Why Climategate was not a computer hack.
In the year since the Climategate material became public, I’ve read many articles on the effect the publication has had on the AGW debate. When it is referred to as a hack in them, I usually don’t bother reading any further. If the writer of the article is gullible enough to accept the silly proposition that it was a hack, then it won’t contain anything much in the way of insight; just the usual alarmist party line. If the writer does know better, then the article is disingenuous and the writer is being fundamentally dishonest.
The Climategate material proved to be explosive but I seriously doubt that prior to its publication, anyone would have thought it could be. None but the most hardened campaigners on the skeptic side of the debate had ever heard of the Climate Research Unit (CRU) of the University of East Anglia (UEA). It really wasn’t on anyone’s radar and neither was its email correspondence. There was simply no good reason to hack into their systems but in an effort to dispel that myth, I’ll sketch out the amount of work such a hack would have entailed.
The publication of the Climategate material represents a breach of security. For this to have occurred, one or more parties would need to have gained access to the material. Such access could have been obtained legally by an internal party in the normal course of their duties, or by an external party who had no legal right to the material. The respective terms are internal and external security breach, though in the context of Climategate they are usually described as either the leak or the hack of the Climategate emails.
Industry numbers say that 80% of all reported security breaches are internal but I and most other people with knowledge of the area would say the real figure is nearer 90% or upwards. If one of the Great Whites out there in cyberspace comes after you, it’s because you have information or a particular dataset that is of real value to them and they’re prepared to work very very hard to get it. They have the patience of Job.
Despite what Hollywood would have you believe, pulling off a successful external hack is far from easy. It requires skill, talent, detailed technical knowledge and above all, patience. Hackers come in three flavours: script kiddies, ascendants and what I like to call the Great Whites.
Script kiddies just find scripts lying about the internet and run them, hoping they’ll achieve whatever it says on the can.
Ascendants are graduate script kiddies who are learning to write their own scripts and are perhaps delving deeper into the manuals. They tend to trade scripts with each other and to share some of them with the kiddies for reasons of ego and status. It’s a King of the Kids thing.
The overwhelming majority of them never graduate to Great White simply because it requires a massive amount of effort to master the technical requirements and, I would have to say, dedication. They also lack that last but most important ingredient; the nerve to go after hardened targets with a jail sentence attached as the punishment for failure.
The very few who make it to Great White drop off everyone’s radar and are never heard from again, except for their work, and only when it’s detected. If I have to go looking for them, I usually start with their juvenile activities because that’s where they’ll have made the mistakes I can use to start locating them. The art, of course, is matching the adult’s style with the juvenile’s exploits, their ‘fist’ if you will. That’s why I spend some time watching the ascendants I think are showing some promise.
If the Climategate breach was a result of a hack, then it would have to have been done by a Great White. This outline analysis of a classical frontal assault on an organisation should make that point. I’ve organised it into distinct phases, giving an insight into what each one is about.
There are some things to bear in mind while reading this article. The intended audience is the general reader; no great knowledge of IT is assumed. Where it’s come down to technical accuracy or clarity, I’ve chosen the latter. It’s about technique rather than bits or bytes. It is not intended to be nor can it be used as a guide to hacking. Finally, it is not definitive in the sense that there are a myriad of other ways of achieving the same end.
A well constructed attack will begin with a non-invasive reconnaissance phase for information. The objective of this phase is to build up a detailed view of the organisation; its departmental structure, where its buildings are located, who works in the organisation and their roles, who their external suppliers are and the services supplied, any other organisations they interact with and pretty much anything else that can be found out.
Google is the prime reconnaissance tool here. It will be used in a totally exhaustive search to find every piece of information on the organisation. As each new item of information is found, it in turn is used to find out more. For example, when a name is found, an effort would be made to get that person’s resume or CV, especially for IT personnel. Their areas of technical expertise are a good guide to the exact type of systems running inside the organisation. Why recruit them otherwise?
Slightly more intrusive “social engineering” techniques may also be used. Social engineering is essentially tricking information out of people and is an art form in its own right. For example, to obtain CVs one could set up a minimal but very discreet headhunting recruitment site and simply request the CVs (under the strictest of confidence, of course). That one nearly always works.
Mapping and fingerprinting.
The next phase is to build a detailed technical picture of all the networks and computer systems of the target organisation. This would include determining all services running and each service’s manufacturer and the exact software version, all network connections; internal and external and of course all communications protocols in use.
All networked computers have what are called ports. Think of them as numbered doorways into and out of the computer through which packets of data flow. They are a feature of the network protocols (TCP and UDP) rather than of any particular chip; each protocol has 65,535 usable port numbers, and a service usually listens on one or more of them. For instance, email usually uses separate ports for sending mail (SMTP, port 25) and for a user’s mail program collecting it (POP3 on port 110 or IMAP on port 143). Other services, such as a web server on port 80, use just one.
There are several methods used to map the layout of the target but they all rely largely on sending small probe packets to selected ports and examining the result. The packets transmitted may be standard or deliberately malformed to provoke a response.
Determining what services are running is done in a similar manner, but something called banners can be a help here. When a client or another server connects to a service such as a mail server, the two sides first have to establish a communications protocol, and many services open that conversation by sending a greeting line, the banner. A mail server’s greeting, for example, may announce the name of the software and sometimes its version. Banners can be suppressed, and the protocols are of course standardised, but each manufacturer’s implementation has its own nuances in how it responds to ordinary and to unusual requests, and those nuances can be used to identify the software and its version just the same.
Using these and other methods, the services detected would be “fingerprinted” and the exact manufacturer and software versions determined.
Now that all the technical details of the target’s systems are known, the actual breach can be attempted. It is the most dangerous phase since being noisy or clumsy will set off alarms. Like all internal work, it’s done in the middle of the night in the timezone of the target, allowing some time to recover from any mistakes. There are a number of ways of doing this but I’ll outline just two of the approaches. There are a lot more.
The classic technique is that since they now know the versions of the software, they consult the relevant manufacturer’s website to determine which security patches have been issued for that version and which holes each one closes. Armed with this information, they next try to exploit each vulnerability in turn, hoping the security patch has not been applied to the software. If just one works, they’re into the system.
The quality end of the market tend to take a more difficult but safer approach. They obtain, usually by purchase, the relevant software, install it on a machine of their own and proceed to find a previously unknown way to break into it. Having found the weakness, they’ll use it to gain entry to the target’s system. They never share the weakness they’ve found, of course, since a weakness nobody else knows about is one nobody has written a patch or an alarm for.
If the break-in fails on a particular server, they’ll move their attention to a different one.
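As an added illustration, not from the original article, here is a small Python fingerprinter run over a handful of constructed banners (the hostnames and version numbers in it are made up for the example). It shows what the banner step above actually extracts: the product and version from an SSH identification string, an HTTP Server header and an SMTP greeting, what is left when an administrator has stripped the banner, and the version comparison an attacker makes against a manufacturer’s patch list. The minimum-version numbers passed in as first_fixed are placeholders, not real advisory data.

```python
import re

# Constructed sample banners for the example; the hostnames and version
# numbers are made up and were not captured from any real server.
SAMPLE_BANNERS = {
    "ssh": "SSH-2.0-OpenSSH_7.4",
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    "smtp": "220 mail.example.org ESMTP Postfix (Ubuntu)",
    # Same mail server with the software name stripped from the greeting.
    "smtp_suppressed": "220 mail.example.org ESMTP",
}

# One pattern per protocol, each capturing a product name and, where the
# banner carries one, a version string.
BANNER_PATTERNS = [
    # SSH identification string (RFC 4253): "SSH-2.0-<software>_<version>"
    re.compile(r"^SSH-\d\.\d+-(?P<product>[A-Za-z]+)[_/](?P<version>[\w.]+)"),
    # HTTP "Server:" response header, e.g. "Server: Apache/2.4.41"
    re.compile(r"^Server:\s*(?P<product>[A-Za-z-]+)(?:/(?P<version>[\w.]+))?", re.MULTILINE),
    # SMTP 220 greeting: "220 <host> ESMTP <software> [<version>]"
    re.compile(r"^220 \S+ E?SMTP (?P<product>[A-Za-z]+)(?:[ /_](?P<version>\d[\w.]*))?"),
]


def fingerprint(banner):
    """Extract product and version from a banner. version is None when the
    banner names the software but not its release; product is None when
    nothing identifiable was sent at all."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return {"product": match.group("product"), "version": match.group("version")}
    return {"product": None, "version": None}


def version_tuple(version):
    """'2.4.41' -> (2, 4, 41); trailing letters such as the 'p1' in '7.4p1' are ignored."""
    return tuple(int(n) for n in re.findall(r"(?:^|\.)(\d+)", version))


def older_than(found, first_fixed):
    """True when the observed version predates the release that closed a hole.
    This is the 'has the patch been applied?' question from the article."""
    return version_tuple(found) < version_tuple(first_fixed)


def survey(banners, first_fixed):
    """Fingerprint every banner and classify it. first_fixed maps a product
    name to the earliest release containing the fix (hypothetical numbers in
    this example, not taken from any real vendor advisory)."""
    results = {}
    for name, banner in banners.items():
        info = fingerprint(banner)
        product, version = info["product"], info["version"]
        if product is None:
            info["status"] = "no banner: needs behavioural fingerprinting"
        elif version is None:
            info["status"] = "product known, version hidden"
        elif product in first_fixed and older_than(version, first_fixed[product]):
            info["status"] = "version predates fix: candidate for exploitation"
        else:
            info["status"] = "no known gap from banner alone"
        results[name] = info
    return results


if __name__ == "__main__":
    # Placeholder minimum versions, chosen for illustration only.
    hypothetical_fixed = {"OpenSSH": "7.7", "Apache": "2.4.41"}
    for name, info in survey(SAMPLE_BANNERS, hypothetical_fixed).items():
        print(f"{name:15s} {info}")
```

The stripped SMTP greeting is the case worth noticing: the fingerprinter gets nothing from it, which is exactly why the article says the attacker falls back on the implementation’s behavioural quirks rather than giving up.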
Concealment and promotion.
Once in, the next phase begins immediately because they need to conceal the break-in as soon as possible. They will install what’s called a “toolkit”, essentially a set of programs they can run inside the target’s systems, and usually a “rootkit”, whose job is to hide their files, processes and connections from anyone looking. The toolkit is used to “climb the privilege ladder”, which means getting themselves an administrator’s account, the one with the most privileges. Having done this, they will create legitimate-looking logon accounts for themselves and alter the audit logs to hide the break-in.
A quick way of getting an administrator’s account is to install a keystroke logging utility or modify the login software, and then create a minor problem with the server which will oblige an administrator to log onto it to investigate. When they log out, the intruder has their logon Id and password, which he uses to create a new administrator’s account. So, the system is now their bitch? No, not yet and not by a long chalk.
All that’s been achieved so far is the Great White now owns a single server which is, to some extent or another, inside the organisation. The next step is to extend ownership or at least access to other servers. This is yet another very delicate technical gavotte whose precise steps I won’t burden you with but take it from me; it’s an even more difficult and time-consuming process.
Paradoxically, system administrators pay more attention to what’s happening in internal systems than they do to perimeter systems. Anything strange occurring or anything new in the audit logs gets noticed, so even more care must be taken to make everything appear normal. It only ends when they’ve got access to the data they came in for and it’s been extracted but it isn’t over yet.
An orderly withdrawal.
The final phase is always the cleanup and it’s done very carefully for two very good reasons. Firstly, if confidential information is known to have been accessed, it loses value. Secondly, and just as important, any traces left behind of the break-in will be used in any attempt to find the Great White.
They will back out of the target’s systems, server by server, altering logs and closing down any accounts they’ve created. Any code injections will be removed as will all the trip wires they will have strung across the systems. Any internal programs they’ve had to modify will be restored from copies previously taken.
At every point during the run, they will never have used an IP address that can be traced back to them and they will never ever use any of those IP addresses again. Any identities stolen will be relinquished, never to be used again. The hard drive of the attack computer used will be extracted from the machine and smashed to bits before the machine with any attendant routers and modems is consigned to the nearest furnace.
All but the first phase of such an attack can be detected by firewalls and Intrusion Detection Systems (IDS). Their answer is to do the subsequent phases very, very slowly. Typically, they will probe just one of the 65,535 ports on your server in a day. A detector tuned to bursts of activity will not raise an alarm at that rate; only one that keeps a history per source address over weeks will notice the pattern.
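As an added example, not part of the original article, here is the detection side of that trick in Python, run over constructed firewall log lines (made-up addresses from the documentation ranges, no real device). The same per-source rule is applied twice: once with the burst settings many alarms use (five distinct ports inside a minute) and once over a thirty-day window. The host hitting eight ports in three seconds trips both; the one probing a single port a day only shows up in the long-window pass, which is the point: it is the window, not the volume, that decides whether the slow approach stays invisible. The thresholds are illustrative choices, not any product’s defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines for the example (syslog-like, not from a real
# device). 198.51.100.9 hits eight ports in three seconds; 203.0.113.7 probes
# one new port a day for ten days; 192.0.2.55 is an ordinary client.
SAMPLE_LOG = """\
2010-11-01T02:13:07 DROP src=203.0.113.7 dst=192.0.2.10 dport=21
2010-11-02T03:41:55 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2010-11-03T01:58:12 DROP src=203.0.113.7 dst=192.0.2.10 dport=25
2010-11-04T02:20:40 DROP src=203.0.113.7 dst=192.0.2.10 dport=80
2010-11-05T02:05:09 DROP src=203.0.113.7 dst=192.0.2.10 dport=110
2010-11-05T10:00:01 DROP src=198.51.100.9 dst=192.0.2.10 dport=21
2010-11-05T10:00:01 DROP src=198.51.100.9 dst=192.0.2.10 dport=22
2010-11-05T10:00:02 DROP src=198.51.100.9 dst=192.0.2.10 dport=23
2010-11-05T10:00:02 DROP src=198.51.100.9 dst=192.0.2.10 dport=25
2010-11-05T10:00:03 DROP src=198.51.100.9 dst=192.0.2.10 dport=80
2010-11-05T10:00:03 DROP src=198.51.100.9 dst=192.0.2.10 dport=110
2010-11-05T10:00:04 DROP src=198.51.100.9 dst=192.0.2.10 dport=143
2010-11-05T10:00:04 DROP src=198.51.100.9 dst=192.0.2.10 dport=443
2010-11-05T14:22:31 ACCEPT src=192.0.2.55 dst=192.0.2.10 dport=443
2010-11-06T02:33:17 DROP src=203.0.113.7 dst=192.0.2.10 dport=143
2010-11-07T03:02:45 DROP src=203.0.113.7 dst=192.0.2.10 dport=443
2010-11-08T02:47:30 DROP src=203.0.113.7 dst=192.0.2.10 dport=993
2010-11-09T01:39:58 DROP src=203.0.113.7 dst=192.0.2.10 dport=995
2010-11-10T02:11:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=8080
2010-11-10T09:15:00 ACCEPT src=192.0.2.55 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")


def parse_log(text):
    """Turn log lines into (timestamp, source, port) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])))
    return events


def scanners(events, window, min_ports):
    """Sources that touched at least min_ports distinct ports within any
    stretch of time no longer than window."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Every hit from this one forward that still falls inside the window.
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


def run_detection(text):
    """Apply the burst rule and the long-window rule to the same log."""
    events = parse_log(text)
    return {
        "burst": scanners(events, timedelta(seconds=60), 5),   # 5 ports inside a minute
        "slow": scanners(events, timedelta(days=30), 8),       # 8 ports inside a month
    }


if __name__ == "__main__":
    for rule, sources in run_detection(SAMPLE_LOG).items():
        print(f"{rule:5s} rule flags: {sorted(sources)}")
```

Keeping per-source history for a month costs memory and the long window will also sweep up noisy but harmless hosts, which is the trade-off that makes many sites leave such rules switched off; that gap is what the one-port-a-day approach relies on.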
As I said, the patience of Job. All this concerted effort to get at one mail server? Then more traversal work, to get at the backed up emails from a decade ago on a different server? And then yet another huge effort to hack across from the operations area over to the development area to get at the program source library? Simply no way. An insider job.
Anyone who thinks all of the above effort was expended to obtain apparently innocuous material from an obscure unit of an equally academically obscure university, needs an introduction to William of Occam’s razor.
Related topic : A profile of the Climategate whistleblower.