Tuesday, November 24, 2009

Climategate hack used open proxies

More details are emerging about the "Climategate" hack. It appears that the hacker used an "open proxy" in order to hide the origin of the attack. However, the hacker may have made a mistake, and a review of the logs at RealClimate and ClimateAudit may reveal his/her identity.

As this post describes, the hacker made a comment to a ClimateAudit blog post from IP address 82.208.87.170. If we Google that IP address, we see that it is indeed an open proxy. We don't know the hacker's real IP address.

An "open proxy" is a machine that has been misconfigured to forward requests back out to the Internet. Hackers constantly rescan the Internet looking for these open proxies, usually HTTP proxies at ports 80, 8080, and 3127, or SOCKS at port 1080. Hacker websites maintain lists of active misconfigured proxies. When hackers want to be anonymous, they choose one of these proxies at random, they configure their web browser to go through the proxy. In this manner, anything they do appears to come from the proxy's IP address, and not from the hacker's IP address.

You can use this open proxy yourself to hide your identity. In Firefox, go to "Tools", "Options", "Advanced", "Network", "Settings" to open the proxy dialog box. Then do a "Manual proxy configuration", setting the "HTTP Proxy" to 82.208.87.170, and the port to 8080.

After that, you should be able to browse the Internet just fine (albeit slowly). I went to the Google search page, but was redirected to the Russian version. Open proxies are a great way to see how the rest of the world browses the Internet.

However, there is a flaw. Most proxies also forward the original IP address as a separate field in the web request. I set my browser to the above proxy, and looked at the resulting HTTP request headers. I found the proxy added the header "X-Forwarded-For:" with my original IP address.

Most web server logs ignore the "X-Forwarded-For:" header, which means that this information is lost forever. However, if RealClimate or ClimateAudit has some advanced logging enabled, then they might be able to discover the original IP address.
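The point above is that the header survives only if the server is configured to record it (Apache's `LogFormat` can do so with `%{X-Forwarded-For}i`, nginx with `$http_x_forwarded_for`). The following is an added example, not code from the original post, showing how a log reviewer would recover the proxy chain both from a raw HTTP request and from log lines that carried the header. The two proxy addresses are the ones named in the post; every other address, the hostname `blog.example`, and the log layout (combined format with the header appended as a last quoted field) are constructed assumptions.

```python
"""
Added example (not from the original post): recover the proxy chain that
an X-Forwarded-For header exposes, from a raw HTTP request and from
web-server log lines configured to record the header.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Optional

# Apache "combined" format with one extra quoted field appended, as
# LogFormat "... \"%{X-Forwarded-For}i\"" writes it (assumption: the field
# is last; "-" means the header was absent from the request).
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request; names are lowercased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def forwarded_chain(value: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into valid addresses, left to right.
    Tokens such as "unknown" or "-" are dropped rather than trusted."""
    chain: List[str] = []
    for tok in (value or "").split(","):
        tok = tok.strip()
        try:
            chain.append(str(ip_address(tok)))
        except ValueError:
            continue
    return chain


def attribute(peer: str, xff: Optional[str]) -> Dict[str, object]:
    """Combine the TCP peer (what ordinary logs record) with the header.

    The leftmost X-Forwarded-For entry is the *claimed* original client;
    everything to its right, plus the peer itself, forwarded the request.
    The header is written by whoever sends it, so the claim is evidence to
    correlate with other logs, not proof of origin.
    """
    chain = forwarded_chain(xff)
    return {
        "peer": peer,
        "claimed_origin": chain[0] if chain else None,
        "proxies": (chain[1:] + [peer]) if chain else [],
    }


def attribute_request(raw: bytes, peer: str) -> Dict[str, object]:
    """Attribute a raw request received from the given TCP peer."""
    return attribute(peer, parse_headers(raw).get("x-forwarded-for"))


def attribute_log_line(line: str) -> Optional[Dict[str, object]]:
    """Attribute one log line; returns None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    xff = m.group("xff")
    return attribute(m.group("peer"), None if xff in (None, "-") else xff)


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    """Attribute every parseable log line, skipping unparseable ones."""
    return [r for r in map(attribute_log_line, lines) if r is not None]


# Constructed sample data. 82.208.87.170 and 212.116.220.100 are the proxies
# named in the post; 198.51.100.23, 203.0.113.9 and 10.0.0.5 are made up.
SAMPLE_REQUEST = (
    b"POST /wp-comments-post.php HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"X-Forwarded-For: 198.51.100.23\r\n"
    b"Via: 1.1 proxy\r\n"
    b"\r\n"
    b"comment=A+miracle+just+happened"
)

SAMPLE_LOG = [
    '82.208.87.170 - - [17/Nov/2009:07:24:00 +0000] "POST /wp-comments-post.php HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0" "198.51.100.23"',
    '212.116.220.100 - - [19/Nov/2009:12:00:00 +0000] "GET /FOIA.zip HTTP/1.1" '
    '200 61234 "-" "Mozilla/5.0" "-"',
    '203.0.113.9 - - [19/Nov/2009:12:01:00 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "curl/7.19" "unknown, 198.51.100.23, 10.0.0.5"',
]

if __name__ == "__main__":
    print(attribute_request(SAMPLE_REQUEST, "82.208.87.170"))
    for entry in summarize(SAMPLE_LOG):
        print(entry)
```

The second sample line is the case the post describes: the peer is an open proxy but no header was recorded, so nothing about the origin survives. The third line shows why the leftmost entry is treated as a claim: a chain can contain junk tokens and private addresses, and any client can send the header itself.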

The RealClimate website (which was attacked by the hacker) makes this claim:
The use of a Turkish computer would seem to imply that this upload and hack was not solely a whistleblower act, but one that involved more sophisticated knowledge.
This is not true. Using open proxies requires no sophisticated knowledge at all - as this blog post shows.

So, the timeline appears to be:
  • Oct 12: somebody sends the same e-mails to BBC journalist Paul Hudson.

  • Nov 12: sometime after this date, the hacker grabs the files and puts them into a ZIP.

  • Nov 17 6:20am: Hacker uploads the file to http://www.realclimate.org/FOIA.zip from an IP address "somewhere in Turkey".

  • Nov 17 7:24am: Hacker posts a comment to the ClimateAudit blog saying "A miracle just happened" with a link back to the RealClimate ZIP file. Hacker proxied through 82.208.87.170:8080.

  • Nov 17 "a few hours later": RealClimate admins discover the hack and remove the file.

  • Nov 19: Hacker posts file to open FTP server in Russia.

  • Nov 19: Hacker posts to Air Vent blog pointing to the FTP ZIP. Hacker uses proxy 212.116.220.100:443, an open proxy in Saudi Arabia.

RealClimate hasn't said exactly how their website was "hacked into". I'm guessing a PHP bug found by an average webapp scanner. Their Archive page appears broken, giving the following raw PHP code instead. I assume that's where the hacker broke in:
Archives by Month: <?php wp_get_archives('type=monthly'); ?> Archives by Category: <?php wp_list_cats(); ?>
UPDATE: Commenters at ClimateAudit point out a simpler explanation of the RealClimate hack: several of the people at CRU post at RealClimate. The hacker could simply have pretended to be one of those people requesting to reset the password, then intercepted the e-mail with the new password. This is a common hack: once you have access to a person's e-mail account, you can probably get the password on every other account (banking, blogging, facebook, twitter, etc.) that uses that e-mail address.

CONTEXT

It's useful to repeat some of the context I described in my previous post on this event. Phil Jones, CRU, and the guys at RealClimate produce the most commonly cited papers "proving" that current warming is historically unprecedented. However, they refuse to share their data with critics (in violation of scientific principles). Their biggest critic is Steve McIntyre at ClimateAudit, who has been trying for years to get the data, including most recently, using the Freedom of Information Act (FOI).

9 comments:

Francis Turner said...

Minor nit - the BBC reporter must have had just some of the emails since the zip file contains emails dated November 2009.

The way I read his post is that he was sent the specific thread of emails referring to his article on climate - see http://di2.nu/foia/foia.pl?t=Hudson

Andy said...

The "not sharing" thing is easily explained (see RC's comment threads for details). In a nutshell, some of the data was commercially valuable so they got it with an NDA.

Other data sets *are* freely available and they don't contradict the seekrit squirrel one.

Robert Graham said...

As the e-mails show, they are going to hide behind NDAs as an excuse to prevent disclosure of the data. If they truly cannot share data, then journals should not accept the papers and the IPCC should not use it -- it's the basic principle of science.

All the data behind other sets are not publicly available either.

CanadianSense said...

If the data can not withstand scrutiny from opponents the credibility of the data is suspect.

Jason said...

OK, I find it ironical that you attack CRU for using dodgy numbers, and then casually invent your "80%" insider number. I know you're citing your "gut" here, but come on, on what possible evidence can you make that claim? You say that it looks like one user, Phil Jones, was specifically targeted, and that the attacker likely had some familiarity with the underground hacking scene, based on the use of the Russian FTP server. (Which is pretty weak, but I would agree is the best we can do with the evidence currently in the public domain.) And from that you conclude that the most likely culprit is: a UEA system administrator? I call shenanigans. An insider SA would most likely have access to far more than just one user's emails, and doubtless something like Wikileaks would have been a far more plausible storage location. The evidence would rather seem to suggest a spear-phishing attack against Phil Jones as the most likely vector. That would tend to suggest hack-for-hire. But you don't entertain that possibility, even for a moment. Now you're losing credibility as an INFOSEC professional.

Robert Graham said...

I find it ironical that you attack CRU for using dodgy numbers

I don't claim their numbers are "dodgy". They may turn out to be perfectly correct. I only claim that their results cannot be reproduced. I'm astonished that the scientific method is so little respected these days that few people care whether results can be reproduced.

An insider SA would most likely have access to far more than just one user's emails

The hacker released far more than just Phil Jones's e-mails. He also released source code and a thousand files of climate data.

The evidence would rather seem to suggest a spear-phishing attack against Phil Jones as the most likely vector.

The FOI.ZIP file also contained a lot of data that Phil Jones did not have direct access to.

That would tend to suggest hack-for-hire.

Everything suggests a conspiracy to those looking for it.

But you don't entertain that possibility

I didn't entertain any of the equally plausible possibilities, because it would make the post a hundred pages long.

I did feel compelled to edit my post and add "could've stolen e-mail credentials via public wifi at a climate conference", but only because I'm famous for that specific scenario, not because it's more likely than any other.

Jason said...

OK, apparently, I didn't make my point clearly enough: You made up a statistic. (80% of all such breaches are performed by insiders.) Admittedly, you essentially admit that it's a made up statistic, but when you're quoted, the press managed to leave off that important caveat. Apparently, we in information security have much lower standards than those you would like to impose from the outside upon the climate change community. Apparently, we can just accept what the "gut" of certain famous people tell us, and totally ignore published observational reports that say that only 20% of all data breaches are based upon insider threats. I don't know what the contents of these emails imply for climate science, but I do know something about Information Security, having been a practitioner in the field for over 8 years. Let me ask you plainly, do you really stand by your claim that this is 80% likely the work of an insider, as an objective, defensible claim?

Robert Graham said...

totally ignore published observational reports [from Verizon] that say that only 20% of all data breaches are based upon insider threats

The Verizon report is awesome, although they cover all breaches, such as hackers stealing credit card numbers. This breach has more of a whistleblower/politics feel to it.

Let me ask you plainly, do you really stand by your claim that this is 80% likely the work of an insider, as an objective, defensible claim?

I'll give you $80 when the hacker is caught and found to be an outsider if you'll give me $20 when the hacker is found to have had a legitimate account or physical access to a University of East Anglia computer.

In other words, I can't say it's objective or defensible, but I will stand behind it and put up money based on those odds.

Anonymous said...

It was not the Russians. A Russian gateway/proxy was used to *conceal* identity. Do not forget, the emails were sent much earlier to the BBC who sat on the story for 3 weeks…

It was an insider/whistleblower.

They are the residual emails of a batch which had already been *sanitized* from the CRU systems, in order to illegally prepare an incomplete response for a future (likely successful) FOIA request. The emails in question were *not* going to be provided under a FOIA request.

Note that there is a very small percentage of personal-chatter emails that typically characterize friendly colleagues' familiar communication. Therefore, this lack of small-talk emails points to a deliberate culling. They were going to "leave in" the harmless small talk to be produced under FOIA.

These are deleted emails from a sanitized batch which were foolishly or purposely archived and/or discovered by an insider or whistleblower (perhaps the sanitizer himself). The insider then had pangs of conscience or an axe to grind and released them surreptitiously.

If so, he may enjoy protection under the UK’s Public Interest Disclosure Act of 1998, which was enacted to protect whistleblowers.

For an interesting clue to the possible identity of the whistleblower, see: http://blogs.news.com.au/heraldsun/andrewbolt/index.php/heraldsun/comments/climategate_which_one_blew_the_whistle/