160 comments

[ 7.0 ms ] story [ 247 ms ] thread
I'm not completely understanding the story here. Did an actual "hack" occur with a 0-day exploit behind that URL, or did Podesta simply get phished and gave up his password to a 3rd party site? I assumed the latter, but there are statements in the article, such as "That’s the link that opened Podesta’s account to the hackers", that are very confusing.

Was there some SPF/DKIM/Gmail exploit or trickery that allowed the phishing email to display as if it were legit coming from Google?

It's deliberately obtuse because how you are going to make mass-sent phishing mail sound like some Russian cyberweapon if the mope turns out to have entered his own password?

The actual Google myaccount.google.com/.. site that the phishing URL is modeled after asks for a new password.

https://google.com/amp/hackme.com

redirects to hackme.com. The attacker here used tiny.cc to be more elusive. IIRC we had a popular discussion here about this.

How google can still allow this is beyond me.

Wow this is really fucked up. Most people would automatically trust a link from Google.
And the link really results in the real connection to the real Google server, which then merily redirects to wherever.

Whover allowed that in Google, using the main google.com domain, what was he thinking?

For me, that is the major story here.

Wow, this should at least be googleusercontent.com or the like.

It seems amp started as a whitelist of well-known publishers and morphed into somthing like an open proxy.

Ended as the www.google.com becoming the redirector, by default, to anything, without having any query in the URL syntax. It broke what people knew how www.google.com behaved for more than a decade.

But if I understood correctly it started from the idea "Google hosts your pages (if I understand correctly, even the scripts!) now with Google's TLS certificate and on Google's www.google.com domain" which is also quite fracked up for what can be expected of www.google.com?

TL;DR: Spearphishing. Discovered because the attackers used public bit.ly URLs.
They keep on saying the Russians did it and that the trail leads to the Russians. What is the actual evidence that it was the Russians that did it?

And Bitly links ain't it.

"The intelligence community declined to explain how they reached their conclusion, and it’s fair to assume they have data no one else can see."

My personal favorite part of the article, couple paragraphs after that quote:

"We are approaching the point in this case where there are only two reasons for why people say there’s no good evidence,” Rid told me. “The first reason is because they don’t understand the evidence—because the don’t have the necessary technical knowledge. The second reason is they don’t want to understand the evidence.”

(comment deleted)
There is no reason for them to not source the evidence they're using to attribute it to the Russians. If it was them, they already know exactly what they left behind. It's actually not that difficult to disguise sources of attacks (assuming for the sake of argument it was the Russians, it could very well have physically occurred from a Manhattan Starbucks), and based on what we know about the server setup it's not like the hack required particular technical sophistication or traceable 0-days.

Conversely, there are ample reasons for the intelligence community to pin it on their historic enemy, rather than the more likely Murder on the Orient Express scenario where absolutely everyone paying attention hacked every grotesquely unsecured setup, or the insider-threat scenario.

Hey, whatever happened to Seth Rich?

And if the "intelligence community" isn't actively targeting insiders at least as a pure pen-testing contingency, why aren't they?

> There is no reason for them to not source the evidence they're using to attribute it to the Russians.

Well, what if that evidence was gathered via extra-legal means?

Agreed, I'm uncomfortable with the Russia allegations barring irrefutable evidence, and I haven't seen that yet. Even assuming they did do it, I'm unsure what the correct response would be. And I can definitely see incentives to just say, "Russia did it."

I feel like given the amount of info necessary for security clearance & the fact most politicians live and die with their phones means the intelligence agencies have them all pretty much dead to rights.

There is no reason for them to not source the evidence they're using to attribute it to the Russians

What if the source is an actual human asset within the malicious organization?

What if the source is a compromised server of the Russian organization?

What if the source is a legal wiretap on a bad actor?

Assuming it was Russia, and that they did derive it from some secret means, public announcing they discovered it but not giving the source makes that inference more likely.

That's why eg in World War II, the allies only acted on Enigma intercepts if there was a plausible alternate source.

So my inference is that they're lying about having sufficient evidence to definitively point at the rooskies, or they're being reckless with sourcing.

At least they mention it:

"None of this new data constitutes a smoking gun that can clearly frame Russia as the culprit"

The scam was so generic I'm confused why it has to be Russian government vs individuals, but it doesn't matter much IMO.

Given the saber rattling going on between the US and Russia at the moment, it would seem to matter very much. Blaming the Russians gives them more room to deflect without acknowledging content of the leaks.
You're right, I'm sure they tested the message "but...but...the Russians".

I think HRC wins this easily, but these scandals won't just go away. There's enough meat in them to fuel 1-2 years of republican attacks. I fear she'll be the most ineffective President of my time.

