 pm (UTC)
From: [identity profile] trom.livejournal.com
Thanks. That's exactly what I'm looking for. I'm tired of just being a tool user :)

-M
