Attacks/Breaches
9/1/2011
10:41 AM
50%
50%

WikiLeaks Sues Guardian, Cables Controversy Grows

WikiLeaks alleges that the newspaper violated its confidentiality agreement by publishing a password to a file containing unredacted versions of 251,000 State Department cables.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
WikiLeaks on Thursday announced that it's suing the Guardian newspaper in Britain for facilitating the leak of unredacted U.S. diplomatic cables.

"A Guardian journalist has negligently disclosed top secret WikiLeaks' decryption passwords to hundreds of thousands of unredacted unpublished U.S. diplomatic cables," according to a statement released by WikiLeaks.

"WikiLeaks has commenced pre-litigation action against the Guardian and an individual in Germany who was distributing the Guardian passwords for personal gain," it said. In particular, WikiLeaks alleged that the Guardian violated the confidentiality agreement that it signed with the whistleblowing group, which dictated that the cables be published by groups in exchange for their "local knowledge," which would be used to "remove the names of persons reporting unjust acts to U.S. embassies."

The suit marks an abrupt change in the tenor of WikiLeaks with the Guardian, which along with the New York Times, Der Spiegel, Le Monde and El Pais were selected by the group to help study, redact, release, and publicize the sensitive diplomatic cables.

The Guardian, however, has denied the WikiLeaks allegations. "It's nonsense to suggest the Guardian's WikiLeaks book has compromised security in any way," according to a statement released by the paper.

"Our book about WikiLeaks was published last February," according to the statement. "It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours."

The password in question--ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#--appears on page 148 of WikiLeaks: Inside Julian Assange's War On Secrecy written by David Leigh and Luke Harding, and published in February 2011.

Earlier this week, news reports cited rumors that WikiLeaks had lost control of a password-protected archive containing unredacted versions of all 251,287 cables in its possession. Rumors also suggested that the password was circulating separately, and available via the Internet. Some news reports cited WikiLeaks rival OpenLeaks, founded by WikiLeaks defector Daniel Domscheit-Berg, as the source of the tip-offs. A resident of Germany, he may be the "individual in Germany" mentioned by WikiLeaks as a target of its "pre-litigation action."

Over the past nine months, just a fraction of the 251,287 cables that WikiLeaks obtained had been released. But the availability via BitTorrent of the "cables.csv" file, containing all of the cables, as well as accessibility of the password, led WikiLeaks to last week to suddenly release 134,000 new cables. Those cables included the names of at least 100 diplomatic sources that had been marked for "special protection," meaning that the State Department didn't want the names to be disclosed publicly.

WikiLeaks said that it's known of the existence of the BitTorrent file, as well as the "passwords" for accessing it, for the past month, but avoided commenting on the matter, in an attempt to not draw attention to the passwords.

WikiLeaks blames the Guardian for causing it to rush its cable-release program. "Over time WikiLeaks has been building up, and publishing, the complete Cablegate 'library'--the most significant political document ever published," it said. "The mammoth task of reading and lightly redacting what amounts to 3,000 volumes or 284 million words of global political history is shared by WikiLeaks and its partners. That careful work has been compromised as a result of the recklessness of the Guardian."

These days, of course, data breaches--or in this case at least, loss of data control--are nothing new. Furthermore, numerous breaches can be traced to insiders who release, maliciously or inadvertently, sensitive information. Accordingly, was it reasonable for WikiLeaks to expect that it could maintain full control over a sensitive cache of all of the cables, many of which it's already shared with more than 90 media and human rights groups worldwide? Perhaps the group can consider itself lucky that it managed to control its publication schedule for as long as nine months.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.