Vulnerabilities / Threats
7/28/2010
11:14 AM

WikiLeaks Tests Feasibility Of Government Data Security

Governments will always face the twin challenges of balancing the need for secrecy with the need to collaborate, say experts.

In the wake of the release by WikiLeaks on Sunday of more than 90,000 documents pertaining to the war in Afghanistan, will government data ever be safe again? In other words, can the U.S. government -- or for that matter, any government, corporate entity, or organization -- prevent a similar mass document disclosure in the future?

"Of course not, because remember this isn't technical, this is a human problem," said Bruce Schneier, chief security technology officer of managed computer network security service provider BT Counterpane. "The technical thing is that WikiLeaks enables this to happen easily and relatively safely, but fundamentally, human beings read these messages." When they have concerns, such as over the missile attack in Iraq, or this release of documents [from Afghanistan], then the related information may well find its way public.

WikiLeaks founder Julian Assange, who has talked about the global network of servers and technology that make his site "uncensorable," hammered that ease-of-submission point home yesterday. "We never know the source of the leak," he told reporters in London, according to published accounts. "Our whole system is designed such that we don't have to keep that secret."

"Fundamentally, this is about a whistle-blower," said Schneier. "No government or company can ever protect or defend against that. You can make it harder -- disable print, e-mail forwarding -- but at worst, I can take a photograph of the screen and mail it to you," he said.

In other words, the WikiLeaks phenomenon is primarily about people, not technology.

"In general, at any company and any government agency, authorized insiders have access to information, and if they decide to violate laws and policy and make inside information public, there is no 100% foolproof way of stopping them," said John Pescatore, VP and research fellow at Gartner Research. "That is why companies and government agencies spend a lot of time on background checks and personnel vetting, but that is not foolproof either -- as just about every spy case points out."

If you overly restrict access to information, such as the from-the-battlefield communications released by WikiLeaks, people can die, and do. "A good example is how much information the U.S. actually had prior to the terrorist attacks of September 2001 that were strongly protected and weren't shared, leading to a major failure of the intelligence community," said Pescatore.

Even so, he predicts that the fallout from the WikiLeaks disclosure, like the Pentagon Papers before it, may lead government agencies toward "an over-reaction towards too much secrecy, which then impedes real need for collaboration."

The real lesson, said Pescatore, should be about always trying to find the right balance between "need to know" and "need to share," which the private sector seems to do relatively well. "Notice you don't tend to see, say, Cisco or SAP having corporate secrets released, but they do a very good job of collaborating across their companies. They balance security with usability -- it is not impossible to do so."

Unfortunately, he said, "governments tend to not be able to easily define that middle ground."
