Climategate – whodunnit?
Well, according to this story in Help Net Security, the Information Technology people might be good candidates to see what has been going on behind the scenes at UEA’s Climate Research Unit, since it seems that they have broad access and according to a recent survey, many in IT positions can’t resist peeking:
“IT security staff will be some of the most informed people at the office Christmas party this year. A full 26 per cent of them admit to using their privileged log in rights to look at confidential information they should not have had access to in the first place. It has proved just too tempting, and maybe just human nature, for them to rifle through redundancy lists, payroll information and other sensitive data including, for example, other people’s Christmas bonus details.”
Here’s some eye opening survey stats about what IT people do with that access:
- 42 percent of those surveyed said that in their organisations’ IT staff are sharing passwords or access to systems or applications
- 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information
- 48 percent of respondents work at companies that are still not changing their privileged passwords within 90 days – a violation of most major regulatory compliance mandates and one of the major reasons why hackers are still able to compromise the security of large organisations.
Remember the HARRY READ ME file from Climategate 1? That programmer was bemoaning the sad state of the database an methodologies because he had a broad view afforded by working with the data within the organizational group. He knew more than any single person he was doing work for.
In the case of the UEA Climategate 1 and 2 emails, it seems clear now that to gather up as much information as has been shown to be available, it wasn’t likely a quick in and out job. As this WUWT guest post by David M. Hoffer shows that this wasn’t just a simple hack. He wrote:
So…who had administration rights on the email system itself? There’s reason to believe that it was not any of the researchers, because it is clear from many of the emails themselves that they had no idea that things like archives and backup tapes existed.
Whoever did it likely got it from the email archive system, knew what they were doing, and they had to have broad access to get all these emails gathered together.
Then, when we see that 256 bit AES encrytion was the choice to secure the remaining nearly 1/4 of a million emails, we know that “FOIA” whoever he/she is, knows enough to choose the kind of security that would not likely be cracked in any reasonable amount of time. This probably rules out script kiddies and students at UEA who might have had accidental network access and just grabbed a few files when they thought nobody was looking.
And what about the original first “hack” of the RealClimate.org server that Gavin Schmidt squelched? When we see survey results like 42 percent of those surveyed said that in their organisations’ IT staff are sharing passwords or access to systems or applications and we know how close and interconnected UEA/CRU and GISS staff are, the likelihood that whomever left that first drop of emails on the RealClimate server probably had some shared password or other sort of access.
The sharing of system access in emails was broadly demonstrated in Climategate 2.0. For example, Dr. Phil Jones and others at CRU sent some emails out years ago that linked to papers under review at the Journal of Geophysical Research. Some WUWT readers found these early on, and sure enough, such links from years ago in the CG2 emails still worked.
A few days ago I made the issue known to Dr. Phil Jones and to the JGR journal staff so they could close this security hole. As far as I know, all have been closed. I’ve tested again tonight and the live link fails now. Now that they have been closed, I can talk about it safely without putting JGR’s manuscript system at risk.
Sent: Thursday, November 24, 2011 5:10 PM
Cc: firstname.lastname@example.org ; email@example.com
Subject: password enabled JGR links in Climategate 2 files
Dear Dr. Jones,
I know that you know me, and probably do not like me for my views and publications. Regardless of what you may think of me and my work, it has been brought to my attention by a reader of my blog that there are open access links to your manuscripts at JGR included in the email that are now in the public view.
Therefore, it is my duty to inform you that in the recent release of Climategate 2 files there are links to JGR journal review pages for your publications and also for the publications for Dr. Keith Briffa.
For example, this link:
http://jgr-atmospheres-submit.agu.org/cgi-bin/main.plex?el=[access code redacted]
I have verified that in fact that link opens your JGR account and provides full access to your JGR account.
In fact there are 35 different emails in this release that contain live links to JGR/AGU author pages. Similar other links exist, such as for Dr. Keith Briffa and others at CRU.
This of course is an unintended and unacceptable consequence of the email release.
I am cc:ing Joost de Gouw Editor, JGR Atmospheres in hopes that he can take action to close this open access to these accounts. It is a holiday here in the USA (Thanksgiving) and there may not be office hours on Friday but hopefully he is monitoring emails.
JGR should immediately change all passwords access for these CRU members and I would advise against allowing transmission of live links such as the one above in the future. JGR might also consider a more secure method of manuscript sharing for review.
The open nature of these links is not publicly “on the radar” even though they are in fact public as a part of the email cache, and I do not plan on divulging them for any reason. Any mention of these links will be deleted from any public comments on my blog should any appear.
Dr. de Gouw (or anyone at JGR) and Dr. Jones, please acknowledge receipt of this email.
Thank you for your consideration.
So clearly, CRU and others in the emails didn’t think twice about sending around open access live links. As David M. Hoffer points out in his article, the researchers don’t seem to have a clue about security. They also leave “sensitive” files they don’t want to share under FOIA requests lying about on open FTP servers. Based on what I’ve seen so far, I don’t think any of the research staff at CRU had either broad access nor the specific tech knowledge to pull this “hack” off.
Somebody who had the ability to peek at these emails as part of their job might just as easily have had access to the RealClimate Server too. Remember there’s almost a quarter million emails we haven’t seen. Chances are, one of those contained the key to the RC server, which allowed them to become an RC administrator and post the original FOIA story which Gavin Schmidt caught and squelched.
I and others I correspond with have our theories about who the leaker might be. From my perspective now, someone with broad system access looks to be a more likely candidate than a malicious outsider.
UPDATE: Many people in comments think I’m doing something wrong by writing to Phil Jones and AGU/JGR. In Phil Jones reply to me, he wrote: A couple of other people sent me emails about this issue.
So clearly I wasn’t the first to notify him of the open links to AGU. But more importantly, my email was also sent to AGU editors and the editor of JGR Atmospheres. Despite what troubles Jones and his group have caused over the year with skeptics, AGU/JGR has been a reasonable journal that has published skeptical papers, including my own. Protecting that relationship with skeptics who publish is valuable and the last thing we need is a scandal where papers submitted to AGU/JGR are showing up on other skeptic websites before they are reviewed because Jones sent active links around in emails. Having the knowledge of the security holes was a damned if I do damned if I don’t proposition, but I opted on the side of doing what I felt was the right course of action. If that upsets a few people, so be it. – Anthony