- BitsBlog - https://bitsblog.com -

Greenwald, Yet Again… And Again

A reader writes:

Hello. I’m sending this as an email instead of a comment because, first of all, I’m not positive I’m reading this right, and secondly, for God’s sake, the last thing I want is to be misinterpreted as defending anything that Greenwald says. Please take this in the spirit of just looking at a good puzzle and wanting to know the truth.

Sure.

Parsing out the email headers, it looks like the path it shows from start to finish is:

INTZEXEVSIZN02.iraq.centcom.mil ([10.70.20.16])

INTZEXEBHIZN01.iraq.centcom.mil ([10.70.20.11])

02exbhizn02.iraq.centcom.mil [214.13.200.111]

rich.salon.com 8.12.11/8.12.11 (note that actually rich.salon.com = 206.80.4.124)

This is key, we’ll get back to it.

There are countless ways to configure email servers and to network multiple servers internally and externally, as I’m sure you are aware. The DoD email network is certainly fairly complicated, with greater attention paid to security than most simple private networks. Looking at that path, I see a couple of things that could be normal, and a couple of things that might be odd.

DoD may have it set to use internal relays before reaching a mail server with public access. That could explain the two internal IPs at the start. The first public address that shows up, 214.13.200.111, does appear to be allocated to DoD. That could be their external mail server that then sent the message to rich.salon.com.

Correct, it was. The trouble is, we don’t know, based on the header, that it actually came from a military computer to get to that military server. Finding an open SMTP port on a forward-facing server isn’t all that hard… particularly, as I say, on a hastily set up Exchange server, which 214.13.200.111 readily ID’d itself as.

As for a few things to question, it’s my experience that the details usually start with the computer that originates the message if they are using a client like Outlook. It could be that in this case the sender used a webmail program running on INTZEXEVSIZN02.iraq.centcom.mil ([10.70.20.16]) to compose the message. Or it could be we are not seeing the entire details. Hard to say. It looks like the public IP for rich.salon.com was obfuscated one way or another, so who knows?

And why would THAT be, do you suppose? If you figure that one out, you’ll better understand why I don’t trust a word of it. Add to that Greenwald’s history with this sort of thing [1] and the conclusion to my mind is inescapable.

The architecture of the network drives some of this, as well as security concerns. When I was in IT, a message from me would have shown a path with my computer name (using Outlook) and the public IP used by the internal network to access the DMZ where the mail server was, the next hop being the mail server and its public IP, and the next hop being the addressee’s mail server. In its simplest form.

Anyway, I think it might just be possible that the header is accurate, but I’m not sure. I thought I’d just let you know.

Thanks much for taking the time. I’ve withheld your name, because I didn’t ask to forward your note… but I thought it worthwhile to the discussion to do so.

Let me be clear, here. The header shows signs of being hacked, to my eye. The line you spec as being out of kilter is in fact out of kilter. So not only was the thing hacked, but it was hacked by someone who doesn’t know thing one about how the stuff works. Greenwaldian history gives us the rest.

Background here [2], here [3] and Memeorandum [4].
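Since the whole argument above turns on reading a chain of Received: lines, here is the kind of header walk the reader describes, as an added example: this is my code, not the reader’s and not anything from the original post. It works on a constructed header block. The host names and addresses are the ones listed in the hop path above, but every Received: line (the folding, the ids, the dates, the “with” banners, the reverse-DNS comments) is invented for illustration and is not the real header. The second sample, which uses the documentation address 192.0.2.77 and the word “unknown” for a missing PTR record, is likewise constructed to show what an injected message would look like. The function names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample. Host names and addresses mirror the hop list quoted in the
# post; the Received: lines themselves (ids, dates, banners, folding) are
# invented for illustration and are NOT the real headers from the story.
SAMPLE_HEADERS = (
    "Received: from 02exbhizn02.iraq.centcom.mil "
    "(02exbhizn02.iraq.centcom.mil [214.13.200.111])\n"
    "\tby rich.salon.com (8.12.11/8.12.11) with ESMTP id AAA00001;\n"
    "\tMon, 1 Jan 2007 00:00:03 +0000\n"
    "Received: from INTZEXEBHIZN01.iraq.centcom.mil ([10.70.20.11])\n"
    "\tby 02exbhizn02.iraq.centcom.mil with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\tMon, 1 Jan 2007 00:00:02 +0000\n"
    "Received: from INTZEXEVSIZN02.iraq.centcom.mil ([10.70.20.16])\n"
    "\tby INTZEXEBHIZN01.iraq.centcom.mil with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\tMon, 1 Jan 2007 00:00:01 +0000\n"
    "Subject: constructed sample, not a real message\n"
)

# Second constructed sample: the same two inner lines (everything after the first
# three physical lines above), but here a host with no reverse DNS, at the
# documentation address 192.0.2.77 (TEST-NET-1, standing in for "somewhere
# outside"), connected to rich.salon.com directly and claimed in HELO to be the
# centcom relay. The inner lines simply arrived as text inside that session.
INJECTED_HEADERS = (
    "Received: from 02exbhizn02.iraq.centcom.mil (unknown [192.0.2.77])\n"
    "\tby rich.salon.com (8.12.11/8.12.11) with ESMTP id AAA00002;\n"
    "\tMon, 1 Jan 2007 00:00:03 +0000\n"
) + SAMPLE_HEADERS.split("\n", 3)[3]

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"      # name the sender announced
    r"(?:\s*\((?P<comment>[^)]*)\))?"          # receiver's view: (rdns [ip])
    r"\s+by\s+(?P<by>\S+)(?:\s*\([^)]*\))?"    # receiving MTA (+ optional version)
    r"(?:\s+with\s+(?P<with>.+?))?"            # protocol / software banner
    r"(?:\s+id\s+\S+)?\s*(?:;|$)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Hop:
    from_host: str            # HELO/EHLO name the sending side claimed
    from_ip: Optional[str]    # peer address the receiving MTA saw, if it logged one
    rdns_host: Optional[str]  # reverse-DNS name the receiver logged, if any
    by_host: str              # MTA that wrote this Received: line
    software: Optional[str]   # its "with ..." clause, e.g. Microsoft SMTPSVC(...)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) to their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Hops in the order the message travelled (origin first).
    Each MTA prepends its own line, so the top line is the LAST hop; reverse it."""
    hops: List[Hop] = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        comment = m.group("comment") or ""
        words = comment.split()
        ip_m = IP_RE.search(comment)
        rdns = words[0] if words and not words[0].startswith("[") else None
        hops.append(Hop(m.group("helo"), ip_m.group(1) if ip_m else None,
                        rdns, m.group("by"), m.group("with")))
    hops.reverse()
    return hops


def audit_path(hops: List[Hop]):
    """(hop number, kind, detail) findings a header reviewer checks first."""
    findings = []
    for n, hop in enumerate(hops, start=1):
        if hop.from_ip is None:
            findings.append((n, "unverified", f"no address logged for {hop.from_host}"))
        elif any(ipaddress.ip_address(hop.from_ip) in net for net in RFC1918):
            findings.append((n, "private", f"{hop.from_host} = {hop.from_ip} (RFC 1918 internal relay or client)"))
        else:
            findings.append((n, "public", f"{hop.from_host} = {hop.from_ip}"))
        if hop.rdns_host and hop.rdns_host.lower() != hop.from_host.lower():
            findings.append((n, "helo_mismatch", f"claimed {hop.from_host}, reverse DNS gave {hop.rdns_host}"))
        if hop.software:
            findings.append((n, "software", f"{hop.by_host} announced {hop.software}"))
        if n < len(hops) and hops[n].from_host.lower() != hop.by_host.lower():
            findings.append((n, "chain_break", f"{hop.by_host} received it, next line claims from {hops[n].from_host}"))
    return findings


def attested_hops(hops: List[Hop], trusted_receivers: Set[str]) -> List[Hop]:
    """Hops whose Received: line was written by an MTA you trust.
    Only such a line attests to the peer address it logged; every line below it
    arrived inside the DATA of that SMTP session and could have been typed by
    whoever connected. The path is verifiable only back to the first trusted receiver."""
    trusted = {h.lower() for h in trusted_receivers}
    return [h for h in hops if h.by_host.lower() in trusted]
```

Run `parse_received` and `audit_path` over `SAMPLE_HEADERS` and you get the picture the reader sketched: two RFC 1918 hops announcing Microsoft SMTPSVC, then one public address handed to rich.salon.com. Run the same over `INJECTED_HEADERS` and the chain still reads as continuous (the forger kept the HELO name), but the receiving MTA’s own line records a peer that does not reverse to the claimed host, and `attested_hops` with `{"rich.salon.com"}` shows how little is actually verified: one hop, one peer address, and nothing about the lines beneath it. That is the point of the open-SMTP-port objection in code form.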