Vulnerabilities / Threats

9/6/2011
08:48 AM
50%
50%

Hackers Turn On Each Other

WikiLeaks fumbles the disclosure of sensitive government cables, while hacking competition website RankMyHack.com finds little honor among members.

Is there no honor among hackers, or information leakers?

Last week, even RankMyHack.com got hacked. The website, which awards points for proof that you've hacked particular websites, isn't the first such leaderboard. But the site had grabbed a lot of attention in a short period of time for listing hacking point values for prominent websites, such as the White House's (34,594 points).

Not everyone, however, was content to play by the site's rules. Instead of hacking third-party sites and submitting proof to earn points, two hackers decided instead to hack RankMyHack.com itself. How many points was that worth? Only 717, apparently.

But to look up any more point values, you'll need to join--and submit evidence of hacking prowess--since after all of the "media" interest, the site's administrators said they're restricting access to the URL input page to confirmed members only. Membership, in other words, has its privileges--unless, of course, the players turn against you.

On a related note, the limelight-loving Julian Assange, founder of WikiLeaks, posted an "editorial" last week on the WikiLeaks site in which he announced that he had "commenced pre-litigation action" against two former partners: the Guardian newspaper, after its reporter "recklessly, and without gaining our approval, knowingly disclosed the decryption passwords in a book published by the Guardian"; and a German programmer, Daniel Domscheit-Berg.

The Guardian, in a statement sent in email, noted that this is the third time Assange has threatened suit against it, following previous accusations of loss of earnings (November 2010) and of libel after the Guardian released a WikiLeaks book in February 2011. Neither of those suits has come to pass.

As for Domscheit-Berg, he met Assange in 2007 and rose to become the No. 2 person inside WikiLeaks, before parting bitterly with Assange, whom he labeled an "autocratic ruler" pursuing a "cult of stardom." Assange this week accused Domscheit-Berg of revealing a WikiLeaks security vulnerability.

But that vulnerability may have begun with Assange, who lost control of a "cables.csv" file containing un-redacted versions of all 251,287 State Department cables obtained by the group. Evidently, he forgot to delete the password-protected file from the secure WikiLeaks server, after telling two Guardian reporters that it would be shared only with them and online only for a few hours. The reporters, no doubt seeking additional color for the WikiLeaks book they penned, included the password in their book--also a security misstep. But they had no way of knowing that later on, not only had someone else (by some accounts, a WikiLeaks supporter) obtained a copy of the same file, but that person had also released it on BitTorrent.

In Assange's reading, however, his former partners are turning against him. In particular, he said, the Guardian failed to play by his rules, violating a confidentiality agreement it had signed. (Although as an astute reader noted, can WikiLeaks sue someone for disclosing government communications it illegally obtained?) That agreement dictated that the cables be released only in thematic batches, after being arduously read and redacted by people with local knowledge.

So, in a logical leap, two weeks ago, Assange chose to release 134,000 new cables--over six times what had been previously released--without redaction. In other words, Assange appears to have rushed the cable release not in the spirit of responsible disclosure, but rather to beat perceived rivals at a game of his own devising. Unfortunately, the cables also included the names of at least 100 confidential diplomatic sources, triggering criticism from both the U.S. State Department and the news organizations that have been devoting months to read, redact, and release the cables.

Next, Assange turned democratic, putting the question of un-redacted cable disclosure to his Twitter followers. Their response, he said, was 100 to 1 in favor of releasing all of the un-redacted versions.

On Friday he released every cable, without redaction. The move drew swift condemnation from five former media partners: the Guardian, Le Monde, the New York Times, El Pais, and Der Spiegel. They issued a joint statement saying that "we deplore the decision of WikiLeaks to publish the un-redacted state department cables, which may put sources at risk," and they noted that "the decision to publish by Julian Assange was his, and his alone."

Interestingly, according to the Guardian, Assange didn't start out as a proponent of redaction. "Initially, as has been widely reported, Assange was unwilling to remove material to protect informants, but the Guardian and its media partners persuaded him that the diplomatic cables should be carefully redacted before release, and this editing process was carried out by the newspapers."

Did his information-leaking partners turn against him? In the end, the security-paranoid Assange found himself in this situation by fumbling some security basics, including failing to compartmentalize sensitive information and delete copies of it in a timely manner.

In its statement, the Guardian also called attention to the date when the cables.csv file was first shared on BitTorrent, after its reporters accessed it in July 2010. "It appears that two versions of this file were subsequently posted to a peer-to-peer file sharing network using the same password. One version was posted on December 7, 2010--a few hours before Julian Assange was arrested following an extradition request," the newspaper said.

To recap: Assange set the rules of the game but seems to have tripped himself up. Then, before he could be widely scooped, he opted instead for a scorched earth policy and released all of the cables himself.

Now, will anyone want to play with WikiLeaks again?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1060
PUBLISHED: 2018-06-18
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.
CVE-2018-1090
PUBLISHED: 2018-06-18
In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
CVE-2018-1152
PUBLISHED: 2018-06-18
libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.
CVE-2018-1153
PUBLISHED: 2018-06-18
Burp Suite Community Edition 1.7.32 and 1.7.33 fail to validate the server certificate in a couple of HTTPS requests which allows a man in the middle to modify or view traffic.
CVE-2018-12530
PUBLISHED: 2018-06-18
An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF.