John R. Houk
© January 1, 2017
Ever heard of Eric Braverman? I have not myself noticed the
name. Evidently, he WAS the CEO for the Clinton Foundation.
Eric Braverman was chief
executive officer of the Clinton Foundation from 2013 to 2015. At the
Foundation, Braverman led an effort to help ensure long-term
sustainability—securing an endowment, transforming the organization’s use of
data, establishing governance practices to reflect changing laws and public
expectations, consolidating entities, and creating professional development for
staff.
Previously, Braverman served as
a partner at McKinsey & Company, where he advised leaders in the public,
private, and non-profit sectors on strategy, organization, and operations.
Named by Fortune magazine in 2010 as one of the “40 Most Influential
Leaders in Business” worldwide under 40 years old, Braverman co-founded
McKinsey’s public sector practice and directed its work on government
innovation globally. He also served as an advisor on performance management and
technology for President Obama's transition team in 2008.
Braverman is a frequent speaker
on government at events, conferences, and seminars around the world—both in
academic and practitioner-oriented settings—focusing particularly on innovation
in government and the importance of partnership between the public, private,
and nonprofit sectors to improve lives.
The Angry Patriot has
noticed that Braverman not only resigned from the Clinton Foundation but has
seemingly disappeared from public view. Angry Patriot then goes into
educated speculation mode.
As we know the Democratic National Committee (DNC)
either had their email server hacked or someone leaked server info to
Wikileaks. The Dems say the Russians hacked their servers and released the data
to Wikileaks.
Julian Assange of Wikileaks says the Russians didn’t do the whistleblowing but
a disgruntled Clinton insider gave the data
to Wikileaks. (See Also 12/14/16 Washington Times report)
Angry Patriot wonders if Eric Braverman was the disgruntled
insider because of the timing of Braverman going off the public grid.
With the Clintons’ history of potential
finger-pointers disappearing by prison or death, I wonder if
Braverman was disposed of by the Clintons or if Wikileaks helped him disappear to
protect him from nefarious designs by the Clintons or Dem Party Cleaners.
On December 29, 2016 a Joint Analysis Report (JAR) was
released as the combined work of the FBI and Department of Homeland Security
(DHS) entitled, “GRIZZLY STEPPE – Russian Malicious Cyber
Activity”. The report definitely fingers Russian hacking. Here
is the PDF first paragraph:
This Joint Analysis Report (JAR)
is the result of analytic efforts between the Department of Homeland Security
(DHS) and the Federal Bureau of Investigation (FBI). This document provides technical
details regarding the tools and infrastructure used by the Russian civilian and
military intelligence Services (RIS) to compromise and exploit networks and
endpoints associated with the U.S. election, as well as a range of U.S.
Government, political, and private sector entities. The U.S. Government is referring
to this malicious cyber activity by RIS as GRIZZLY STEPPE.
“RIS” is the acronym for Russian Intelligence Services.
Meaning more than one specific Russian intelligence agency was involved in
hacking the DNC.
Here are some articles that do a decent job in translating
the technical language of the report into normal English:
The Guardian:
…
The government report follows
several from the private sector, notably a lengthy section in a Microsoft
report from 2015 on a hacking team referred to as “advanced persistent threat
28” (APT 28), which the company’s internal nomenclature calls Strontium and
others have called Fancy Bear. Also mentioned in the government document is
another group called APT 29 or Cozy Bear.
…
The Microsoft report contains a history
of the groups’ operation; a report by security
analysts ThreatConnect describes the team’s modus operandi; and competing firm
CrowdStrike detailed the attack on the
Democratic National Committee shortly before subsequent breaches of the
Democratic Congressional Campaign Committee and the Hillary Clinton campaign
were discovered.
Security experts on Twitter
criticized the government report as too basic. Jonathan Zdziarski, a highly
regarded security researcher, compared the joint action report to a child’s activity center.
Tom Killalea, former vice-president
of security at Amazon and a Capital One board member, wrote: “Russian attack on DNC similar to so many other
attacks in past 15yrs. Big question: Why such poor incident response?”
…
READ ENTIRETY (FBI
and Homeland Security detail Russian hacking campaign in new report; By Sam Thielman; The
Guardian; 12/29/16 17.19 EST)
…
If anyone is like me, when I read
the above I became very excited. This was a clear statement from the White
House that they were going to help network defenders, give out a combination of
previously classified data as well as validate private sector data, release
information about Russian malware that was previously classified, and detail
new tactics and techniques used by Russia. Unfortunately, while the intent was
laid out clearly by the White House that intent was not captured in the DHS/FBI
report.
…
The report is intended
to help network defenders; it is not the technical evidence of attribution
There is no mention of the focus of
attribution in any of the White House’s statements. Across multiple statements
from government officials and agencies it is clear that the technical data and
attribution will be a report prepared for Congress and later declassified
(likely prepared by the NSA). Yet, the GRIZZLY STEPPE report reads like a poorly
done vendor intelligence report stringing together various aspects of
attribution without evidence. The beginning of the report (Figure 2)
specifically notes that the DHS/FBI has avoided attribution before in their
JARs but that based off of their technical indicators they can confirm the
private sector attribution to RIS.
…
But why is this so bad? Because it
does not follow the intent laid out by the White House and confuses readers to
think that this report is about attribution and not the intended purpose of
helping network defenders. The public is looking for evidence of the
attribution, the White House and the DHS/FBI clearly laid out that this report
is meant for network defense, and then the entire discussion in the document is
on how the DHS/FBI confirms that APT28 and APT29 are RIS groups that
compromised a political party. The technical indicators they released later in
the report (which we will discuss more below) are in no way related to that attribution
though.
Or said more simply: the written
portion of the report has little to nothing to do with the intended purpose or
the technical data released.
Even worse, page 4 of the document
notes other groups identified as RIS (Figure 4). This would be exciting
normally. Government validation of private sector intelligence helps raise the
confidence level of the public information. Unfortunately, the list in the
report detracts from the confidence because of the interweaving of unrelated
data.
As an example, the list contains
campaign/group names such as APT28, APT29, COZYBEAR, Sandworm, Sofacy, and
others. This is exactly what you’d want to see although the government’s
justification for this assessment is completely lacking (for a better
exploration on the topic of naming see Sergio
Caltagirone’s blog post here). But as the list
progresses it becomes worrisome as the list also contains malware names (HAVEX
and BlackEnergy v3 as examples) which are different than campaign names.
Campaign names describe a collection of intrusions into one or more victims by
the same adversary. Those campaigns can utilize various pieces of malware and
sometimes malware is consistent across unrelated campaigns and unrelated
actors. It gets worse though when the list includes things such as “Powershell
Backdoor”. This is not even a malware family at this point but instead a
classification of a capability that can be found in various malware families.
Or said more simply: the list of
reported RIS names includes relevant and specific names such as campaign names,
more general and often unrelated malware family names, and extremely broad and
non-descriptive classification of capabilities. It was a mixing of data types
that didn’t meet any objective in the report and only added confusion as to
whether the DHS/FBI knows what they are doing or if they are instead just
telling teams in the government “contribute anything you have that has been
affiliated with Russian activity.”
…
In some locations in the CSV the indicators are IP
addresses with a request to network administrators to look for it and in other
locations there are IP addresses with just what country it was located in. This
information is nearly useless for a few reasons. First, we do not know what
data set these indicators belong to (see my previous point, are these IPs for
“Sandworm”, “APT28”, “Powershell” or what?). Second, many (30%+) of these IP
addresses are mostly useless as they are VPS, TOR exit nodes, proxies, and
other non-descriptive internet traffic sites (you can use this type of
information but not in the way being positioned in the report and not well
without additional information such as timestamps). Third, IP addresses as
indicators especially when associated with malware or adversary campaigns must
contain information around timing. I.e. when were these IP addresses associated
with the malware or campaign and when were they in active usage? IP addresses
and domains are constantly getting shuffled around the Internet and are mostly
useful when seen in a snapshot of time.
…
So what’s the problem? All but the
two hashes released that state they belong to the OnionDuke family do not
contain the appropriate context for defenders to leverage them. Without knowing
what campaign they were associated with and when there’s not appropriate
information for defenders to investigate these discoveries on their network.
They can block the activity (play the equivalent of whack-a-mole) but not
leverage it for real defense without considerable effort. Additionally, the
report specifically said this was newly declassified information. However,
looking at the samples in VirusTotal Intelligence (Figure 7) reveals that many of
them were already known dating back to April 2016.
…
The
only thing that would thus be classified about this data (note they said newly
declassified and not private sector information) would be the association of
this malware to a specific family or campaign instead of leaving it as
“generic.” But as noted that information was left out. It’s also not fair to
say it’s all “RIS” given the DHS/FBI’s inappropriate aggregation of campaign,
malware, and capability names in their “Reported RIS” list. As an example, they
used one name from their “Reported RIS” list (OnionDuke) and thus some of the
other samples might be from there as well such as “Powershell Backdoor” which
is wholly not descriptive. Either way we don’t know because they left that
information out. Also as a general pet peeve, the hashes are sometimes given as
MD5, sometimes as SHA1, and sometimes as SHA256. It’s ok to choose whatever
standard you want if you’re giving out information but be consistent in the
data format.
…
The report goes beyond
indicators to include new tradecraft and techniques used by the Russian
intelligence services
The report was to detail new
tradecraft and techniques used by the RIS and specifically noted that defenders
could leverage this to find new tactics and techniques. Except – it doesn’t.
The report instead gives a high-level overview of how APT28 and APT29 have been
reported to operate which is very generic and similar to many adversary
campaigns (Figure 8). The tradecraft and techniques presented specific to the
RIS include things such as “using shortened URLs”, “spear phishing”, “lateral
movement”, and “escalating privileges” once in the network. This is basically
the same set of tactics used across unrelated campaigns for the last decade or
more.
…
This ultimately seems like a very
rushed report put together by multiple teams working different data sets and
motivations. It is my opinion and speculation that there were some really good
government analysts and operators contributing to this data and then report
reviews, leadership approval processes, and sanitation processes stripped out
most of the value and left behind a very confusing report trying to cover too
much while saying too little.
We must do better as a community.
This report is a good example of how a really strong strategic message (POTUS
statement) and really good data (government and private sector combination) can
be opened to critique due to poor report writing. -READ ENTIRETY (Critiques
of the DHS/FBI’s GRIZZLY STEPPE Report; By Robert
M. Lee; 12/30/16)
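The critique above says indicators are hard to use without campaign context, a time window for IP addresses, and a consistent hash format. The following Python sketch is an added example, not code from the original post, the JAR, or Robert M. Lee's article; it checks an indicator feed for those three gaps. The column names and every sample row are constructed for illustration and are assumptions, not data from the report.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample feed (not from the JAR); column names are assumptions.
SAMPLE_CSV = """indicator,type,campaign,first_seen,last_seen
203.0.113.7,ip,,,
198.51.100.23,ip,EXAMPLE-CAMPAIGN,2016-03-01,2016-04-15
d41d8cd98f00b204e9800998ecf8427e,hash,,,
da39a3ee5e6b4b0d3255bfef95601890afd80709,hash,EXAMPLE-FAMILY,2016-04-02,
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,hash,,,
not-a-hash,hash,,,
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def hash_algorithm(value):
    """Infer the digest algorithm from hex length; None if not a known digest."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]+", v):
        return HASH_LENGTHS.get(len(v))
    return None

def lint_indicators(csv_text):
    """Return (findings, hash_algo_counts) for an indicator feed."""
    findings = []
    algos = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ind, problems = row["indicator"].strip(), []
        if row["type"] == "ip":
            try:
                ipaddress.ip_address(ind)
            except ValueError:
                problems.append("invalid-ip")
            # An IP is only meaningful for the window it was in adversary use.
            if not (row["first_seen"] and row["last_seen"]):
                problems.append("no-time-window")
        elif row["type"] == "hash":
            algo = hash_algorithm(ind)
            if algo is None:
                problems.append("unknown-hash-format")
            else:
                algos[algo] += 1
        if not row["campaign"]:
            problems.append("no-campaign-context")
        if problems:
            findings.append((ind, problems))
    if len(algos) > 1:
        findings.append(("<feed>", ["mixed-hash-algorithms"]))
    return findings, dict(algos)

if __name__ == "__main__":
    for indicator, problems in lint_indicators(SAMPLE_CSV)[0]:
        print(indicator, ", ".join(problems))
```

Rows that pass every check, such as the second sample IP, produce no finding; everything else is listed with the context a defender would need before acting on it.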
So, I’m not an expert, but the JAR data suggests a
combination of RIS and private hackers. Because of the lackluster specific
finger pointing in the JAR data made public, how the DNC had their server data
dispersed is still up in the air.
A whistleblower could have sent data to a private Russian
hacker, which the RIS picked up, and then either the RIS or private Russian
hacker dispersed the data to Wikileaks.
Of course, either way, there is something rotten going on in
Russia in connection with American private and public organizations. As such, some
kind of American response should proceed. HOWEVER, the deed was done and the
DNC and Crooked Hillary have been exposed as just as corrupt and manipulative
as anything of Russian origin. ERGO, the DNC and the Crooked Hillary campaign
must be investigated as well. EVEN IF THE SOURCE IS AN OUTSIDE HACKER!
JRH 1/1/17
****************
REPORT – Clinton Foundation CEO Disappears, Media HIDING
What REALLY Happened
Email alert sent December 31, 2016
Someone has to step up and ask questions about the
disappearance of Eric Braverman, the Clinton Foundation CEO from 2013 to 2015,
or no one will!
Eric Braverman disappeared in October, just a few weeks
before Hillary Clinton’s defeat sent shock waves through Washington, D.C. and
liberal cities across the country. So far, few outside the political
blogosphere even knew the man existed, let alone disappeared without a trace.
Why are the mainstream media ignoring the disappearance of a
top-level Clinton Foundation official? Perhaps because many have speculated
Braverman went into hiding after an email mentioning his name surfaced on WikiLeaks just
days before he went missing.
In a leaked email from March 2015, Center for American
Progress President Neera Tanden told Hillary Clinton’s campaign manager and
longtime pal, John Podesta, that they had a mole within the Clinton
Foundation. In his responding email, Podesta told Tanden the mole was none
other than Eric Braverman, the Stream reports.
Shortly before the emails between John Podesta and Neera
Tanden had taken place, Braverman abruptly resigned as the CEO of the Clinton
Foundation. Almost immediately after WikiLeaks made the emails
public, the former executive completely vanished.
This not only sounds like a story in dire need of good old
fashioned investigative reporting—it sounds like the makings of a television
movie special. Once upon a time, a real free press would be all over the sudden
disappearance of a top official who worked for a former president and a former
Oval Office contender.
The last evidence of Eric Braverman being active on a public
level was on October 12. He made a post to Twitter, which he reportedly did
about once a month.
Braverman’s partner, Neil Brown, has reportedly not tweeted
since August. The former Clinton Foundation CEO is still listed as a lecturer
at Yale where he has given speeches for the past several years.
Craig Murray, a former British ambassador to Uzbekistan and
close friend of WikiLeaks founder Julian Assange, claims the
leaked emails from the Democrat Party were not taken by the Russians but
by a disgruntled insider. Could this have been Eric Braverman, who sadly got
caught up in his own behind-the-scenes whistleblowing on the Clintons?
Braverman was allegedly hired as the Clinton Foundation CEO
by Chelsea Clinton, who wanted to find and clean up any corruption within the
family charity. Braverman was allegedly forced out of the job by John Podesta.
Chelsea was allegedly very upset by examples of misspent
funds. One example of such corruption was the more than $1 billion Bill Clinton
raised to rebuild 100 villages in India. Reportedly, only $53 million was ever
actually spent on the project.
Please share this story on Facebook and tell us what you
think because we want to hear YOUR voice! You can also reach out to me on
Twitter at @AP_SgtFreefall to discuss
this story.
_________________
Is Braverman a Victim or Hidden?
John R. Houk
© January 1, 2017
_______________
REPORT – Clinton Foundation CEO Disappears, Media HIDING What
REALLY Happened
The Angry Patriot Copyright © 2017.
About Sgt. Freefall – Angry Patriot
The Making of Sergeant Freefall
Some people are born angry, some are made angry through tragic life
events. The latter is true for Marine Gunnery Sergeant Freefall.
While we sat in front of our TVs in horror on 9/11, a family of
American Eagles was tragically destroyed. Sgt. Freefall’s parents created a
nest at the top of the World Trade Center in early August. They thought they
had found the perfect home to raise a family. Soon thereafter, Sgt. Freefall’s
mother laid her first egg.
Unfortunately, just as the egg was ready to hatch, the terrorist
attack took place in New York City. While Sgt. Freefall’s mother and father
were killed in the bombing, the egg fell from the sky and miraculously landed
in the hands of a fireman. Inspired by these events, that fireman would join
the Marines to fight for his country.