Time will tell I suppose. Here's a fun one from today: https://i.redd.it/dxedkw7jwosx.png
is that real ?
can you provide the link to reddit. it is hard to understand what the context is.
The fact that it's on wikileaks doesn't actually prove it's real. Russia has already been proven to have altered a few documents in a big document dump they did a while back (I actually forget the specifics of this one, but it was on HN fairly recently). And Bruce Schneier wrote an article about this very subject a month ago (https://www.schneier.com/blog/archives/2016/09/organizationa...).
While technically true, Wikileaks hasn't lied yet in their history.
They used to say they had lots of people with the ability to protect sources back when they were just a few with no such ability. That's a nice start on integrity. Far as leaks, they posted a lot of them over time that people couldn't verify if they wanted to given lack of internal access. So, my claim on them wouldn't go as far as yours.
Define "lied". Wikileaks publishes material that other people give them. I'm not saying Wikileaks would alter documents, I'm saying the people giving the documents to Wikileaks would alter them, and then Wikileaks will do its job and publish them.
Seems people are discovering DKIM.

Messages are hashed and signed by a private key in the exclusive possesion of the email system, such as gmail. The public keys are published in DNS. This allows anyone to verify the messages are unaltered using widely available tools. It seems this system may have been in place on one of the Exchange servers as well, though the integrity of that key is questionable.

If you're talking about email specifically, and if the email server has DKIM, and if the keys are secure (if the hacker can break into the server to steal emails, are you sure they didn't steal the key too?), then yeah. But many document dumps include a lot of stuff that isn't just emails, and many email document dumps probably aren't fully covered by DKIM (I say probably because I haven't checked, nor am I really in a position to do so) or the DKIM key may not necessarily be secure (if the email server itself is hacked, it may not be; if the user login to the email was hacked, presumably it will be).
Replying to the reply.

Yes, which is why I consider the keys for the Exchange server questionable, as there is no way to disprove intrusion into those systems.

My claim surrounds gmail.com and the set of emails that passed through gmail.com. I am not aware of an intrusion into Google's systems that would have obtained highly protected keys. This also limits the number of actors who could forge the complete collection of messages obtained from a gmail.com account.

(i.e. the only thing obtained was a password, not system level access.)

If the attachments are BASE64 encoded and part of the MIME source, they should also be protected by the DKIM signature.

As far as any documents obtained from blogspot, I have no assertion to make reguarding the integrity of those message contents. The use a specific cracked version of Office may explain the document summary information not matching the proclaimed nationality of the publisher of the documents on blogspot.

I object to the (sometimes deliberate) conflating of the multiple collections and sources and the attendant implied discrediting of all be ine.

This is a forum that I hope values technical explainations and inquiry, many forums have their own version of reality.

May the truth be known, whoever is damned or praised.

Why should this fuel just Republican attacks? The number of people that walked out of the DNC convention because of the rigging against Sanders shows there is far more trouble than just Republicans. The movement within the DNC that actually stands against government corruption will only grow stronger.
Not very important, but: as a lifelong Democrat (voting since about 1970), I have left the Democratic party over the DNC cheating. Fed. Up. In the past I have donated a ton of money to Democratic candidates, so I still get lots of calls; I politely explain each time why I am no longer a Democrat.

EDIT: some fundraising callers pretty much hang up on me in anger, but a lot are also sympathetic. Not hard evidence, but I have heard a convincing "I understand" often enough to think that a lot of rank and file Democrates are Fed. Up.

> I fear she'll be the most ineffective President of my time

One could hope ...

The specific attack vector isn't the only IOC they're working from for these incidents; there are probably dozens of IOCs associated with each attack, some of which are extremely specific to just one or two threat actors. Many of those IOC signatures are non-public; you only get them by being in intelligence or law enforcement, or by being one of the handful of threat intelligence companies deployed at enough giant enterprises to see enough of a cross-section of attackers.

So when people say things like "anyone could have carried out this attack" or "these systems are so insecure it could have been anybody who did it", they're not actually addressing the argument.

Makes sense, but at the end of the day didn't he fall for the same basic phishing attack so many others do? If it's so effective and easy I have to imagine the NSA is doing the same.

Whole thing makes me really wonder if using insecure email in government is a good idea...

I think there are countless examples across government, industry and personal accounts that using insecure email is a universally bad idea.

Unfortunately it has the strongest network effect at the moment, and no one's come up with a way to get everyone to use encryption/cryptographic signatures yet.

Surely an agency like NSA could make such rules?!
There is no secure email. If you need to send a message securely, don't use email to do it. I agree with you.
It's long been known not to use insecure endpoints, email, etc in government. NSA used to certify the high-assurance alternatives. Here was one of the early ones with incredibly-strong TCB for the time:

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.454...

