Another global security mess is in the making, on the heels of the publication of thousands of sensitive security documents obtained by WikiLeaks. However, in this particular instance, WikiLeaks insists it didn’t mean to do it.
Last week, WikiLeaks reportedly made some 134,000 diplomatic cables available. Unlike earlier disclosures, though, these cables were published with the names and identities of confidential and sensitive sources fully intact.
WikiLeaks blamed UK publication The Guardian for the dump, explaining that the encrypted file containing the cables had been online, but secure — that is, until a journalist released the decryption password in a book published by the paper.
Knowledge of the leak has been spreading online for months, according to WikiLeaks, but only recently has it reached critical mass.
“For the past month, WikiLeaks has been in the unenviable position of not being able to comment on what has happened, since to do so would be to draw attention to the decryption passwords in The Guardian book,” reads a WikiLeaks editorial.
With the connection publicly made, WikiLeaks says it can speak about the matter now. The site has begun pre-litigation action against The Guardian and an individual in Germany it accuses of distributing the passwords for personal gain.
The Guardian has rejected WikiLeaks’ claims that it is responsible, and it has called on the site not to release the remaining cables.
The E-Commerce Times received no replies from WikiLeaks, The Guardian or the U.S. State Department to its requests for comments.
Lessons Learned
This episode would be downright amusing if the stakes weren’t so high. Potentially, lives could be at risk. WikiLeaks carved out a place for itself in the global political arena by leaking sensitive information that supposedly was secure, and now it has been tripped up in similar fashion.
“WikiLeaks is the perfect example of thieves stealing from thieves,” Prem Iyer, head of the information security practice for Iron Bow Technologies, told TechNewsWorld. “All the info that they stole from others, they decided to store online — and the password was leaked.”
Despite the unique circumstances of the leak, the players and the ramifications, there are several themes common to more mundane leaks. Observing and learning from them could help a company avoid its own corporate disaster.
“WikiLeaks learned that securing sensitive data online can be more difficult than it realized, between ever-growing sophistication of hackers and human errors,” Iyer said.
Dangers of the Cloud
Any company or government agency that is looking to store data online must realize that cloud solutions are at risk of attack.
“You cannot assume that the proper security controls are in place,” warned Iyer.
“Organizations who are considering cloud solutions must understand the security mechanisms that the cloud provider has in place,” he advised, “and then determine if public cloud is still an option or if a private cloud solution would be a more secure alternative.”
Overprivileged and Accident-Prone
Another oft-cited reason for inadvertent disclosures is the generous granting of administrative privileges to people who don’t need them, Brian Anderson, chief marketing officer of BeyondTrust, told TechNewsWorld.
“You might have a secretary who has admin privileges and she accidentally copies a sensitive file and emails it to an entire client list. That has happened,” he said.
The point is that companies need to protect their systems not only from people intent on stealing information — for greed or other reasons — but also from people who are sloppy with their security practices, explained Anderson.
“Set systems so they grant the least privilege access — only what a particular individual needs and nothing more,” he advised.
The Peril of Writable Media
The motherlode of WikiLeaks’ sensitive cables came to it via U.S. Army intelligence analyst Bradley Manning, who allegedly downloaded the purloined material and handed it over to the site.
The proliferation of mobile devices and writable media such as USB devices and read/write CD/DVD drives has led to an increase in productivity across organizations, but has also increased the threat from malicious insiders, John Sennott, director of marketing for Prism Microsystems, told TechNewsWorld.
Companies need to recognize the potential threat these devices pose to their security and adopt a concept of “trust but verify,” he said. “It is important to let the users know they are being monitored, so they are afraid of getting caught if a policy is not followed.”