Vulnerabilities / Threats
08:48 AM

Hackers Turn On Each Other

WikiLeaks fumbles the disclosure of sensitive government cables, while hacking competition website finds little honor among members.

Is there no honor among hackers, or information leakers?

Last week, even got hacked. The website, which awards points for proof that you've hacked particular websites, isn't the first such leaderboard. But the site had grabbed a lot of attention in a short period of time for listing hacking point values for prominent websites, such as the White House's (34,594 points).

Not everyone, however, was content to play by the site's rules. Instead of hacking third-party sites and submitting proof to earn points, two hackers decided instead to hack itself. How many points was that worth? Only 717, apparently.

But to look up any more point values, you'll need to join--and submit evidence of hacking prowess--since after all of the "media" interest, the site's administrators said they're restricting access to the URL input page to confirmed members only. Membership, in other words, has its privileges--unless, of course, the players turn against you.

On a related note, the limelight-loving Julian Assange, founder of WikiLeaks, posted an "editorial" last week on the WikiLeaks site in which he announced that he had "commenced pre-litigation action" against two former partners: the Guardian newspaper, after its reporter "recklessly, and without gaining our approval, knowingly disclosed the decryption passwords in a book published by the Guardian"; and a German programmer, Daniel Domscheit-Berg.

The Guardian, in a statement sent in email, noted that this is the third time Assange has threatened suit against it, following previous accusations of loss of earnings (November 2010) and of libel after the Guardian released a WikiLeaks book in February 2011. Neither of those suits has come to pass.

As for Domscheit-Berg, he met Assange in 2007 and rose to become the No. 2 person inside WikiLeaks, before parting bitterly with Assange, whom he labeled an "autocratic ruler" pursuing a "cult of stardom." Assange this week accused Domscheit-Berg of revealing a WikiLeaks security vulnerability.

But that vulnerability may have begun with Assange, who lost control of a "cables.csv" file containing un-redacted versions of all 251,287 State Department cables obtained by the group. Evidently, he forgot to delete the password-protected file from the secure WikiLeaks server, after telling two Guardian reporters that it would be shared only with them and online only for a few hours. The reporters, no doubt seeking additional color for the WikiLeaks book they penned, included the password in their book--also a security misstep. But they had no way of knowing that later on, not only had someone else (by some accounts, a WikiLeaks supporter) obtained a copy of the same file, but that person had also released it on BitTorrent.

In Assange's reading, however, his former partners are turning against him. In particular, he said, the Guardian failed to play by his rules, violating a confidentiality agreement it had signed. (Although as an astute reader noted, can WikiLeaks sue someone for disclosing government communications it illegally obtained?) That agreement dictated that the cables be released only in thematic batches, after being arduously read and redacted by people with local knowledge.

So, in a logical leap, two weeks ago, Assange chose to release 134,000 new cables--over six times what had been previously released--without redaction. In other words, Assange appears to have rushed the cable release not in the spirit of responsible disclosure, but rather to beat perceived rivals at a game of his own devising. Unfortunately, the cables also included the names of at least 100 confidential diplomatic sources, triggering criticism from both the U.S. State Department and the news organizations that have been devoting months to read, redact, and release the cables.

Next, Assange turned democratic, putting the question of un-redacted cable disclosure to his Twitter followers. Their response, he said, was 100 to 1 in favor of releasing all of the un-redacted versions.

On Friday he released every cable, without redaction. The move drew swift condemnation from five former media partners: the Guardian, Le Monde, the New York Times, El Pais, and Der Spiegel. They issued a joint statement saying that "we deplore the decision of WikiLeaks to publish the un-redacted state department cables, which may put sources at risk," and they noted that "the decision to publish by Julian Assange was his, and his alone."

Interestingly, according to the Guardian, Assange didn't start out as a proponent of redaction. "Initially, as has been widely reported, Assange was unwilling to remove material to protect informants, but the Guardian and its media partners persuaded him that the diplomatic cables should be carefully redacted before release, and this editing process was carried out by the newspapers."

Did his information-leaking partners turn against him? In the end, the security-paranoid Assange found himself in this situation by fumbling some security basics, including failing to compartmentalize sensitive information and delete copies of it in a timely manner.

In its statement, the Guardian also called attention to the date when the cables.csv file was first shared on BitTorrent, after its reporters accessed it in July 2010. "It appears that two versions of this file were subsequently posted to a peer-to-peer file sharing network using the same password. One version was posted on December 7, 2010--a few hours before Julian Assange was arrested following an extradition request," the newspaper said.

To recap: Assange set the rules of the game but seems to have tripped himself up. Then, before he could be widely scooped, he opted instead for a scorched earth policy and released all of the cables himself.

Now, will anyone want to play with WikiLeaks again?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-08-30
The IPsec SA establishment process on Innominate mGuard devices with firmware 8.x before 8.1.7 allows remote authenticated users to cause a denial of service (VPN service restart) by leveraging a peer relationship to send a crafted configuration with compression.

Published: 2015-08-30
Buffer overflow in the HTTP administrative interface in TIBCO Rendezvous before 8.4.4, Rendezvous Network Server before 1.1.1, Substation ES before 2.9.0, and Messaging Appliance before 8.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vect...

Published: 2015-08-30
Cross-site request forgery (CSRF) vulnerability in the web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2015-08-29
Use-after-free vulnerability in the CanvasRenderingContext2D implementation in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to execute arbitrary code by leveraging improper interaction between resize events and changes to Cascading Style Sheets (CSS) token...

Published: 2015-08-29
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point i...

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.