Almost all older or modern ones build email processing capabilities onto guards optionally with a proxy on client's side to integrate with common, mail client. Here's an article describing what a guard is along with some examples government uses today:

https://en.wikipedia.org/wiki/Guard_(information_security)

Firewalls are knockoffs of guards that were created after businesses and much of government rejected high-assurance systems since they didn't have development pace and [insecure] features of low-security competition. Firewalls were cheap, fast, constantly added features, and totally left off the whole "design it to be nearly unhackable" aspect of guards. Even the guards themselves have lowered their assurance at the TCB and guard software over the years as neither military nor commercial market really care outside a small niche of customers. Remaining ones like Boeing SNS Server and BAE's XTS-400 go for $100,000+ a unit due to limited market + high development & certification costs.

So, that's that. Medium-assurance solutions like Nexor's and General Dynamics continue being developed and adopted. They'll get smashed, though, since they're all adopting Linux-based cores & other COTS tech. Such are the market incentives.

Relevent portion from the article:

"US government took the rare step of publicly pointing the finger at the Russian government, accusing it of directing the recent string of hacks and data breaches. The intelligence community declined to explain how they reached their conclusion, and it’s fair to assume they have data no one else can see."

So, if the evidence exists (and I personally believe it does, though I also understand those who disagree) it hasn't been made public.

> I personally believe it does

Not to sound arrogant, I really like to know some reasoning behind it. I'm even more curious to understand if you are an American citizen.

Yes, American citizen here.

With the lack of any publicly available evidence, I guess the reasoning behind it largely comes down to trust. You either trust the government on this or you don't. On this issue, I do, but again, I wouldn't fault you for disagreeing. If I had to elaborate, I'd say:

The cost of being caught in a lie is sufficiently damaging to the organization that makes the claim. What benefit do they gain by making such a claim? does the risk of getting caught in a lie outweigh the benefit? I just don't see the lie as being a risk worth taking.

There have been many times in the past where 'blaming it on Russia' could have been politically convenient. If you do it too often, you become the boy-who-cries-wolf. Would the risk of reputation loss outweigh the benefits gained by telling the lie? again, I don't see the lie as being worth the risk.

>What benefit do they gain by making such a claim?

Not losing the most important general election of this first half-century?

What do you mean, losing? The intelligence community isn't up for election.
The intelligence community feather their nests through control of the executive. They've been collecting skeletons in Clintonian closets for decades, so they own HRC as completely as they owned GWB. They might actually have some shit on Trump as well, but he DGAF. They can imagine pissing him off enough to hurt their own pocketbooks.

This might actually explain KGB/FSB's apparent preference for Trump: the enemy of one's enemy...

So you reckon Trump has no skeletons? And even if he doesn't, I think it's clear he would be child's play to manipulate. Basically if the intelligence community is as corrupt as you suspect, you're in trouble who ever wins the election.
Certainly, this election offers little hope for curbing the surveillance state or the military-industrial complex. Trump is probably an awful person, but he doesn't really cultivate a different image from that on the stump. Even when his opponents think they have a real bombshell (he doesn't respect women!!1! how could anyone have guessed based on his marital history?!?), it seems to have little effect on his popularity.

I only intended to point out that various agencies do have interests in the outcome of elections.

I'd argue that Trump's recent issues with women have actually hurt him a lot. RealClearPolitics runs a poll of polls, where they average dozens of polls. While any individual poll may have oddities that cause it to lean left or right, averaging the polls reduces the odds of a few outliers throwing everything off.

Before the first debate Trump was down by 1 point (but trending upward) according to the RealClearPolitics average. That's within the margin of error on even the largest polls, meaning he was basically tied with Hillary. Then the Alicia Machado story broke at the end of the first debate, and his poll numbers went down to about -4. Then the bus tape came out, and he's now at roughly -7. That's well outside the margin of error. In fact, his poll numbers are now at the point where no one has ever won the presidency while being this far down so close to the election. He might still pull it off, but he's got a steep road ahead of him.

So he's gone from basically tied, to the point where he'd need something huge to happen in order to win. The biggest stories in that period of time were Alicia Machado and the bus tape. Most of the polls give detailed demographic breakdowns. He's dropped a little with men, but most of the damage was with women, where he's seen a double-digit loss of support in some polls.

If there isn't any evidence why would you be inclined to believe it?
There's a difference between "no evidence exists" and "evidence exists, but we haven't disclosed it".

Perhaps my original comment was unclear, but I believe the statements made in the article imply the latter.

Why do you think the American spooks have any credibility?
IMO, the most American of traits is a deep seated disbelief that their own government has private citizens' best interests at heart.

Many people do not agree, believing that their government (as defined by what they think it should do) is on their side.

