Dark Reading is part of the Informa Tech Division of Informa PLC



3/5/2012
04:37 PM

WikiLeaks And Anonymous: A Forced Standard Of Corporate Accountability?

The Anonymous-WikiLeaks alliance will amplify the call for public disclosures of private data. For security professionals, the lesson is to not give in.

Before I ever stepped into my first server room, I spent the better part of my post-grad life as a PR professional thoroughly vested in making sure all of the great things our clients did, whether humanitarian or self-serving (and, believe me, there were far more examples in the latter camp than the former), reached the ears, eyes, and editors' discretion of select media outlets. In fact, our agency's tagline was "don't hide your light under a bushel" and included (really!) line drawings of an apple tree and basket to complete the metaphor.

Fast forward many years later to an older and hopefully wiser IT emissary and advocate, but a slightly more cynical one as well. I'm now convinced there are more businesses that prefer to hide, even bury, their light far underground, away from prying eyes and a public with its insatiable appetite to surface what would ordinarily be appropriate to keep hidden, than there are businesses that abide by public disclosures required by such governing bodies as the SEC or measures or policies such as Sarbanes-Oxley, PCI-DSS, or HIPAA/HITECH.

Let me be clear. There's nothing at all wrong in keeping what is and should remain confidential. After all, if there's one thing we need more of in this world, it's trust, especially when it comes to our data and those to whom we convey, share, and entrust it. Besides, there are already far too many examples of how quickly trust erodes when the latest data breach is made public. Think Heartland Payment Systems, TJX, Epsilon, and countless others.

Still, there are forces (mostly hidden) who believe otherwise: that all data should be public and the public's right to know transcends the organization's right for it to remain confidential.

Take the recent revelation that Anonymous, in the words of Andy Greenberg from Forbes, has "upgraded its relationship with WikiLeaks from friendly acquaintance to partner" -- this as the Julian Assange-led whistleblower site is set to release beginning this week a collection of 5.5 million emails from Stratfor, the privately held but recently breached global intelligence firm.

The timing of this news is interesting, especially since WikiLeaks' relevance has, at least in my opinion and that of many others, waned of late. Yes, there is the ongoing army court martial of Pfc. Bradley Manning, widely alleged to have been the source of hundreds of thousands of military intelligence documents about the Iraq and Afghanistan wars leaked online and to The New York Times and Washington Post, among other media outlets. There are also Assange's own legal problems as he remains under house arrest and continues to fight extradition to Sweden to face accusations of assault. Still, this loosely termed "partnership" between these two shadow organizations is troubling on multiple levels. And, in this case, perception may indeed be reality.

For example, there's tacit acknowledgement from sources within its collective that Anonymous supplied WikiLeaks with the December 2011 leaked Stratfor emails. As reported by Forbes, the collective's "news service" is quoted as saying "YES, #Anonymous gave the STRATFOR emails obtained in the 2011 LulzXmas hack to WikiLeaks."

According to Wired.com, among the first group of leaked emails is evidence Stratfor monitored the activities of a loose collective known as The Yes Men on behalf of its client Dow Chemical. It may have engaged in insider trading, payment-laundering, as well as extortion in order to secure intelligence from sources. Others, according to CNN, focused on speculation about the health of Venezuelan President Hugo Chavez and who may have been behind a suspected campaign of sabotage against Iran's nuclear program.

The reason Anonymous shared these with WikiLeaks? According to the Anonymous source quoted in Wired, "the site was more capable of analyzing and spreading the leaked information than Anonymous would be ... it has a great means to publish and disclose and work with media in a way we don't." In other words, we (being Anonymous) do all the hacking and you (being WikiLeaks) leak it and are not responsible for how the business it's stolen from is impacted.

Indeed, as Greenberg soundly suggests, with no public, secure conduit for whistleblowers, a massive collective of nameless hackers might be WikiLeaks' most prolific new source, an infusion of data that could very well vault the increasingly failing and self-proclaimed source protection organization back into some level of prominence and likely subject to, of course, further government scrutiny.

The kicker? Neither of these groups -- WikiLeaks or "the collective" -- is accountable to anyone else, except to their own sense of what passes among them as righteous -- e.g., the right thing to do, a one-upmanship "play" that serves only to foster their individual agendas. Moreover, this limited partnership may play to the more conspiratorial-minded among us, eliciting sympathy or support for either or both groups. I'm not suggesting mainstream support -- just enough of a push by select members of the media (as well as so-called "fringe" groups) to assert the WikiLeaks-Anonymous association as the new norm in business checks and balances.

As a security professional, I think there is a pair of takeaways from this news. One, the collaboration between Anonymous and WikiLeaks represents a troubling new direction for those of us charged with protecting our companies' intellectual property.

Suddenly, satisfying SEC rules and regulations and the ongoing requirements of our shareholders and board of directors is not enough. Now there's a constant undercurrent of hacktivists -- the new "Barbarians at the Gate" -- who threaten to plunder our IP and data and then use an offshore portal in order to disseminate and publicize it, all of it, by the way, against our will and all for the sake of feigning accountability to, or forcing it on, individuals with absolutely no ties to the business, no dog in the fight.

In fact, this whole scenario is similar to my colleague Chet Wisniewski's recent post on the Nortel Networks data breach, in which corporate accountability went out the window when the company's patents came up for auction to the highest bidder. Indifference to public humiliation because, ultimately, no one will hold you accountable. Or, tying it back to my public relations roots, publicity for the sake of publicity.

The second takeaway is far more sublime: no matter in what industry you ply your trade, or the size or scope of your company, firewall, or level of security, whether the data you store is in a private or public cloud or secreted in an underground facility, you are always just on the verge of having your data breached. The lesson here is to accept that as fact (not paranoia) and take every precaution to keep your data from being exploited. Apply role-based access controls. Encrypt data in-flight and at rest. Deploy a robust firewall. Treat every endpoint as a potential leak. Patch regularly. Password protect at every turn. Keep BYOD in check. Monitor Web traffic. Centralize security policies and then enforce them. Authenticate every user. Be accountable. Remain vigilant.

And always remember that someone, somewhere, doesn't want you to keep your light under a bushel. It's really all up to you whether at the end of the day you wind up giving them an apple, a bushel, a single tree, the entire orchard, or, ideally, nothing at all.

Brian Royer, a security subject matter expert with Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, Web threats, endpoint and data protection, mobile security, cloud computing and datacenter virtualization.
