Hello Kossacks,
I felt this story has gone under-reported and analyses of it have been underwhelming, so I thought I would take a stab at it. I'm a native Tennessean and have the CompTIA Security+ certification, so I thought this story would be right up my alley.
Much of this is speculation, and I'm not betting the farm on this. I would very well be wrong and this is all indeed a complete hoax. But I think too many dismiss this story as a hoax; when you apply Occam's razor and take the simplest explanation, it points to it being more likely true than false.
Below the fold, I'll explain...
First, let's look at some of the statements released by the alleged attackers:
Romney's 1040 tax returns were taken from the PWC office 8/25/2012 by gaining access to the third floor via a gentleman working on the 3rd floor of the building. Once on the 3rd floor, the team moved down the stairs to the 2nd floor and set up shop in an empty office room. During the night, suite 260 was entered, and all available 1040 tax forms for Romney were copied. A package was sent to the PWC on suite 260 with a flash drive containing a copy of the 1040 files, plus copies were sent to the Democratic office in the county and copies were sent to the GOP office in the county at the beginning of the week also containing flash drives with copies of Romney's tax returns before 2010. A scanned signature image for Mitt Romney from the 1040 forms was scanned and included with the packages, taken from earlier 1040 tax forms gathered and stored on the flash drives.
We were able to gain access to your network file servers and copy over the tax documents for one Willard M Romney and Ann D Romney. We are sure that once you figure out where the security breach was, some people will probably get fired but that is not our concern.
Note that there is no mention of them actually "hacking" into PricewaterhouseCoopers' computer systems by exploiting a security vulnerability or through malware. From what I can see, the alleged theft used old-fashioned social engineering techniques. Most articles dismiss the threat as a hoax because PricewaterhouseCoopers released the following statement denying that they detected any hacking into their systems:
We are aware of the allegations that have been made regarding improper access to our systems. We are working closely with the United States Secret Service, and at this time there is no evidence that our systems have been compromised or that there was any unauthorized access to the data in question.
Notice how carefully parsed the words are. They mention "unauthorized access" - however, it is entirely possible that there was no hacking involved. The attackers might have discovered an employee's username and password, for example, by tricking someone into revealing it or by surfing the office for a sticky note with a password written on it (you'd be surprised how often improperly trained employees do this). Depending on how detailed the server access logs are, this may or may not have shown up in the records - but if the attackers used an employee's stolen credentials, it probably would not have raised a red flag, because the activity looks like a legitimate login. It is also possible that the attackers were skilled enough to edit the server logs and leave no traces.
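To illustrate the point about access logs, here is an added example that is not from the original post: a small Python screen that reads a constructed file-server access log, learns which workstation each account normally uses, and then flags accesses made with valid credentials that still look wrong (a host the account has never used, after-hours activity, or a burst of reads in quick succession). The log format, account names, hosts and paths are all invented for this example; PwC's real logging is not known.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample file-server access log (not real PwC data): time, account, source host, action, path
SAMPLE_LOG = """\
2012-08-20T09:12:03 jdoe WS-0341 READ /tax/clientA/2010_1040.pdf
2012-08-22T16:30:44 jdoe WS-0341 READ /tax/clientB/2011_1040.pdf
2012-08-25T23:41:09 jdoe WS-0917 READ /tax/clientA/2008_1040.pdf
2012-08-25T23:41:15 jdoe WS-0917 READ /tax/clientA/2007_1040.pdf
2012-08-25T23:41:22 jdoe WS-0917 READ /tax/clientA/2006_1040.pdf
2012-08-26T08:55:02 mlee WS-0122 READ /tax/clientC/2011_1040.pdf
"""
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 treated as normal working hours (assumption)

def parse_log(text):
    """Parse the space-separated format assumed above into dicts."""
    entries = []
    for line in text.splitlines():
        ts, user, host, action, path = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host, "action": action, "path": path})
    return entries

def build_baseline(entries, before):
    """Per account, the hosts it was seen on before `before`: its normal workstation(s)."""
    hosts = defaultdict(set)
    for e in entries:
        if e["ts"] < before:
            hosts[e["user"]].add(e["host"])
    return hosts

def flag_credential_misuse(entries, baseline, burst_window_s=60, burst_min=3):
    """Return (entry, reasons) for valid-credential accesses that still look wrong."""
    flagged = []
    reads = defaultdict(list)  # (account, host) -> recent READ timestamps, for burst detection
    for e in entries:
        reasons = []
        if e["user"] in baseline and e["host"] not in baseline[e["user"]]:
            reasons.append("new host for account")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if e["action"] == "READ":
            key = (e["user"], e["host"])
            reads[key] = [t for t in reads[key] if (e["ts"] - t).total_seconds() <= burst_window_s] + [e["ts"]]
            if len(reads[key]) >= burst_min:
                reasons.append("bulk read burst")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def analyse(text=SAMPLE_LOG, baseline_before=datetime(2012, 8, 25)):
    entries = parse_log(text)
    return flag_credential_misuse(entries, build_baseline(entries, baseline_before))
```

Nothing in the flagged lines is a failed login or an exploit; the account and password are valid, which is exactly why a plain "was there a breach?" check comes back clean unless someone compares the access pattern against the account's normal behaviour.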
Their story seems very plausible: it is a textbook social engineering attack called tailgating. Often, the human element is the weakest link in the security chain. We Tennesseans are a polite, trusting folk. We'll hold a door open for someone even if it violates our company's security protocol. People in general won't question you if you look like you know what you're doing and look like you belong in a place. I wouldn't be surprised if these attackers dressed in nice business suits and ties, equipped themselves with fake badges and waltzed into the place as if they worked there or were visitors/clients. According to some other news reports on this story, they claim no one even questioned them while they were there.
There are some big questions left to answer if we assume this is just a hoax:
* It doesn't matter if they really have Romney's tax returns or not - they are committing extortion, a federal crime. They had to have known this before getting involved. They had to have known the risks and the scrutiny they'd be subject to. Even if it's just one guy at a keyboard writing up a fake threat who never even went near the PricewaterhouseCoopers office, he would be in big trouble if caught.
* Why did the attackers leave physical evidence by dropping off packages at the Republican and Democratic party county headquarters? This is a considerably risky move - it's sticking their necks out that much farther; it provides the police/FBI/Secret Service a mountain of evidence to track them down and convict them. This is FAR more risky than simply posting an encrypted file on the internet and claiming it contains Romney's tax returns.
* If it is indeed a hoax, then what did those packages contain? Blank sheets of paper? USB flash drives with encrypted Lady Gaga MP3s? What purpose did leaving those packages serve if it is a hoax? Even if they tried to create elaborately faked tax returns, those would have been easily identified as fakes by the Romney campaign and the Secret Service. Providing fake documents and files would only expedite the conclusion that it is a hoax, nix any chance of them getting paid the ransom demand, and abruptly end the life of the prank.
* Take all of the above into account and ask why they would take such a massive risk with an infinitesimally small chance of success (assuming it's a hoax). They don't seem stupid; if their story is true, it would require a reasonable degree of intelligence and competence to pull off. Do you think the extremely high risk of going to jail is worth the brief moment of "lulz" it would provide if this were just a prank?
Assuming this story is true, we can conclude a few other things:
* If the tax returns had merely embarrassing, but not devastating, campaign-ending revelations, then I would expect the attackers would have just let it go and swept up their tracks. It simply wouldn't be worth the risk. But the attacker claims, "The years before 2010 will be of great interest to many."
* The timing is perfect. The attackers claim they obtained the files on August 25, yet the story only came out soon after Romney accepted the nomination. Backing out and choosing an alternative candidate would be extremely messy and embarrassing, and would undoubtedly lead to an Obama landslide victory.
By all accounts, the attackers pursued the method with the highest chance of success and did everything right. I would question their judgement though, on the idea that they'd get paid even if they truly did obtain Romney's tax returns. There is no guarantee that they wouldn't take the money and release the tax returns anyway, just to make Romney look like a fool, and the Romney campaign knows this. But still, if there was a way to obtain and leak Romney's tax returns, their method would have probably been the best way.
I could be wrong. But my gut feeling tells me that we may be surprised on September 28, the day the attackers allege that they will release the returns if they are not paid. Only time will tell…