It is a matter of trust or distrust by default. Personally, I believe the spirit of the US Constitution is to distrust those in charge.

It doesn't matter, the outcome is still the same - if there's no evidence presented then it might as well not exist.
Well sure. But I thought the same about WMD.
So, here we are again, repeating history, deja vu Iraq war and WMD's that our intelligence community was so sure existed.

I for one would really like to see this evidence and I'm very reluctant to just assume these people have it right as they have had it wrong so many times.

It gets better than this. Because regardless of the source, the contents of these emails is something the american public should be a lot more alarmed about.

Anyway, the sheer fact that a phishing attempt at a personal email accout yielded anything already points to gross incompetence in the government. The miasma of email scandals around Clinton and her friends just keeps on spreading...

I think most people would consider an organisation running ancient badly configured un-patched mail servers much grosser incompetence than a gmail user getting phished.

I'm not American so I have no skin in the game, but I'm surprised that Trump keeps banging on about the email server. If that (and that someone in her organisation got phished) is the worst you've got on Clinton, I'm glad that you're going to have such a clean president.

lol but it's not... it's the actual contents that really matter! Google around...
It's not by a long shot.
> Because regardless of the source, the contents of these emails is something the american public should be a lot more alarmed about.

Not sure why you feel a risotto recipe is supposed to be critically important to the American public.

I mean, don't we already know to add the broth in a little at a time? Are there really people that dump the entire broth in at once?

No you add one part FEC-regulated campaign for federal office, two parts questionable journalistic ethics, and half a cup of PAC. Stir together until message and strategy are sufficiently coordinated and the desired component rises to the top (you should have already ensured this result before consulting the public). Then, as you said, slowly heat while adding the remaining broth.

Non-partisan outrage and country-before-party are necessary reguardless of the names or affiliations.

If you remember, the US intelligence community was hardly convinced that WMDs existed in Iraq. This was one of the most contentious things about the lead-up to the war. Many high-ranking officials lost their jobs because their organizations were not producing intelligence that confirmed the "Saddam has WMDs" narrative for the administration. Cheney essentially set up his own small intelligence organization that was distinct from the CIA, DIA, etc. in order to scrounge up smoking guns that the administration thought the rest of the US intelligence community was failing to locate.
It might not be that different this time. Hard to tell yet. In that the administration attempts to present this as one unified voice.

We have only a very general statement that does not say anything is actually 'confirmed'. It is speculative, so you could say the intelligence isn't convinced this time either. However, politicians are already spinning it for their agenda. https://www.dni.gov/index.php/newsroom/press-releases/215-pr...

I'm coming to understand that the chain of evidence is in the following steps:

0. FireEye identifies a threat group known as APT28 (active since 2007) as having Russian origin, based upon political identities of targets, language markers, timezone data, and compiler settings. This analysis is from 2014. [EDIT: added this step later on to solidify Russian attribution] Sources:

- https://www.fireeye.com/blog/threat-research/2014/10/apt28-a... (blog)

- https://www.fireeye.com/content/dam/fireeye-www/global/en/cu... (long-form report PDF)

1. CrowdStrike & SecureWorks identifying the DNC breaches originating from the well-known Russian state threat actor APT28. Sources:

- https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...

- https://www.secureworks.com/research/threat-group-4127-targe...

2. This Motherboard article revealing the custom bitly links used in the Podesta phishing email. Sources:

- [OP] http://motherboard.vice.com/read/how-hackers-broke-into-john...

3. Politico confirming with SecureWorks that the Podesta spoofed phishing domain from step 2 has previously been used by threat actor APT28: "'The Google-spoofing domain in the Motherboard article is one we observed used by Fancy Bear,' SecureWorks researcher Tom Finney told POLITICO in an email." Sources:

- http://www.politico.com/story/2016/10/russia-responsible-pod...

This Politico article is the better summary. It also links to 2 other quality corroborating stories from ThreatConnect and Esquire. The Motherboard one is key but doesn't tie the whole story together. Sorry to disappoint parent commenter but the evidence does involve bitly custom domains! I'm not 100% clear whether this was simply a decently-executed vanilla phishing attack or if there were some advanced techniques used, but none of the evidence above hinges on that.

There is no evidence here. The "Sources" are thinly veiled advertisements for their Security^TM products.
So if I hear you correctly, you are essentially claiming that the 4 security companies CrowdStrike, SecureWorks, Fidelis and ThreatConnect all conspired together to manufacture evidence in order to mislead the DNC & USGOVT in this investigation because it would be good advertising for their industry?

Personally, I would consider that a somewhat extraordinary claim. Is there anyone familiar with this sector who can comment on this?

It is very unlikely that Crowdstrike is making things up.

