7/28/2010
11:14 AM

WikiLeaks Tests Feasibility Of Government Data Security

Governments will always face the twin challenges of balancing the need for secrecy with the need to collaborate, say experts.

In the wake of the release by WikiLeaks on Sunday of more than 90,000 documents pertaining to the war in Afghanistan, will government data ever be safe again? In other words, can the U.S. government -- or for that matter, any government, corporate entity, or organization -- prevent a similar mass document disclosure in the future?

"Of course not, because remember this isn't technical, this is a human problem," said Bruce Schneier, chief security technology officer of managed computer network security service provider BT Counterpane. "The technical thing is that WikiLeaks enables this to happen easily and relatively safely, but fundamentally, human beings read these messages." When they have concerns, such as over the missile attack in Iraq, or this release of documents [from Afghanistan], then the related information may well find its way public.

WikiLeaks founder Julian Assange, who has talked about the global network of servers and technology that make his site "uncensorable," hammered that ease-of-submission point home yesterday. "We never know the source of the leak," he told reporters in London, according to published accounts. "Our whole system is designed such that we don't have to keep that secret."

"Fundamentally, this is about a whistle-blower," said Schneier. "No government or company can ever protect or defend against that. You can make it harder -- disable print, e-mail forwarding -- but at worst, I can take a photograph of the screen and mail it to you," he said.

In other words, the WikiLeaks phenomenon is primarily about people, not technology.

"In general, at any company and any government agency, authorized insiders have access to information, and if they decide to violate laws and policy and make inside information public, there is no 100% foolproof way of stopping them," said John Pescatore, VP and research fellow at Gartner Research. "That is why companies and government agencies spend a lot of time on background checks and personnel vetting, but that is not foolproof either -- as just about every spy case points out."

If you overly restrict access to information, such as the from-the-battlefield communications released by WikiLeaks, people can die, and do. "A good example is how much information the U.S. actually had prior to the terrorist attacks of September 2001 that were strongly protected and weren't shared, leading to a major failure of the intelligence community," said Pescatore.

Even so, he predicts that the fallout from the WikiLeaks disclosure, like the Pentagon Papers before it, may lead government agencies toward "an over-reaction towards too much secrecy, which then impedes real need for collaboration."

The real lesson, said Pescatore, should be about always trying to find the right balance between "need to know" and "need to share," which the private sector seems to do relatively well. "Notice you don't tend to see, say, Cisco or SAP having corporate secrets released, but they do a very good job of collaborating across their companies. They balance security with usability -- it is not impossible to do so."

Unfortunately, he said, "governments tend to not be able to easily define that middle ground."
