
Diagram showing how SwiftHack archive was created (as I understand it)

February 16th, 2010 (12:57 pm)

I've drawn a diagram that tries to summarize how the FOI2009.zip -- or, rather, FOIA.zip -- containing the cracked CRU e-mails and data was created, according to the information given in the posts and comments on this sub-blog and the old IJI blog. (Click for a larger version of the diagram.) It probably needs more work, so let me know what you think.

In the meantime, feel free to spread it around!

Update 2010-04-01: The link to IJI blog post category has been updated.

Comments

Posted by: ((Anonymous))
Posted at: February 16th, 2010 03:01 pm (UTC)
Unpack in batches

Beautiful. Any theories on why the attachments would have been unpacked? That is an unnecessary step, correct?

Posted by: ((Anonymous))
Posted at: February 16th, 2010 03:02 pm (UTC)
Unpack from archives

Earlier message was BCL, by the way.

Posted by: Decoding SwiftHack (ijish)
Posted at: February 16th, 2010 05:10 pm (UTC)
Re: Unpack from archives

bigcitylib:

Beautiful.
Thanks again. :)
Any theories on why the attachments would have been unpacked?
If you're referring to why they were packed and then unpacked: I guess it may have to do with the attacker's method of ripping the files.

As I mentioned in a previous post (and as shown in the diagram), the attacker seems to have ripped 5 Word documents by starting up shell sessions -- perhaps by exercising a bug in a setuid program -- and recording the sessions. Perhaps the attacker used the same method to rip several files (plus their modification times) at once, by simply putting them into one .tar file and dumping that in a single shell session.

That's just my wild theory though; I haven't exactly been able to test it to any meaningful degree.

Posted by: ((Anonymous))
Posted at: February 16th, 2010 06:49 pm (UTC)
Re: Unpack from archives

Could subsets have been unpacked to, for example, be forwarded by email to a third party?

Posted by: Decoding SwiftHack (ijish)
Posted at: February 17th, 2010 11:57 am (UTC)
Re: Unpack from archives

Could subsets have been unpacked to, for example, be forwarded by email to a third party?
Maybe, but the files that ended up in the .zip don't look like they were saved separately from e-mail attachments -- the access times for each batch won't all read as the exact same second. That's to say, if the files were separately attached in e-mails, then that's probably not done as part of the process of creating the .zip file.

Still, if you come across any confidential CRU documents that had been floating around before SwiftHack, I'd definitely like to know. :)
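The batch argument in the two replies above (files ripped together in one .tar dump share one access second; files handled separately do not) can be checked mechanically against an archive. The following is an added Python example, not code from this blog or from the original analysis: it builds a small constructed zip whose entries carry Info-ZIP "UT" extended timestamps, then reads each entry's local header and groups entries by the exact access second recorded there. It assumes the archive being examined stores access times in the UT extra field; the file names and epoch values are made up.

```python
import io, struct, zipfile

UT_ID = 0x5455  # Info-ZIP "UT" extended-timestamp extra field id

def build_sample_zip():
    """Constructed archive: two batches whose files share one access second
    (as if read by a single tar/cat run), plus one separately handled file."""
    entries = [  # (name, mtime, atime); all epoch values are made up
        ("docs/a.doc", 1100000000, 1258600000),
        ("docs/b.doc", 1120000000, 1258600000),
        ("mail/1.txt", 1200000000, 1258700000),
        ("mail/2.txt", 1210000000, 1258700000),
        ("notes.txt", 1150000000, 1258800000),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mtime, atime in entries:
            zi = zipfile.ZipInfo(name, date_time=(2009, 11, 17, 0, 0, 0))
            body = struct.pack("<BII", 0b011, mtime, atime)  # flags: mtime+atime
            zi.extra = struct.pack("<HH", UT_ID, len(body)) + body
            zf.writestr(zi, b"sample")
    return buf.getvalue()

def local_atimes(data):
    """Yield (name, atime) from each entry's LOCAL header: the central
    directory copy of UT carries mtime only, so atime lives only here."""
    raw = io.BytesIO(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            raw.seek(zi.header_offset)                # 30-byte fixed header
            fnlen, exlen = struct.unpack("<HH", raw.read(30)[26:30])
            raw.seek(fnlen, 1)                        # skip the file name
            extra, pos = raw.read(exlen), 0
            while pos + 4 <= len(extra):              # walk the extra sub-fields
                tid, tlen = struct.unpack_from("<HH", extra, pos)
                if tid == UT_ID:
                    flags = extra[pos + 4]
                    if flags & 2:  # atime present; follows mtime when bit 0 is set
                        off = pos + 5 + (4 if flags & 1 else 0)
                        yield zi.filename, struct.unpack_from("<I", extra, off)[0]
                    break
                pos += 4 + tlen

def batches_by_atime(data):
    """Group entries by the exact access second recorded in their UT field."""
    groups = {}
    for name, atime in local_atimes(data):
        groups.setdefault(atime, []).append(name)
    return groups
```

Groups of two or more names sharing one second are candidate batches; a lone name is a file that was read on its own, which is the distinction the reply above draws.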

Posted by: Decoding SwiftHack (ijish)
Posted at: February 20th, 2010 09:47 pm (UTC)
From Jeff Id's blog...

Some comments and alternative theories over at Jeff Id's blog:

(1) the shell sessions might have been recorded using an xterm with logging capability;

(2) the filtering of e-mails might have been done differently, because filtering based on words like "data" and "model" may still leave lots of chatter in.

(I've not really checked (2) yet, by the way.)