I think very few people on HN understand how Crowdstrike works. Know how every Fortune-1000 company in the world has McAfee or Norton Antivirus installed (or at least used to)? Crowdstrike is like that, except they hoover up all the malware detection stuff they do on endpoints to a central data center and correlate it across customers.

Hats off to a company that can convince companies to become a member of its botnet and charge for the privilege!
What widely-deployed desktop software can you not say this about?
grep

More seriously, anything not phoning home with traffic patterns for things that 'might be attacks'.

I don't get it. How do you go from "there is no evidence here" to "conspiracy"?

It's fine to explain how malware works and turn it into a PR piece with fancy pictures of minified JavaScript, but none of that is proof of some Russian connection. Neither are professional sounding statements like "we have medium confidence the attackers are Russian actors" or similar baloney.

All there is is Stratfor style analysis along the lines of "we think NATO countries X, Y, Z got exploited so it must be Russia" when in reality that's probably just because all their customers are NATO countries X, Y, Z.

I see what you are saying. Your initial response was dismissive and unclear as to what you were attempting to communicate. Something along the lines of "I disagree with your claim that this threat actor has been identified as Russian" would have been more helpful.

I believe that the industry's identification of APT28 (active since 2007) as a Russian group is based on both the political identities of their targets, and language and timezone indicators leaked in their work. Here is one such analysis from 2014 from a different security company:

https://www.fireeye.com/blog/threat-research/2014/10/apt28-a...

Assange has publicly stated that the DNC servers being hacked and Wikileaks obtaining DNC emails are two separate things and it seems that journalists conflating them are unable to count to 2.
Exactly, why can't it be possible that Assange is an ass, but Wikileaks isn't in cahoots with Russia, and Russia hacked the DNC?
If Assange were say that any state other than Russia were behind the attacks, I'd be inclined to believe him, but since it's Russia and Assange works for RT, I wouldn't put money on anything he says about the Russia state activity.
> What is the actual evidence that it was the Russians that did it?

If there actually is evidence, it's not public.

In my opinion, the "RUSSIANS WILL KILL US ALL AND TRUMP IS BEST FRIENDS WITH PUTIN" meme is nothing but a scare tactic to influence older voters who were around during the cold war. Obviously, I could be completely wrong. That's just my cynical opinion.

(comment deleted)
Those who aren't cynical, aren't paying attention.
This is a meaningless statement.

"Those who are not hopeful, who do not believe in a better future, are not paying attention." --me

Same amount of authority.

I agree with your "quoted" statement. Cynicism is not a flavor of pessimism.
Short pithy statements, are worth the electrons written on.
Most of your HN comments are one or two sentences?
Can we not live in a world where the Russians did execute the hack, but the "RUSSIANS WILL KILL US" meme is also nothing but a scare tactic?
Last time I will post this as have linked to this all over the shop in the last week.

At no point in the official statement [0] is Russia EVER blamed for the DNC hack and subsequent leaks. This statement has given the media carte blanche to make the accusation themselves.

When previously posted, numerous people have said it does accuse the Russians of this. I would urge you to read the statement extremely carefully. The amount of intelligence and man-hours that go into crafting something like this is huge. There is a reason why at no point, is any current official coming out and explicitly accusing Russia of the DNC hack. Note that at no point has POTUS, Earnest during press briefings of Clinton ever accused the Russians of the DNC hack. Every time they refer to the matter they take great time and care to get their wording right.

[0] https://www.dhs.gov/node/23199

edit: What I am saying is not far-fetched or crazy. For those down-voting I hope you get a lawyer before signing any important legal document.

Do not forgot Bill Clinton during his trial at the Grand Jury :"It depends upon what your definition of is is."

I have my doubts as well, but this seems pretty direct:

> The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.

"the recent compromises of e-mails from US persons and institutions, including from US political organizations"

which recent compromises are they referring to?

They're referring to all recent compromises leaked "on sites like DCLeaks.com and WikiLeaks and by the Guccifer 2.0 online persona".
You interpret it to be referring to the following sentence. In a court, a lawyer could extremely easily say this was not referring to the accusation in the previous sentence. It stands alone.

Each statement can be proved to be correct individually. They do not have to refer to each other from a legal standpoint.

"are consistent with the methods and motivations of Russian-directed efforts"

The methods can be anything referring to hacking. Anyone who hacked the DNC would have been using methods (hacking) consistent with previous Russian hacking attempts.

Motivations? Motivations can be defined as someone wanting to take private information and making it public.

Read it like a lawyer. There is a reason why these statements are carefully crafter.

I am a lawyer. Reading it like myself, it's quite clear they're blaming Russia.

