
Police Want To Link Your Identity To An IP Address – But Don’t Like It When You Do It To Them

It was reported today that Theresa May is intending to introduce new measures requiring Internet Service Providers to keep data that identifies online users.

Obviously most ISPs already retain some information, such as the authenticated credentials, the IP issued (if DHCP or similar), the MAC address of the modem and so on, but the article doesn’t make it clear exactly what information ISPs are to be ordered to retain. It’s likely to be the public IP and possibly the NAT ports if the ISP is using CGN (carrier-grade NAT).

The only mention of retention is in regard to the original snoopers’ bill.

Between this website, the DRIP websites and RoutingPacketsIsNotACrime, certain IPs kept appearing, and a bit of research showed that these might be Police IP addresses, so a Freedom of Information request was sent.

Unfortunately the Police denied the request for reasons of National Security and so as not to compromise “ongoing investigations”, but given that the surveillance state has continued to grind forward, let’s level the playing field a little bit:

Response to the Freedom of Information Request

Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties on public authorities. Unless exemptions apply, the first duty at Section 1(1)(a) is to confirm or deny whether the information specified in a request is held. The second duty at Section 1(1)(b) is to disclose information that has been confirmed as being held. Where exemptions are relied upon s17 of FOIA requires that we provide the applicant with a notice which: a) states that fact b) specifies the exemption(s) in question and c) states (if that would not otherwise be apparent) why the exemption applies.

City of London Police can neither confirm nor deny that it holds any information relevant to your request as the duty in s1(1)(a) of the Freedom of Information Act 2000 does not apply, by virtue of the following exemptions:

- Section 24 (2) National Security
- Section 30(3) Investigations
- Section 31(3) Law Enforcement

Information is exempt by virtue of section 24 where the exemption is required for the purpose of safeguarding national security. The duty to confirm or deny does not arise if, or to the extent that, exemption from section 1(1)(a) is required for the purpose of safeguarding national security. This is a prejudice-based exemption and the potential harm in confirming or denying that the information is held or not held is detailed below. It is also a qualified exemption subject to an assessment of the public interest and the factors favouring confirmation and non-confirmation that the information is held or not held are listed below.

Information is exempt by virtue of section 30 where it has, at any time, been held for the purpose of an investigation. The duty to confirm or deny does not arise in relation to information which is exempt by virtue of this section. This is a class-based exemption and it is not necessary to demonstrate the potential for harm to occur. It is however a qualified exemption subject to an assessment of the public interest and the factors favouring confirmation and non-confirmation that the information is held or not held are listed below.

Information is exempt by virtue of section 31 where its disclosure would, or would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the administration of justice. This is a prejudice-based exemption subject to the identification of harm, which is detailed below. It is also a qualified exemption subject to an assessment of the public interest and the factors favouring disclosure and non-disclosure are listed below.

Identification of harm – s.24 and s.31
Confirmation or denial that the IP addresses mentioned are owned by the Police Service could affect the Police’s ability to effectively carry out operations and investigations as well as compromising the security of the United Kingdom.

Confirmation or denial of this information could be used to plan and execute an attack on police systems. Such attacks are not often ‘frontal attacks’, but rather are iterative in nature where attackers test a number of approaches over a period of time. As such, even discrete elements of a force IT platform could provide enough information to formulate an attack. IP addresses are not publicly available, and would normally be hidden behind layers of security. The information could be used to gain access to force systems, and affect the Police’s ability to carry out its core functions which would then have implications for National Security.

Factors favouring confirmation or denial – s.24
The threat from national and international terrorism is ever present and the public are entitled to know how the police operate. In the current financial climate of cuts and with the call for transparency, confirmation or denial would enable improved public debate.

Factors against confirmation or denial – s.24
Confirmation or denial cannot be in the public interest if ongoing or future operations or investigations to protect the security of the United Kingdom would be compromised as outlined in the identification of harm paragraph.

Factors favouring confirmation or denial – s.30
Confirmation or denial would highlight where public funds are being spent and where resources are being distributed within a specific area of policing which would reinforce the City of London Police’s commitment to openness and transparency.

Factors against confirmation or denial – s.30
Confirmation or denial would identify the current status of an ongoing investigation. Revealing the details requested could hinder the prevention or detection of crime as the investigation could be prejudiced by disclosing details into the public domain before the investigation has concluded.

Factors favouring confirmation or denial – s.31
Confirmation or denial would show which IP addresses are used by the police service and (by way of version numbers) reassure the public that these systems are up to date.

Factors against confirmation or denial – s.31
Confirmation or denial cannot be in the public interest if ongoing or future operations or investigations would be compromised as outlined in the identification of harm paragraph.

Balancing the public interest
On review, there is very little to indicate that the public interest would be better served by confirming or denying the information is held. The public rightly expects the police service to ensure that all of its systems are secure so that the information it holds maintains its value and integrity. Confirmation or denial would be detrimental to these aims and therefore, at this moment in time, it is our opinion that for these issues the balance test for confirming or denying that information is held is not made out.

No inference can be taken from this refusal that information does or does not exist.

The First Thread

The first IP addresses that piqued our attention were 212.137.45.109 and 212.62.5.158, so let’s see what ASN they belong to and what the RIPE description is:
inetnum: 212.137.45.96 - 212.137.45.111
netname: CW-AMLPID739647-NET
descr: AML PID 739647
country: GB
admin-c: CHCP1-RIPE
tech-c: CHCP1-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTING
source: RIPE # Filtered
 
role: CW Hosting Centre Park Royal
address: 900 Coronation Road
address: NW10 7PQ
address: London
remarks: trouble: abuse@cw.net
admin-c: CLAU1-RIPE
tech-c: AA3670-RIPE
tech-c: CLAU1-RIPE
tech-c: SYLV-RIPE
nic-hdl: CHCP1-RIPE
mnt-by: EXODUS-MNT
mnt-by: CW-IPGNOC-MNT
abuse-mailbox: abuse@cw.net
source: RIPE # Filtered
 
% Information related to '212.137.32.0/20AS1273'
 
route: 212.137.32.0/20
descr: CWC-SWINDONWEBHOST
origin: AS1273
mnt-by: CW-EUROPE-GSOC
source: RIPE # Filtered


inetnum: 212.62.5.0 - 212.62.5.255
netname: CW-AMLPID739647-NET
descr: AML PID 739647
country: GB
admin-c: CHCP1-RIPE
tech-c: CHCP1-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTING
mnt-domains: CW-DNS-MNT
source: RIPE # Filtered
 
role: CW Hosting Centre Park Royal
address: 900 Coronation Road
address: NW10 7PQ
address: London
remarks: trouble: abuse@cw.net
admin-c: CLAU1-RIPE
tech-c: AA3670-RIPE
tech-c: CLAU1-RIPE
tech-c: SYLV-RIPE
nic-hdl: CHCP1-RIPE
mnt-by: EXODUS-MNT
mnt-by: CW-IPGNOC-MNT
abuse-mailbox: abuse@cw.net
source: RIPE # Filtered
 
% Information related to '212.62.0.0/19AS1273'
 
route: 212.62.0.0/19
descr: CH-EXODUS
origin: AS1273
mnt-by: CW-EUROPE-GSOC
source: RIPE # Filtered

Well, there’s the first clue: we know that the National Policing Improvement Agency signed a deal with Cable & Wireless to provide elements of the national communications network (a.k.a. PNN3), so we’re off to a good start.

The Overlooked Vector: DNS

Hurricane Electric provides a brilliant service at http://bgp.he.net/ which lets you see a variety of information about IP blocks, including ASN, RPKI status and forward/reverse DNS.

C&W make two announcements that contain one of the IPs:

AS1273 212.137.0.0/16 Cable & Wireless UK P.U.C.
AS1273 212.137.32.0/20 Cable and wireless Internet-NET

Looking at the more specific announcement we can see a variety of interesting Police National Network DNS records:
212.137.36.161 pnn-gw6.pnn.police.uk
212.137.36.163 pnn-gw.pnn.police.uk
212.137.36.164 pnn-gw.pnn.police.uk
212.137.36.165 smtp.pnn.police.uk
212.137.36.166 biscuits.pnn.police.uk
...
212.137.45.97 mail.pnn.police.uk
212.137.45.104 smtp.pnn.police.uk
212.137.45.105 smtp.pnn.police.uk
212.137.45.106 smtp.pnn.police.uk

Delving into SMTP

We’ve seen mail.pnn.police.uk before, and because the FOI response was sent from within PNN3 the SMTP headers probably have some interesting information:
Received: by 10.216.16.73 with SMTP id g51csp220108weg; Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
X-Received: by 10.194.21.193 with SMTP id x1mr2053266wje.135.1413209777204; Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
Return-Path:
Received: from mail.pnn.police.uk (mail.pnn.police.uk. [212.137.45.97])
by mx.google.com with ESMTPS id hu8si1814120wib.9.2014.10.13.07.16.16
for
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
Received-SPF: none (google.com: xxxxx.xxxxxxx@city-of-london.pnn.police.uk does not designate permitted sender hosts) client-ip=212.137.45.97;
Authentication-Results: mx.google.com; spf=neutral (google.com: xxxxxxx.xxxxxxxx@city-of-london.pnn.police.uk does not designate permitted sender hosts) smtp.mail=xxxxx.xxxxxx@city-of-london.pnn.police.uk
From: xxxxxx xxxxxx
To: "'xxxxxxx@xxxxxxx.co.uk'"
Subject: REQUEST FOR INFORMATION REF: COL/14/714 (NOT PROTECTIVELY MARKED)
Thread-Topic: REQUEST FOR INFORMATION REF: COL/14/714 (NOT PROTECTIVELY MARKED)
Thread-Index: Ac/m8D8M8+UzCwmmRSGWynCyQxELkw==
Date: Mon, 13 Oct 2014 14:16:15 +0000
Message-ID:
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-officeenforcer-classification-impactlevel: 0
x-officeenforcer-classification: NOT PROTECTIVELY MARKED
x-originating-ip: [172.26.4.63]
MIME-Version: 1.0
X-ACL-Warn: X-Virus Scan: F-Secure 9
X-PNN3-Rtr: dnslookup

So from this we can see that the Police use 172.16.0.0/12 RFC 1918 addresses internally (172.26.4.63 in the x-originating-ip header), and that elements of 212.137.45.0/24 are definitely used by the Police.
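To show the two checks above done in code rather than by eye (which announced prefix a given address falls under, and which addresses in a mail header trail are internal versus public gateway IPs), here is an added example written for this post; it is not the author’s code. It assumes the AS1273 prefixes listed above as a static table and uses a constructed, trimmed copy of the header trail with a placeholder sender; the general case it covers is any IPv4 literal in any header, not just the ones shown.

```python
import ipaddress
import re

# Constructed sample: trimmed copy of the header trail above, placeholder sender,
# with the folded 'by mx.google.com' continuation line kept on purpose.
SAMPLE_HEADERS = """\
Received: by 10.216.16.73 with SMTP id g51csp220108weg; Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
Received: from mail.pnn.police.uk (mail.pnn.police.uk. [212.137.45.97])
 by mx.google.com with ESMTPS id hu8si1814120wib.9.2014.10.13.07.16.16
Received-SPF: none (google.com: user@city-of-london.pnn.police.uk does not designate permitted sender hosts) client-ip=212.137.45.97;
x-originating-ip: [172.26.4.63]
"""

# Prefixes originated by AS1273 as listed on this page (assumed static table for the example).
ANNOUNCED = {
    "212.137.0.0/16": "Cable & Wireless UK P.U.C.",
    "212.137.32.0/20": "Cable and wireless Internet-NET",
    "212.62.0.0/19": "CH-EXODUS",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A dotted quad not embedded in a longer dotted run, so the ESMTPS id "...wib.9.2014.10.13.07.16.16" is not mistaken for an IP.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def unfold(raw):
    """Join RFC 5322 folded header lines (continuation lines start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def header_ips(raw):
    """Return {lowercased_header_name: [ips...]} for every header carrying an IPv4 literal."""
    found = {}
    for line in unfold(raw).splitlines():
        name, sep, value = line.partition(":")
        ips = IPV4.findall(value) if sep else []
        if ips:
            found.setdefault(name.lower(), []).extend(ips)
    return found

def classify(ip):
    """'private' for RFC 1918 space, else the most specific announced prefix containing the address."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in n for n in RFC1918):
        return "private"
    hits = [ipaddress.ip_network(p) for p in ANNOUNCED if addr in ipaddress.ip_network(p)]
    if not hits:
        return "unknown"
    best = max(hits, key=lambda n: n.prefixlen)  # longest-prefix match, as a BGP router would pick
    return f"{best} ({ANNOUNCED[str(best)]})"

def originating_chain(raw):
    """Map each IP found in the headers to internal client, announced gateway prefix, or unknown."""
    return {ip: classify(ip) for ips in header_ips(raw).values() for ip in ips}
```

Running `originating_chain(SAMPLE_HEADERS)` places 172.26.4.63 in private space and 212.137.45.97 under the /20 rather than the covering /16, which is the same conclusion the post reaches by reading the headers by hand.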

Hardly obscured by “layers and layers of security”.

Nailing down 212.137.45.109

Whilst there is HTTP traffic coming from 212.137.45.109, it doesn’t have any registered reverse DNS, which could indicate it is not a normal egress gateway (or someone is lazy: Hanlon’s razor).

A quick search finds that this IP address is certainly busy: leaving a comment here, in WikiLeaks, activity on the British Transport Police Wikipedia page, some form of request from a Crime Prevention Adviser, an old reverse DNS lookup referring to NWIS, and someone listing an old whois record:

inetnum: 212.137.45.96 - 212.137.45.111
netname: CW-PNN-NET
descr: PNN
country: GB
admin-c: CHCP1-RIPE
tech-c: CHCP1-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTING
source: RIPE Filtered
role: CW Hosting Centre Park Royal
address: 900 Coronation Road
address: NW10 7PQ
address: London
remarks: trouble: ***@cw.net

Conclusion

It’s fairly safe to say that 212.62.5.0/24 and 212.137.45.0/24 are in some way related to the Police.

Before issuing the Freedom of Information request, our servers were crawled / visited every day by these IPs.

Since issuing the request they haven’t been back…

Footnote:

Cable & Wireless are the ISP that assisted GCHQ with their “Mastering the Internet” program: http://www.wired.co.uk/news/archive/2014-11/21/cable-and-wireless-vodafone-worked-with-gchq
