Hackers treated as credible sources of information (D’oh!)

by Russell on November 22, 2009

The Wall Street Journal and hundreds of other news outlets have published articles about the stolen/leaked email files from the Hadley Climate Center University of East Anglia (UEA) Climate Research Unit, in the UK.  The blogs are going nuts.  Sadly, there is no critical investigation or reporting about the credibility of the leaked email files.  Instead, all the news outlets are caught up in the debate over whether this proves that the Global Warming science is a con job and conspiracy.  (A sampling of the more moderate reports: Washington Post, Associated Press, and Christian Science Monitor.   The blogs and tweets are more rabid:  e.g. proof that “Al Gore lied!”)

Everyone is treating these stolen/leaked documents as real and undoctored, without any real evidence.  I couldn’t find any critical/questioning articles when I did a web search.  To this, I can only repeat Homer Simpson’s exclamation when he is hit in the face with (his own) stupidity:  “D’oh!!”

For example, the WSJ blog stated that the emails were confirmed as “genuine” by the Director of the breached organization, but a close reading of the source news article shows that the Director only states that the files “appear” to be from his organization.   Hadley Climate Center UEA Climate Research Unit hasn’t actually had a chance to review the posted files or even investigate the breach. 

Also, no one has questioned the claim that this was the act of “hackers”.   The WSJ blog called them “Russian Black Hats”  based on the report that the ZIP file first appeared on an FTP server hosted in Russia.  Ridiculous!    It is easy for anyone located anywhere to upload files to an FTP server with a Russian domain name. 

I did find a few security bloggers commenting on this incident, e.g. Graham Cluley, and they are more reserved about the implications of this incident, given the lack of real information.  Hopefully, more security experts will speak out on this in the coming days.

Now a rant for the uncritical news organizations and bloggers:

NEWSFLASH — Anyone who has the motives and skills to steal private documents and to upload them to a Russian FTP server in order to generate a public scandal also has the motives and skills to “doctor” those documents.  DO NOT trust their content until it is proven genuine!

This news/publicity incident is just more evidence of wide-spread misunderstanding about trust and credibility regarding online information, and also misunderstandings about the nature of security breaches, Black Hats vs. White Hats, etc.    This is another case of the meme: “If it’s on the Internet, it must be true”.  Sadly, the “echo chamber” of free Internet news media and “advocacy journalism” only makes it worse.   Takeaway: This is yet another call-to-arms to security experts to provide evidence-based analysis that educates the broad public and the institutions that serve them.

[Update — Corrected the name of the breached organization]

[Update 2:   See Comment #2 below for additional “connect the dots” that make the insider attack most plausible, not a “Russian Black Hat”.]

8 comments

It looks like the emails are valid thus far. But let’s not forget the fact that even if a few scientists deviated from solid scientific practice (so as to, for example, head off the delaying tactics of global warming deniers at the pass), this does not negate the entire preponderance of the evidence.

This goes to an underlying problem that has not been resolved in the overlap between scientific circles and the broader public discourse: Agenda-driven factions are able to effectively filibuster reality-based action.

Standards need to be set such that claims advanced by individuals or groups with a demonstrated *systemic* track record of intellectually dishonest behavior (fact-denial, truth-distortion, opinion/fact conflation, etc.) needn’t be taken seriously on a case-by-case basis.

Of course, the veracity of the emails should be investigated. But so should the implications of them if they are genuine. It would be unacceptable to simply unquestioningly accept cherry-picked conclusions about an entire field of research based on the actions of a few individuals.

by perspicio on November 22, 2009 at 5:53 pm.

(This is my last comment/edit… I swear!)

I found some key “dots” that cry out for “connecting”:

1. There was a previous data breach/leak in July 2009 or before. It appears that just one person was the recipient of the stolen data: Stephen McIntyre, who says he got them anonymously. The breach was due to an insider (“mole”) in the UK. http://www.climateaudit.org/?p=6644 http://www.climateaudit.org/?p=6634 (esp. comment #3)

(McIntyre is a skeptic of human-caused Global Warming, not a denier. He focuses on problems/weaknesses he sees in the data and methods.)

2. McIntyre has been in a long-running battle with the UEA HCC/CRU over access to their data, their “code” (data analysis software), and even their emails http://www.climateaudit.org/?p=3234. Here’s McIntyre’s philosophy and goals in this quest: http://www.climateaudit.org/index.php?p=66 . Here’s a short summary of the conflict, published just a day before the recent breach hit the wires: http://online.wsj.com/article/SB10001424052748704335904574496850939846712.html

3. McIntyre was actively monitoring defensive actions by UEA HCC/CRU over the summer, including “massive data purges”: http://www.climateaudit.org/?p=6673 (Is “Climate Audit reader Super-Grover” an insider, given the comment “worse than we expected”??).

4. McIntyre has just recently been denied in his appeal of the rejection of his most recent FOI. http://camirror.wordpress.com/2009/11/21/test/

Putting these together, plus imminent start of the Copenhagen Climate Summit…

… it doesn’t take a detective genius to see that the current data breach/theft/leak is probably just a continuation of this on-going war between these parties. It’s also likely that the same “mole” is also responsible or involved in this breach.

RUSSIAN BLACK HATS, MY ASS! 🙂

As far as I know, none of the mainstream or alternative news articles have connected these dots. Ditto for the blogs.

——————

Plenty of bloggers, including McIntyre, have suggested that the hacker/leaker would be protected by UK whistleblower laws. Given the rejection of the FOI request, and denial of appeal, that seems extremely unlikely because this leak is just an end-run around the FOI rejection. Others have suggested that this is a justifiable political act, like the leak of the Pentagon Papers. Time will tell…

——————

Regarding the substance of debate, McIntyre and his collaborators have had a fair scientific hearing for *all* of their objections and criticism about data and models. This came in 2006 with a Congressionally-initiated National Academies of Science Panel. Here is McIntyre’s submission: http://www.climateaudit.org/pdf/NAS.M&M.pdf (very detailed, thorough, and substantive), and here is the NAS report (free download with registration): http://www.nap.edu/catalog.php?record_id=11676

————-

Another takeaway message: I now believe that the frequency of ideology-based security/privacy attacks (a.k.a. “hacktivism“) will be increasing dramatically in the coming years, even for organizations who don’t know that they are in the activist’s “cross-hairs”. These may be combination of insider/outsider attacks, and also involve social networks. (Longer articles/reports on hacktivism are here, here, here, and here.)

by Russell on November 22, 2009 at 11:23 pm.

(This is my last comment/edit… I swear!)

I found some key “dots” that cry out for “connecting”:

1. There was a previous data breach/leak in July 2009 or before. It appears that just one person was the recipient of the stolen data: Stephen McIntyre. The breach was due to an insider (“mole”) in the UK: http://www.climateaudit.org/?p=6644 http://www.climateaudit.org/?p=6634 (esp. comment #3)

2. McIntyre has been in a long-running battle with the UEA HCC/CRU over access to their data, their “code” (data analysis software), and even their emails http://www.climateaudit.org/?p=3234. Here’s McIntyre’s philosophy and goals in this quest: http://www.climateaudit.org/index.php?p=66 . Here’s a short summary of the conflict, published just a day before the recent breach hit the wires: http://online.wsj.com/article/SB10001424052748704335904574496850939846712.html

3. McIntyre was actively monitoring defensive actions by UEA HCC/CRU over the summer, including “massive data purges”: http://www.climateaudit.org/?p=6673 (Is “Climate Audit reader Super-Grover” an insider, given the comment “worse than we expected”??).

4. McIntyre has just recently been denied in his appeal of the rejection of his most recent FOI. http://camirror.wordpress.com/2009/11/21/test/

Putting these together, plus imminent start of the Copenhagen Climate Summit…

… it doesn’t take a detective genius to see that the current data breach/theft/leak is probably just a continuation of this on-going war between these parties. It’s also likely that the same “mole” is also responsible or involved in this breach.

RUSSIAN BLACK HATS, MY ASS! 🙂

As far as I know, none of the mainstream or alternative news articles have connected these dots. Ditto for the blogs.

——————

Regarding the substance of debate, McIntyre and his collaborators have had a fair scientific hearing for *all* of their objections and criticism about data and models. This came in 2006 with a Congressionally-initiated National Academies of Science Panel. Here is McIntyre’s submission: http://www.climateaudit.org/pdf/NAS.M&M.pdf (very detailed, thorough, and substantive), and here is the NAS conclusion report (free download): http://www.nap.edu/catalog.php?record_id=11676

————-

Postscript: I now believe that the frequency of ideology-based security/privacy attacks will be increasing dramatically in the coming years, even for organizations who don’t know that they are in the activist’s “cross-hairs”. These may be combination of insider/outsider attacks, and also involve social networks.

by Russell on November 23, 2009 at 11:28 am.

As expected, countless copies of FOI2009.zip have appeared all over the net. What better vehicle for distributing malware? Imagine a 60+ MB file sprinkled with a variety of docs with known exploits, just waiting for some poor suckers who are behind on their antivirus signatures and security updates. Maybe the only thing the hackers truly care about is your program counter. Picking a hot topic of debate just helps increase the hit counts on the web searches that lead to the malware payloads.

by Tim on November 26, 2009 at 1:49 am.

[…] Hackers treated as credible sources of information (D’oh!) – New School of Information Security […]

by Black Friday Briefings – November 27th : Liquidmatrix Security Digest on November 27, 2009 at 1:58 pm.

I can’t lay claim to being a security expert, but I’ve done a bit of analysis of the .zip file. As I’ve suggested on my blog, it seems the .zip file contents were packaged on an owned (or pwn3d) machine in the timezone -0500/-0400, which is way outside of the UK.

This coupled with the fact that the initial announcement was from a guy named “FOIA” (instead of “FIA”, which I’ve heard is the more common term in Britain), seems to mean that the attack involved outsiders.

Then again, perhaps Tim is right, and all this is just smoke and mirrors for distributing malware after all.

bi

by bi -- IJI on November 29, 2009 at 6:52 am.

@BI The use of “FOIA” doesn’t reveal very much, IMHO. If it *was* an insider working to support skeptics such as Steven McIntyre, the use of “FOIA” is obvious, since that is the label used on Steven McIntyre’s web site.

Also, the time zone of the computer used for creating the ZIP file is easy to manipulate by setting the time and timezone manually on the computer before creating the ZIP file.

I’m not an expert in forensic analysis or cybercrime, but I’d bet my money on *motives* and *patterns of behavior* rather than superficial and easily manipulated digital data such as timestamps, IP addresses (could easily be proxies), or FTP server domain names.

My main complaint is with so-called news sources and reporters who draw conclusions from such things, as if they prove anything.

by Russell on November 30, 2009 at 8:47 am.
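The timezone inference bi describes and the caveat Russell raises, as an added Python example that is not code from the original post or its commenters: it reads each ZIP member’s DOS local timestamp and its Info-ZIP “UT” extra field (stored as UTC) and reports the offset between them. The archive, member names and timestamps are constructed here; the UT field is assumed to be present only where the packaging tool wrote one.

```python
import io
import struct
import zipfile
from datetime import datetime, timezone

UT_ID = 0x5455  # Info-ZIP "UT" extended timestamp extra field


def build_sample_zip(local_dt, utc_dt):
    """Constructed sample: one member carrying both a DOS local time and a
    UT field holding the same moment as UTC, plus one member without UT."""
    with_ut = zipfile.ZipInfo("notes.txt", date_time=local_dt.timetuple()[:6])
    mtime = int(utc_dt.replace(tzinfo=timezone.utc).timestamp())
    # UT record: id, data size (flags byte + 4-byte mtime), flags=1 (mtime only)
    with_ut.extra = struct.pack("<HHBI", UT_ID, 5, 1, mtime)
    no_ut = zipfile.ZipInfo("readme.txt", date_time=local_dt.timetuple()[:6])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(with_ut, b"constructed sample content\n")
        zf.writestr(no_ut, b"constructed sample content\n")
    return buf.getvalue()


def parse_ut_mtime(extra):
    """Walk the extra-field records; return the UT mtime (Unix UTC) or None."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4 : pos + 4 + size]
        if field_id == UT_ID and len(data) >= 5 and data[0] & 1:
            return struct.unpack_from("<I", data, 1)[0]
        pos += 4 + size
    return None


def infer_utc_offsets(zip_bytes):
    """Per member: hours the packaging clock was set ahead of UTC (DOS local
    time minus UT time, rounded to a half hour), or None without a UT field."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            mtime = parse_ut_mtime(zi.extra)
            if mtime is None:
                result[zi.filename] = None
                continue
            local_naive = datetime(*zi.date_time)
            utc_naive = datetime.fromtimestamp(mtime, timezone.utc).replace(tzinfo=None)
            hours = (local_naive - utc_naive).total_seconds() / 3600
            result[zi.filename] = round(hours * 2) / 2
    return result


def sample_offsets():
    """Clock set to UTC-5: local 09:57 paired with 14:57 UTC yields -5.0."""
    return infer_utc_offsets(build_sample_zip(datetime(2009, 11, 17, 9, 57, 0),
                                              datetime(2009, 11, 17, 14, 57, 0)))
```

Both values come from the packaging machine’s own clock and timezone settings, so the offset reports what that clock was set to, not where the machine was.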

Thanks, I’ll give a reply on my blog.

bi

by frankbi on November 30, 2009 at 12:02 pm.