Additionally, why are you bringing in all this courtroom talk? This, and the many other statements by officials, have been directed to the general public. If the matter ever made it to court it would be the layperson's interpretation that would be key.

I fear you may not be well-versed in this area and I think it's really dangerous to be spreading such egregious misinformation.

Keep in mind the American public won't look at that statement with the same care (if at all). People (even Hillary, last debate) have no problem pointing fingers:

"[The hack] has come from the highest levels of the Russian government, clearly from Putin himself, in an effort – as 17 of our intelligence agencies have confirmed – to influence our election."

This infuriates me to no end -- misrepresenting the issue and making an enemy out of Russia with a single bold-faced lie. The problem is not Russia airing dirty laundry, it's that our politicians have dirty laundry to air.
(comment deleted)
I have a fundamental problem with this. Someone working on an election campaign still has as much of a right to private (professional and personal) communication as you or I do.
Good, then it should make you angry as well -- Hillary's repeatedly shown herself to be in favor of weakening encryption. Out of all the possible responses to the leak hers was the absolute worst.
If that someone is working for the campaign of a politician/party which supports NSA spying on Americans, he or she has no right to privacy in my eyes. The way I see it, if you want me to respect your privacy, you have to respect mine.

  At no point in the official statement [0] is Russia EVER 
  blamed for the DNC hack and subsequent leaks
(click)

  We believe, based on the scope and sensitivity of these 
  efforts, that only Russia's senior-most officials could 
  have authorized these activities.
Hmm.
That could easily refer to the previous sentence if this was in a courtroom

"Such activity is not new to Moscow—the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there"

What are you looking for in terms of evidence? Please bear in mind that we're very unlikely to find something signed "PUTIN WUZ HERE" anywhere.
>And Bitly links ain't it.

And why aren't they? Too damning I presume.

This blog post is part of a longer trail of breadcrumbs that is spread out across multiple sources and over a long period of time.

It started with the WashPo story[0] on the DNC hack and the CrowdStrike attribution (there were some good rebuttal stories at that time, I think they have changed their minds) and now you have 10-15 different sources kicking this story further down the road each day.

That's how journalism is changing - rather than having 2-3 investigative reporters at one newspaper do a one year investigation then publish their in-depth series (pass go, collect pulitzer etc.) the large stories are now often broken down piecemeal and worked on in public over time.

It means many more experts can work on it and the stories are better for it - but the downside is that they're very difficult to keep track of (the only way is Twitter or reddit, IMO - and the netsec reddit is horrible with approving stories). If you come into it part way you can feel lost because the writers assume you've been following along (which is a mistake)

I've honestly probably read 100+ stories on this thread, likely more. At this stage you need to bring the thread back together yourself with Google or starting with the Wikipedia pages[2][3]

[0] https://www.washingtonpost.com/world/national-security/russi...

[1] https://www.crowdstrike.com/blog/bears-midst-intrusion-democ...

[2] https://en.wikipedia.org/wiki/Democratic_National_Committee_...

[3] https://en.wikipedia.org/wiki/2016_Democratic_National_Commi...

You say you read 100+ stories. How do you keep track of all of them? It is easy to forget when you read so much and more difficult to exactly pinpoint where you read it?
Vice has been a government mouth piece for a while now, so of course they're going to say Russia.
What makes you say that about Vice?
The screens actually show that Google blocks attempts to log in from other, non-typical addresses:

"Google stopped this sign in attempt"

So it seems it's even not that Podesta just gave his password to the phishing server but some more interesting story?

No, the screen w/ "Google stopped this sign in attempt" is not from Google. Presumably the "Change Password" link pointed to a server controlled by the phishers.
I think you don't know what Google does and make an empty claim, unsupported by the screens displayed. They actually have such kind of protections, I've seen them.

Why would the phishers inform the victim that they got his password? It's against their goals.

Edit: Fascinatingly, the google.com/amp does the redirection, but the google.com is contacted first. Why would google.com do this? Ah, yes... the Google validated AMP cache. Nice.

Edit2: Dude in the reply to this, the fascinating thing is, the google.com is actually contacted from that address first. Mind blown. The phishing using the actual, real google.com. Really, really, nice. That is for me the most fascinating detail from this whole story. It is actually the real www.google.com who made that thing possible. Wow.

Dude. Look at the caption underneath those screenshots. They say, "A screenshot of the phishing email received by ..."

The fact that Google actually sends out emails that look like that is what makes the phishing attack so effective. The email looks like it is from Google, and therefore trustworthy.

As to why the phishers would inform him that they got his password? The reason is that at the time they sent the phishing email, they didn't actually have his password, and wanted him to click on a link that they controlled so he would give them his password.

I'm trying to get through to you. Please tell me it's working.

