A quick lesson in confirmation bias

In my experience, hacking investigations are driven by ignorance and confirmation bias. We regularly see things we cannot explain. We respond by coming up with a story where our pet theory explains it. Since there is no alternative explanation, this then becomes evidence of our theory, where this otherwise inexplicable thing becomes proof.

For example, take that “Trump-AlfaBank” theory. One of the oddities noted by researchers is lookups for “trump-email.com.moscow.alfaintra.net”. One of the conspiracy theorists explains this as proof of human error: somebody “fat fingered” the wrong name when typing it in, thus proving humans were involved in trying to communicate between the two entities, as opposed to simple automated systems.

But that’s because this “expert” doesn’t know how DNS works. Your computer is configured to automatically append local search suffixes to the end of names, so that you only have to look up “2ndfloorprinter” instead of a full name like “2ndfloorprinter.engineering.example.com”.

When looking up a DNS name, your computer may try to look up the name both with and without the suffix. Thus, sometimes your computer looks up “www.google.com.engineering.example.com” when it wants simply “www.google.com”.

Apparently, Alfabank configures its Moscow computers to have a suffix “moscow.alfaintra.net”. That means any DNS name that gets resolved will sometimes get this appended, so we’ll sometimes see “www.google.com.moscow.alfaintra.net”.

Since we already know there were lookups from that organization for “trump-email.com”, the fact that we also see “trump-email.com.moscow.alfaintra.net” tells us nothing new.

In other words, the conspiracy theorists didn’t understand it, so they came up with their own explanation, and this confirmed their biases. In fact, there is a simpler explanation that neither confirms nor refutes anything.

The reason for the DNS lookups for “trump-email.com” is still unexplained. Maybe they are because of something nefarious. The Trump organizations had all sorts of questionable relationships with Russian banks, so such a relationship wouldn’t be surprising. But here’s the thing: just because we can’t come up with a simpler explanation doesn’t make them proof of a Trump-Alfabank conspiracy. Until we know why those lookups were generated, they are an “unknown” and not “evidence”.

The reason I write this post is because of this story about a student expelled due to “grade hacking”. It sounds like this sort of situation, where the IT department saw anomalies it couldn’t explain, so the anomalies became proof of the theory they’d created to explain them.

Unexplained phenomena are unexplained. They are not evidence confirming your theory that explains them.


*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2019/03/a-quick-lesson-in-confirmation-bias.html