Vulnerabilities / Threats
9/6/2011
08:48 AM
50%
50%

Hackers Turn On Each Other

WikiLeaks fumbles the disclosure of sensitive government cables, while hacking competition website RankMyHack.com finds little honor among members.

Is there no honor among hackers, or information leakers?

Last week, even RankMyHack.com got hacked. The website, which awards points for proof that you've hacked particular websites, isn't the first such leaderboard. But the site had grabbed a lot of attention in a short period of time for listing hacking point values for prominent websites, such as the White House's (34,594 points).

Not everyone, however, was content to play by the site's rules. Instead of hacking third-party sites and submitting proof to earn points, two hackers decided instead to hack RankMyHack.com itself. How many points was that worth? Only 717, apparently.

But to look up any more point values, you'll need to join--and submit evidence of hacking prowess--since after all of the "media" interest, the site's administrators said they're restricting access to the URL input page to confirmed members only. Membership, in other words, has its privileges--unless, of course, the players turn against you.

On a related note, the limelight-loving Julian Assange, founder of WikiLeaks, posted an "editorial" last week on the WikiLeaks site in which he announced that he had "commenced pre-litigation action" against two former partners: the Guardian newspaper, after its reporter "recklessly, and without gaining our approval, knowingly disclosed the decryption passwords in a book published by the Guardian"; and a German programmer, Daniel Domscheit-Berg.

The Guardian, in a statement sent in email, noted that this is the third time Assange has threatened suit against it, following previous accusations of loss of earnings (November 2010) and of libel after the Guardian released a WikiLeaks book in February 2011. Neither of those suits has come to pass.

As for Domscheit-Berg, he met Assange in 2007 and rose to become the No. 2 person inside WikiLeaks, before parting bitterly with Assange, whom he labeled an "autocratic ruler" pursuing a "cult of stardom." Assange this week accused Domscheit-Berg of revealing a WikiLeaks security vulnerability.

But that vulnerability may have begun with Assange, who lost control of a "cables.csv" file containing un-redacted versions of all 251,287 State Department cables obtained by the group. Evidently, he forgot to delete the password-protected file from the secure WikiLeaks server, after telling two Guardian reporters that it would be shared only with them and online only for a few hours. The reporters, no doubt seeking additional color for the WikiLeaks book they penned, included the password in their book--also a security misstep. But they had no way of knowing that later on, not only had someone else (by some accounts, a WikiLeaks supporter) obtained a copy of the same file, but that person had also released it on BitTorrent.

In Assange's reading, however, his former partners are turning against him. In particular, he said, the Guardian failed to play by his rules, violating a confidentiality agreement it had signed. (Although as an astute reader noted, can WikiLeaks sue someone for disclosing government communications it illegally obtained?) That agreement dictated that the cables be released only in thematic batches, after being arduously read and redacted by people with local knowledge.

So, in a logical leap, two weeks ago, Assange chose to release 134,000 new cables--over six times what had been previously released--without redaction. In other words, Assange appears to have rushed the cable release not in the spirit of responsible disclosure, but rather to beat perceived rivals at a game of his own devising. Unfortunately, the cables also included the names of at least 100 confidential diplomatic sources, triggering criticism from both the U.S. State Department and the news organizations that have been devoting months to read, redact, and release the cables.

Next, Assange turned democratic, putting the question of un-redacted cable disclosure to his Twitter followers. Their response, he said, was 100 to 1 in favor of releasing all of the un-redacted versions.

On Friday he released every cable, without redaction. The move drew swift condemnation from five former media partners: the Guardian, Le Monde, the New York Times, El Pais, and Der Spiegel. They issued a joint statement saying that "we deplore the decision of WikiLeaks to publish the un-redacted state department cables, which may put sources at risk," and they noted that "the decision to publish by Julian Assange was his, and his alone."

Interestingly, according to the Guardian, Assange didn't start out as a proponent of redaction. "Initially, as has been widely reported, Assange was unwilling to remove material to protect informants, but the Guardian and its media partners persuaded him that the diplomatic cables should be carefully redacted before release, and this editing process was carried out by the newspapers."

Did his information-leaking partners turn against him? In the end, the security-paranoid Assange found himself in this situation by fumbling some security basics, including failing to compartmentalize sensitive information and delete copies of it in a timely manner.

In its statement, the Guardian also called attention to the date when the cables.csv file was first shared on BitTorrent, after its reporters accessed it in July 2010. "It appears that two versions of this file were subsequently posted to a peer-to-peer file sharing network using the same password. One version was posted on December 7, 2010--a few hours before Julian Assange was arrested following an extradition request," the newspaper said.

To recap: Assange set the rules of the game but seems to have tripped himself up. Then, before he could be widely scooped, he opted instead for a scorched earth policy and released all of the cables himself.

Now, will anyone want to play with WikiLeaks again?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: " I think Google Doodle is getting a little out of control"
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.