The open redirect on google.com has been known for a while: [1]

Google's official policy regarding open redirectors: "Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk." [2]

[1] http://seclists.org/bugtraq/2016/Apr/70

[2] https://sites.google.com/site/bughunteruniversity/nonvuln/op...

> "tooltips are not a reliable security indicator"

Translation: "we don't look at that sh.t"

> "poses very little practical risk."

I'm sure Powell, Podesta and a big part of the world now clearly agree with them. /s

Everybody knew t.co/sh.t is somewhere else. www.google.com/whatever/without/query wasn't. Fracking up the established expectations.

> "offers fairly clear benefits"

Translation "For us. Muahhaha."

At least, until something like this. Hopefully.

(comment deleted)
Wait, the account didn't have two-factor auth enabled?!?
Outdated estimate, but better than nothing:

https://duo.com/blog/estimating-googles-two-factor-2sv-adopt...

Seems to point to likely less than 10% of users having 2FA enabled.

Sure, but I'd expect high-profile people to have _someone_ telling them to enable it!
(comment deleted)
No one at the DNC or Clinton campaign have heard about encrypting emails either.
They thought they just had to keep the server in the bathroom...
(comment deleted)
The one thing I kept looking for in the article was "How Hackers Broke into John Podesta and Colin Powell’s Gmail Accounts", but despite the title, the don't say exactly how and it probably wasn't a hack. They just entered their passwords after clicking a phishing link as far as I can tell now.

Also, I think I have the technical knowledge to understand the evidence and I certainly want to understand but it is still unclear to me. What a strange article.

Huh, so phishing, eh? Underwhelming. I don't understand the Russian connection. Is it because the ultimate "account.google.com-security..." domain is associated with Russia?

Also, from the article:

> It’s unclear why the hackers used the encoded strings, which effectively reveal their targets to anyone. Kyle Ehmke, a threat intelligence researcher at security firm ThreatConnect, argued that “the strings might help them keep track of or better organize their operations, tailor credential harvesting pages to specific victims, monitor the effectiveness of their operations, or diffuse their operations against various targets across several URLs to facilitate continuity should one of the URLs be discovered.”

It seems like because with the email encoded in the URL you can prefill the "someone logged into your Google Account: XYZ", right? That way you could send out millions of these things to harvest email/password combinations. I don't understand how or why they would do it any way but that way.

The Russian connection is that those bit.ly links point back to a domain name that is known to be used by APT28.
(comment deleted)
It really sounds like it was some guy who weighs 400 pounds in his bedroom, rather than some elite nation-state-level Russian attack.
If email filters can detect that the ultimate long URLs are malicious (hence the use of bitly shortened links), couldn't bitly detect those malicious links using the same techniques to cut down on these types of attack? Their response seemed a little defeatist.
People use bit.ly specifically to shorten long URLs; for example, URLs with long Google analytics parameters (e.g. &utm=...) so that would defeat the purpose of using bit.ly.
I should explain what I meant further: I wasn't suggesting that bit.ly prevent people from shortening links, rather I was suggesting that they filter for links like the one mentioned in the article which are clearly intended to trick people into thinking they are clicking a link to a Google domain when in fact it is a link to the nefarious party's server. See the long link in the article for what I mean. It looked like a google.com link but in fact was a link to a.tk domain.
”They don’t want to understand the evidence.”

No evidence has been provided showing these command and control servers are under the control of the FSB. So how the hell can anyone hope to understand the evidence when we don't have access to it?

Show us the links between FancyBear and the command and control servers or GTFOOH

edit regarding related dnc hack: turns out the command and control thing was debunked:https://medium.com/@jeffreycarr/can-facts-slow-the-dnc-breac...

Under 'Fact Check the Evidence'

Now the only other evidence for Russian involvement is the metadata found in the Guccifer files, which, if you are to take as 'evidence' means that that link between Premise and toddandclare.com of pedo-gate fame is irrefutable. Which it is not, because it relies on the same borderline intelligent inductions.

I find the use of Google's AMP cache notable to avoid having to use a spoofed domain, you can use it to have Google serve up your content themselves, rendering the advice to 'look at the domain name of the link before clicking' even more useless than it was before

Compare:

http://myaccount.google.com-securitysettingpage.ml/security/...

in the first screenshot to the screenshot from a Bellingcat journalist:

https://www.google.com/amp/tiny.cc/...

Both links are broken.
Sorry, in hindsight my comment is rather opaque. Those links are incomplete links of the phishing links contained in the emails. I wanted to highlight the difference in the screenshots in the vice.com article between seeing a clear www.google.com (due to the AMP cache) and a google.com-user-security.tk or whatever spoofed domain that got used. Point being Google is making it easy for phishers to spoof links with the AMP cache.

