Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/6/2011
08:48 AM
50%
50%

Hackers Turn On Each Other

WikiLeaks fumbles the disclosure of sensitive government cables, while hacking competition website RankMyHack.com finds little honor among members.

Is there no honor among hackers, or information leakers?

Last week, even RankMyHack.com got hacked. The website, which awards points for proof that you've hacked particular websites, isn't the first such leaderboard. But the site had grabbed a lot of attention in a short period of time for listing hacking point values for prominent websites, such as the White House's (34,594 points).

Not everyone, however, was content to play by the site's rules. Instead of hacking third-party sites and submitting proof to earn points, two hackers decided instead to hack RankMyHack.com itself. How many points was that worth? Only 717, apparently.

But to look up any more point values, you'll need to join--and submit evidence of hacking prowess--since after all of the "media" interest, the site's administrators said they're restricting access to the URL input page to confirmed members only. Membership, in other words, has its privileges--unless, of course, the players turn against you.

On a related note, the limelight-loving Julian Assange, founder of WikiLeaks, posted an "editorial" last week on the WikiLeaks site in which he announced that he had "commenced pre-litigation action" against two former partners: the Guardian newspaper, after its reporter "recklessly, and without gaining our approval, knowingly disclosed the decryption passwords in a book published by the Guardian"; and a German programmer, Daniel Domscheit-Berg.

The Guardian, in a statement sent in email, noted that this is the third time Assange has threatened suit against it, following previous accusations of loss of earnings (November 2010) and of libel after the Guardian released a WikiLeaks book in February 2011. Neither of those suits has come to pass.

As for Domscheit-Berg, he met Assange in 2007 and rose to become the No. 2 person inside WikiLeaks, before parting bitterly with Assange, whom he labeled an "autocratic ruler" pursuing a "cult of stardom." Assange this week accused Domscheit-Berg of revealing a WikiLeaks security vulnerability.

But that vulnerability may have begun with Assange, who lost control of a "cables.csv" file containing un-redacted versions of all 251,287 State Department cables obtained by the group. Evidently, he forgot to delete the password-protected file from the secure WikiLeaks server, after telling two Guardian reporters that it would be shared only with them and online only for a few hours. The reporters, no doubt seeking additional color for the WikiLeaks book they penned, included the password in their book--also a security misstep. But they had no way of knowing that later on, not only had someone else (by some accounts, a WikiLeaks supporter) obtained a copy of the same file, but that person had also released it on BitTorrent.

In Assange's reading, however, his former partners are turning against him. In particular, he said, the Guardian failed to play by his rules, violating a confidentiality agreement it had signed. (Although as an astute reader noted, can WikiLeaks sue someone for disclosing government communications it illegally obtained?) That agreement dictated that the cables be released only in thematic batches, after being arduously read and redacted by people with local knowledge.

So, in a logical leap, two weeks ago, Assange chose to release 134,000 new cables--over six times what had been previously released--without redaction. In other words, Assange appears to have rushed the cable release not in the spirit of responsible disclosure, but rather to beat perceived rivals at a game of his own devising. Unfortunately, the cables also included the names of at least 100 confidential diplomatic sources, triggering criticism from both the U.S. State Department and the news organizations that have been devoting months to read, redact, and release the cables.

Next, Assange turned democratic, putting the question of un-redacted cable disclosure to his Twitter followers. Their response, he said, was 100 to 1 in favor of releasing all of the un-redacted versions.

On Friday he released every cable, without redaction. The move drew swift condemnation from five former media partners: the Guardian, Le Monde, the New York Times, El Pais, and Der Spiegel. They issued a joint statement saying that "we deplore the decision of WikiLeaks to publish the un-redacted state department cables, which may put sources at risk," and they noted that "the decision to publish by Julian Assange was his, and his alone."

Interestingly, according to the Guardian, Assange didn't start out as a proponent of redaction. "Initially, as has been widely reported, Assange was unwilling to remove material to protect informants, but the Guardian and its media partners persuaded him that the diplomatic cables should be carefully redacted before release, and this editing process was carried out by the newspapers."

Did his information-leaking partners turn against him? In the end, the security-paranoid Assange found himself in this situation by fumbling some security basics, including failing to compartmentalize sensitive information and delete copies of it in a timely manner.

In its statement, the Guardian also called attention to the date when the cables.csv file was first shared on BitTorrent, after its reporters accessed it in July 2010. "It appears that two versions of this file were subsequently posted to a peer-to-peer file sharing network using the same password. One version was posted on December 7, 2010--a few hours before Julian Assange was arrested following an extradition request," the newspaper said.

To recap: Assange set the rules of the game but seems to have tripped himself up. Then, before he could be widely scooped, he opted instead for a scorched earth policy and released all of the cables himself.

Now, will anyone want to play with WikiLeaks again?

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16192
PUBLISHED: 2020-08-05
LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters.
CVE-2020-17364
PUBLISHED: 2020-08-05
USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs.
CVE-2020-4481
PUBLISHED: 2020-08-05
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
CVE-2020-5608
PUBLISHED: 2020-08-05
CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered c...
CVE-2020-5609
PUBLISHED: 2020-08-05
Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to cre...