Mayor reports on alleged email espionage
MONDAY, MARCH 25, 2019 — The city council chambers were packed with Mayor Orlyn Kringstad’s supporters, along with the usual collection of city government monitors, as the Mayor concluded the second regular Tower City Council meeting of March on Monday by detailing the findings of his investigation into his claim that someone has surreptitiously read his emails.
The Mayor reported earlier in March that he had noticed emails arriving in his official Tower Mayor inbox changing from their original “unread” status to a “read” status, suggesting to him that someone was accessing the City of Tower email server and “illegally” reading his mail.
Having sought permission from the city council, Kringstad engaged his friends Michael Wood and Kjell Mathiesen to assist him during his investigation. Kringstad reported that he once was “Information Security—worldwide” for Honeywell International Inc.
The Mayor identified the authorized internet access that retrieved his emails as coming from servers at his retail location on Main Street, his Tower home, his daughter’s Vadnais Heights, Minnesota home, the Marjo Motel, his truck, and, on two occasions while he was traveling, from Verizon Wireless.
Two weeks ago the Mayor reported that he had never accessed his email on his cell phone. The Verizon Wireless requests and the one identified as coming from his truck may well have originated in a smart device, such as a tablet or laptop computer, rather than a cellular telephone. No other detailed information was reported, despite The Tower News submitting a public information request to the Mayor at city hall two weeks ago.
Ten sources of unauthorized access were also discovered. The first, and the only identified, unauthorized source (according to Mayor Kringstad) was Tower’s City Hall. Kringstad reported nine other, as yet unidentified, sources.
People communicate on the internet via computers, smart phones, tablets, and other smart devices using the “Internet Protocol” (IP). That is how it works, in layman’s terms.
Devices and computers are assigned a unique numeric “IP” address which informs the internet how to route requested data. Each device is given a specific “IP” address. However, these addresses can, and often do, change many times, particularly when it comes to mobile devices. For instance, every time a mobile device is turned on, a new “IP” address may be assigned to the device by internet protocols. Moving out of range of one cellular communications tower and into another cellular tower’s zone might also cause a different “IP” number to be assigned.
Indeed, it is complicated. Determining exactly from where, and by whom, if anyone, the Mayor’s emails were accessed will take further forensic data investigation.
It is true that to have an internet presence, including email, in today’s world is to be under constant internet hacker assault. It is also true that a majority of this hacker activity originates in Russia or its former satellite nations.
While Kringstad has made it clear that he was making no accusations, he did specifically state that City Clerk-Treasurer Linda Keith was the only person with his email account password other than himself.
To date, the evidence presented is still clearly underwhelming and certainly inconclusive. It might well signify nothing more than an opportunity to acquire an entry level education about “IP” addresses. It might, however, portend a serious call for greater concern. The information released by Mayor Kringstad on Monday does not yet include a complete and thorough story.
When he was consulted, City Attorney Andy Peterson told him that these types of matters were “not in his purview,” Kringstad reported.
“I then contacted Mark Rubin (St. Louis County Attorney). He was very interested and assigned two sheriff’s investigators, one of whom has cyber experience and knowledge,” Kringstad said.
“The saga is over, as far as the break-ins occurring. I found out from Justin (TechBytes), the email provider, how to change my own email password. I passed that information on to Terri (Joki-Martin, the city’s Deputy Clerk) so she can pass that information on to others who want to protect their email,” Kringstad said.
* * * *
The Mayor’s report:
Forensic Investigation into email security breach — final report
A security breach was discovered by Orlyn Kringstd (OAK) when he realized that the read status of some of the emails in the account orlyn*AT*cityoftower.com went from “unread” to “read” without any action on his behalf. There is computer “Screen Recorder” video evidence of this.
With approval from the Tower City Council, OAK has obtained a log the email provider which shows the activity on this account from Feb 10 to Mar 13. By studying the video evidence and the log we have reached the following conclusions.
A large number of IP-addresses have been used to access (log into) the email account (see list of IP-addresses below.) [1] A large proportion of these addresses are legitimate addresses used by OAK in various locations he visits regularly (his own home, Nordic Home North (Kringstad retail store), Marjo Motel etc.). Some are used during his travels and some are still unidentified. Two addresses have been used for illegitimate logging into and downloading emails from the account.
There are three IP-addresses that have accessed and downloaded emails from the account Orlyn*AT*cityoftower.com. These are [redacted]. The first (96..) is the public IP address of the Kringstad residence in Tower and the second (64…) is the public IP address of the Tower City Hall network. The third address (172…) has not yet been identified. These addresses have all been accessing the account consistently throughout the period covered by the log.
In order to log into and download emails from an email account one must know the account’s password. Only two people (should) have known the password to the above account during this period, Tower City-Clerk Linda Keith (LK) who requested the account and password from the City of Tower ISP service (TechBytes) and OAK who was provided with the password by LK. No one else knew the password.
This makes it clear that somebody with knowledge of the password to orlyn*AT*cityoftower.com has used a computer connected to the Tower City Hall network to log in and retrieve emails from this account. This has been going on for the whole duration of the time covered by the log. More than 50 emails were retrieved by the City Hall IP-address during this period. OAK has not had access to the City Hall network before Mar 19 when he obtained the necessary WiFi password while working for the first time in the Tower City Hall “Mayor’s Office, outside of the general CC/T. That leaves LK as the only one with knowledge both of the email password and access to the City Hall computers.
The last login from the City Hall IP-address is on Mar 11 at 8:36 PM. There are no illegal attempts from any IP-address after that time. This was about the same time the council meeting was adjourned after OAK announced the security breach.
The third IP-address that has been downloading emails from the account (172.**.**.**), has consistently been logging into the account throughout the log period. A few emails (we have found three) have been downloaded from this address (On Feb 27 and Mar 1). This address, which is on a Frontier connection, has not been identified.
Another two IP-addresses which would be of interest to identify are 96.****.** (used on Feb 13 & 16) and 184.**.**.*** (used Feb 14 & 26, Mar 5). They are both located in or near Tower. Both of these addresses have logged into the account over a short period but have not been found to have downloaded emails.
The underlying evidence for this report can be made available upon request.
2019.03.20/KM
//Orlyn Kringstad//
//Michael Wood//
//Kjell Mathiesen//
****
[1] — all “IP” address have been redacted from this report to protect the integrity of the Mayor’s investigation. Redacted numbers are represented by: * (an asterisk).
All other material presented is presented sic erat scriptum (SIC)
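The triage the report describes (grouping provider-log entries by source IP, labelling the networks that are known, and separating logins from downloads) can be sketched as follows. This is an added example, not the investigators' tooling; the log format, the `KNOWN` table and every address are constructed, since the real log is not reproduced here and the report's addresses are redacted.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample; the provider's real log format is not shown in the report.
# Fields: timestamp, source IP, action. IPs are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2019-02-13T09:12:00 198.51.100.7 LOGIN
2019-02-13T09:12:05 198.51.100.7 RETR
2019-02-14T14:30:00 203.0.113.20 LOGIN
2019-02-27T22:01:00 192.0.2.44 LOGIN
2019-02-27T22:01:09 192.0.2.44 RETR
2019-03-01T07:45:00 192.0.2.44 RETR
2019-03-11T20:36:00 198.51.100.99 LOGIN
2019-03-11T20:36:04 198.51.100.99 RETR
garbage line here
"""

# Hypothetical lookup: IP -> (network label, did the account owner use it?).
KNOWN = {
    "198.51.100.7": ("owner residence", True),
    "198.51.100.99": ("shared office network", False),
}

def summarize(log_text, known):
    """Per source IP: label, owner use, login/download counts, first/last seen."""
    stats = defaultdict(lambda: dict(logins=0, downloads=0, first=None, last=None))
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, ip, action = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except (IndexError, ValueError):
            continue  # skip blank or malformed lines
        s = stats[ip]
        s["label"], s["owner_used"] = known.get(ip, ("unidentified", False))
        s["logins"] += action == "LOGIN"
        s["downloads"] += action == "RETR"
        s["first"] = min(s["first"] or ts, ts)
        s["last"] = max(s["last"] or ts, ts)
    return dict(stats)

def needs_followup(summary):
    """IPs the owner did not use, those that downloaded the most mail first."""
    flagged = [ip for ip, s in summary.items() if not s["owner_used"]]
    return sorted(flagged, key=lambda ip: (-summary[ip]["downloads"], ip))

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, KNOWN)
    for ip in needs_followup(summary):
        print(ip, summary[ip])
```

A source address identifies a network at a point in time rather than a person or a device, and, as the article notes, addresses on mobile connections change, so a summary like this narrows the question without settling who was at the keyboard.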