International Journal of Inactivism (now supplanted by Decoding SwiftHack)

2009/12/04

What we know about the CRU attacker, part 3.2: the 3 odd files

Filed under: Climatic Research Unit crack — stepanovich @ 13:48

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 3.2: the 3 odd files. Intl. J. Inact., 2:104–105]

Regarding the cyber-attack on the Climatic Research Unit of UEA: recall I mentioned that the .zip file of the cracked material contains 3 files which don’t give a -0400 or -0500 time zone. Well, here are the details of the 3 files (and some other files in their vicinity within the .zip):

local-mtime 1991-06-03,12:04:28  gm-mtime 1991-06-03,16:04:28  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/_00401.rw
local-mtime 1991-06-03,12:12:42  gm-mtime 1991-06-03,16:12:42  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/b00421.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:16:46  gm-atime 2009-09-30,02:12:17
  [ tz -0016 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00311.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:38:26  gm-atime 2009-09-30,02:12:17
  [ tz -0038 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00321.rw
local-mtime 1980-01-01,00:00:00  gm-mtime 1980-01-01,00:43:36  gm-atime 2009-09-30,02:12:17
  [ tz -0044 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00331.rw
local-mtime 1991-06-03,06:15:02  gm-mtime 1991-06-03,10:15:02  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00341.rw
local-mtime 1991-06-03,06:41:52  gm-mtime 1991-06-03,10:41:52  gm-atime 2009-09-30,02:12:17
  [ tz -0400 ]  uid 1002  gid 1002
  name FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/l00351.rw

The odd thing about the timestamps of the three files is that the modification times as local times (local-mtime) and the modification times as UTC times (gm-mtime) don’t seem to match up, no matter how one cuts it. I can’t figure out a good explanation for this that doesn’t involve the cracker messing directly with the .zip file format to doctor the timestamps.

Well, maybe the cracker did mess directly with the .zip format after all — in that case, it’ll mean that the time stamps on all the files are much less reliable indicators of actual file access times than I had thought. And even then, it still raises the question of why the cracker would want to do this. Why have these 3 timestamps stand out? What’s the significance of the time values 00:16:46, 00:38:26, and 00:43:36?


12 Comments »

  1. This is only half of what you need to be doing. You need to contact folks at CRU and get the original timestamps of the files, and compare them to the timestamps in the .zip file.
    Also – it seems strange that the attacker would bother modifying the format of the zip file itself. If he wanted misleading timestamps, there are far easier ways to make them – e.g. touch -t the files on any unix box, just before creating the archives.

    Comment by llewelly — 2009/12/05 @ 03:15 | Reply

    • Tried looking up http://www.cru.uea.ac.uk, but couldn’t find their contact information — it seems they’ve now taken down their entire web site and directed all links to a page on the university-wide http://www.uea.ac.uk giving announcements on the cyber-attack. Ugh ugh ugh…

      I wonder if I should now try to contact CRU through a university-wide e-mail address…

      If he wanted misleading timestamps, there are far easier ways to make them — e.g. touch -t the files on any unix box, just before creating the archives.

      I think this is what happened with the e-mail files (and possibly the other code and data files too). It’s only the 3 particular files which are especially weird.

      Comment by frankbi — 2009/12/05 @ 04:02 | Reply

    • Meanwhile, I’ve sent the question about these files to RealClimate.

      Comment by frankbi — 2009/12/05 @ 09:22 | Reply

  2. It ain’t the most credible source, but does this add anything new to the picture? (Stumbled upon it via the more credible Scholars and Rogues.)

    Comment by Brian D — 2009/12/06 @ 17:45 | Reply

    • does this add anything new to the picture?

      I’m highly doubtful. Given that the article’s ‘facts’ about the CRU e-mails are crud, I’ll not be very inclined to take its word for it when it talks about Tomsk and Siberia and Russia.

      Comment by frankbi — 2009/12/07 @ 11:52 | Reply

  3. What's the content of the three anomalous files?

    Comment by bigcitylib — 2009/12/10 @ 11:46 | Reply

    • I’ve not looked at the contents, but maybe someone else has.

      Comment by frankbi — 2009/12/10 @ 12:05 | Reply

  4. Frank,

    The explanation for these three files is simple enough. If you look at the UTC timestamp, and convert, you will notice that the mtime in EST is pre-Jan-1-1980, which is the earliest time that can be stored in the MS-DOS time field used to store the local mod time in the zip file format. So Info-Zip has just set the local mtime to the earliest time possible.

    The file is perfectly consistent with one created by Info-Zip ZIP, version 2.3x, on a Unix or Unix-like operating system. (There’s an outside chance it was created with zip from Cygwin on Windows, but given that the UID/GID fields are equal, I don’t think that’s likely.)

    Comment by Jason Petry — 2009/12/12 @ 19:13 | Reply
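As an added illustration of the explanation in Jason Petry's comment (this is example code written for this page, not anything from Info-ZIP or the original post): the script below models how the MS-DOS date/time field in a zip entry is derived from the Unix mtime, replays the seven entries from the listing above, and flags the three whose local time sits on the 1980-01-01 floor, where the "implied time zone" is meaningless. The ENTRIES table is transcribed from the post; the -0400 zone is the assumption the post itself makes.

```python
from datetime import datetime, timedelta

# Transcribed from the listing in the post: (name, local-mtime from the MS-DOS
# field, gm-mtime from the Info-ZIP Unix extra field).
ENTRIES = [
    ("_00401.rw", "1991-06-03,12:04:28", "1991-06-03,16:04:28"),
    ("b00421.rw", "1991-06-03,12:12:42", "1991-06-03,16:12:42"),
    ("l00311.rw", "1980-01-01,00:00:00", "1980-01-01,00:16:46"),
    ("l00321.rw", "1980-01-01,00:00:00", "1980-01-01,00:38:26"),
    ("l00331.rw", "1980-01-01,00:00:00", "1980-01-01,00:43:36"),
    ("l00341.rw", "1991-06-03,06:15:02", "1991-06-03,10:15:02"),
    ("l00351.rw", "1991-06-03,06:41:52", "1991-06-03,10:41:52"),
]
DOS_EPOCH = datetime(1980, 1, 1)  # earliest value the MS-DOS date/time field can hold
FMT = "%Y-%m-%d,%H:%M:%S"


def dos_local_time(gm_mtime, tz_offset):
    """Model of what the archiver stores in the MS-DOS field: the mtime as local
    time, floored at 1980-01-01 00:00:00 and truncated to even seconds (the
    field only has 2-second resolution). This is a model, not Info-ZIP's code."""
    local = gm_mtime + tz_offset
    if local < DOS_EPOCH:
        return DOS_EPOCH
    return local.replace(second=local.second - local.second % 2)


def implied_offset(local_mtime, gm_mtime):
    """Return (offset, clamped): offset is the apparent zone of the archiving
    host (local minus UTC); clamped is True when the DOS field sits on the
    1980 floor, in which case the offset carries no information."""
    return local_mtime - gm_mtime, local_mtime == DOS_EPOCH


def analyse(entries, assumed_tz=timedelta(hours=-4)):
    """For each entry: (name, implied offset, clamped?, consistent with assumed_tz?)."""
    rows = []
    for name, loc, gm in entries:
        local_mtime = datetime.strptime(loc, FMT)
        gm_mtime = datetime.strptime(gm, FMT)
        offset, clamped = implied_offset(local_mtime, gm_mtime)
        consistent = dos_local_time(gm_mtime, assumed_tz) == local_mtime
        rows.append((name, offset, clamped, consistent))
    return rows


if __name__ == "__main__":
    for name, offset, clamped, ok in analyse(ENTRIES):
        print(f"{name:10} offset={offset!s:>18} clamped={clamped!s:5} consistent_with_-0400={ok}")
```

All seven entries, including the three "odd" ones, come out consistent with a -0400 host once the 1980 floor is modelled, which is the point of the comment above.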

    • If you look at the UTC timestamp, and convert, you will notice that the mtime in EST is pre-Jan-1-1980, which is the earliest time that can be stored in the MS-DOS time field used to store the local mod time in the zip file format. So Info-Zip has just set the local mtime to the earliest time possible.

      Aha! You’re a genius! 🙂

      (There’s an outside chance it was created with zip from Cygwin on Windows, but given that the UID/GID fields are equal, I don’t think that’s likely.)

      Hmm…

      Comment by frankbi — 2009/12/12 @ 19:57 | Reply

      • Not so much a genius as I’ve got some experience/training doing digital forensics. And I’m sorry I was a little elliptical in my comment about Cygwin; it’s not really important though. All the files in the archive have UID=1002 and GID=1002. But Cygwin, by default, uses NT security RIDs for UIDs and GIDs. The point being that under Unix, UIDs and GIDs are taken from independent number spaces, and they can be (and often are) identical. Under NT, group numbers and user numbers come from the same number space, and so are never identical, unless someone has gone to a great deal of trouble to reconfigure Cygwin.

        Comment by J Petry — 2009/12/12 @ 22:38 | Reply

    • On RedHat Linux by default you get the same UID/GID, e.g. if you create user John, RH will create a group with the same name John and same GID.

      Also the guys are talking about the files/emails as if they are authentic but misunderstood, see http://www.washingtonpost.com/wp-dyn/content/article/2009/12/17/AR2009121703682.html

      Cheers, don’t think too much!

      Comment by freek — 2009/12/19 @ 21:29 | Reply

      • On RedHat Linux by default you get the same UID/GID, e.g. if you create user John, RH will create a group with the same name John and same GID.

        Hmm. But there may be other varieties of Linux (and Unix) that also have gid = uid by default.

        Cheers, don’t think too much!

        Thanks. Actually I’m more worried about thinking in the wrong directions. 🙂

        Comment by frankbi — 2009/12/20 @ 12:54 | Reply

