"UEA succeeds in Quest for secure IT access"

On Nov. 12, 2009, CBR Networking has an article here entitled “UEA succeeds in Quest for secure IT access”.

A university spokesman said:

This gives us peace of mind – for example, we have considerably more confidence that a student is unable to gain unauthorised access to sensitive systems such as the university’s finance system – and simplifies the auditing process.


  1. Calvin Ball
    Posted Nov 28, 2009 at 1:15 PM | Permalink

    I guess this increases the odds that it was an insider, but nothing is hack proof.

  2. Rich
    Posted Nov 28, 2009 at 2:12 PM | Permalink

    Sorry guys and gals, I do this for a living and I need to call bologna. Having a single sign on system is great for user management, and gives control of what machine a user can be logged into. We use Single Sign On through ldap, openldap, etc.

    What this doesn’t solve is every other type of hack out there. What this also doesn’t solve is simple password guessing. It also opens up the system to mistakes. We’ve had instances where people have logged into machines they were not supposed to have access to. Doing some investigation revealed simple typos in the wrong field that gave them login access to ALL the boxes controlled by LDAP.

    So, having a SSO system is great. But doesn’t solve most problems. Sounds good though. Not to mention they should have had this set up years ago.

  3. P Gosselin
    Posted Nov 28, 2009 at 3:00 PM | Permalink

    How much peace of mind do they have now? 🙂

  4. Ted
    Posted Nov 28, 2009 at 3:09 PM | Permalink

    What comes to mind for me when I read this, is the ongoing tension between security and accessibility (or ease of use) among universities, companies, etc. When an entity implements security that is overly-protective – making it hard to use – oftentimes the people that actually have to *use* the system will ignore the new procedures any way they can, using shortcuts and bad security practices to get around the new system.

    Perhaps the new IT security was somewhat onerous to use. The timing of it makes me think the new security system indirectly played a part in the data leak, simply because the UEA researchers didn’t like using new procedures in the proper way.

  5. Bryan H.
    Posted Nov 28, 2009 at 3:20 PM | Permalink

    It also doesn’t prevent a whistle-blower responsible for assembling an FOI package from uploading said file to an FTP server whose admin included a username and password in one of the emails in which you compiled.

  6. rephelan
    Posted Nov 28, 2009 at 3:40 PM | Permalink

    I’m still in favor of the inside job. The e-mails were mostly topical and on-target (not to mention that they were all in separate .txt files, most e-mail clients store them in a single file and to get them in .txt files you have to export them) and the other files had to have been pulled from other areas. It looks like the leaker was quite familiar with the topography. If it didn’t sound so outlandish, I’d suggest that the archive was created by Dr. Jones himself…

  7. MarkB
    Posted Nov 28, 2009 at 3:47 PM | Permalink

    “and simplifies the auditing process.”

    If only that were true.

  8. 2dogs
    Posted Nov 28, 2009 at 4:16 PM | Permalink

    A correction required, the date on the article is 2008.

  9. Buddenbrook
    Posted Nov 28, 2009 at 4:23 PM | Permalink

    If the data was leaked by an insider, what to think of the realclimate hack story? The story that on November 17th someone managed to revoke the admin rights of the RC admins for a few hours, managed to put the file on their site, and that 4 people did actually download it from the hacked RC?

    If the data was leaked by a whistleblower, he would have no need nor intention to hack into RC, and would unlikely be capable of such a feat.

    It feels it’s impossible to logically connect these two accounts. Something is missing.

    Some people probably are suspicious that the RC hack story could be a smokescreen, but it seems unlikely for several reasons. One is the criminal investigation into the alleged hacking. Investigators are likely to ask UEA and RC for details and evidence. And that is something you cannot make up as easily as you can make up robust and peer-reviewed climate data.
    So it seems plausible to believe them on that account.

    Obviously the “hack” had some idea what he was looking for. And the short statement from the “hack” proves what his motives were. But I don’t think the hastily compiled file does in itself suggest an insider anymore than it suggests a relatively well informed climate skeptic with good hacking skills. And if what UEA and RC are saying in this matter are true, and it seems plausible to believe them on that account, then the latter, i.e. a hack, seems more likely.

  10. Calvin Ball
    Posted Nov 28, 2009 at 4:30 PM | Permalink

    Ted has an interesting point. The fastest way to lose the cooperation of users is to create an obnoxiously unfriendly system. This attempt to improve security may have actually backfired, and made it easier to hack.

    Nothing winds me up faster than some login page that tells me that my password has to have upper and lower and numeric, and at least 10 characters, etc. Those are the kinds of passwords that end up on a sticky on the user’s monitor.

  11. stevemcintyre
    Posted Nov 28, 2009 at 4:36 PM | Permalink

    Buddenbrook, earlier commenters discussed this issue on other threads. One theory was that one of the CRU emails contained a login and password so that a CRU author could directly author posts and upload data to realclimate. There are at least 5 other emails containing passwords to one place or another. So the holder of the zipfile may have also had a RC password. To my knowledge, Schmidt has not commented on whether he had sent a password by email to CRU; it would be worth asking him.

  12. MikeE
    Posted Nov 28, 2009 at 4:52 PM | Permalink

    Well according to the following article in the Guardian, Saturday 28th Nov 2009, the “hackers” are supposed to have had access for a month:

    Climate email hackers had month of access

    (online version of the article went up the previous evening)

    This supposition is based on the fact that BBC weatherman Paul Hudson had been forwarded a small subset of the emails on 12th October (only those pertaining to his article on 9th October).

    From the article:

    The university declined to answer questions about the setup and security of the computers used by CRU scientists, but security experts say there are only three tenable explanations for how the server was hacked: a determined break-in by an external hacker; that one of the CRU or university systems was accidentally “compromised” by a computer virus or other “malware”; or it was an “inside job” by a disaffected member of university staff. The latter is viewed as the least likely.

    My personal opinion is that the fact that Hudson received these emails in advance of the main release supports the idea that it was an inside job, a leak in other words. What we don’t know is where the emails to Hudson were forwarded from. Whether it is considered a hack or a leak may play an important part in how this plays out: if Hudson believes it was a hack, he may feel duty bound to give the authorities as much information as possible about the forwarding. If he considers it to have been a whistleblower, he may feel it his duty as a good reporter to protect his sources. A tough position to be in.

  13. Ed
    Posted Nov 28, 2009 at 5:46 PM | Permalink

    Paul Hudson of the BBC has since written that his comments were misinterpreted; he did not have the full email archive as of Oct 12th. What he intended to mean, he says now, was that the emails he had sent/received to/from CRU regarding an article he published around Oct 12th were part of the archive that was subsequently released/hacked/escaped/leaked from CRU.

  14. Bob Koss
    Posted Nov 28, 2009 at 5:49 PM | Permalink

    Professor Trevor Davies, the university’s Pro-Vice-Chancellor, Research Enterprise and Engagement, said yesterday: “CRU’s full data will be published in the interests of research transparency when we have the necessary agreements. It is worth reiterating that our conclusions correlate well to those of other scientists based on the separate data sets held by the National Oceanic and Atmospheric Administration and the NASA Goddard Institute for Space Studies.


  15. Ben
    Posted Nov 28, 2009 at 6:28 PM | Permalink

    I would like to recall that the text accompanying the files on The Air Vent was : “We feel that climate science etc., We hereby release etc.”
    There could be more than one person involved.

  16. David L. Hagen
    Posted Nov 28, 2009 at 6:54 PM | Permalink

    The Telegraph reports:
    Climategate: University of East Anglia U-turn in climate change row

    Leading British scientists at the University of East Anglia, who were accused of manipulating climate change data – dubbed Climategate – have agreed to publish their figures in full.

    By Robert Mendick

    Professor Trevor Davies, the university’s Pro-Vice-Chancellor, Research Enterprise and Engagement, said yesterday: “CRU’s full data will be published in the interests of research transparency when we have the necessary agreements. It is worth reiterating that our conclusions correlate well to those of other scientists based on the separate data sets held by the National Oceanic and Atmospheric Administration and the NASA Goddard Institute for Space Studies.

    (Emphasis added).
    Sounds wonderful. Now how long is it going to take to obtain the “necessary agreements”?
    See: “in 2005 Warwick asked Phil for the dataset that was used to create the CRU temperature record”

    How about publishing all the raw data NOW that is NOT affected by “necessary agreements”? Or would that be too embarrassing?

  17. curious
    Posted Nov 28, 2009 at 8:18 PM | Permalink

    “Now how long is it going to take to obtain the “necessary agreements”?”

    I’d say half a dozen quick phone calls should sort it out?:

    “Hi data partner, you’ve probably heard – future of the world is at stake. Do you mind if we put your temp. no’s into the public domain for a quick double check that all is well?… thanks, that’s great, we couldn’t see any reason why not either … could you just pop that into an email to confirm before we issue anything?… Brilliant – it’s just come in! Great to have worked with you on the biggest issue the planet has ever faced.”

    Next call … etc etc

    I expect it’ll all be up on site by close of business on Monday..

  18. artewst
    Posted Nov 28, 2009 at 9:26 PM | Permalink

    OK – feel free to shoot down…

    The files released seem to be a strange selection. On the one hand they seem mostly relevant to, say, an FOI request, but many are far too damaging to be willingly handed over.
    What if someone, not one of the highest bods, was given the task of doing a first pass at collating relevant material – basically separating any “possibles” from the completely irrelevant – with the final selection to be made by someone higher up.

    That “possibles” folder could then have been leaked by an insider or left unwittingly on a server for anyone to find or whatever- in any case they wouldn’t have had to collate the info for themselves.

    I suppose the leaker could also have been a “semi-insider”, given that it’s a University with hundreds of students and lecturers who may have access to the wider computer system – though presumably not normally the sensitive climate stuff. A “semi-insider” coming across this material might perhaps be more likely to be shocked and feel compelled to leak than a true CRU insider who has more likely become inured to the goings on.

  19. Colin Rose
    Posted Nov 28, 2009 at 9:53 PM | Permalink

    There is a chance that the cracker used available shellcode to access CRU’s webserver which was running Apache/2.2.3 at least until 25/10/2009 on Scientific Linux (this would fit the month’s access hypothesis). They have since changed from Scientific Linux to another version of *nix and reverted to Apache/2.0.50.
    I find it hard to believe that compromising their webserver could get you the depth of access that ‘should’ be required to allow access to the data that was released (have CRU advertised for any new IT staff lately?). Though I have seen situations where people have set passwords that work on their networks globally (I would have thought that this would be a big no-no at somewhere like CRU who should have very strict password policies in place – bet they do now!).
    I strongly suspect that the data released is not all of the data ‘cracked’ and that CRU are now in a situation where they are forced to release their data before it is done for them. Interesting times ahead methinks.

  20. MrPete
    Posted Nov 28, 2009 at 9:57 PM | Permalink

    “Necessary agreements” — they only possess one confidentiality agreement, with Bahrain. (They think they had others but lost them.)

  21. Rhoda R
    Posted Nov 29, 2009 at 12:38 AM | Permalink

    While they’re going after these agreements, they might also request the original information – since they seem to have lost that also.

  22. henry
    Posted Nov 29, 2009 at 2:57 AM | Permalink

    MrPete said:

    “Necessary agreements” — they only possess one confidentiality agreement, with Bahrain. (They think they had others but lost them.)”

    Maybe what they’re gonna try and do is see how many “post-dated” agreements they can come up with. Be very suspicious if the majority of their data falls under these newly discovered agreements.

  23. jeez
    Posted Nov 29, 2009 at 5:07 AM | Permalink

    “To keep things simple for the students the IT department encouraged them to use the same password for all logins. This resulted in security, maintenance and support challenges for the department.”

    It would be even more simple for the IT department to encourage everyone at the University to use the same password. Think of the efficiency and the reduction in maintenance. If you lose your password you can ask anyone within earshot.

  24. Richard Saumarez
    Posted Nov 29, 2009 at 9:02 AM | Permalink

    Trevor Davies is Dean of Environmental Sciences and a member of the CRU (according to his web page). The response of the University of East Anglia is pathetic and lacks any credibility.

    Have the CRU’s servers been locked down? Have the main players been suspended? Have measures been put in place to prevent further tampering?

    The admission that they have destroyed the primary data because of “lack of storage space” is really incredible. How big is this data? TBytes?

  25. D. Patterson
    Posted Nov 29, 2009 at 2:19 PM | Permalink

    artewst permalink
    OK – feel free to shoot down…

    The files released seem to be a strange selection. On the one hand they seem mostly relevant to, say, an FOI request, but many are far too damaging to be willingly handed over.

    In one of the speculative scenarios, the e-mail and documents represent files redacted from the larger main filesystem in preparation for the contingency of an imminent FOI release and investigation.

    In other words, CRU may have removed these more sensitive files from the main system and put them into a special archive file for the purpose of concealing them from any FOI releases and/or investigations while not yet deleting and wiping them altogether. If an FOI investigation had occurred, they could simply and quickly copy the file of redacted e-mail and documents to offline media, wipe all the files on the main volumes and restore only the sanitized filesystem, and represent to the investigators and public that the filesystem had simply undergone some prudent maintenance to improve the performance and security of the computer systems.

    After receiving a good housekeeping seal of approval from friendly investigators who see no need to unnecessarily inconvenience the esteemed “scientists” hard at work combatting global warming, normal routines could be reestablished except for greater caution with respect to deleting sensitive e-mail and files more often as recommended before in the e-mail exchanges.

  26. Lucy
    Posted Dec 1, 2009 at 10:32 AM | Permalink

    agree with Colin Rose. bet the hacker held stuff back, and bet that what is held back comprises as a threat to CRU and friends that is as intelligent as the package itself. btw, I didn’t find the package random. I found every single document I looked at carefully selected. A lot of them comprise a tutorial in what the arguments are (the neutral ones) — still very useful if you have to engage in these arguments from time to time — I understood why I had been losing argument about UHI in London when I read about St. James’s Park/Heathrow….. ; a lot of them point to the weaknesses in CRU position (um, circulation models don’t match circulation observations), some of them point to CRU business model (take grants from Shell in return for giving them a place at the table), some to paranoia, etc. But not random. Every single one interesting.

  27. Duke C.
    Posted Dec 1, 2009 at 1:47 PM | Permalink

    There are some facts in plain sight that don’t support the theories (rumors) that are floating around regarding this topic.

    CRU has its own server located at cru.ac.uea.uk. All current traffic is being directed to an ad-hoc server at ac.uea.uk due to the break-in.

    However, all of the CRU email addresses contained within FOI2009.zip/mail are * (@)ac.uea.uk

    They DID NOT have their own mail server. This is a huge fact being overlooked and has implications regarding Phil’s recent statement that he did not delete any emails.

    Phil initiated the “delete” conspiracy on May 29, 2008 (ref: 1212073451.txt). His tone was direct and emphatic. More than likely he deleted any incriminating email in the local archive he had password access to through his client application. It is highly unlikely that he had Root Directory access to the email server at ac.uea.uk. It is likely that he wasn’t even aware of its existence. This would explain the presence of all those controversial emails contained in the /email folder.

  28. Sean Peake
    Posted Dec 1, 2009 at 3:36 PM | Permalink

    Pure speculation, but if it was an inside job/whistleblower, which seems more and more likely, maybe HARRY_READ_ME is behind all of this?

  29. Duke C.
    Posted Dec 2, 2009 at 1:36 AM | Permalink

    Little off topic-

    A Hex dump from the FOI2009.zip central directory contains some interesting tidbits.

    Here it is for anyone interested…

    50 4B 03 04 0A 00 00 00 00 00 00 00 21 3A 00 00
    00 00 00 00 00 00 00 00 00 00 05 00 15 00 46 4F
    49 41 2F 55 54 09 00 03 D0 4D 5C 49 D0 4D 5C 49
    55 78 04 00 EA 03 EA 03

    Converting it to text with a zipfile template reveals this:

    PK vendor signature (pkzip)
    10 version
    0 host operating system (0=MS-DOS and OS2 FAT)
    COMP_STORED (0) (no compression on central directory)
    00:00:00 msdos time
    01/01/2009 msdos date
    0h CRC
    0 compressed file size
    0 uncompressed file size
    5 short filename length
    21 extra field length

    What stands out the most is the creation/last modified date. All 4,559 files show 00:00:00 01/01/2009 in their respective local file headers, which dovetails nicely with the file name. Our leaker is a bit of a jokester.

    Checked PKZIP on Wiki. Version 10 is the Enterprise edition for i5/OS IBM server platforms.

    Combining this with the 4 hour offset in the .txt file names (GMT+4), and we come up with an IBM server somewhere in Central Russia. Case Solved!
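
Added example, not part of the original comment thread: a small parser for the 56 bytes quoted in comment 29, which begin with the ZIP local file header signature `PK\x03\x04`. It decodes the fixed header, the MS-DOS date/time, and the two Info-ZIP extra-field records present (`UT` extended timestamp, `Ux` Unix UID/GID); function and key names are chosen here for illustration.

```python
import struct
from datetime import datetime, timezone

# Bytes exactly as quoted in the comment (one ZIP local file header).
HEX_DUMP = """
50 4B 03 04 0A 00 00 00 00 00 00 00 21 3A 00 00
00 00 00 00 00 00 00 00 00 00 05 00 15 00 46 4F
49 41 2F 55 54 09 00 03 D0 4D 5C 49 D0 4D 5C 49
55 78 04 00 EA 03 EA 03
"""

# Fixed 30-byte part of a local file header, little-endian.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def dos_datetime(date, time):
    """Decode MS-DOS packed date/time (local wall clock, no timezone)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_extra(extra):
    """Walk the (id, size, data) records of the extra field."""
    out, pos = {}, 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4:pos + 4 + size]
        if len(data) != size:
            raise ValueError("truncated extra-field record")
        if tag == 0x5455 and size >= 1:   # "UT": Unix epoch seconds (UTC)
            flags = data[0]
            stamps = struct.unpack_from("<%di" % ((size - 1) // 4), data, 1)
            names = [n for bit, n in ((1, "mtime"), (2, "atime"), (4, "ctime"))
                     if flags & bit]
            for name, secs in zip(names, stamps):
                out[name] = datetime.fromtimestamp(secs, tz=timezone.utc)
        elif tag == 0x7855 and size >= 4:  # "Ux": 16-bit UID and GID
            out["uid"], out["gid"] = struct.unpack_from("<HH", data)
        pos += 4 + size
    return out


def parse_local_header(buf):
    """Parse one local file header plus its name and extra field."""
    (sig, version, flags, method, mtime, mdate, crc,
     csize, usize, nlen, xlen) = LOCAL_HEADER.unpack_from(buf)
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    if len(buf) < 30 + nlen + xlen:
        raise ValueError("truncated header")
    spec = version & 0xFF  # "version needed to extract", ZIP spec version x10
    info = {"version_needed": "%d.%d" % divmod(spec, 10),
            "method": method, "crc32": crc, "size": usize,
            "name": buf[30:30 + nlen].decode("cp437"),
            "dos_modified": dos_datetime(mdate, mtime)}
    info.update(parse_extra(buf[30 + nlen:30 + nlen + xlen]))
    return info


HEADER = parse_local_header(bytes.fromhex("".join(HEX_DUMP.split())))
```

For the quoted bytes this yields the directory entry `FOIA/`, version-needed 1.0, a DOS timestamp of 2009-01-01 00:00:00 (which carries no timezone), `UT` mtime and atime of 2009-01-01 05:00:00 UTC, and UID/GID 1002.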
