Andrew Montford has posted briefing materials handed out to the press when Norfolk Police released the decision to close the investigation yesterday. Like everything else with this investigation, the people most in the know (the bloggers) were left out of the loop, while the spinners (Richard Black of the BBC, for example) got this info straight away.
Operation Cabin
Background Information
Introduction
Operation Cabin is the name of Norfolk Constabulary’s investigation into the unauthorised data breach at the Climate Research Unit (CRU) at the University of East Anglia (UEA) in Norwich and the subsequent publication of some of this data on the internet.
The publication of the data in close proximity to the COP 15 and COP17 climate change conferences in Copenhagen and Durban appears to have been done in order to influence global debate around anthropogenic climate change.
The investigation has been undertaken by Norfolk Constabulary, with some support from SO15 (Metropolitan Police Counter Terrorism Command), the National Domestic Extremism Team (NDET) and the Police Central e-Crime Unit (PCeU). Technical support was provided by online security and investigation experts, QinetiQ.
The investigation
The security breach was reported to Norfolk Constabulary by the UEA on 20 November 2009, following publication of CRU data on the internet from 17 November onwards.
An investigation was launched by the joint Norfolk and Suffolk Major Investigation Team (MIT), led by Senior Investigating Officer (SIO) Detective Superintendent Julian Gregory, supported by Detective Inspector Andy Guy as Deputy SIO. Strategic oversight was provided by Gold Group, initially chaired by then ACC Simon Bailey and latterly by ACC Charlie Hall.
Strategy and Parameters
The primary offence under investigation was the unauthorised access to computer material under s.1 Computer Misuse Act 1990.
The aim was to conduct an efficient, effective and proportionate investigation into the circumstances surrounding the unauthorised access with a view to:
- Establishing what data was accessed and/or taken and published
- Establishing who was responsible
- Securing sufficient evidence to mount a successful prosecution if appropriate
Lines of enquiry
At the outset it was not known if there had been a physical breach of security at the UEA or whether the data had been taken as a result of an external attack via the Internet. It was also not known if the offender(s) had connections with or was assisted by members of staff from the UEA and, as a consequence, a number of lines of enquiry were pursued to cater for these eventualities.
Summary of findings
- That the data was taken between September 2009 and November 2009 during a series of remote attacks via the Internet, which accessed an internal back-up server.
- That a large amount of data was taken and subsequently published on the Internet in two separate files in 2009 and 2011. The first was entitled FOIA 2009 and contained 3480 documents, 1000 e-mails and 1073 text files. The second was entitled FOIA 2011 and contained 23 documents, 5292 e-mails and 220,000 files. Much of the data published in FOIA 2011 was protected by an unknown password.
- That the data was not obtained via physical access of the CRU back-up server.
- That there is no evidence to suggest that anyone working at or associated with the University of East Anglia was involved in the crime.
- The offender(s) had used methods common in unlawful internet activity to obstruct enquiries, by planting a false trail and utilising a series of proxy servers located around the world.
- That the attack was highly sophisticated and was undertaken by a person or persons who were highly competent and who knew how to conceal their activity.
Limitation on proceedings
The Computer Misuse Act 1990 provides a limitation on commencing criminal proceedings in that criminal proceedings must be brought within six months from the date on which evidence sufficient to bring a prosecution comes to light, and that no such proceedings will be brought more than three years following the commission of the original offence.
In relation to Operation Cabin, this means that proceedings would need to be commenced in the autumn of this year. This means that the police investigation would need to have been concluded by late summer in order to prepare a case for prosecution within this time constraint. It has been determined that this is an unrealistic prospect.
Resource and costs
The Constabulary carried out a proportionate investigation led by officers from the joint Norfolk and Suffolk Major Investigation Team, with some additional support internally and some assistance also provided by national and external agencies and services.
Officers assigned to this case worked on a number of other investigations simultaneously and, while specific activities relating to this and other investigations may be recorded in their pocket note books, the exact time spent on each activity is not recorded. It is therefore not possible to isolate accurately the overall hours worked by officers and staff on this investigation nor the total salary cost for this.
Over and above this, the cost for over-time and expenses in relation to this enquiry alone has been recorded against a specific cost-code. For the period December 2009 to March 2012 inclusive, this figure stands at £84,871.77.
Further information
Further information in relation to this enquiry has been published by the Constabulary under the Freedom of Information Act.
This material can be found at:
http://www.norfolk.police.uk/aboutus/yourrighttoinformation/freedomofinformation/disclosurelog.aspx
============================================================
One of the things I find most interesting in that disclosure log page is that, for all the caterwauling that went on about “death threats” sent to Phil Jones, and the news repeated worldwide by the spinners that he was “depressed and suicidal”, the Norfolk police provided this statement, which tells the real story (bold is mine):
| Reference | Request | Response |
| 69/12/13 (PDF) | Threats to life or threats of bodily harm reported to Norfolk Constabulary by members of the Climatic Research Unit at the University of East Anglia. | No information held |
The PDF reads:
June 2012
Dear whatdotheyknow.com
Freedom of Information Request Reference No: FOI 69/12/13
I write in connection with your request for information received by the Norfolk Constabulary on the 14th May 2012 in which you sought access to the following information:
Please provide a breakdown per month, the number of:
A threats to life
B threats of bodily harm
which were reported to Norfolk Constabulary by members of the University of East Anglia Climatic Research Unit in the period 1st November 2009 to 30th April 2012, inclusive.
Response to your Request
Norfolk Constabulary were made aware of emails that had been received by a member of the staff at the University of East Anglia Climatic Research Unit. No specific complaint or report was made to the Constabulary and no crimes were recorded detailing threats to life or threats of bodily harm.
This response will be published on the Norfolk Constabulary’s web-site www.norfolk.police.uk under the Freedom of Information pages at Publication Scheme – Disclosure Logs.
================================================================
Bottom line: Phil Jones and UEA weren’t concerned enough with these “death threats” to bother filing a police report or complaint, but they sure talked it up in the press, just like the whiners at ANU and those supposed “death threats” that never materialized.
But when the police say:
No specific complaint or report was made to the Constabulary and no crimes were recorded detailing threats to life or threats of bodily harm.
It rather deflates the whole episode.
I’m sure David Appell will get right on this to prove otherwise.
Couple of things:
As a long time computer consultant, I’ve been “inside” a lot of shops and seen a lot of ways things can be set up. Often they are set up poorly, even in good shops. The worst are truly horrendous (and schools are often deliberately very open on security issues and often have “volunteer” or intern staff doing the work, not folks with 20 years’ experience. Though management often will have ‘time in grade’.)
Doing “Security Audits” of sites, I typically found SOME way in or SOME things left unsecured. It only takes one…
The argument that it took a lot of time to assemble the files misses the point that this looks like an archive being prepared BY the FOIA officer for the FOIA request (that was about to be canceled.) Whoever pulled the data off, had to pull down a large block of data, but not select or assemble it.
On the question of “inside job”: You can’t know and can’t even speculate well. It is common practice (though a bad one) to have an internal backup server that pulls backups from the remote / outside the firewall machines. These programs often run as ‘root’ to be able to read all data files. So a machine behind a modest firewall issues a remote “run FOO as root” command. A simple hack is to replace “FOO” with your desired code (that then grants you root access on that box). It then also copies data back to a machine inside the firewall – that gives an open pipe to swim up… Depending on just how tight it is, and how secured the machine at the other end, you may or may not have relatively easy access. Anyone remember the “Internet Worm” from the ’80s? Didn’t even need that much access to break in (and it is now 1/4 century old kit…)
I’d guess that the root kit on the external server let the hack reach back through the firewall and crack into the box doing the backups. Then you just have a nice little look around… Find a FOIA request archive and suck it out.
Yes, it could be ‘inside push’ with distractors; but nearly as easily (and via known methods of exploit) it could be a “crack the external server swim up the backup pipe / code”. (In sites I’ve audited, I’ve recommended a dedicated backup system for boxes outside the firewall or in the DMZ. It’s just too easy to have a firewall rule that says something like “Root allowed from that box” or “Backserve ID allowed” and then all your security hangs on the outside box.) Yes, there are ways to do remote backup safely; but they are often not what is done.
Furthermore, I’d speculate that the FOIA file was to be put onto that external server for distribution (if the request were approved). In that case, there may well have been a variety of “fetch” scripts on the box for shuttling things back and forth from inside to outside. (Too many times I’ve seen that). Now a compromise of the external box lets you ‘go fish’ in ‘the usual directories’ to see what might be there…
Heck, I’ve even had to argue with folks a dozen times about NOT “dual homing” external servers. LOTS of folks have Email, Backup, FTP, HTTP, etc. servers that have a DMZ or Public interface AND a NIC plugged into the private side “for administration”. Yes, you really do need to explain to folks that this makes their firewall kind of pointless as EVERY dual homed box is now “the weakest link”… So given how often I’ve seen this, it could simply be that the “internal backup server” had one NIC on the internal side and one on the external side…
In an ideal shop, none of that would be done. In The Real World, it is more often than not done that way.
And all that is before you get to more unusual approaches… At one site I had someone set up a wireless access point in their office. In one moment they made the entire corporate network accessible to anyone in a large area around that building… A corporate network that spanned several places in the State and a couple of foreign offices… So it could simply be someone leaving wireless bridging turned on in their office anywhere on the network, and someone wanders in, compromises a boundary box and drops some holes in it; then later comes in from remote using the holes.
So while you can speculate on “who might have done it”, without the logs and data you are just making up fairy tales… I see no evidence for making the odds anything other than 50/50 for inside vs outside (at this time).
Oh, and ‘backup servers’ are often left in states of lower vigilance than regular production servers. That they say a ‘series of remote attacks’ implies to me that they have a log file showing several attacks that eventually make it in. That, then, implies that the site did not have enough ‘tripwires’ and ‘early warning’ gizmos to raise an alarm on first intrusion attempts.
A decent “Honey Pot” with LOTS of intrusion detection modifications would catch that… (We would make ‘custom code’ for all the shells and most of the ‘navigation’ commands (things like ls and cd that let you look around or move) and if you ran them as root but had not set a magic cookie via a secret method, it would page staff and light up monitors… Caught a lot of attempted intrusions at a very early stage that way.) BUT, you must be willing to write some hidden code yourself… and have a custom OS built…
So absent indications to the contrary (i.e. Real Data and Logs) we can’t choose between “bad security” and “high class attack” and “inside help”. Best we have is that the posting makes it look like the break-in took some time, and that argues for ‘not an insider’ (or a very, very clever one who knew they could try for a while and not set off any alarms…)
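The root-without-a-cookie tripwire the comment above describes, written out as an added illustration (this is not the commenter’s code, and the wrapper path, cookie file, default cookie value and log path are placeholders):

```shell
#!/bin/sh
# Added illustration (not the commenter's code): a wrapper placed in front of a
# "navigation" command such as ls. Run as root without a pre-set secret cookie it
# records an alarm, then runs the real command so nothing looks different to the
# intruder. Paths and the default cookie value below are placeholders.

REAL_BIN="/bin/ls"
COOKIE_FILE="${TRIPWIRE_COOKIE_FILE:-/var/run/ops.cookie}"      # root-only, mode 0600
EXPECTED_COOKIE="${TRIPWIRE_COOKIE:-placeholder-secret}"       # set out of band
ALERT_LOG="${TRIPWIRE_ALERT_LOG:-/tmp/tripwire-alerts.log}"

# should_trip UID COOKIE: succeeds (exit 0) when the call should raise an alarm.
# Unprivileged use is ignored; a matching cookie marks a known operator.
should_trip() {
    uid="$1"; cookie="$2"
    [ "$uid" -eq 0 ] || return 1
    [ "$cookie" = "$EXPECTED_COOKIE" ] && return 1
    return 0
}

# alert_line UID TTY ARGS...: the one log line written for an alarm.
alert_line() {
    uid="$1"; tty="$2"; shift 2
    printf 'ALERT ts=%s uid=%s tty=%s cmd=%s args=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$uid" "$tty" \
        "$(basename "$REAL_BIN")" "$*"
}

# tripwire_main ARGS...: wrapper entry point. Read the cookie file if present,
# decide, log, then hand over to the real binary. A deployment would also page
# staff from here; install the file ahead of /bin in root's PATH and end it with
# a line that calls: tripwire_main "$@"
tripwire_main() {
    cookie=""
    uid="$(id -u)"
    tty="$(tty 2>/dev/null || echo none)"
    [ -r "$COOKIE_FILE" ] && cookie="$(head -n 1 "$COOKIE_FILE")"
    if should_trip "$uid" "$cookie"; then
        alert_line "$uid" "$tty" "$@" >> "$ALERT_LOG"
    fi
    exec "$REAL_BIN" "$@"
}
```

The cookie file must be readable by root only and set through a channel the wrapped commands never touch, otherwise an intruder who has already reached root can read or plant it.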