Perimeter
3/5/2012
04:37 PM

WikiLeaks And Anonymous: A Forced Standard Of Corporate Accountability?

The Anonymous-WikiLeaks alliance will amplify the call for public disclosures of private data. For security professionals, the lesson is to not give in

Before I ever stepped into my first server room, I spent the better part of my post-grad life as a PR professional thoroughly vested in making sure all of the great things our clients did, whether humanitarian or self-serving (and, believe me, there were far more examples in the latter camp than the former), reached the ears, eyes, and editors' discretion of select media outlets. In fact, our agency's tagline was "don't hide your light under a bushel" and included (really!) line drawings of an apple tree and basket to complete the metaphor.

Fast forward many years to an older and hopefully wiser IT emissary and advocate, but a slightly more cynical one as well. I'm now convinced there are more businesses that prefer to hide, even bury, their light far underground, away from prying eyes and a public with its insatiable appetite to surface what would ordinarily be appropriate to keep hidden, than there are businesses that abide by public disclosures required by such governing bodies as the SEC or measures or policies such as Sarbanes-Oxley, PCI-DSS, or HIPAA/HITECH.

Let me be clear. There's nothing at all wrong in keeping what is and should remain confidential. After all, if there's one thing we need more of in this world, it's trust, especially when it comes to our data and those to whom we convey, share, and entrust it. Besides, there are already far too many examples of how quickly trust erodes when the latest data breach is made public. Think Heartland Payment Systems, TJX, Epsilon, and countless others.

Still, there are forces (mostly hidden) who believe otherwise: that all data should be public and the public's right to know transcends the organization's right for it to remain confidential.

Take the recent revelation that Anonymous, in the words of Andy Greenberg from Forbes, has "upgraded its relationship with WikiLeaks from friendly acquaintance to partner" -- this as the Julian Assange-led whistleblower site is set to release beginning this week a collection of 5.5 million emails from Stratfor, the privately held but recently breached global intelligence firm.

The timing of this news is interesting, especially since WikiLeaks' relevance has, at least in my opinion and that of many others, waned of late. Yes, there is the ongoing Army court-martial of Pfc. Bradley Manning, widely alleged to have been the source of hundreds of thousands of military intelligence documents about the Iraq and Afghanistan wars leaked online and to The New York Times and Washington Post, among other media outlets. There are also Assange's own legal problems as he remains under house arrest and continues to fight extradition to Sweden to face accusations of assault. Still, this loosely termed "partnership" between these two shadow organizations is troubling on multiple levels. And, in this case, perception may indeed be reality.

For example, there's tacit acknowledgement from sources within its collective that Anonymous supplied WikiLeaks with the December 2011 leaked Stratfor emails. As reported by Forbes, the collective's "news service" is quoted as saying "YES, #Anonymous gave the STRATFOR emails obtained in the 2011 LulzXmas hack to WikiLeaks."

According to Wired.com, among the first group of leaked emails is evidence Stratfor monitored the activities of a loose collective known as The Yes Men on behalf of its client Dow Chemical. It may have engaged in insider trading, payment-laundering, as well as extortion in order to secure intelligence from sources. Others, according to CNN, focused on speculation about the health of Venezuelan President Hugo Chavez and who may have been behind a suspected campaign of sabotage against Iran's nuclear program.

The reason Anonymous shared these with WikiLeaks? According to the Anonymous source quoted in Wired, "the site was more capable of analyzing and spreading the leaked information than Anonymous would be ... it has a great means to publish and disclose and work with media in a way we don't." In other words, we (being Anonymous) do all the hacking and you (being WikiLeaks) leak it and are not responsible for how the business it's stolen from is impacted.

Indeed, as Greenberg soundly suggests, with no public, secure conduit for whistleblowers, a massive collective of nameless hackers might be WikiLeaks' most prolific new source, an infusion of data that could very well vault the increasingly failing and self-proclaimed source protection organization back into some level of prominence and likely subject to, of course, further government scrutiny.

The kicker? Neither of these groups -- WikiLeaks or "the collective" -- is accountable to anyone else, except their own sense of what passes among them as righteous -- e.g., the right thing to do, a one-upmanship "play" that serves only to foster their individual agendas. Moreover, this limited partnership may play to the more conspiratorial-minded among us, eliciting sympathy or support for either or both groups. I'm not suggesting mainstream support -- just enough of a push by select members of the media (as well as so-called "fringe" groups) to assert the WikiLeaks-Anonymous association as the new norm in business checks and balances.

As a security professional, I think there is a pair of takeaways from this news. One, the collaboration between Anonymous and WikiLeaks represents a troubling new direction for those of us charged with protecting our companies' intellectual property.

Suddenly, satisfying SEC rules and regulations and the ongoing requirements of our shareholders and board of directors is not enough. Now there's a constant undercurrent of hacktivists -- the new "Barbarians at the Gate" -- who threaten to plunder our IP and data and then use an offshore portal in order to disseminate and publicize it, all of it, by the way, against our will and all for the sake of feigning accountability to, or forcing it on, individuals with absolutely no ties to the business, no dog in the fight.

In fact, this whole scenario is similar to my colleague Chet Wisniewski's recent post on the Nortel Networks data breach, when corporate accountability went out the window when the company's patents came up for auction to the highest bidder. Indifference to public humiliation because, ultimately, no one will hold you accountable. Or, tying it back to my public relations roots, publicity for the sake of publicity.

The second takeaway is far more sublime: that no matter in what industry you ply your trade, or the size or scope of your company, firewall, or level of security, whether the data you store is in a private or public cloud or secreted in an underground facility, you are always just on the verge of having your data breached. The lesson here is to accept that as fact (not paranoia) and take every precaution to keep your data from being exploited. Apply role-based access controls. Encrypt data in-flight and at rest. Deploy a robust firewall. Treat every endpoint as a potential leak. Patch regularly. Password protect at every turn. Keep BYOD in check. Monitor Web traffic. Centralize security policies and then enforce them. Authenticate every user. Be accountable. Remain vigilant.

And always remember that someone, somewhere, doesn't want you to keep your light under a bushel. It's really all up to you whether at the end of the day you wind up giving them an apple, a bushel, a single tree, the entire orchard, or, ideally, nothing at all.

Brian Royer, a security subject matter expert with Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, Web threats, endpoint and data protection, mobile security, cloud computing and datacenter virtualization.
