How can we know if the #Wikileaks emails are authentic?

Years ago, spam and phishing sent by email became a big problem. Most such messages originate from mail servers other than the one they claim to come from.

For example, you receive an email that purports to be from the IRS (irs.gov) but in reality came from a server in a different domain, say irs.gov.uk, located in another country.

To counter this, the industry adopted a method of detecting forged or altered email: something like a “digital signature” stamped onto each message by the sending mail server.

If genuine emails originating at irs.gov are digitally signed with a private key that only the irs.gov mail servers hold, then receivers can check whether a message really came from there.

In practice, the sending server computes a cryptographic hash over the message body and a chosen set of header fields (From, To, Subject, Date and so on) and signs that hash with its private key. The result is a very large number, encoded in a DKIM-Signature header field that is added to the top of the message (not appended to the end).

The receiving server fetches the sender's public key from DNS (a TXT record named selector._domainkey.domain, where the selector is named in the signature), recomputes the same hash over the message as it was received, and checks it against the signature. If the check fails, either the message did not originate from the genuine server or its signed content was altered after it was signed.

Exactly how this works is beyond the scope of what I write here (I do have a BS in computer science and an MS in software engineering, but boring you to death is not the purpose of this web site!)

The emails sent from the hacked John Podesta Gmail account were signed by Google's Gmail servers using DomainKeys Identified Mail (DKIM). As long as Google's public key for the selector in use at the time is still available, those signatures can be re-verified to determine whether a message was altered after leaving the Gmail server. Messages received from other domains carry those domains' signatures, or none at all, so not every message in the archive can be checked this way.

In this way, the authenticity of many of the documents in the Wikileaks database can be determined. Could the digital signature be faked? Only by obtaining Google's private signing key or by breaking the RSA key (factoring its modulus). For the 2048-bit keys DKIM usually uses now, no known method does that in any feasible amount of time; it is not a matter of days or weeks of computing, however much hardware is thrown at it. Two caveats remain. DKIM covers only the header fields listed in the signature and the body (or the portion of it declared by an l= tag), so unsigned headers can change without invalidating the signature. And a valid signature shows that Gmail handled the message with that content, not who actually typed it. The Wikileaks database is said to contain 50,000 emails related to the John Podesta Gmail account hack.
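To make the hash-then-sign, fetch-key-then-check description above concrete, here is an added example (not code from the original post, and not Google's or Wikileaks' code): a miniature DKIM signer and verifier. The relaxed canonicalization and the two hashes (bh= over the body, and the signed hash over the listed headers plus the DKIM-Signature field itself) follow RFC 6376. The RSA step is textbook RSA with a small freshly generated key and no PKCS#1 padding, a stand-in for the real 2048-bit keys so the script runs with the standard library only, and the public key is handed to the verifier directly instead of being fetched from DNS. The message, selector and domain are constructed sample data.

```python
"""Miniature DKIM (RFC 6376) sign/verify. Canonicalization and hashing are the
real rules; the RSA step is a textbook stand-in with a demo-sized key."""
import base64, hashlib, re, secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a demo key, not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(bits=512):
    """Textbook RSA: returns (n, e) public key and (n, d) private key."""
    e = 65537
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _is_probable_prime(q) or q == p:
            q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:                       # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def parse_message(raw):
    """Split a CRLF message into [[name, value], ...] headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in " \t" and headers:          # folded continuation line
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return headers, body


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim, keep colon."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", ""))
    return name.lower() + ":" + value.strip() + "\r\n"


def relaxed_body(body):
    """RFC 6376 3.4.4: strip trailing WSP, collapse WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def signed_data(headers, fields, sig_value_without_b):
    """Listed headers (last instance of each) followed by the DKIM-Signature
    field with b= emptied and no trailing CRLF (RFC 6376 3.7)."""
    out = ""
    for field in fields:
        for name, value in reversed(headers):
            if name.lower() == field.lower():
                out += relaxed_header(name, value)
                break
    return (out + relaxed_header("DKIM-Signature", sig_value_without_b).rstrip("\r\n")).encode()


def sign(raw, fields, selector, domain, priv):
    """Return the complete DKIM-Signature header value for a raw message."""
    n, d = priv
    headers, body = parse_message(raw)
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(fields)}; bh={body_hash(body)}; b=")
    digest = int.from_bytes(hashlib.sha256(signed_data(headers, fields, value)).digest(), "big")
    sig = pow(digest, d, n).to_bytes((n.bit_length() + 7) // 8, "big")  # digest < n for a 512-bit key
    return value + base64.b64encode(sig).decode()


def verify(raw, pub):
    """Recompute both hashes over the message as received and check b=."""
    n, e = pub
    headers, body = parse_message(raw)
    sig_value = next(v for name, v in headers if name.lower() == "dkim-signature")
    tags = {}
    for tag in sig_value.split(";"):
        if "=" in tag:
            k, v = tag.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    if body_hash(body) != tags["bh"]:
        return "fail: body hash mismatch (body altered)"
    # A real verifier now looks up <s>._domainkey.<d> in DNS for (n, e); here it is passed in.
    data = signed_data(headers, tags["h"].split(":"), re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value))
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return "pass" if pow(sig, e, n) == expected else "fail: signature mismatch (signed header altered)"


def demo():
    """Sign a constructed message, then verify it intact and after three edits."""
    pub, priv = make_keypair()
    raw = ("From: alice@example.com\r\nTo: bob@example.net\r\n"
           "Subject: quarterly numbers\r\n\r\nThe number is 42.\r\n")
    signed = "DKIM-Signature: " + sign(raw, ["from", "to", "subject"], "sel2016", "example.com", priv) + "\r\n" + raw
    head, sep, body = signed.partition("\r\n\r\n")
    return {
        "original": verify(signed, pub),
        "body_edited": verify(head + sep + body.replace("42", "43"), pub),
        "subject_edited": verify(head.replace("Subject: quarterly", "Subject: annual") + sep + body, pub),
        "whitespace_only": verify(head + sep + body.replace("The number", "The   number"), pub),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

The four cases show what the signature does and does not pin down: changing one digit in the body breaks the body hash, changing the Subject breaks the signature even though the body hash still matches, and adding extra spaces passes because relaxed canonicalization ignores them. Swapping the toy RSA for a real 2048-bit key with PKCS#1 v1.5 padding, and fetching (n, e) from the selector's DNS TXT record, is all that separates this from a real verifier.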

Related: Did the John Podesta Gmail attack require the power of a government agency?

No, absolutely not.

The hackers logged into a single Gmail account. This did not require a complex attack through firewalls and server security. All this required was the user name and password.

How to get the password? The easiest way is a social engineering approach called “phishing”. The attacker sends the target an email that looks legitimate, perhaps warning of a security problem with the account and asking the user to click a link and log back in.

The link, however, leads to a disguised URL that superficially resembles the real one. Victims do not notice the extra characters in the host name, which take them to a fake web site that looks like the legitimate login page. There the target enters their user name and password, which the attacker records.

Among the Wikileaks documents is a phishing email whose link, if clicked, took the user to a web page asking them to log in. It appears the link was clicked. The stolen emails run up to and just past the date this phishing email was received, implying this was the “hack” that gained access to the Gmail account.
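The “extra characters” trick works because people read the familiar name in the link and stop. Here is an added example (not from the original post, and none of the links is the one from the leaked message) of pulling out the host a browser will actually connect to and comparing it with the domain the link pretends to be. The trusted domain, the sample links and the link-text check are constructed assumptions for illustration; it goes a little beyond the text by also covering the user@host and internationalized-hostname variants of the same trick.

```python
"""Which host does a login link really go to? Constructed examples, not the
link from the leaked email."""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "google.com"   # assumption: the service the email claims to be from


def connect_host(url):
    """Host the browser connects to: after any user@ part, before the path, lowercased."""
    return (urlsplit(url).hostname or "").rstrip(".")


def on_domain(host, domain):
    """True only for the domain itself or a real subdomain (dot boundary),
    so google.com-securitysettings.example does not count."""
    return host == domain or host.endswith("." + domain)


def classify(url, domain=TRUSTED_DOMAIN):
    """Return 'trusted' or a reason the link is suspicious."""
    host = connect_host(url)
    if not host:
        return "suspicious: no host"
    if "@" in urlsplit(url).netloc:
        # user-info trick: https://accounts.google.com@evil.example/ goes to evil.example
        return f"suspicious: user-info hides real host {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        # punycode label: the displayed name may be a look-alike of another alphabet
        return "suspicious: internationalized host, possible homograph"
    if not on_domain(host, domain):
        return f"suspicious: host {host} is not under {domain}"
    return "trusted"


def check_link(display_text, href, domain=TRUSTED_DOMAIN):
    """Flag an HTML link whose visible text names one host but targets another."""
    if display_text.startswith("http") and connect_host(display_text) != connect_host(href):
        return f"suspicious: text shows {connect_host(display_text)}, link goes to {connect_host(href)}"
    return classify(href, domain)


SAMPLE_LINKS = [  # constructed
    "https://accounts.google.com/ServiceLogin",
    "https://accounts.google.com-securitysettings.example/login",
    "https://accounts.google.com@evil.example/login",
    "https://google.com.evil.example/",
    "https://accounts.xn--gogle-wqa.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):62} {link}")
    print(check_link("https://accounts.google.com/", "https://evil.example/x"))
```

The dot-boundary test in on_domain is the whole point: a substring match for “google.com” would accept every one of the suspicious links above. Link shorteners defeat this check entirely, since the host is the shortener's; such links have to be expanded first.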

This is not a sophisticated attack. Teen hackers all over the world are capable of launching this type of attack.

Did the Russian government or agents perform this hack? No evidence has been provided to support this assertion. None. In fact, the link in the email went to a server in Ukraine. However, even that tells us little, since the server could be a rented or compromised host, or a proxy, chosen precisely to hide the operator's real location.
