10:41 AM

WikiLeaks Sues Guardian, Cables Controversy Grows

WikiLeaks alleges that the newspaper violated its confidentiality agreement by publishing a password to a file containing unredacted versions of 251,000 State Department cables.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
WikiLeaks on Thursday announced that it's suing the Guardian newspaper in Britain for facilitating the leak of unredacted U.S. diplomatic cables.

"A Guardian journalist has negligently disclosed top secret WikiLeaks' decryption passwords to hundreds of thousands of unredacted unpublished U.S. diplomatic cables," according to a statement released by WikiLeaks.

"WikiLeaks has commenced pre-litigation action against the Guardian and an individual in Germany who was distributing the Guardian passwords for personal gain," it said. In particular, WikiLeaks alleged that the Guardian violated the confidentiality agreement that it signed with the whistleblowing group, which dictated that the cables be published by groups in exchange for their "local knowledge," which would be used to "remove the names of persons reporting unjust acts to U.S. embassies."

The suit marks an abrupt change in the tenor of WikiLeaks with the Guardian, which along with the New York Times, Der Spiegel, Le Monde and El Pais were selected by the group to help study, redact, release, and publicize the sensitive diplomatic cables.

The Guardian, however, has denied the WikiLeaks allegations. "It's nonsense to suggest the Guardian's WikiLeaks book has compromised security in any way," according to a statement released by the paper.

"Our book about WikiLeaks was published last February," according to the statement. "It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours."

The password in question--ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#--appears on page 148 of WikiLeaks: Inside Julian Assange's War On Secrecy written by David Leigh and Luke Harding, and published in February 2011.

Earlier this week, news reports cited rumors that WikiLeaks had lost control of a password-protected archive containing unredacted versions of all 251,287 cables in its possession. Rumors also suggested that the password was circulating separately, and available via the Internet. Some news reports cited WikiLeaks rival OpenLeaks, founded by WikiLeaks defector Daniel Domscheit-Berg, as the source of the tip-offs. A resident of Germany, he may be the "individual in Germany" mentioned by WikiLeaks as a target of its "pre-litigation action."

Over the past nine months, just a fraction of the 251,287 cables that WikiLeaks obtained had been released. But the availability via BitTorrent of the "cables.csv" file, containing all of the cables, as well as accessibility of the password, led WikiLeaks to last week to suddenly release 134,000 new cables. Those cables included the names of at least 100 diplomatic sources that had been marked for "special protection," meaning that the State Department didn't want the names to be disclosed publicly.

WikiLeaks said that it's known of the existence of the BitTorrent file, as well as the "passwords" for accessing it, for the past month, but avoided commenting on the matter, in an attempt to not draw attention to the passwords.

WikiLeaks blames the Guardian for causing it to rush its cable-release program. "Over time WikiLeaks has been building up, and publishing, the complete Cablegate 'library'--the most significant political document ever published," it said. "The mammoth task of reading and lightly redacting what amounts to 3,000 volumes or 284 million words of global political history is shared by WikiLeaks and its partners. That careful work has been compromised as a result of the recklessness of the Guardian."

These days, of course, data breaches--or in this case at least, loss of data control--are nothing new. Furthermore, numerous breaches can be traced to insiders who release, maliciously or inadvertently, sensitive information. Accordingly, was it reasonable for WikiLeaks to expect that it could maintain full control over a sensitive cache of all of the cables, many of which it's already shared with more than 90 media and human rights groups worldwide? Perhaps the group can consider itself lucky that it managed to control its publication schedule for as long as nine months.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.