(UPDATED) PMO: Do you think it's easy to secure a mailing list?

by kadyomalley on Sunday, September 21, 2008 5:59pm - 65 Comments

The following email turned up in my mailbox earlier today, but I didn’t actually get around to opening it until I was alerted to the contents by a clearly-far-more-vigilant-than-me-on-a-Sunday ITQ reader, who is also subscribed to the PMO media distribution list, and was somewhat distressed by the contents:

from Stephen Harper <pm@pm.gc.ca>
to ALLNEWS_E@lserv.pmo-cpm.gc.ca
date Sun, Sep 21, 2008 at 3:34 PM
subject Why you shouldn’t fear me

Hi The Average Canadian,

Stephen Harper wanted to tell you…

My name is Stephen Harper. I am an ALBERTAN, here me roar! My goal is to make Canada America’s 51st state and destroy health care that all Canadians cherish by infusing my propaganda with hard core ad hominem attacks. Please vote for me, because if you do, I promise you’ll be able to vote for McCain 2012!

We are a tar sands level party, not a grass roots party. We consider anything with the word \”Green\” offensive, except for the almighty American dollar, which we hope to be able to implement in the coming months! We shall first have to make sure that American and Canadian jelly beans have the same standards, and then we shall proceed.

I hope everyone has a great weekend,

Take care,

Stephen \”I can lead you to Hell but not back\” Harper

If you agree click here.

Now, the link may go to a site owned and operated by the Conservative Party — good ole Oily the Splot’s domain of willyoubetricked.ca — but the rest of the email makes it pretty clear that this email was not sent out by the Prime Minister’s Office — or even the party.

Instead, it appears to be the work of a politically-attuned prankster who – it seems – took advantage of a security hole that allowed a non-authorized client to send out a message on the media listserv.  But who? I’ve included the full headers under the jump for anyone who wants to play IP detective – feel free to leave your theories in the comments.

UPDATE: Well, this is — I don’t exactly know what this is, actually. “Odd” doesn’t seem to go nearly far enough these days. Anyway, a cursory googling turns up this intriguing tidbit, which may just be coincidence, but could also be a genuine clue: the same trick seems to have been used to send out (obviously fake) email from Stephane Dion earlier this year — email that also, curiously, directed recipients to the Oily the Splot site.

UPDATEDIER: Stephen Taylor, who is far less amused than ITQ, was also far swifter to determine that it was actually the willyoubetricked.ca website that was used to spoof the headers through its remailer service, which, sadly, has now been taken offline; memories of notaleader.coms past, anyone?  Anyway, what I find remarkable is the fact that the media listserv was – in fact, may still be – free for the spamming by anyone who knew the main address, which really doesn’t speak well of the mad sendmail skillz of whoever set it up in the first place. Someone taking advantage of that gaping security hole to send out a fake email from “Stephen Harper”? Not all that shocking. In fact, I’m surprised it hasn’t happened before.

Full headers below:

Delivered-To: kady.omalley@gmail.com
Received: by 10.67.98.12 with SMTP id a12cs203552ugm;
Sun, 21 Sep 2008 12:51:27 -0700 (PDT)
Received: by 10.65.112.18 with SMTP id p18mr5404936qbm.38.1222026686234;
Sun, 21 Sep 2008 12:51:26 -0700 (PDT)
Return-Path:
Received: from SNETMAILER.s.net ([198.103.112.201])
by mx.google.com with ESMTP id s35si4296924qbs.13.2008.09.21.12.49.16;
Sun, 21 Sep 2008 12:51:26 -0700 (PDT)
Received-SPF: neutral (google.com: 198.103.112.201 is neither permitted nor denied by best guess record for domain of owner-allnews_e@lserv.pmo-cpm.gc.ca) client-ip=198.103.112.201;
Authentication-Results: mx.google.com; spf=neutral (google.com: 198.103.112.201 is neither permitted nor denied by best guess record for domain of owner-allnews_e@lserv.pmo-cpm.gc.ca) smtp.mail=owner-allnews_e@lserv.pmo-cpm.gc.ca
Received: from LSERV ([172.27.252.59]) by SNETMAILER.s.net with InterScan Message Security Suite; Sun, 21 Sep 2008 15:48:47 -0400
Received: by LSERV.PMO-CPM.GC.CA (LISTSERV-TCP/IP release 15.5) with spool id
24569 for ALLNEWS_E@LSERV.PMO-CPM.GC.CA; Sun, 21 Sep 2008 15:34:58
-0400
Received: from [172.27.110.114] by LSERV.PMO-CPM.GC.CA (SMTPL release 1.0w)
with TCP; Sun, 21 Sep 2008 15:34:58 -0400
Received: from qmail-cgi-norm-0.netfirms.com (60-m.netfirms.com
[38.113.189.60])by mxtreme2.pco.gc.ca (mxtreme2.pco.gc.ca) with SMTP
id A8230DA71Afor ; Sun, 21 Sep 2008
15:49:18 -0400 (EDT)
Received: (qmail 94677 invoked from network); 21 Sep 2008 19:34:54 -0000
Received: from unknown (10.8.8.2) by 0 with QMQP; 21 Sep 2008 19:34:54 -0000
X-IP: 142.161.178.253
X-URI: /reachout.php?task=sendmail
X-ID: 3011848
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-BTI-AntiSpam: score:14,sta:40/028,dcc:passed,dnsbl:passed,sw:passed,bsn:22
/passed,spf:none,dk:passed,pbmf:none,ipr:0/1,trusted:no,ts:no,bs:no,ubl:passed
Received-SPF: none
X-imss-version: 2.051
X-imss-result: Passed
X-imss-approveListMatch: pm@pm.gc.ca
Message-ID: <20080921193454.77052.qmail@cgi2>
Date: Sun, 21 Sep 2008 19:34:54 -0000
From: Stephen Harper
Subject: Why you shouldn’t fear me
To: ALLNEWS_E@LSERV.PMO-CPM.GC.CA
Precedence: list
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Owner:
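For anyone who wants to play IP detective with the headers above, here is an added example (my own code, not from the post or from the PMO): it walks the Received: chain earliest hop first and reports what a mail administrator would flag. The header excerpt is a re-folded subset of the headers quoted above; the function names and the `.gc.ca` "internal" suffix are my assumptions.

```python
import email
import email.utils
import re

# Relevant subset of the headers quoted above, re-folded with leading
# whitespace on continuation lines so Python's parser accepts them.
RAW_HEADERS = """\
Received: from LSERV ([172.27.252.59]) by SNETMAILER.s.net with InterScan Message Security Suite; Sun, 21 Sep 2008 15:48:47 -0400
Received: by LSERV.PMO-CPM.GC.CA (LISTSERV-TCP/IP release 15.5) with spool id
 24569 for ALLNEWS_E@LSERV.PMO-CPM.GC.CA; Sun, 21 Sep 2008 15:34:58 -0400
Received: from [172.27.110.114] by LSERV.PMO-CPM.GC.CA (SMTPL release 1.0w)
 with TCP; Sun, 21 Sep 2008 15:34:58 -0400
Received: from qmail-cgi-norm-0.netfirms.com (60-m.netfirms.com
 [38.113.189.60])by mxtreme2.pco.gc.ca (mxtreme2.pco.gc.ca) with SMTP
 id A8230DA71Afor ; Sun, 21 Sep 2008 15:49:18 -0400 (EDT)
Received: (qmail 94677 invoked from network); 21 Sep 2008 19:34:54 -0000
Received: from unknown (10.8.8.2) by 0 with QMQP; 21 Sep 2008 19:34:54 -0000
X-URI: /reachout.php?task=sendmail
X-imss-approveListMatch: pm@pm.gc.ca
From: Stephen Harper <pm@pm.gc.ca>

"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def received_chain(raw):
    """(from_host, by_host) for each Received: header, earliest hop first.
    Each relay prepends its own Received: line, so header order is reversed
    to follow the path the message actually took."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        frm, by = FROM_RE.search(value), BY_RE.search(value)
        hops.append((frm.group(1) if frm else None, by.group(1) if by else None))
    return hops

def entry_point(raw, internal_suffix=".gc.ca"):
    """First hop accepted by a government relay: the host that handed the
    message into the internal mail system, and from there into the listserv."""
    for frm, by in received_chain(raw):
        if by and by.lower().endswith(internal_suffix):
            return frm, by
    return None

def spoof_indicators(raw, internal_suffix=".gc.ca"):
    """Defender's checklist: does the claimed sender match where the message
    really came from, and what did the gateway's approval actually test?"""
    msg = email.message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    findings = []
    entry = entry_point(raw, internal_suffix)
    if entry and not entry[0].lower().endswith(internal_suffix):
        findings.append(f"From claims {from_addr} but the message entered at "
                        f"{entry[1]} from external host {entry[0]}")
    if msg.get("X-URI"):
        findings.append("sent by a web CGI mailer, not a mail client: " + msg["X-URI"])
    if msg.get("X-imss-approveListMatch", "").lower() == from_addr.lower():
        findings.append("gateway approve-list matched on the forgeable From address alone")
    return findings
```

Run `spoof_indicators(RAW_HEADERS)` and all three findings come back: the listserv accepted the post because the From address was on its approve list, which is exactly the address a forger chooses.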

  • ci

    To the folks who are getting their shorts in a knot over the security implications of this prank, relax. Anyone who actually trusts directions that can affect health, security, or finances given in email that isn’t digitally signed clearly doesn’t understand how easy it is to spoof email addresses.

    The mailing list in question probably isn’t an open list and it’s probably configured so that only a limited number of people can post to it. However, anyone who understands how most list servers work would know that once you figure out the email address from which one can post, one can just spoof that email address and the list server will blithely accept it and distribute the spoofed message to all the subscribers. I’ll bet that’s what happened here.

    In one of the more popular list servers, Mailman, it’s dead easy to thwart that by expecting that the poster has to provide some secret key in the subject line in order for the message to get through. Mailman will strip out that secret key before forwarding the message out to the subscribers so it will remain a secret. Someone who manages to spoof the email address is presumably not going to know the key, and would not have any way of even knowing of the requirement for such a key, so even if they posted, the message would be either silently discarded, or it would be held for moderator approval.
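To make ci's point concrete, an added example (my own code, not Mailman's and not the PMO list's configuration): a toy list gateway with the two posting policies described above, an address-only allowlist that a forged From: satisfies, and a shared secret in the Subject: that is checked and then stripped before redistribution. The list, addresses, token and messages are constructed.

```python
import email
import email.utils
import hmac
import re

# Constructed stand-ins: the allowlisted poster and the list's shared secret.
ALLOWED_POSTERS = {"pm@pm.example"}
POST_TOKEN = "correct-horse-battery"
TOKEN_RE = re.compile(r"\s*\[post:([^\]]+)\]")

def sender_of(msg):
    """The bare address in From:, i.e. whatever the sender chose to write."""
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()

def accept_by_address(msg):
    """Weak policy (what ci says most list servers do): trust From: alone."""
    return sender_of(msg) in ALLOWED_POSTERS

def accept_by_token(msg):
    """Stronger policy: allowlisted From: *and* a shared secret in Subject:.
    Returns a copy to redistribute with the token removed, or None to hold
    the post for moderation. A forger who does not know the token, or does
    not know one is required, gets nowhere even with the right address."""
    if sender_of(msg) not in ALLOWED_POSTERS:
        return None
    m = TOKEN_RE.search(msg.get("Subject", ""))
    if not m or not hmac.compare_digest(m.group(1), POST_TOKEN):
        return None
    clean = email.message_from_string(msg.as_string())   # leave the input intact
    clean.replace_header("Subject", TOKEN_RE.sub("", msg["Subject"], count=1).strip())
    return clean

# Constructed messages: a forged post with a correct-looking From:, and a
# genuine post that also carries the token.
SPOOFED = email.message_from_string(
    "From: Stephen Harper <pm@pm.example>\n"
    "Subject: Why you shouldn't fear me\n\nPlease vote for me.\n")
GENUINE = email.message_from_string(
    "From: Stephen Harper <pm@pm.example>\n"
    "Subject: [post:correct-horse-battery] Media advisory\n\nItinerary attached.\n")

if __name__ == "__main__":
    print("address-only policy accepts forged post:", accept_by_address(SPOOFED))
    print("token policy accepts forged post:", accept_by_token(SPOOFED) is not None)
    print("token policy redistributes genuine post as:", accept_by_token(GENUINE)["Subject"])
```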

  • cf. GREEN PARTY INVOLVED?

    re:

    2nd hacked email about “Serbia-Kosovo = Canada-Quebec”, i.e. insult to Canadians’ intelligence…

    Now compare with this from FACEBOOK as of around March 28, 2008:

    Group Info Name: Serbian-Canadian Voting Alliance

    Type: Organizations – Political Organizations

    Description:

    In light of the Government of Canada’s decision to recognise the illegal and unilateral declaration of independence of Kosovo, and the Government of Canada’s refusal to consider views of 200,000 Serbian-Canadians, in addition to the large Russian, Greek, Ukrainian communities and others, this group has been created for the following purposes:

    I) To help depose the current Conservative Government of Stephen Harper which has recognized Kosovo’s illegal declaration of independence

    II) Further weaken the Liberal Opposition Party of Stephane Dion who is also for recognition

    This will be done in the following ways:

    I) By recruiting as many voters as possible to vote for the Green Party in the next federal election, who do not presently have any seats in the House of Commons. This will give a strong message to the Canadian government that they cannot easily ignore us.

    II) By recruiting new candidates who will run for the Green Party or be independent and who do NOT support the Government of Canada’s decision which recognises Kosovo

    Contact Info

    City/Town: Ottawa, ON

  • Media, Stop silence on Threats from LIBs

    1) Saturday Sept 6, 30 hrs before Elections officially called,

    Globe and Mail story
    “Fearing Harper could win a majority, rivals sound early alarm”,
    by CAMPBELL CLARK AND DANIEL LEBLANC,

    Lots of Comments, new posters supporting elections being called, H., CPC, …

    Then Liberano threats started, such as:

    Vern McPherson [long time, well-known Lib commenter there]:

    harper isn’t much more than … …
    And know wht ??
    The bully/control freak is going to get his……….. like all bullys do …… ‘

    06/09/08 at 5:32 AM

    Then, e.g., this one appeared:

    Mrs Patrick Campbell from United States:

    Harper is a shitstain. I hope he gets cancer and dies.

    06/09/08 at 9:44 AM

    Then suddenly – all 364 comments gone, blog closed. Here is file with comments up to 9:52 AM (including above):
    http://www.keepandshare.com/doc/view.php?id=788410&da=y

    2)

    Best to bomb the other party’s weakest link

    Sep 07, 2008, Angelo Persichilli, Toronto Star

    http://www.thestar.com/comment/article/491830

    … If you are weaker than the opponent and are forced to go to war, you resort to the weapons you have.

    You don’t attack the bridge with Stealth bombers you don’t own;

    you resort to suicide bombers against the strongest link in the enemy’s ‘chain’ hoping for the best. ….

    Conservatives don’t have ‘Roman guards,’ as the Liberals called those around former prime minister Jean Chrétien, to protect Harper.

    If Conservatives don’t devise a mechanism to protect him
    from the Liberal suicide bombers, the next election will be the most unpredictable we have had in the last few decades …
    . . .
    =========

    [note the absence of 'figuratively speaking' single quotation marks ...]

  • Ben Hicks

    Now that’s a mission statement I can get behind!After weeks on the fence, I’m totally voting Conservative.

    Palin/Harper 2016!

  • http://www.macleans.ca Kady O’Malley

    CI – I sort of almost wish someone had tested that theory and sent something to the list from a non-pm.gc.ca address. (For a moment, I actually considered doing it myself via a secure anon remailer, purely as an investigative journalist-y experiment, but then realized that I can serve my craft far better outside the deepest, darkest reaches of the Langevin dungeons.) I’m assuming that by now, the list has been locked down.

  • Pingback: Law and Order: PMO Mailing List Unit : Capital Read : Inside the Queensway : Macleans.ca Blog Central

  • http://www.arsimpulsum.blogspot.com Miss Marlene

Hi Kady,
Not sure if this will help. I did a whois lookup on that IP address. It’s an older IPv4 assigned internet protocol. You’ll see that the IP block is reserved for ‘special purposes’, but that doesn’t mean this email came from IANA; they only administer the addresses. (This link http://iana.org/assignments/ipv4-address-space/
takes you to the names of organizations with special assignments.) You can contact IANA to find out, perhaps; their phone number is below.

    Here’s what ARIN had to say:

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 10.0.0.0 – 10.255.255.255
    CIDR: 10.0.0.0/8
    NetName: RESERVED-10
    NetHandle: NET-10-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information:
    Comment: http://www.arin.net/reference/rfc/rfc1918.txt
    RegDate:
    Updated: 2007-11-27

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org

    # ARIN WHOIS database, last updated 2008-09-21 19:10
    # Enter ? for additional hints on searching ARIN’s WHOIS database.

  • http://www.arsimpulsum.blogspot.com Miss Marlene

Kady,
Sorry, I entered the wrong IP: I put in the received IP, not the sent one. But ARIN can be contacted at noc@arin.net

It came from the Privy Council (obviously), whatever Privy Council 3 means.

    GTIS NETBLK-CDAGOVN-C (NET-198-103-0-0-1)
    198.103.0.0 – 198.103.255.255
    Privy Council Office PRIVY-COUNCIL-3 (NET-198-103-112-0-1)
    198.103.112.0 – 198.103.112.255

    # ARIN WHOIS database, last updated 2008-09-21 19:10
    # Enter ? for additional hints on searching ARIN’s WHOIS database.

  • http://www.abandonedstuff.com/ saskboy

Heh, I didn’t even notice my post was linked to in the update until this morning when I had hits coming from MacLeans!
I was out having fun last night and didn’t have time to do techy research into this. But there are capable bloggers on the trail, along with the ‘spies that shall not be named’ apparently too. Too cool.

  • http://streetadvisorconsulting.blogspot.com Mark-Alan Whittle

According to Jared at MTS, they have identified the suspect but will not reveal his identity until forced to by a court order. Shouldn’t take too long, I imagine. Some poor lefty slob is about to have his day completely ruined when the RCMP come knocking at his door and confiscate his computer. This guy is in deep doo-doo.

  • ci

    Kady – Point of clarification: you just need to create a personality/profile/identity, depending on what your email client calls it, purporting to be “Stephen Harper ” in order to be able to play all sorts of pranks on those who would expect or welcome a message from the PM. If a reporter received an email from the PM inviting them to 24 Sussex for an exclusive interview, or some other equally plausible thing, how would they know that it’s legit and not the result of some prank?

We’ve all seen spam where the “From” address is an address we recognize, sometimes even our own. Clearly, it doesn’t take much to spoof an email address.

    This “attack” was not a work of great genius and it did not require any technical skills beyond the abilities of a capable 14 year-old. If someone is apprehended, it will be interesting to see what, if any, charges are laid.

    Personally, I cannot see political opponents from any of the parties doing something like this. There is no “win” in this for political opponents and anyone with even half a brain could tell the message was a spoof. It’s more likely just a prank rather than an action intended to gain political advantage, though it could be a misguided supporter of one of the political opponents of the Conservatives.

    Either the author of the message was deliberately trying to come across as an adolescent or it is really an adolescent with the poor writing skills that is all-too-common amongst the youth of today, viz, “here me roar”. I found the escaping of the double quotes with backslashes to be interesting. I wonder if that is what was really sent in the original message or if the backslashes were added along the way. If they were in the original, it suggests someone with just enough tech skills to be dangerous. Normally, one would never have to worry about escaping punctuation in email messages.

    If there is a lesson in all this, it should be that we all need to start using strong cryptography to digitally sign messages. That is the only way to establish the true identity of the sender. If we became accustomed to receiving only digitally signed messages, anything that wasn’t would be suspect by default.

  • Liz

    ci brings clarity.

    Pity. All his contributors’ money Harper has spent on attacking opponents, and pennies spent on his own flanks, and on protecting the people Harper maintains an email list of.

Sad sort of economics Harper’s got. Seems like he thinks burning people is almost as good as getting their cold hard cash. Not enough cash to use a secure list to protect the donor’s, supporter’s, or mere correspondent’s identity.

    Do you think it is easy to make priorities?

    Apparently not for Harper, since his email list is now likely all over the WWW. And it’s no fault but his own.

If Harper can’t handle 20th century technology, how badly is he gonna blow up in the 21st?

    You’ve got mail!

  • http://www.arsimpulsum.blogspot.com Miss Marlene

Mark Allan Whittle, what are you talking about? That BS might go over well with the Hamilton Spectator or CH News, but some outside of Hamilton have a small bit of intelligence.

It takes one person amongst thousands who thinks they’re clever enough to ping an IP address and get a spoofing program to change the packet info on the TCP/IP protocol from that Privy Council email server. According to IT security specialists, it’s a loophole in the older version 4.

According to the G&M, the PM asked the ‘spooks’ to see if there ‘might’ be a way to access their server, but the G&M used language that indicated an ‘investigation’, not that there was one. That’s probably their own hype.

There’s a difference between email spoofing on the outside of an organization’s network, which isn’t illegal (unless they are asking for money or your credit card info), and access to internal servers from the outside with malicious intent, which is. That’s something the Privy Council’s IT specialists would be investigating themselves.

There is no way in hell I’ll believe the IT security people within the Privy Council Office would leave themselves that vulnerable and not put in spoof filters.

  • Pingback: Stephen Harper’s email hacked | Blog

  • ci

    Why is it that people have a tendency to go to unlikely scenarios first before considering more likely ones? This is *very* unlikely to be a sophisticated hack. This is much more likely the work of a prankster who found out the address of an account that could post to the list server in question, which if it is configured like most list servers, is not hard to do. The people who are fulminating about “nation at war”, etc. need to keep in mind the value of the information disseminated on that list. With no disrespect to journalists, the information that would be posted to that list I presume would amount to PR and not of great value. That is hardly the stuff of state secrets. What was compromised here? Not much. Sure, it embarrassed some people but there was no real harm done. Prior to this incident, expending any great effort in securing this list would have been akin to putting high-security locks on an outhouse. Even now, I wouldn’t take the same measures to protect the integrity of this list as say, securing the communications of the Minister of Finance. A cardinal rule of security is that you take measures commensurate with the value of the assets being protected. This is why most of us live in homes “protected” by locks and not in fortified bunkers.

    If this happens again, those of you who are carrying on over the national security implications of this incident will have some justification for your feigned or real outrage.

From Macleans