Slashdot Mirror


Computer Scientists Believe a Trump Server Was Communicating With a Russian Bank (slate.com)

In light of the Democratic National Committee hack by the Russians earlier this year, a "tightly knit community of computer scientists" working in a variety of fields came up with a hypothesis, "which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump's many servers." In late July, one of the scientists, who asked to be referred to as Tea Leaves, discovered possible malware emanating from Russia, with the destination domain having Trump in its name. What the researcher saw "was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue." Slate Magazine reports:

More data was needed, so he began carefully keeping logs of the Trump server's DNS activity. As he collected the logs, he would circulate them in periodic batches to colleagues in the cybersecurity world. Six of them began scrutinizing them for clues. The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn't the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation -- conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank. The server was first registered to Trump's business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump.
But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. That wasn't the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health.
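As an added example (not part of the Slashdot summary or of the Slate reporting, and not the researchers' data or code), here is the kind of analysis the excerpt describes, run over a constructed sample of DNS lookup records: which resolvers account for what share of the lookups, how many of each resolver's lookups fall inside office hours for a given UTC offset, and whether the spacing between lookups is regular (fixed-interval beaconing, typical of automated tooling) or irregular (human-paced). The log layout, the hostname mail1.example.test, the resolver addresses (RFC 5737 documentation ranges), the office-hours window and the UTC offsets used for Moscow (+3) and New York (-4, daylight time) are all assumptions.

```python
import statistics
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in an assumed "<UTC timestamp> <resolver IP> <queried name>" layout.
# 192.0.2.10 and 198.51.100.20 stand in for the two busy resolvers and 203.0.113.30 for a
# third party; all three are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
2016-07-25T06:15:00Z 192.0.2.10 mail1.example.test
2016-07-25T07:42:00Z 192.0.2.10 mail1.example.test
2016-07-25T09:05:00Z 192.0.2.10 mail1.example.test
2016-07-25T10:00:00Z 203.0.113.30 mail1.example.test
2016-07-25T10:30:00Z 203.0.113.30 mail1.example.test
2016-07-25T11:00:00Z 203.0.113.30 mail1.example.test
2016-07-25T11:30:00Z 192.0.2.10 mail1.example.test
2016-07-25T13:05:00Z 198.51.100.20 mail1.example.test
2016-07-25T13:48:00Z 192.0.2.10 mail1.example.test
2016-07-25T14:20:00Z 192.0.2.10 mail1.example.test
2016-07-25T15:40:00Z 198.51.100.20 mail1.example.test
2016-07-25T18:22:00Z 198.51.100.20 mail1.example.test
2016-07-25T21:10:00Z 198.51.100.20 mail1.example.test
2016-07-26T05:50:00Z 192.0.2.10 mail1.example.test
2016-07-26T08:10:00Z 192.0.2.10 mail1.example.test
2016-07-26T12:33:00Z 192.0.2.10 mail1.example.test
2016-07-26T13:30:00Z 198.51.100.20 mail1.example.test
2016-07-26T14:55:00Z 192.0.2.10 mail1.example.test
2016-07-26T16:45:00Z 198.51.100.20 mail1.example.test
2016-07-26T20:05:00Z 198.51.100.20 mail1.example.test
"""

MOSCOW_UTC_OFFSET = 3    # assumption: Moscow in summer 2016
NEW_YORK_UTC_OFFSET = -4  # assumption: Eastern Daylight Time


def parse_log(text):
    """Return a list of (utc datetime, resolver, qname); blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((ts, parts[1], parts[2]))
    return records


def share_by_resolver(records):
    """Fraction of all lookups attributable to each resolver (the '87 percent' style figure)."""
    counts = Counter(res for _, res, _ in records)
    total = sum(counts.values())
    return {res: n / total for res, n in counts.items()}


def office_hours_fraction(records, utc_offset_hours, resolver=None, start=9, end=18):
    """Fraction of lookups (optionally for one resolver) whose local hour lies in [start, end)."""
    hits = total = 0
    for ts, res, _ in records:
        if resolver is not None and res != resolver:
            continue
        total += 1
        if start <= (ts.hour + utc_offset_hours) % 24 < end:
            hits += 1
    return hits / total if total else 0.0


def beacon_score(records, resolver):
    """Coefficient of variation of the gaps between one resolver's lookups.
    Near 0 means fixed-interval beaconing; well above 0 means irregular, human-paced activity."""
    times = sorted(ts for ts, res, _ in records if res == resolver)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return float("nan")
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0


def main():
    recs = parse_log(SAMPLE_LOG)
    for res, share in sorted(share_by_resolver(recs).items(), key=lambda kv: -kv[1]):
        print(f"{res:15} share={share:.2f} "
              f"moscow_office={office_hours_fraction(recs, MOSCOW_UTC_OFFSET, res):.2f} "
              f"ny_office={office_hours_fraction(recs, NEW_YORK_UTC_OFFSET, res):.2f} "
              f"beacon_cv={beacon_score(recs, res):.2f}")


if __name__ == "__main__":
    main()
```

The beacon score is the usual first-pass beaconing heuristic: automated check-ins cluster around one interval, while lookups triggered by people (or by mail queues driven by people) do not. On its own it says nothing about content, which is the caveat several commenters raise below: DNS lookups show that resolution happened, not what, if anything, was sent afterwards.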

14 of 548 comments

  1. Hack by the Russians? by LynnwoodRooster · · Score: 3, Informative

    Turns out it was Huma using Yahoo, and Podesta getting phished... No Russians involved, just plain old incompetence.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  2. Unlikely to be of any use by Okian Warrior · · Score: 3, Informative

    While this is certainly interesting and deserves attention (I voted it up in the firehose), it's unlikely to be of any use during the campaign.

    For one, the server was registered in 2009 and is unlikely to be anything related to the elections. Trump's business is pretty big, and he has contacts all over the world.

    (For comparison, the Podesta group is registered with the U.S. government as a lobbyist for Sberbank. Google "Podesta Russia" for lots of links and info.)

    For another, if it's nefarious it's more likely to be some sort of mole or agent within Trump's organization. Again, Trump's business is huge, and there are probably one or more foreign government agents working for him (also in Google, Facebook, and a hundred other big organizations).

    Also, there might be a perfectly reasonable explanation. We should wait for the Trump campaign explanation, then see if their explanation seems reasonable. God only knows how many times we've done that for the Clintons!

    And finally, it might be too little too late. Word on the street is that Clinton will be stepping down on Tuesday (tomorrow), Veritas is planning a "blockbuster" drop this week, Wikileaks is about to start phase three of its election coverage, and internal leaks from the campaign indicate that Hillary is coming apart at the seams: binge drinking, uncontrolled anger, and poor judgement in general.

    As the saying goes, it's not over until it's over.

    Let's just wait for the election.

    1. Re:Unlikely to be of any use by meta-monkey · · Score: 3, Informative

      Why didn't they deny the content of the videos then, and why did Creamer and Foval resign?

      Also, people have matched the girl from the video who said she shut down the Arizona freeway to pictures from the scene, and found her payment records with Hillary's campaign. Everything checks out about the Veritas story so far.

      Also, can you give me a plausible explanation for how "clever editing" makes innocent conversation sound exactly like someone explicitly stating they hire the mentally ill to start fights at their opponents' political events?

      --
      We don't have a state-run media we have a media-run state.
  3. Re:I've seen things at least that strange by PopeRatzo · · Score: 3, Informative

    There are all sorts of reasons this sort of behavior might materialize.

    Are there also "all sorts of reasons" that the peak activity of this server would occur only during dates immediately following dramatic election news?

    Read the whole story. It wasn't "typo-squatters" it was a Russian bank owned by oligarchs that was connecting to Trump's secret private email server.

    It's a well-researched and written story. You might want to check it out unless the news upsets you for some reason.

    That wasn’t the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health. (The company said in a statement: “Spectrum Health does not have a relationship with Alfa Bank or any of the Trump organizations. We have concluded a rigorous investigation with both our internal IT security specialists and expert cyber security firms. Our experts have conducted a detailed analysis of the alleged internet traffic and did not find any evidence that it included any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.”)

    Spectrum accounted for a relatively trivial portion of the traffic. Eighty-seven percent of the DNS lookups involved the two Alfa Bank servers. “It’s pretty clear that it’s not an open mail server,” Camp told me. “These organizations are communicating in a way designed to block other people out.”

    Earlier this month, the group of computer scientists passed the logs to Paul Vixie. In the world of DNS experts, there’s no higher authority. Vixie wrote central strands of the DNS code that makes the internet work. After studying the logs, he concluded, “The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.” Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence. Over the summer, the scientists observed the communications trail from a distance.

    * * *

    While the researchers went about their work, the conventional wisdom about Russian interference in the campaign began to shift. There were reports that the Trump campaign had ordered the Republican Party to rewrite its platform position on Ukraine, maneuvering the GOP toward a policy preferred by Russia, though the Trump campaign denied having a hand in the change. Then Trump announced in an interview with the New York Times his unwillingness to spring to the defense of NATO allies in the face of a Russian invasion. Trump even invited Russian hackers to go hunting for Clinton’s emails, then passed the comment off as a joke.

    --
    You are welcome on my lawn.
  4. Re:possibly illegal by Xenographic · · Score: 5, Informative

    Nah, it's worse than that, looks like they were sniffing traffic at either the ISP of one of the two endpoints or a backbone.

    If there were something here, you'd expect them to talk about finding data in the ICMP echo requests. You'd expect them to communicate over something normal like SSH. You'd expect some evidence that there was something illegal or improper going on here (other than, y'know, spying on other people's network traffic....).

    Their audience is apparently morons who don't know what a ping is.

  5. Re: Temper your enthusiasm by Swave An deBwoner · · Score: 3, Informative

    Ahem ...

    Federal Judge Allows Suit Against Trump University to Proceed
    http://www.nytimes.com/2016/08/03/us/politics/trump-university-case.html

    Reminder: Donald Trump due in court after Election Day on child rape and racketeering charges
    https://www.rawstory.com/2016/10/reminder-donald-trump-due-in-court-after-election-day-on-child-rape-and-racketeering-charges/

  6. Re: BULL SH!T by Anonymous Coward · · Score: 0, Informative

    And how exactly does posting under the dugancent pseudonym reveal your identity? Oh, that's right, it DOESN'T. Grow up.

  7. Re: BULL SH!T by ArmoredDragon · · Score: 5, Informative

    Without having read TFA, often even as a network engineer, I'll use the term "ping" even when not referring to ICMP. For example, I'll refer to an SNMP walk (of any kind) as a "ping".

    Still though, this doesn't come off as suspicious to me at all. Since when is it odd or otherwise unusual that a server belonging to a billionaire talks to a server belonging to a bank in a foreign country? That's like saying that it's odd that there's dog piss on a fire hydrant.

  8. Re:I've seen things at least that strange by russotto · · Score: 4, Informative

    There's spikes all over the graph. Very few correspond with anything election related. The spike during the RNC platform committee is from Michigan (Spectrum Health), not either of the Alfas.

  9. Um... you do know he's part of the oligarchy by rsilvergun · · Score: 2, Informative

    right? Both he and his father were slum lords, for Christ's sake. Seriously. One of the Guthries (Woody, I think) had a song about Frank Trump.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  10. Re:Election season is Silly Season by ShakaUVM · · Score: 4, Informative

    FTA: "Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence."

    Oh, you mean like the SSH setup I have for all my servers to only listen to known IPs for shell access? Uh, yeah, no kidding. Geez, politics can make people so stupid.

    According to known right-wing rag, the New York Times, the FBI investigated this alleged connection for weeks and decided it was nothing.

    http://www.nytimes.com/2016/11...

  11. Re:possibly illegal by Aighearach · · Score: 4, Informative

    Their audience is apparently morons who don't know what a ping is.

    Well, as an actual software developer who has worked with network protocols I can assure you that there are lots of different types of ping, TCP ping, etc.

    Furthermore, those in doubt can just check the RFC for ICMP and discover that it includes echo packets with an arbitrary payload. That should get a person one dim lightbulb away from realizing that you can tunnel other things on top of ICMP, and then from there they might do a search of the interwebs and discover that this is old hat.

    The pedants in this article are mostly a bunch of tools who don't know an ICMP echo packet from a Russian in a fur hat! Worse, they don't know a Russian ICMP packet in a squirrel toupee from a Brazilian SSH attack!

    So even though they're possibly not even talking about ICMP, if they were it would all make sense. But DNS is also used for tunnels, so that's probably what it really is. Also, DNS is more likely to make it into logs that people have legit access to and aren't private.
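To make the comment's point about echo payloads concrete, here is an added example that is not from the post or from the Slate article: it builds an ICMP echo request as laid out in RFC 792 with an arbitrary data field, verifies the RFC 1071 checksum when parsing the packet back, and then applies the kind of check a defender would run over captured echo payloads, namely whether the data resembles what stock ping tools send and how high its byte entropy is. The stock-payload patterns (the 32-byte alphabet string from Windows ping, and the iputils layout of an 8-byte timestamp followed by incrementing filler bytes), the entropy threshold, and the constructed sample payloads are all assumptions. Sending the packet would need a raw socket; nothing here touches the network.

```python
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # assumed stock Windows ping data field


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Header is type, code, checksum, identifier, sequence; the data field is free-form."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split header from payload; a packet with a correct checksum sums to zero."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    if internet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def is_valid_echo(packet: bytes) -> bool:
    try:
        parse_echo(packet)
        return True
    except ValueError:
        return False


def looks_like_stock_ping(payload: bytes) -> bool:
    """Assumption: stock tools send either the Windows alphabet string or an 8-byte
    timestamp followed by filler bytes that increase by one per position."""
    if payload == WINDOWS_PATTERN:
        return True
    filler = payload[8:]
    return bool(filler) and all(filler[i] == (filler[0] + i) & 0xFF for i in range(len(filler)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted tunnel data sits far above plain ping filler."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(n / len(data) * math.log2(n / len(data)) for n in counts.values())


def classify_payload(payload: bytes, entropy_threshold: float = 4.0) -> str:
    if looks_like_stock_ping(payload):
        return "stock-ping"
    if shannon_entropy(payload) > entropy_threshold:
        return "suspicious-high-entropy"
    return "non-standard"


if __name__ == "__main__":
    # Constructed payloads: stock iputils-style filler, plain text, and ciphertext-like bytes.
    stock = bytes(8) + bytes(range(0x10, 0x40))
    text = b"hello from the tunnel"
    ciphertext_like = bytes((i * 73 + 41) & 0xFF for i in range(64))
    for name, payload in [("stock", stock), ("text", text), ("ciphertext", ciphertext_like)]:
        pkt = build_echo_request(0x1234, 1, payload)
        print(f"{name:10} len={len(pkt):3} valid={is_valid_echo(pkt)} "
              f"entropy={shannon_entropy(payload):.2f} verdict={classify_payload(payload)}")
```

The entropy threshold is deliberately crude; real tunnels can pad with stock filler to defeat it, which is why a capture of the echo data (not a log of DNS lookups, as the commenter notes) is what you need before saying anything about content.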

  12. Re:I've seen things at least that strange by Xenographic · · Score: 4, Informative

    Almost... just for giggles, it looks like it isn't even his:

    https://pbs.twimg.com/media/Cw...

  13. This has been debunked by TomGreenhaw · · Score: 4, Informative

    The server belonged to an email marketing company. In this case there isn't a big deep dark secret Trump-Russian conspiracy.

    If you want an insight into Trump's ties with Russia, look at Paul Manafort and read Time magazine's article on the subject http://time.com/4433880/donald...

    --
    Greed is the root of all evil.