Slashdot Mirror


Computer Scientists Believe a Trump Server Was Communicating With a Russian Bank (slate.com)

In light of the Democratic National Committee hack by the Russians earlier this year, a "tightly knit community of computer scientists" working in a variety of fields came up with a hypothesis, "which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump's many servers." In late July, one of the scientists, who asked to be referred to as Tea Leaves, discovered possible malware emanating from Russia, with the destination domain having Trump in its name. What the researcher saw "was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue." Slate Magazine reports:

More data was needed, so he began carefully keeping logs of the Trump server's DNS activity. As he collected the logs, he would circulate them in periodic batches to colleagues in the cybersecurity world. Six of them began scrutinizing them for clues. The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn't the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation -- conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank. The server was first registered to Trump's business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump.
But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. That wasn't the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health.
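The summary describes the researchers' core technique: looking at the timing of DNS lookups rather than their content, and asking whether the gaps look machine-regular (a beacon or update check) or shaped like office hours in New York and Moscow. The following is an added example of that analysis, not code from the Slate article or anyone in the thread; the log lines and addresses are constructed, and the time zone offsets are fixed to their July 2016 values.

```python
"""Timing analysis of DNS query logs as the summary describes it (added example,
not code from Slate or the Slashdot thread; log lines are constructed)."""
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Fixed offsets for July 2016: New York on EDT (UTC-4), Moscow on MSK (UTC+3).
NEW_YORK = timezone(timedelta(hours=-4), "EDT")
MOSCOW = timezone(timedelta(hours=3), "MSK")

# Constructed passive-DNS style lines: "<UTC timestamp> <client> <qname> <qtype>".
IRREGULAR_LOG = """\
2016-07-20T13:02:11Z 203.0.113.7 mail1.example-marketing.test A
2016-07-20T14:47:53Z 203.0.113.7 mail1.example-marketing.test A
2016-07-20T16:05:30Z 203.0.113.7 mail1.example-marketing.test A
2016-07-20T18:31:09Z 198.51.100.9 mail1.example-marketing.test A
2016-07-21T12:58:44Z 203.0.113.7 mail1.example-marketing.test A
2016-07-21T15:10:02Z 203.0.113.7 mail1.example-marketing.test A
"""
# Constructed: a legacy host checking for updates on the hour, overnight.
BEACON_LOG = "\n".join(
    f"2016-07-20T{h:02d}:00:00Z 192.0.2.44 updates.example-vendor.test A"
    for h in range(1, 6)
)

def parse_log(text):
    """Return (utc_datetime, client_ip, qname) tuples, oldest first."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, client, qname, _qtype = line.split()
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((dt, client, qname))
    return sorted(events)

def office_hours_fraction(events, tz, start=9, end=18):
    """Share of queries whose local hour in `tz` falls in [start, end)."""
    hits = sum(start <= dt.astimezone(tz).hour < end for dt, _, _ in events)
    return hits / len(events)

def interarrival_cv(events):
    """Coefficient of variation of the gaps between queries: near 0 is a fixed-interval
    beacon (update checks, malware check-ins); well above 0.5 is irregular, human-paced."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return pstdev(gaps) / mean(gaps)

def distinct_clients(events):
    """Source addresses seen: how small the 'handful' of peers actually is."""
    return {client for _, client, _ in events}
```

On the constructed data the irregular log lands mostly inside New York office hours and half inside Moscow's, while the hourly beacon has zero gap variance and falls outside both; neither measure says anything about what, if anything, the lookups carried.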

16 of 548 comments

  1. I've seen things at least that strange by ScentCone · · Score: 5, Insightful

    I have customers with nearly-abandoned dedicated servers on their own IPs and with some project-related whitelist rules that act very much like what's described in the summary. Those servers do things like wasting their time checking for updates from some custom module authors (some overseas), and some try to connect to long-gone services that have had their domains scooped up by (ready?) Russian typo-squatters and the like, but with IPs that resolve somewhere else entirely because they've been re-assigned to entirely different companies. And no, nobody dares to approve changing the configuration on these legacy servers ... and they keep paying to keep them online, despite the crickets chirping instead of activity on whatever legacy task they once did.

    There are all sorts of reasons this sort of behavior might materialize. You know, sort of like there might be all sorts of reasons that Huma Abedin's trove of email - in the hundreds of thousands - might be on her creepy, estranged husband's laptop. I'm sorry, did I use her name? Woopsie! Hillary Clinton now calls her "a staffer."

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:I've seen things at least that strange by hey! · · Score: 5, Insightful

      From a logical standpoint this really tells us nothing. Just like the existence of the Abedin "trove" really tells us nothing. It's just a tabula rasa onto which people can project what they already believe.

      It wouldn't be surprising for Trump to have some kind of relationship with a Russian bank; that's not necessarily illegal. Now if you were looking for dirt, that'd be a good place to start looking, because there are sanctions against certain Russian firms and individuals. But it doesn't mean you'd find any.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:I've seen things at least that strange by LordLucless · · Score: 5, Insightful

      Read the whole story. It wasn't "typo-squatters" it was a Russian bank owned by oligarchs that was connecting to Trump's secret private email server.

      Uh, by "secret, private email server", do you mean the server openly and publicly registered to the Trump Organisation?

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    3. Re:I've seen things at least that strange by Anonymous Coward · · Score: 5, Interesting

      It's a well-researched and written story.

      What a fucking joke. This is still slashdot, right? There are still people here that understand TCP/IP and DNS, right? I only ask because the author of the slate article makes it abundantly clear that he is unaware of the difference between a server and a domain.

      The server was first registered to Trump’s business in 2009

      Does that look well researched to anyone here? If you were consulting with a reporter writing a story about servers and DNS, would you let him leave that sentence in the story? Or would you correct him?

      More:

      But what he saw was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue.

      What is on 5th Avenue? I'll give you a hint, it isn't the bank, the server or the domain. Someone go stop the presses, I think we just found the mailing address of Trump's office.

      But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. “I get more mail in a day than the server handled,” Davis says.

      That wasn’t the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses.

      Ok, so the server isn't advertising itself with a banner that says "I am a Beowulf cluster, and these chumps have been running 5 emails a day." How do these "researchers" know what it is inside? Did they commit some felonies to find out? Do I sense yet another batch of Democrats taking the 5th in the near future?

      Assuming they get in through some means, what do they find? Is it a capacious server with huge operating costs, like geothermal liquid cooling? Or is it a 1U stuffed into a rack somewhere and forgotten until someone walks past and notices that the idiot light is lit, 6 months after it shuts itself off because the PSU fan failed? Or is this server just an A record in DNS somewhere, in a domain that exists mostly so that recipient mailservers have a SPF record to look at? They don't tell us any specifics. My guess is that the "well-researched" writer thinks that each domain name needs a big dedicated server, at least to the extent that he is able to recognize them as distinct concepts and objects.

      I don't know about you guys, but I check my domain names and purge stale domains about once per decade. The $15 per year to leave them on autopilot autorenewal mode is literally less expensive than my effort to sift through the list plucking out the ones that I no longer need.

  2. Election season is Silly Season by davide+marney · · Score: 5, Insightful

    FTA: "Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence." Oh, you mean like the SSH setup I have for all my servers to only listen to known IPs for shell access? Uh, yeah, no kidding. Geez, politics can make people so stupid.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    1. Re:Election season is Silly Season by ScentCone · · Score: 5, Insightful

      Geez, politics can make people so stupid.

      No, politics makes people PRETEND to be stupid so they can pretend they are outraged by things they are pretending they don't understand well enough, so they can speak their phony outrage out loud in hopes that some other ACTUALLY low-information person will pick up the outrage and run with it all the way to the voting booth. This story is bordering on that. But the credible treatment of it is definitely such.

      --
      Don't disappoint your bird dog. Go to the range.
  3. /., where innuendo is news by HBI · · Score: 5, Funny

    I heard Trump used Internet Explorer once, too.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  4. Re:BULL SH!T by Anonymous Coward · · Score: 5, Insightful

    It's been part of their modus operandi from day one. Whenever they're caught lying or committing crimes, they try to deflect the blame to someone else or change the topic into an attack on Trump or their accusers. The Russia boogeyman is a favorite for them.

    It's so tired by now, and they've been caught lying so many times (pretty much every time they open their mouths, they're lying) that nobody believes a thing they say. The DNC could say the sun rose this morning and I'd still check out my window to verify.

  5. Re: Temper your enthusiasm by Bartles · · Score: 5, Insightful

    You guys nominated someone under criminal investigation by the FBI. The only people on earth who can't talk about how shitty Trump is are Clinton supporters.

  6. Re:BULL SH!T by Xenographic · · Score: 5, Insightful

    The evidence we're given is this:

    "What the researcher saw 'was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue'"

    A ping is an ICMP echo request. They can have data, but it's the same both ways and it's generally nothing meaningful. I get random pings and crap from everywhere, including Russia, China, etc. along with port scans and everything else. Frankly this is utter BS without more evidence than a random server responding to some pings and not others.

    It's also not clear how they were able to spy on this traffic without working at an ISP (where spying on your customers is generally frowned upon). But if they were in the middle of this, they could simply have inserted their own pings by spoofing the source address of some traffic. The article was a sad waste of time. There are lots of allegations that are based on nothing at all.

  7. Re:possibly illegal by Xenographic · · Score: 5, Informative

    Nah, it's worse than that, looks like they were sniffing traffic at either the ISP of one of the two endpoints or a backbone.

    If there were something here, you'd expect them to talk about finding data in the ICMP echo requests. You'd expect them to communicate over something normal like SSH. You'd expect some evidence that there was something illegal or improper going on here (other than, y'know, spying on other people's network traffic....).

    Their audience is apparently morons who don't know what a ping is.

  8. Are you people insane? Why is this in any way the same? by SuperKendall · · Score: 5, Insightful

    You have to be totally insane to think Russians possibly having malware in some bank that tried to protect itself to begin with, is anything even CLOSE to the seriousness of the Secretary of State ignoring multiple warnings about how insecure a personal email server was when inevitably she'd be sending top secret material over email...

    Hillary brought all of her ills on herself and the blowback from it is not yet a hundredth of what it should be. Every single person who knows anything about computer security should be utterly ashamed at ever supporting her actions, and the fact that so many still support her makes me think there is no real hope ever for comprehensive computer security. The system is rotten to the core, many computer "professionals" willing to compromise a system's integrity at the drop of a hat.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  9. Re:No one is flipping to the Russians...sheesh by Anonymous Coward · · Score: 5, Insightful

    A rich white New Yorker is the oligarchy.

  10. Re:possibly illegal by Xenographic · · Score: 5, Insightful

    You're right that they talk about DNS queries, but I'm pretty sure this is an actual ICMP echo:

    That wasn’t the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses.

    It can also be pretty easily explained by having a bunch of normal people on PCs behind a corporate firewall that doesn't accept traffic. Which makes sense because when they talk to the people, we find this:

    “Spectrum Health does not have a relationship with Alfa Bank or any of the Trump organizations. We have concluded a rigorous investigation with both our internal IT security specialists and expert cyber security firms. Our experts have conducted a detailed analysis of the alleged internet traffic and did not find any evidence that it included any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.”

    So, I'm still saying this looks like BS to me. Don't get me wrong, it's entirely possible that some Russian hacked something somewhere. I just don't buy there being a story here without more evidence than a few stray DNS queries.

  11. Re: BULL SH!T by ArmoredDragon · · Score: 5, Informative

    Without having read TFA, often even as a network engineer, I'll use the term "ping" even when not referring to ICMP. For example, I'll refer to an SNMP walk (of any kind) as a "ping".

    Still though, this doesn't come off as suspicious to me at all. Since when is it odd or otherwise unusual that a server belonging to a billionaire talks to a server belonging to a bank in a foreign country? That's like saying that it's odd that there's dog piss on a fire hydrant.

  12. Re: BULL SH!T by I'm+New+Around+Here · · Score: 5, Insightful

    There's no real evidence of Hillary's lies,

    You don't think Congressional testimony counts as evidence?

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.