Vulnerabilities / Threats
9/6/2011
08:48 AM
Connect Directly
RSS
E-Mail
50%
50%

Hackers Turn On Each Other

WikiLeaks fumbles the disclosure of sensitive government cables, while hacking competition website RankMyHack.com finds little honor among members.

Is there no honor among hackers, or information leakers?

Last week, even RankMyHack.com got hacked. The website, which awards points for proof that you've hacked particular websites, isn't the first such leaderboard. But the site had grabbed a lot of attention in a short period of time for listing hacking point values for prominent websites, such as the White House's (34,594 points).

Not everyone, however, was content to play by the site's rules. Instead of hacking third-party sites and submitting proof to earn points, two hackers decided instead to hack RankMyHack.com itself. How many points was that worth? Only 717, apparently.

But to look up any more point values, you'll need to join--and submit evidence of hacking prowess--since after all of the "media" interest, the site's administrators said they're restricting access to the URL input page to confirmed members only. Membership, in other words, has its privileges--unless, of course, the players turn against you.

On a related note, the limelight-loving Julian Assange, founder of WikiLeaks, posted an "editorial" last week on the WikiLeaks site in which he announced that he had "commenced pre-litigation action" against two former partners: the Guardian newspaper, after its reporter "recklessly, and without gaining our approval, knowingly disclosed the decryption passwords in a book published by the Guardian"; and a German programmer, Daniel Domscheit-Berg.

The Guardian, in a statement sent in email, noted that this is the third time Assange has threatened suit against it, following previous accusations of loss of earnings (November 2010) and of libel after the Guardian released a WikiLeaks book in February 2011. Neither of those suits has come to pass.

As for Domscheit-Berg, he met Assange in 2007 and rose to become the No. 2 person inside WikiLeaks, before parting bitterly with Assange, whom he labeled an "autocratic ruler" pursuing a "cult of stardom." Assange this week accused Domscheit-Berg of revealing a WikiLeaks security vulnerability.

But that vulnerability may have begun with Assange, who lost control of a "cables.csv" file containing un-redacted versions of all 251,287 State Department cables obtained by the group. Evidently, he forgot to delete the password-protected file from the secure WikiLeaks server, after telling two Guardian reporters that it would be shared only with them and online only for a few hours. The reporters, no doubt seeking additional color for the WikiLeaks book they penned, included the password in their book--also a security misstep. But they had no way of knowing that later on, not only had someone else (by some accounts, a WikiLeaks supporter) obtained a copy of the same file, but that person had also released it on BitTorrent.

In Assange's reading, however, his former partners are turning against him. In particular, he said, the Guardian failed to play by his rules, violating a confidentiality agreement it had signed. (Although as an astute reader noted, can WikiLeaks sue someone for disclosing government communications it illegally obtained?) That agreement dictated that the cables be released only in thematic batches, after being arduously read and redacted by people with local knowledge.

So, in a logical leap, two weeks ago, Assange chose to release 134,000 new cables--over six times what had been previously released--without redaction. In other words, Assange appears to have rushed the cable release not in the spirit of responsible disclosure, but rather to beat perceived rivals at a game of his own devising. Unfortunately, the cables also included the names of at least 100 confidential diplomatic sources, triggering criticism from both the U.S. State Department and the news organizations that have been devoting months to read, redact, and release the cables.

Next, Assange turned democratic, putting the question of un-redacted cable disclosure to his Twitter followers. Their response, he said, was 100 to 1 in favor of releasing all of the un-redacted versions.

On Friday he released every cable, without redaction. The move drew swift condemnation from five former media partners: the Guardian, Le Monde, the New York Times, El Pais, and Der Spiegel. They issued a joint statement saying that "we deplore the decision of WikiLeaks to publish the un-redacted state department cables, which may put sources at risk," and they noted that "the decision to publish by Julian Assange was his, and his alone."

Interestingly, according to the Guardian, Assange didn't start out as a proponent of redaction. "Initially, as has been widely reported, Assange was unwilling to remove material to protect informants, but the Guardian and its media partners persuaded him that the diplomatic cables should be carefully redacted before release, and this editing process was carried out by the newspapers."

Did his information-leaking partners turn against him? In the end, the security-paranoid Assange found himself in this situation by fumbling some security basics, including failing to compartmentalize sensitive information and delete copies of it in a timely manner.

In its statement, the Guardian also called attention to the date when the cables.csv file was first shared on BitTorrent, after its reporters accessed it in July 2010. "It appears that two versions of this file were subsequently posted to a peer-to-peer file sharing network using the same password. One version was posted on December 7, 2010--a few hours before Julian Assange was arrested following an extradition request," the newspaper said.

To recap: Assange set the rules of the game but seems to have tripped himself up. Then, before he could be widely scooped, he opted instead for a scorched earth policy and released all of the cables himself.

Now, will anyone want to play with WikiLeaks again?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio