Imagine a hand palming a human face forever
posted by Winston Smith at
“When you have only a few details, the nefarious ones loom large in your imagination,” says Errata Security’s Robert David Graham. “But for people like me who've set up and managed lots of DNS and email servers, the more likely explanation is incompetence and legacy systems.”

I have immediate confidence in Mr. Graham on the basis of those words alone. That dude knows what's up.

This is a pretty good article, really. I shared all the following thoughts, with expansions/comments included:

“A server replying to a ping with an error message isn’t unusual.”

Like, at all. It's hardly evidence of anything. It's evidence of this nature: if (A) you were rejecting all traffic from everyone but a single host, then (B) you would be rejecting Internet Control Message Protocol (ICMP) pings from the potential trolls/analysts (let's call them the PTAs for the sake of a happy acronymic coincidence).

So, as my philosophically inclined friend is well aware, to reason from B to A in this case is a classic converse error.

“There are plenty of ways to stay anonymous on the internet, whether through fake names, third-party hosts, or circumvention networks like Tor — but neither party attempted anything like that.”

True, but sometimes hiding in plain sight is the best choice. A repurposed old spam server as a secret channel ain't too bad of an idea, for all the plausible-deniability reasons you're seeing expounded through all the speculative jabber going on. Changing its name, or giving any other indication that you are using it for some other purpose, would weaken the plausible deniability that comes along with being able to say "That's just some shitty old legacy system we incompetently left running. We took it down. It's cool."

Right. Fits nicely with the correct outlook of the smart guy at the start, eh? You can try stealth, but sometimes that just calls you out when even a slight mistake is made. It's a lot easier to simply try fitting in with the n00b herd.

“Even the existence of DNS records is a kind of tell. All our evidence of the connection between the two servers comes from repeated public queries made over the course of months — but if this was really a secret hotline, why make those queries at all? If the servers were only meant to talk to each other, why not connect directly, storing the IP-domain link locally and skipping public domain registration entirely?”

I did immediately think of this, too. It is hard to figure out why anyone would've used DNS for the systems' communication at all, but it could always be either (A) genuine incompetence or (B) the intent to appear no different from genuine incompetence.

“Failing that, why not use a shared email account or any of dozens of private messaging services that leave less of a metadata trail?”

Because...

“There are plenty of hard problems in building untraceable chat systems”

That. And the hiding in plain sight thing.

“Alfabank’s representatives offered Foer, saying the leading theory was that the servers ‘may have been responding with common DNS lookups to spam sent to it by a marketing server.’ It’s unusual to respond to a spam email with a DNS lookup, but it can be useful for checking the general location of the server and ensuring it exists.”

So, actually, it's a standard part of many anti-spam implementations to perform what are known as "reverse DNS lookups" to identify the source of an email. Basically, your mail server receives a message from someone on the Interwebs, and that someone conveys his/her IP address to the server so that the conversation required to transmit the email can happen (the sender says "Hi, I'm 18.104.22.168" or whomever, and that IP address is where the server sends its responses for the short exchange needed to receive the email). If the IP address provided is wrong, then the sender will never hear back from the server, so spoofing an IP address doesn't work unless the sender controls the network infrastructure over which the communication is taking place, but that's some real conspiracy-theory land there.

In order to confirm that mail is not sent by an unauthorized sender (like me sending mail allegedly from "Noonan@peggy.com"), people who run email servers can put in place what's called the "Sender Policy Framework" (SPF), which publishes in DNS a text record that email recipients can look up to see which IP addresses are legitimate mail servers for that domain. So, like, if you receive something from "Noonan@peggy.com", you can query the SPF record for "peggy.com" (if they have one) and see if the sending IP address (mine, in this case) is on the list of legitimate senders for peggy.com. Since I am not on that list (and cannot be unless the owner of the DNS record updates it, or I gain access to the owner's account, or whatever), your email server can call bullshit on that email and reject it as spam.

I used it very happily when I managed an Exchange server, and it alone was responsible for a nice percentage of the spam rejected by my organization (which was about 50% of the total traffic we had, amazingly enough).

So it's a plausible explanation, really. Though the timing with political events is hard to explain. If that data is legit, of course.
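To make the SPF and reverse-DNS mechanics concrete, here is a small Python evaluator I've added as an illustration; it is not code from the original post, from Slate, or from any of the parties discussed. It assumes a stub resolver backed by constructed zone data (the peggy.com records, the mx1.peggy.com host, the mailer.example include target and the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 ranges are all made up for the example), whereas a real receiver would issue live TXT/MX/A/AAAA/PTR queries. It walks the SPF mechanisms the way a receiver does (ip4, ip6, a, mx, include, all, with the +/-/~/? qualifiers), returns the RFC 7208 result names, and pairs that with a forward-confirmed reverse DNS check for senders whose domain publishes no policy.

```python
import ipaddress

# Constructed zone data standing in for live DNS answers (assumption of this
# example; a real receiver would query these records, e.g. with dnspython).
FAKE_DNS = {
    ("peggy.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:mailer.example -all"],
    ("peggy.com", "MX"): ["mx1.peggy.com"],
    ("mx1.peggy.com", "A"): ["198.51.100.25"],
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mx1.peggy.com"],
    ("mailer.example", "TXT"): ["v=spf1 ip6:2001:db8::/32 ~all"],
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
RESULT_OF = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def resolve(name, rtype):
    """Stub resolver: look up (name, record type) in the constructed zone data."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in resolve(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def host_addresses(name):
    """All A/AAAA addresses for a hostname, as canonical strings."""
    return set(resolve(name, "A")) | set(resolve(name, "AAAA"))


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the connecting IP against the domain's SPF policy.

    Returns one of pass/fail/softfail/neutral/none/permerror (RFC 7208 names).
    Handles ip4, ip6, a, mx, include and all; modifiers such as redirect= and
    exp= are skipped in this example, and a/mx CIDR suffixes are not supported.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        if "=" in term:                 # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in RESULT_OF:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # An IPv4 sender is never inside an IPv6 network, and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed network in the record
        elif mech == "a":
            matched = str(ip) in host_addresses(arg or domain)
        elif mech == "mx":
            matched = any(str(ip) in host_addresses(mx)
                          for mx in resolve(arg or domain, "MX"))
        elif mech == "include":
            sub = check_spf(sender_ip, arg, depth + 1)
            if sub in ("permerror", "none"):
                return "permerror"      # including a domain with no record is fatal
            matched = sub == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return RESULT_OF[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def fcrdns(sender_ip):
    """Forward-confirmed reverse DNS: the IP's PTR name must resolve back to
    the IP. Returns the confirmed hostname, or None."""
    ip = ipaddress.ip_address(sender_ip)
    for host in resolve(ip.reverse_pointer, "PTR"):
        if str(ip) in host_addresses(host):
            return host
    return None


def receiver_decision(sender_ip, mail_from_domain):
    """One plausible receiver policy (an assumption of this example, not a
    standard): reject on SPF fail, accept on pass, otherwise lean on rDNS."""
    spf = check_spf(sender_ip, mail_from_domain)
    if spf == "fail":
        return "reject"
    if spf == "pass":
        return "accept"
    return "accept" if fcrdns(sender_ip) else "flag"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "peggy.com"), ("203.0.113.9", "peggy.com"),
                    ("2001:db8:1::5", "peggy.com"), ("203.0.113.9", "nospf.example")]:
        print(f"{ip:>14} claiming {dom:<14} spf={check_spf(ip, dom):<8} "
              f"rdns={fcrdns(ip)} -> {receiver_decision(ip, dom)}")
```

The point the post makes shows up in the `include` and `mx` branches: evaluating a single inbound message from peggy.com costs the receiver several DNS lookups (TXT, MX, A, then the TXT of the included domain), so a receiving server that emits "common DNS lookups" in response to spam is behaving exactly as a correctly configured anti-spam stack should.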