I like reading Brian Krebs’ blog. Brian is awesome at tracking hackers and writing about it. While reading his latest post, Blowing the Whistle on Bad Attribution, my internal response was to keep repeating, “yes yes yes”.
I’m not going to get into his blog post other than to recommend it as a good read about attribution. Now…about kicking in the wrong doors.
My #1 concern as a police officer and detective was arresting the right bad guy. The last thing I ever wanted was to arrest the wrong person (a.k.a. an innocent person). I took more steps to verify that probable cause existed than were probably legally required to arrest the right person, but arresting the wrong person is way worse than missing the right person. Police work was my entry into attribution.
I experienced the effects of wrongful attribution by other investigators in police work. On one occasion, a detective in a task force I was assigned to had worked a drug case that can at best be described as a disaster. This detective, whom I shall not name, typed up an affidavit, swore to it, had the judge sign the search warrant, and gave that search warrant to the SWAT team to serve early one morning. After the SWAT team secured the house, I went in to help with the search. Guess what. Wrong house. Wasn’t even close. I could tell as soon as I walked inside. The ‘right’ house was a block away.
This particular case was due to one sole factor: not doing a good job. The detective never visually identified the right house (and never even looked at the wrong house either). The work was lazy; the detective assumed that she had the right house because the informant told her it was the right house. The funny thing was that the informant gave the correct address, but the detective got even that wrong and never corroborated either the right address or the wrong one. She didn’t even check any records to see who lived at the address the affidavit attested to, or at the right address.
And yes, a friend of mine who was in a different drug unit presented me with a sarcastic, yet humorous, certificate for the detective’s work in the drug case. I still have it as a reminder to never let this happen to me.
Oh well…that doesn’t happen much, right?
It turns out that I saw this happen on more than a few occasions, where the wrong door was kicked in, or the wrong person was arrested, or evidence that was seized and used against someone actually turned out not to be evidence at all. It happens, but it really shouldn’t. I know a prosecutor who had been chilling after work in her living room when her door was kicked in by police error...whoops. Bad attribution with a quick legal settlement.
On the cyber aspect of attribution, the job is way harder than in a traditional criminal case such as a bank robbery or burglary. Traditional crimes require the physical person to be physically present to physically commit the crime on a physical person or physical item of property. The evidence left behind ranges from fingerprints to security camera videos that capture the entire crime as it happens. With digital crimes, not so much. With digital crimes we get deep into guesswork, because we rarely get our hands on the tools used in the crime; all we have is the electronic data we can find, and that data was produced by systems the offender may have controlled.
Let’s get to the point.
Wrongful attribution is more than just wrong; it is dangerous. Attribution of digital crimes is also easy to get wrong, because not only is there less evidence, but the evidence left behind can be intentionally or inadvertently misleading. Malware that looks Russian does not mean that Russia did it. Maybe "Russia" did, maybe they didn’t. Language strings, compiler timestamps, code reuse and shared infrastructure are all artifacts an adversary can choose, so they are indicators to weigh, not proof. Even then, a broad statement that a nation-state, organization, group, or specific person did it cannot be taken as accurate without a lot of corroborating evidence. Maybe the allegation is correct. Maybe it is not.
Even if attribution is spot on (in that you guessed correctly), unless you have the actual devices used and the person in cuffs admitting to it, you really only have assumptions that are difficult at best to prove or disprove. IP addresses can be misleading or intentionally deceptive (proxies, VPNs, compromised hosts, and forged client headers all put someone else’s address in your logs). MAC addresses can be spoofed. Caller ID can be spoofed. Malware can be modified to appear to originate from a specific person or organization. Online claims can be false (someone else takes the credit to get ‘street cred’, or fake online accounts are created to point the blame at an innocent person).
At best, we can only say things like, “Based on what we found, the incident points to Suspect A”, and certainly should not state that “Suspect A did it because our electronic evidence proves it”. Proving that a specific suspect committed a crime is a leap beyond believing that the suspect did it, and the leap requires enough direct and circumstantial evidence to convince a judge or a jury of peers.
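One concrete instance of “IP addresses can be misleading or intentionally deceptive”, as an added example that is not from the original post: a web server behind a load balancer commonly logs whatever the X-Forwarded-For header says as the client address, and that header is written by whoever sent the request. The Python below compares the naive reading of the header with one that only trusts hops appended by proxies you operate. The sample requests, the attacker and victim addresses, and the proxy range (10.0.0.0/8) are all constructed for the example.

```python
# Added example, not code from the original post. It shows why a logged
# "source IP" is a pointer, not proof: the X-Forwarded-For (XFF) header is
# written by whoever sends the request, so a naive log consumer can be made
# to blame any address the sender likes.
from dataclasses import dataclass, field
import ipaddress

# Assumption for this example: our own load balancers live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Request:
    peer_ip: str                        # TCP peer the server actually accepted
    headers: dict = field(default_factory=dict)


def _is_trusted_proxy(addr: str) -> bool:
    """True if addr is syntactically valid and inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def _xff_hops(req: Request) -> list:
    xff = req.headers.get("X-Forwarded-For", "")
    return [h.strip() for h in xff.split(",") if h.strip()]


def naive_client_ip(req: Request) -> str:
    """Common but wrong: believe the leftmost XFF entry, whoever wrote it."""
    hops = _xff_hops(req)
    return hops[0] if hops else req.peer_ip


def trusted_client_ip(req: Request) -> str:
    """Walk the XFF chain from the right (the hop nearest to us) and stop at
    the first address that is not one of our own proxies. Anything further
    left was supplied by the sender and is attacker-controlled."""
    if not _is_trusted_proxy(req.peer_ip):
        # Direct connection: the header is worthless, the TCP peer is the client.
        return req.peer_ip
    for hop in reversed(_xff_hops(req)):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: fall back to the only address we observed ourselves.
            return req.peer_ip
        if not _is_trusted_proxy(hop):
            return hop
    # Every hop was ours, or the header was absent; the proxy is all we can see.
    return req.peer_ip


# Constructed sample traffic. 203.0.113.7 is the attacker; 198.51.100.99 is an
# innocent address the attacker wants the logs to blame.
SAMPLE_REQUESTS = {
    "direct, forged header": Request(
        "203.0.113.7", {"X-Forwarded-For": "198.51.100.99"}),
    "via our proxy, forged header": Request(
        "10.0.0.5", {"X-Forwarded-For": "198.51.100.99, 203.0.113.7"}),
    "via our proxy, honest client": Request(
        "10.0.0.5", {"X-Forwarded-For": "203.0.113.7"}),
}


def attribution_report(requests: dict) -> dict:
    """Return {label: (naive answer, trusted answer)} for each sample request."""
    return {label: (naive_client_ip(r), trusted_client_ip(r))
            for label, r in requests.items()}


if __name__ == "__main__":
    for label, (naive, trusted) in attribution_report(SAMPLE_REQUESTS).items():
        print(f"{label:30s} naive={naive:15s} trusted={trusted}")
```

In both forged cases the naive reading blames 198.51.100.99, an address that never touched the server. Note that even the trusted answer only names the last hop we did not operate, which can be a VPN exit, a relay, or a compromised box; it points to an address, it does not prove who was at the keyboard.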
I don’t fault anyone making bad attributions as long as everyone knows that without hard evidence, we are only making assumptions. It’s only human nature to assume, especially if emotions and bias are involved. I can’t count the number of times a victim told me that he knew who victimized him when, in actuality, he was only assuming who did it based on his emotion, not on any evidence. If police officers ran out and arrested people based on their feelings or mere suspicions, we’d be living in a way different country. We shouldn’t be doing that in cyber cases either.