I'm guessing Google is relying on their existing malware detection and site reporting process to weed out pages that take advantage of this. This approach mostly works for mass spammed links and sites trying to pass on malware but won't work for targetted phishing attacks against all but the savviest of security conscious users.

Is it possible the article writer got served the AMP page and the redirect was to the .com-* subdomain?

Are the bit.ly targets known?

If they're public bitly accounts and the emails are encoded in the URL can't we just go look at the bitly accounts for all the urls and figure out who else they tried to spearfish? Wouldn't that be useful information about what could be coming next? Maybe this is a better question posed in the reddit thread that I'm sure exists.
This article is saying its irrefutable based on the link's and origin of the attack that it was state sponsored and even suggests that you're either contrarian or just an idiot if you think otherwise.

But isn't it within the realm of possibility that traffic is being proxied through a Russian located server to make it appear like Russia? Furthermore, I know that when security researchers look at a group they look beyond just the origin of attack and at behavior patterns but couldn't you spoof those easily too? I guess my point is that there is still a possibility its not the Russian/state sponsored based on evidence I have seen.

The former UK Ambassador to Uzbekistan (who has visited Assange at the Ecuadorian embassy) claims:

"I can tell you with 100% certainty that it is not any Russian state actor or proxy that gave the Democratic National Committee and Podesta material to WikiLeaks. The claim is nonsense. Journalists are also publishing that these were obtained by “hacking” with no evidence that this was the method used to obtain them."

https://www.craigmurray.org.uk/archives/2016/10/really-reall...

The article isn't talking about tracing traffic through Russia or any of that, so I don't understand how your comment is at all appropriate. The article is talking about how a bunch of attacks against people can all be traced back to the same group Fancy Bear (which is claimed to be a group of Russian hackers) because they all used a single bit.ly account to craft the short URLs that were used in the phishing emails. This account was found by tracking down Fancy Bear's command and control domains (so it was already known to belong to Fancy Bear before they connected it to John Podesta).

So are you saying that Fancy Bear isn't actually Russian hackers? Or are you saying you think the article is lying about the fairly strong evidence tying all these attacks together?

I'm more pointing out the possibility its not state sponsored by Russia even if the attack originated in Russia. Based on the evidence they have released do we have any idea what Fancy Bear is really comprised of and what their motivations are? For all we know there could be Americans in the group. It could be hackers sharing techniques with eachother and operating under the same flag. I still have questions in my mind and I'm not willing to pass the judgement on what I have seen but its possible the security researchers have more evidence they can't release for various reasons.
Why does the "intelligence community" refuse to give this as their source of attribution?
> refuse to give this

Do you mean, why doesn't the intelligence community publicly release all the info they have pointing towards Russia?

Because the answer seems kind of self-evident. The intelligence community is not in the business of releasing any information it doesn't have to. In fact, its business is protecting information, and trying to get information about other people. If the intelligence community publicly released all the info about why they think it's Russia, then depending on what the info is, that could seriously damage their ability to gather more info in the future, or maybe even put people's lives at risk (e.g. if the info was provided by people in Russia).

The article mentions how the same account was used in 2014 to attack journalists outside the U.S. covering the Malaysia Airlines Flight 17 shootdown over Ukraine. This lends credibility to the idea that it was Russian-sponsored actor(s) using this tool/M.O. over time.
Those are script kiddie level phishing attacks. They use free domains and free link shorteners. Only a user that doesn't look at the address bar could buy that.

Is shows how insecure web is: a typical user cannot distinct between real and a fake login page. That is why we should stop using outdated insecure password system and switch to cryptographic USB tokens.

But Google usually blocks access to the account when you try to login from a new IP address. Why didn't it work here?

Wrong.

Look at the https://google.com/amp/hackme.com and pictures from article.

TL;DR: google amp does redirect, and you can use bit.ly/xxx instead hackme.com in example above.

The website url is still http://www.hackme.com though.

These different iterations of myaccount-google.com, support.goog1e.com, etc. are common for many companies - the best thing to do is use 2-step auth.

The fake login page still is not on a google domain.
"The phishing email that Podesta received on March 19 contained a URL, created with the popular Bitly shortening service, pointing to a longer URL that, to an untrained eye, looked like a Google link."

Ha....looked at the link and can conclude...long enough to bypass the average attention span ;)

Is there a list somewhere of all "known" APT's, i.e. which number is suspected to be who? And is the "APT numbering" something internal to the NSA or is it by now a sort of an informal standard? And are there reports of how the Russians and the Chinese 'label' Western groups?
One would have assumed that Mandiant would act as the IANA for APT? b^)
Why doesn't bitly block obvious phishing domains - like ones that contain popular domains as a prefix?