(UPDATED) PMO: Do you think it's easy to secure a mailing list?

by kadyomalley on Sunday, September 21, 2008 5:59pm - 65 Comments

The following email turned up in my mailbox earlier today, but I didn’t actually get around to opening it until I was alerted to the contents by a clearly-far-more-vigilant-than-me-on-a-Sunday ITQ reader, who is also subscribed to the PMO media distribution list, and was somewhat distressed by the contents:

from Stephen Harper <pm@pm.gc.ca>
to ALLNEWS_E@lserv.pmo-cpm.gc.ca
date Sun, Sep 21, 2008 at 3:34 PM
subject Why you shouldn’t fear me

Hi The Average Canadian,

Stephen Harper wanted to tell you…

My name is Stephen Harper. I am an ALBERTAN, hear me roar! My goal is to make Canada America’s 51st state and destroy health care that all Canadians cherish by infusing my propaganda with hard core ad hominem attacks. Please vote for me, because if you do, I promise you’ll be able to vote for McCain 2012!

We are a tar sands level party, not a grass roots party. We consider anything with the word “Green” offensive, except for the almighty American dollar, which we hope to be able to implement in the coming months! We shall first have to make sure that American and Canadian jelly beans have the same standards, and then we shall proceed.

I hope everyone has a great weekend,

Take care,

Stephen “I can lead you to Hell but not back” Harper

If you agree click here.

Now, the link may go to a site owned and operated by the Conservative Party — good ole Oily the Splot’s domain of willyoubetricked.ca — but the rest of the email makes it pretty clear that this email was not sent out by the Prime Minister’s Office — or even the party.

Instead, it appears to be the work of a politically-attuned prankster who – it seems – took advantage of a security hole that allowed a non-authorized client to send out a message on the media listserv. But who? I’ve included the full headers under the jump for anyone who wants to play IP detective – feel free to leave your theories in the comments.

UPDATE: Well, this is — I don’t exactly know what this is, actually. “Odd” doesn’t seem to go nearly far enough these days. Anyway, a cursory googling turns up this intriguing tidbit, which may just be coincidence, but could also be a genuine clue: the same trick seems to have been used to send out (obviously fake) email from Stephane Dion earlier this year — email that also, curiously, directed recipients to the Oily the Splot site.

UPDATEDIER: Stephen Taylor, who is far less amused than ITQ, was also far swifter to determine that it was actually the willyoubetricked.ca website that was used to spoof the headers through its remailer service, which, sadly, has now been taken offline; memories of notaleader.coms past, anyone? Anyway, what I find remarkable is the fact that the media listserv was – in fact, may still be – free for the spamming by anyone who knew the main address, which really doesn’t speak well of the mad sendmail skillz of whoever set it up in the first place. Someone taking advantage of that gaping security hole to send out a fake email from “Stephen Harper”? Not all that shocking. In fact, I’m surprised it hasn’t happened before.

Full headers below:

Delivered-To: kady.omalley@gmail.com
Received: by 10.67.98.12 with SMTP id a12cs203552ugm;
Sun, 21 Sep 2008 12:51:27 -0700 (PDT)
Received: by 10.65.112.18 with SMTP id p18mr5404936qbm.38.1222026686234;
Sun, 21 Sep 2008 12:51:26 -0700 (PDT)
Return-Path:
Received: from SNETMAILER.s.net ([198.103.112.201])
by mx.google.com with ESMTP id s35si4296924qbs.13.2008.09.21.12.49.16;
Sun, 21 Sep 2008 12:51:26 -0700 (PDT)
Received-SPF: neutral (google.com: 198.103.112.201 is neither permitted nor denied by best guess record for domain of owner-allnews_e@lserv.pmo-cpm.gc.ca) client-ip=198.103.112.201;
Authentication-Results: mx.google.com; spf=neutral (google.com: 198.103.112.201 is neither permitted nor denied by best guess record for domain of owner-allnews_e@lserv.pmo-cpm.gc.ca) smtp.mail=owner-allnews_e@lserv.pmo-cpm.gc.ca
Received: from LSERV ([172.27.252.59]) by SNETMAILER.s.net with InterScan Message Security Suite; Sun, 21 Sep 2008 15:48:47 -0400
Received: by LSERV.PMO-CPM.GC.CA (LISTSERV-TCP/IP release 15.5) with spool id
24569 for ALLNEWS_E@LSERV.PMO-CPM.GC.CA; Sun, 21 Sep 2008 15:34:58
-0400
Received: from [172.27.110.114] by LSERV.PMO-CPM.GC.CA (SMTPL release 1.0w)
with TCP; Sun, 21 Sep 2008 15:34:58 -0400
Received: from qmail-cgi-norm-0.netfirms.com (60-m.netfirms.com
[38.113.189.60])by mxtreme2.pco.gc.ca (mxtreme2.pco.gc.ca) with SMTP
id A8230DA71Afor ; Sun, 21 Sep 2008
15:49:18 -0400 (EDT)
Received: (qmail 94677 invoked from network); 21 Sep 2008 19:34:54 -0000
Received: from unknown (10.8.8.2) by 0 with QMQP; 21 Sep 2008 19:34:54 -0000
X-IP: 142.161.178.253
X-URI: /reachout.php?task=sendmail
X-ID: 3011848
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-BTI-AntiSpam: score:14,sta:40/028,dcc:passed,dnsbl:passed,sw:passed,bsn:22
/passed,spf:none,dk:passed,pbmf:none,ipr:0/1,trusted:no,ts:no,bs:no,ubl:passed
Received-SPF: none
X-imss-version: 2.051
X-imss-result: Passed
X-imss-approveListMatch: pm@pm.gc.ca
Message-ID: <20080921193454.77052.qmail@cgi2>
Date: Sun, 21 Sep 2008 19:34:54 -0000
From: Stephen Harper
Subject: Why you shouldn’t fear me
To: ALLNEWS_E@LSERV.PMO-CPM.GC.CA
Precedence: list
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Owner:
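The headers above tell the story on their own once you read the Received chain from the bottom up: the message entered the government mail path at mxtreme2.pco.gc.ca from a netfirms.com host, the only SPF results are "none" and "neutral", and the only thing the gateway matched was the sender-supplied From line. The script below is an added example (it is not code from this post, from PMO, or from any of the mail products named in the headers) that walks that chain to find the entry relay, reports why the approve-list match proves nothing, and then models the list-posting setting discussed in the comments below. Assumptions: the headers are the ones printed above re-folded with leading whitespace so they unfold cleanly, with a few hops and the empty or cut-off fields left out; the meaning of X-imss-approveListMatch is inferred from its name and value; and the policy names "public" and "editor" are placeholders for whatever the real list software calls them.

```python
import re
from collections import namedtuple

# Sample: the Received chain and authentication headers printed in the post above,
# re-folded with leading whitespace on continuation lines so a header unfolder
# accepts them; a few hops and the fields the post shows empty or cut off are left out.
SAMPLE_HEADERS = """\
Received: from SNETMAILER.s.net ([198.103.112.201])
 by mx.google.com with ESMTP id s35si4296924qbs.13.2008.09.21.12.49.16;
 Sun, 21 Sep 2008 12:51:26 -0700 (PDT)
Received-SPF: neutral (google.com: 198.103.112.201 is neither permitted nor
 denied by best guess record for domain of owner-allnews_e@lserv.pmo-cpm.gc.ca)
 client-ip=198.103.112.201;
Received: from LSERV ([172.27.252.59]) by SNETMAILER.s.net with InterScan
 Message Security Suite; Sun, 21 Sep 2008 15:48:47 -0400
Received: from [172.27.110.114] by LSERV.PMO-CPM.GC.CA (SMTPL release 1.0w)
 with TCP; Sun, 21 Sep 2008 15:34:58 -0400
Received: from qmail-cgi-norm-0.netfirms.com (60-m.netfirms.com
 [38.113.189.60]) by mxtreme2.pco.gc.ca (mxtreme2.pco.gc.ca) with SMTP
 id A8230DA71A; Sun, 21 Sep 2008 15:49:18 -0400 (EDT)
Received: from unknown (10.8.8.2) by 0 with QMQP; 21 Sep 2008 19:34:54 -0000
Received-SPF: none
X-imss-approveListMatch: pm@pm.gc.ca
From: Stephen Harper <pm@pm.gc.ca>
To: ALLNEWS_E@LSERV.PMO-CPM.GC.CA
"""

Hop = namedtuple("Hop", "from_host from_ip by_host")  # one Received header
RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR = re.compile(r"<([^>]+)>|(\S+@\S+)")

def parse_headers(raw):
    """Unfold headers into ordered (name, value) pairs; leading whitespace continues a field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif line.strip():
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def header(fields, name):
    return [v for n, v in fields if n.lower() == name.lower()]

def parse_received(value):
    """Sending host, its address literal (if recorded) and the receiving relay."""
    from_host = from_ip = None
    m = RECEIVED_FROM.match(value)
    if m:
        from_host = m.group(1).strip("[]")
        ip = IPV4.search(m.group(0))  # literal may sit in the host or its comment
        from_ip = ip.group(1) if ip else None
    by = RECEIVED_BY.search(value)
    return Hop(from_host, from_ip, by.group(1) if by else None)

def received_chain(fields):
    """Hops oldest first: every relay prepends its own Received header."""
    return [parse_received(v) for n, v in reversed(fields) if n.lower() == "received"]

def first_hop_into(hops, suffix):
    """Earliest hop received under `suffix`: where the message entered that mail path."""
    return next((h for h in hops if h.by_host and h.by_host.lower().endswith(suffix)), None)

def assess(raw, org_suffix=".gc.ca"):
    """Defender's view: does the claimed sender survive contact with the headers?"""
    fields = parse_headers(raw)
    m = ADDR.search(header(fields, "From")[0])
    sender = (m.group(1) or m.group(2)).strip().lower()
    spf = [v.split()[0].lower() for v in header(fields, "Received-SPF")]
    entry = first_hop_into(received_chain(fields), org_suffix)
    approve = header(fields, "X-imss-approveListMatch")  # meaning inferred from its name
    findings = []
    if approve and approve[0].strip().lower() == sender:
        findings.append("gateway approve-list matched on the From header alone; "
                        "From is sender-supplied, so that is not authentication")
    if "pass" not in spf:
        findings.append(f"no SPF pass for {sender.split('@')[1]}; results {spf}")
    if entry and not (entry.from_host or "").lower().endswith(org_suffix):
        findings.append(f"entered {org_suffix} from external relay {entry.from_host} "
                        f"[{entry.from_ip}] while claiming to be {sender}")
    return {"sender": sender, "spf_results": spf, "findings": findings,
            "entry_relay": entry.from_host if entry else None,
            "entry_ip": entry.from_ip if entry else None,
            "sender_authenticated": "pass" in spf}

def should_distribute(assessment, send_policy, editors=()):
    """The list-posting knob (policy names assumed). 'public' relays anything addressed
    to the list, which is the setup the post describes; 'editor' relays only mail whose
    From is a designated editor AND whose domain actually authenticated."""
    if send_policy == "public":
        return True
    if send_policy == "editor":
        return assessment["sender"] in editors and assessment["sender_authenticated"]
    raise ValueError(f"unknown policy {send_policy!r}")

if __name__ == "__main__":
    result = assess(SAMPLE_HEADERS)
    print("\n".join("- " + f for f in result["findings"]))
    print("public list relays it:", should_distribute(result, "public"))
    print("editor-only list relays it:", should_distribute(result, "editor", editors=("pm@pm.gc.ca",)))
```

Run as-is, the script names 38.113.189.60 (60-m.netfirms.com) as the host that handed the message to mxtreme2.pco.gc.ca, lists three findings, and shows that the same message is relayed under an open posting policy but dropped under an editor-only one. Matching the From line against an approved address is exactly the check the gateway appears to have made, and it fails because From costs nothing to forge; the useful checks are whether the claimed domain authenticated (SPF pass, or DKIM where the domain signs) and whether the list accepts posts from anyone at all. In LISTSERV, the software named in the spool header above, the posting restriction is the Send= keyword in the list header (for instance Send= Editor or Send= Owner rather than Send= Public).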

  • Bryan

    I also received the same email, in addition to one on Kosovo’s independence, both from PMO’s office.

    Serbia’s Southern province of Kosovo declared independence in February 2008. Harper’s government recognized its independence. Does this lead to slowly accepting sovereignty for Quebec? Here’s why Canada must follow International Law, the UN Charter, UNSC Resolution 1244 and the Final Helsinki Act of 1975.

    concerned citizen

  • Mike

    Kady:

    “But who will look after the Protocols of the Elders of Zigiorno now?”

    Issue No. 200 of the Protocols was published on September 20, 1903 (Gregorian Calendar) in Znamya (the Banner). Bell’s new ads emphasize the ‘er’ in Banner.

    Coincidence? Cue theme music to the Twilight Zone with Carl Sagan.

  • http://www.macleans.ca Kady O’Malley

    Mike G: Sadly, I *am* that geeky. I have no excuse, and will now retire for the evening, head bowed in shame.

    MYL: Actually, neither was swiped, but from what I can see, the PMO email list was set up so that anyone could send to the general address – even without being subscribed to the list. Usually, one-way lists like that only accept messages from a specific address, and everything else is either automatically discarded, or held for moderation.

    It’s not clear whether this list required a (spoofed, in this case) pmo-cpm.gc.ca from: line to accept an email for distribution, but in this case, thanks to the de facto anon remailer provided by willyoubetricked.ca, whoever sent it out was able to do so from an apparently whitelisted domain. There’s something rather poetically just about that, considering that someone was using the same remailer to send fake email from “Stephane Dion” earlier this year.

  • madeyoulook

    Thank you for the geek consult, KO. So that means a “gc.ca” email address was “corrupted” in the sense that email that came from some hacking jackass had the “look” of a government message. That is NOT trivial.

  • http://www.macleans.ca Kady O’Malley

    Well, actually, what happened was that whoever filled in the sendmail form at willyoubetricked.ca just put “pm@pm.gc.ca” as his or her address, and as the recipient, the general distribution list for the PMO media list. A properly set up listserv would have rejected the email as coming from a non-regular address — since as far as I know, it doesn’t actually exist except as a receptacle for general delivery at PMO. It actually *is* fairly trivial, if only because it is so very avoidable with even the most cursory security checks in place.

  • madeyoulook

    Kady, sorry, I did not express myself well. I meant to imply that such a trivial (as in “easy”) hijacking of a legitimate media email list “from gc.ca” with a message that was not from the government body in question is not trivial (as in “bloody serious”): to government credibility, foreign policy interests, maybe even national security.

    If the PMO can allow jackass messages to sneak in and get distributed under its banner, how many other federal government email mailing lists could be hijacked in a similar manner?

    How do I get the CRA’s email list to announce that the December income tax instalment will be waived, for example? Maybe tomorrow the DND will bogusly announce with great regret the loss of a dozen soldiers in an Afghan ambush? Then Health Canada will tell all Canadians via its alert-to-media-on-the-mailing-list to stop drinking milk immediately because we’ve got even more melamine than the Chinese do?

    Sorry, I see this as serious. Auditor General, the RCMP, CSIS, the works. Am I missing something?

  • madeyoulook

    I just read Stephen Taylor’s blog post. He is unamused, as am I.

    The government needs to act at two levels, IMO. Federal “gc.ca” email / web security needs a major tightening up to prevent this jackassery in the first place, and the justice system needs to go to work on the jackass in question. And the Tories deserve a slap if a “public” submission from a partisan website of theirs was “permitted” to control a PMO gc.ca email server.

  • John D

    Moderate centrism has become the “new” conservatism,

    So the new conservatism is… Liberalism?

  • http://www.macleans.ca Kady O’Malley

    MYL – I would assume that most mailing lists are, in fact, secure from outside messages; really, that’s pretty basic, as far as list admin protocol. I’m on dozens of lists – as I’m sure most of us are – and have run my own as well; it’s the standard setup. Nobody runs open mailing lists for this very reason. The fact that the media list was left gaping like this is, quite simply, absurd. Whoever originally set up the list screwed up, and what’s amazing is that it has taken this long for anyone to notice.

    As for web-based mailers, the only way to secure them from this kind of abuse would be to require some sort of user authentication before allowing someone to send something out, which I suspect the admins at notaleader.com and – until tonight – willyoubetricked.ca – thought would discourage users from using it to alert their friends to the latest outrage perpetrated by Stephane Dion. (I’ve never really seen the point of them myself, and have never administered one, so I’m not sure if there’s an easy workaround to avoid these sorts of blowouts.)

  • madeyoulook

    Kady, I have failed to get you sufficiently worked up about this. The geeky stuff is interesting and all, but THE MESSAGE DELIVERY SYSTEM OF THE LEADER OF A G8 NATION, NATO PARTNER CURRENTLY AT WAR, WAS HIJACKED (at least) TWICE BY AN IMPOSTER.

    Am I the only one here, resident or visitor at macleans.ca, to think this is a big deal?

  • Austin So

    Considering all the “effort” that the Harper gov’t has made in trying to re-brand every single website in Tory blue (hmmm…I wonder how much that vanity is costing us…), it would not surprise me if security holes were left. After all, one only has to glance at the CPC website to see “quality” at work.

    Wasn’t it only a few months ago that personal information could be obtained from a recently revamped government website?

    Austin

  • madeyoulook

    There, caps lock. That oughta do it.

  • http://www.macleans.ca Kady O’Malley

    MYL – I’m sorry, I know I’m disappointingly sanguine about all this; it’s just that this particular hole is so very easy to fix that I can’t imagine it hasn’t been done already. It’s literally one parameter in the standard setup for a mailing list. It would take five minutes to change it, and then we can all sleep soundly.

  • madeyoulook

    (thoroughly deflated sigh)

    Do I need to bold, italicize AND all-caps it? The easy to fix part is nice. **But it was broken!** The Office of the Prime Minister of Canada! What do I gotta do to get the nerd out of you and get the national interest spark back in?

    And if the PMO’s email server had such an easy-to-fix breach, do you seriously believe no other federal department is at risk of the same sort of mischief? Or how damaging such mischief could be?

    If you tease me with a reply again, Lucy, please don’t pull the football away with a mere comment on the simplicity of the patch.

  • Austin So

    Sorry…it was passports in December 2007.

    Austin

  • john g

    Speaking of passports…get a load of the Globe’s/Canadian Press’ latest attempt to scrape a Tory scandal from the bottom of the scandal barrel by “outing” Peter Mackay…for the capital crime of treating 1000 government employees to lunch who were working over the weekend to get through the passport backlog.

    After about 100 comments all condemning the Globe for trying to create a scandal out of nothing, the Globe refreshed the story and wiped the comments. Got 100 new ones slamming them for wiping the first comments thread.
    http://www.theglobeandmail.com/servlet/story/RTGAM.20080921.wpassport0921/BNStory/National/home

    But then again what do I know, I’m the paranoid guy who thinks the media is out to get the Conservatives…

  • Stede Bonnet

    MYL – might I suggest you should direct your ire toward the appropriate, responsible persons and authorities?

    If there is incompetence here it has nothing to do with Kady. I’m certain she has more pressing things to do.

    [And when I say "pressing" anyone who even had the thought of shirts for Monday morning pass through their mind must surely be paid up Harper supporters and contributors?]

  • madeyoulook

    Sigh.

    Even when kody’s left-biased media could seize an opportunity to slam the Tories for a security breach in the PMO’s email server on gc.ca, no one bites? What gives?

    I suppose I am the only one who sees this as a big national deal. I will have to sleep on why that is.

  • cwe

    Hi! I just got back from Stephen Taylor’s blog, and boy, are my sides splitting! Lotsa talk about ‘they’ being desperate enough to do anything, which, besides this bit o’ e-mail mischief, includes (please everyone, make sure you’re seated) KNOCKING DOWN CONSERVATIVE CAMPAIGN SIGNS!
    And yet, not even one post with a suggestion along the lines of “Lighten up, it’s only a joke.” I nominate Kody. Seconder?

  • http://www.wart.ca Steve Wart

    Wow 44 comments on a spam message. You modern media bloggers do know that mail headers aren’t evidence of anything, right?

  • Jack Mitchell

    MYL, I hear you. Thankfully it was an obvious spoof, eh? But what if the prankster had been more malicious and sent out a regular-looking Press Release saying something like “PM Denounces Wall Street Bailout Strategy, Announces ‘The End of Capitalism’”? Or god knows what.

    Thank you, Prankster, for helping to preserve credit, world peace, etc.

    Meanwhile, would somebody please select whichever PMO staffer was responsible for setting up the listserv and frog-march them twice around Langevin?

  • madeyoulook

    Jack, thanks, man, I was worried I was losing it, being the only one to care about somebody stealing the message delivery apparatus of the PMO. Although that’s two threads where we have agreed more than disagreed. Are we both ok?

    Steve, it’s not that the headers mean nothing. All the bank phishing emails are obvious proof of that. This case has some jackass manipulating the listserv of the PMO to send out a message, ostensibly “from” the PMO, to the addresses on the listserv! It’s not a random plea from a Nigerian to any possible address. It’s crap wrapped in a virtual PMO envelope sent only to a PMO mailing list.

  • T. Thwim

    On the bright side, it was a PMO mailing list to the media, not, say, CSIS.

    On the scary side, what if it was a mailing suggesting that the PMO was supporting the UN Human Rights Council in calling Israel’s shelling of Beit Hazoun a war crime, and would be withdrawing our diplomats and closing our embassies there until reparations had been made?

  • Liz

    All Harper’s horses and all Harper’s men
    couldn’t find the leaker of Brody-gate.
    How much is the taxpayer on the hook
    For a fruitless search, again?

    Maybe someone got ahold of the database Harper uses to target people, or accessed the database of an MP using the constituent data-gathering protocol in use to figure out who to target.

    Harper calls the spooks in. What are the chances that the spooks will be able to spill the beans on any other data-capture or cyber-sleuthing tactics the Harper government uses? Just find the perp who stole Stephen Harper’s personality again, but get the court date set for tomorrow!

    Lame.

  • Tim

    Steve Wart: “You modern media bloggers do know that mail headers aren’t evidence of anything, right?”

    Well, if you’re talking prosecution, the server logs are the evidence.

    Anyway, I’d hardly want to call in the CSE geeks on this matter. It’s in-the-clear email. By its very nature, it’s insecure. If it was secure, we wouldn’t have phishing scams.

    A lot of this problem arises from the new regime outsourcing IT to their partisan buddies. Follow the money as always.

    Anyway, there are other networks that the government uses for secure communications, but if I told you about them, I’d have to kill you. :)

From Macleans