Attacks/Breaches
9/1/2011
10:41 AM
50%
50%

WikiLeaks Sues Guardian, Cables Controversy Grows

WikiLeaks alleges that the newspaper violated its confidentiality agreement by publishing a password to a file containing unredacted versions of 251,000 State Department cables.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
WikiLeaks on Thursday announced that it's suing the Guardian newspaper in Britain for facilitating the leak of unredacted U.S. diplomatic cables.

"A Guardian journalist has negligently disclosed top secret WikiLeaks' decryption passwords to hundreds of thousands of unredacted unpublished U.S. diplomatic cables," according to a statement released by WikiLeaks.

"WikiLeaks has commenced pre-litigation action against the Guardian and an individual in Germany who was distributing the Guardian passwords for personal gain," it said. In particular, WikiLeaks alleged that the Guardian violated the confidentiality agreement that it signed with the whistleblowing group, which dictated that the cables be published by groups in exchange for their "local knowledge," which would be used to "remove the names of persons reporting unjust acts to U.S. embassies."

The suit marks an abrupt change in the tenor of WikiLeaks with the Guardian, which along with the New York Times, Der Spiegel, Le Monde and El Pais were selected by the group to help study, redact, release, and publicize the sensitive diplomatic cables.

The Guardian, however, has denied the WikiLeaks allegations. "It's nonsense to suggest the Guardian's WikiLeaks book has compromised security in any way," according to a statement released by the paper.

"Our book about WikiLeaks was published last February," according to the statement. "It contained a password, but no details of the location of the files, and we were told it was a temporary password which would expire and be deleted in a matter of hours."

The password in question--ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#--appears on page 148 of WikiLeaks: Inside Julian Assange's War On Secrecy written by David Leigh and Luke Harding, and published in February 2011.

Earlier this week, news reports cited rumors that WikiLeaks had lost control of a password-protected archive containing unredacted versions of all 251,287 cables in its possession. Rumors also suggested that the password was circulating separately, and available via the Internet. Some news reports cited WikiLeaks rival OpenLeaks, founded by WikiLeaks defector Daniel Domscheit-Berg, as the source of the tip-offs. A resident of Germany, he may be the "individual in Germany" mentioned by WikiLeaks as a target of its "pre-litigation action."

Over the past nine months, just a fraction of the 251,287 cables that WikiLeaks obtained had been released. But the availability via BitTorrent of the "cables.csv" file, containing all of the cables, as well as accessibility of the password, led WikiLeaks to last week to suddenly release 134,000 new cables. Those cables included the names of at least 100 diplomatic sources that had been marked for "special protection," meaning that the State Department didn't want the names to be disclosed publicly.

WikiLeaks said that it's known of the existence of the BitTorrent file, as well as the "passwords" for accessing it, for the past month, but avoided commenting on the matter, in an attempt to not draw attention to the passwords.

WikiLeaks blames the Guardian for causing it to rush its cable-release program. "Over time WikiLeaks has been building up, and publishing, the complete Cablegate 'library'--the most significant political document ever published," it said. "The mammoth task of reading and lightly redacting what amounts to 3,000 volumes or 284 million words of global political history is shared by WikiLeaks and its partners. That careful work has been compromised as a result of the recklessness of the Guardian."

These days, of course, data breaches--or in this case at least, loss of data control--are nothing new. Furthermore, numerous breaches can be traced to insiders who release, maliciously or inadvertently, sensitive information. Accordingly, was it reasonable for WikiLeaks to expect that it could maintain full control over a sensitive cache of all of the cables, many of which it's already shared with more than 90 media and human rights groups worldwide? Perhaps the group can consider itself lucky that it managed to control its publication schedule for as long as nine months.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?