UPDATED: Posted the full Pointman article instead of the much abbreviated edit version. Thanks to Pointman.
Hacked or leaked?
Pointman argues the case for the emails being leaked from inside. Part I of his thesis is that an expert hack takes a lot of money, patience and a rare personality. (And after reading his article I believe him.) In Part II Pointman suggests that there is not a lot of money or inclination to pay such an expert. Call me unconvinced on this second clause. Even though I’ve seen no evidence of big dollars at work in the skeptic case* I can imagine that in any market worth 130-odd billion per annum there would be players with handy shorts-ready-to-place who might like to pull some strings.
That said, the fact that the police investigation into the leak or hack has failed to find any answers combined with the obvious motivation for any half honest civil servant with a modicum of altruistic honor to act as a whistle-blower, means I find the whistle-blowing theory much more believable.
The ilk of the money-driven sociopathic derivative trader who makes money from shorting markets, and would have the balls to organize an illegal hack, doesn’t strike me as the type of person who also reads Watts Up With That or Climate Audit on their weekends. Without the in-depth knowledge of what they were looking for in the emails, it seems a tad hard to believe the money market would be hunting for ten-year-old messages from mediocre scientists who might be hiding measurements from Sweden that are recorded in degrees Celsius.
What makes Pointman’s post especially rewarding is the rich insight into the hacker world, and explained so well. It’s clear he has an unusual expertise, and I appreciated the detail.
Did you know in hacker land there are script kiddies, ascendants, and invisible great white sharks?
The difference between an internal security breach and a carefully coordinated external breach is vast.
Guest post by Pointman
Copied from the original with permission
Why Climategate was not a computer hack
Industry numbers say that 80% of all reported security breaches are internal but I and most other people with knowledge of the area would say the real figure is nearer 90% or upwards. If one of the Great Whites out there in cyberspace comes after you, it’s because you have information or a particular dataset that is of real value to them and they’re prepared to work very very hard to get it. They have the patience of Job.
Despite what Hollywood and the movies would have you believe, pulling off a successful external hack is far from easy. It requires skill, talent, detailed technical knowledge and above all, patience. Hackers come in three flavours: script kiddies, ascendants and what I like to call the Great Whites. Script kiddies just find scripts lying about the internet and run them, hoping they’ll achieve whatever it says on the can. Ascendants are graduate script kiddies who’re learning to write their own scripts and are perhaps delving deeper into the manuals. They tend to trade scripts with each other and to share some of them with the kiddies for reasons of ego and status. It’s a King of the Kids thing. The overwhelming majority of them never graduate to Great White simply because it requires a massive amount of effort to master the technical requirements and, I would have to say, dedication. They also lack that last but most important ingredient: the nerve to go after hardened targets with a jail sentence attached as the punishment for failure.
The very few who make it to Great White drop off everyone’s radar and are never heard from again, except for their work, and only when it’s detected. If I have to go looking for them, I usually start with their juvenile activities because that’s where they’ll have made the mistakes I can use to start locating them. The art, of course, is matching the adult’s style with the juvenile’s exploits, their ‘fist’ if you will. That’s why I spend some time watching the ascendants I think are showing some promise.
If the Climategate breach was a result of a hack, then it would have to have been done by a Great White.
This outline analysis of a classical frontal assault on an organisation should make that point. I’ve organised it into distinct phases, giving an insight into what each one is about. There are some things to bear in mind while reading this article. The intended audience is the general reader; no great knowledge of IT is assumed. Where it’s come down to technical accuracy or clarity, I’ve chosen the latter. It’s about technique rather than bits or bytes. It is not intended to be nor can it be used as a guide to hacking. Finally, it is not definitive in the sense that there are a myriad of other ways of achieving the same end.
A well constructed attack will begin with a non-invasive reconnaissance phase for information. The objective of this phase is to build up a detailed view of the organisation; its departmental structure, where its buildings are located, who works in the organisation and their roles, who their external suppliers are and the services supplied, any other organisations they interact with and pretty much anything else that can be found out. Google is the prime attack tool here. It will be used in a totally exhaustive search to find every piece of information on the organisation. As each new item of information is found, it in turn is used to find out more. For example, when a name is found, an effort would be made to get that person’s resume or CV, especially for IT personnel. Their areas of technical expertise are a good guide to the exact type of systems running inside the organisation. Why recruit them otherwise? Slightly more intrusive “social engineering” techniques may also be used. Social engineering is essentially tricking information out of people and is an art form in its own right. For example, to obtain CVs one could set up a minimal but very discreet headhunting recruitment site and simply request the CVs (under the strictest of confidence, of course). That one nearly always works.
Mapping and fingerprinting
The next phase is to build a detailed technical picture of all the networks and computer systems of the target organisation. This would include determining all services running and each service’s manufacturer and the exact software version, all network connections, internal and external, and of course all communications protocols in use.
All computers have what are called ports. Think of them as doorways into and out of the computer through which packets of data flow. The standard Intel chip has sixty-four thousand of these and usually a service operates using one or more of these ports. For instance, email usually uses two of these ports, one for incoming and one for outgoing email. Some other services only use one. There are several methods used to map the internal layout of the target but they all rely largely on sending small ‘signals’ or IP packets to selected ports and examining the result. The IP packets transmitted may be standard or deliberately malformed to provoke a response.
Determining what services are running is done in a similar manner but something called banners can be a help here. When an external server, such as an email server, gets in touch with an internal server, they have to first make contact with each other and establish a communications protocol. At the start of the conversation, normally called handshaking, a banner displaying who developed the server’s software may be shown, thus giving away details of the software’s manufacturer and possibly its version. Even though the banners can be suppressed and although the protocols are of course standardised, there are other nuances in the conversation which can be used to identify exactly the software and its version.
Using these and other methods, the services detected would be “finger-printed” and the exact manufacturer and software versions determined.
Now that all the technical details of the target’s systems are known, the actual breach can be attempted. It is the most dangerous phase since being noisy or clumsy will set off alarms. Like all internal work, it’s done in the middle of the night in the timezone of the target, allowing some time to recover from any mistakes. There are a number of ways of doing this but I’ll outline just two of the approaches. There are a lot more.
The classic technique is that since they now know the versions of the software, they consult the relevant manufacturer’s website to determine what security patches the version should have to cover loopholes. Armed with this information, they next try to exploit each vulnerability in turn, hoping the security patch has not been applied to the software. If just one works, they’re into the system.
The quality end of the market tends to take a more difficult but safer approach. They obtain, usually by purchase, the relevant software, install it on a machine and proceed to find a new way to break into it. Having found the weakness, they’ll use it to gain entry to the target’s system. They never share the weakness they’ve found, of course.
If the break-in fails on a particular server, they’ll move their attention to a different one.
Concealment and promotion
Once in, the next phase begins immediately because they need to conceal the break-in as soon as possible. They will install what’s called a “toolkit” or a “rootkit”, which is essentially a set of programs they can run inside the target’s systems. These are used to “climb the privilege ladder”, which means getting themselves an administrator’s account, the one with the most privileges. Having done this, they will create legitimate logon accounts for themselves and alter all audit logs to hide the break-in. A quick way of getting an administrator’s account is to install a keystroke logging utility or modify the login software and then create a minor problem with the server which will oblige an administrator to log onto it to investigate. When they log out, the intruder has his logon ID and password, which he uses to create a new administrator’s account. So, the system is now their bitch? No, not yet and not by a long chalk.
All that’s been achieved so far is the Great White now owns a single server which is, to some extent or another, inside the organisation. The next step is to extend ownership or at least access to other servers. This is yet another very delicate technical gavotte whose precise steps I won’t burden you with but take it from me; it’s an even more difficult and time-consuming process. Paradoxically, system administrators pay more attention to what’s happening in internal systems than they do to perimeter systems. Anything strange occurring or anything new in the audit logs gets noticed, so even more care must be taken to make everything appear normal. It only ends when they’ve got access to the data they came in for and it’s been extracted but it isn’t over yet.
An orderly withdrawal
The final phase is always the cleanup and it’s done very carefully for two very good reasons. Firstly, if confidential information is known to have been accessed, it loses value. Secondly, and just as important, any traces left behind of the break-in will be used in any attempt to find the Great White. They will back out of the target’s systems, server by server, altering logs and closing down any accounts they’ve created. Any code injections will be removed as will all the trip wires they will have strung across the systems. Any internal programs they’ve had to modify will be restored from copies previously taken. At every point during the run, they will never have used an IP address that can be traced back to them and they will never ever use any of those IP addresses again. Any identities stolen will be relinquished, never to be used again. The hard drive of the attack computer used will be extracted from the machine and smashed to bits before the machine with any attendant routers and modems is consigned to the nearest furnace.
All but the first phase of such an attack can be detected by firewalls and Intrusion Detection Systems (IDS). Their answer is to do the subsequent phases very very slowly. Typically, they will ping one of the ports they’re interested in of the available 64,000 on your server in a day. This will not set off any alarms. As I said, the patience of Job. All this concerted effort to get at one mail server? Then more traversal work, to get at the backed up emails from a decade ago on a different server? And then yet another huge effort to hack across from the operations area over to the development area to get at the program source library? Simply no way. An insider job.
Anyone who thinks all of the above effort was expended to obtain apparently innocuous material from an obscure unit of an equally academically obscure university needs an introduction to William of Occam’s razor.
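The one-port-a-day probing Pointman describes is designed to stay under a per-day alert threshold. The detection logic below is an added example (not from Pointman’s post) showing the defender’s counter: aggregate the distinct ports each source touches over a long window, so a slow prober is flagged alongside a noisy one. The firewall deny lines, their format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed simplified firewall deny line: "<iso-timestamp> DENY src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, source_ip, dest_port), or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def classify_probers(lines, burst_ports=10, window_days=30, window_ports=10):
    """Map source IP -> 'burst' (many ports in one day) or 'slow' (many ports over the window).

    A source that touches fewer than window_ports distinct ports in any
    window_days-day span is not reported at all.
    """
    hits = defaultdict(set)  # source IP -> {(day, port)}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, port = parsed
            hits[src].add((ts.date(), port))
    verdicts = {}
    for src, seen in hits.items():
        per_day = defaultdict(set)
        for day, port in seen:
            per_day[day].add(port)
        if max(len(p) for p in per_day.values()) >= burst_ports:
            verdicts[src] = "burst"  # a per-day threshold already catches this one
            continue
        # Slide a window starting at each active day; count distinct ports inside it.
        for start in sorted(per_day):
            end = start + timedelta(days=window_days)
            if len({p for d, p in seen if start <= d < end}) >= window_ports:
                verdicts[src] = "slow"  # invisible per day, obvious over the window
                break
    return verdicts


def build_sample_log():
    """Constructed sample: one noisy scanner, one one-port-a-day prober, one benign host."""
    base = datetime(2009, 10, 1, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} DENY src=203.0.113.9 dst=192.0.2.10 dport={20 + i}"
             for i in range(20)]  # 20 ports in 20 seconds
    lines += [f"{(base + timedelta(days=i)).isoformat()} DENY src=198.51.100.7 dst=192.0.2.10 dport={100 + i}"
              for i in range(14)]  # one new port per day for two weeks
    lines += [f"{base.isoformat()} DENY src=192.0.2.55 dst=192.0.2.10 dport=443",
              f"{(base + timedelta(days=3)).isoformat()} DENY src=192.0.2.55 dst=192.0.2.10 dport=80"]
    return lines
```

Run `classify_probers(build_sample_log())` to see the noisy host reported as "burst", the patient one as "slow", and the benign host omitted.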
This post was updated to include the full post from Pointman’s site here. I didn’t quite capture his full expertise in the short review. Thanks for his permission to do so.
I enjoy listening to a master of any topic, and Pointman writes very well.
PS: As Colin Henderson says in comments — to the person (or people) responsible for releasing all those emails. Thank you! What a difference you’ve made.
* (If you have some, I know a blogger who’d like to hear from you) 🙂 .
Photo thanks to Futase_tdkr.