Dark Reading is part of the Informa Tech Division of Informa PLC


WikiLeaks And Anonymous: A Forced Standard Of Corporate Accountability?

The Anonymous-WikiLeaks alliance will amplify the call for public disclosures of private data. For security professionals, the lesson is to not give in.

Before I ever stepped into my first server room, I spent the better part of my post-grad life as a PR professional thoroughly vested in making sure all of the great things our clients did, whether humanitarian or self-serving (and, believe me, there were far more examples in the latter camp than the former), reached the ears, eyes, and editors' discretion of select media outlets. In fact, our agency's tagline was "don't hide your light under a bushel" and included (really!) line drawings of an apple tree and basket to complete the metaphor.

Fast forward many years to an older and hopefully wiser IT emissary and advocate, but a slightly more cynical one as well. I'm now convinced there are more businesses that prefer to hide, even bury, their light far underground, away from prying eyes and a public with an insatiable appetite to surface what would ordinarily be appropriate to keep hidden, than there are businesses that abide by the public disclosures required by governing bodies such as the SEC or by measures and policies such as Sarbanes-Oxley, PCI-DSS, or HIPAA/HITECH.

Let me be clear. There's nothing at all wrong in keeping what is and should remain confidential. After all, if there's one thing we need more of in this world, it's trust, especially when it comes to our data and those to whom we convey, share, and entrust it. Besides, there are already far too many examples of how quickly trust erodes when the latest data breach is made public. Think Heartland Payment Systems, TJX, Epsilon, and countless others.

Still, there are forces (mostly hidden) who believe otherwise: that all data should be public and the public's right to know transcends the organization's right for it to remain confidential.

Take the recent revelation that Anonymous, in the words of Andy Greenberg from Forbes, has "upgraded its relationship with WikiLeaks from friendly acquaintance to partner" -- this as the Julian Assange-led whistleblower site is set to release beginning this week a collection of 5.5 million emails from Stratfor, the privately held but recently breached global intelligence firm.

The timing of this news is interesting, especially since WikiLeaks' relevance has, at least in my opinion and that of many others, waned of late. Yes, there is the ongoing Army court-martial of Pfc. Bradley Manning, widely alleged to have been the source of hundreds of thousands of military intelligence documents about the Iraq and Afghanistan wars released online and to The New York Times and Washington Post, among other media outlets. There are also Assange's own legal problems as he remains under house arrest and continues to fight extradition to Sweden to face accusations of assault. Still, this loosely termed "partnership" between these two shadow organizations is troubling on multiple levels. And, in this case, perception may indeed be reality.

For example, there's tacit acknowledgement from sources within its collective that Anonymous supplied WikiLeaks with the December 2011 leaked Stratfor emails. As reported by Forbes, the collective's "news service" is quoted as saying "YES, #Anonymous gave the STRATFOR emails obtained in the 2011 LulzXmas hack to WikiLeaks."

According to Wired.com, among the first group of leaked emails is evidence Stratfor monitored the activities of a loose collective known as The Yes Men on behalf of its client Dow Chemical. It may have engaged in insider trading, payment-laundering, as well as extortion in order to secure intelligence from sources. Others, according to CNN, focused on speculation about the health of Venezuelan President Hugo Chavez and who may have been behind a suspected campaign of sabotage against Iran's nuclear program.

The reason Anonymous shared these with WikiLeaks? According to the Anonymous source quoted in Wired, "the site was more capable of analyzing and spreading the leaked information than Anonymous would be ... it has a great means to publish and disclose and work with media in a way we don't." In other words, we (being Anonymous) do all the hacking and you (being WikiLeaks) leak it and are not responsible for how the business it's stolen from is impacted.

Indeed, as Greenberg soundly suggests, with no public, secure conduit for whistleblowers, a massive collective of nameless hackers might be WikiLeaks' most prolific new source, an infusion of data that could very well vault the increasingly failing and self-proclaimed source protection organization back into some level of prominence and, of course, likely subject it to further government scrutiny.

The kicker? Neither of these groups -- WikiLeaks or "the collective" -- is accountable to anyone except their own sense of what passes among them as righteous -- e.g., the right thing to do, a one-upmanship "play" that serves only to foster their individual agendas. Moreover, this limited partnership may play to the more conspiratorial-minded among us, eliciting sympathy or support for either or both groups. I'm not suggesting mainstream support -- just enough of a push by select members of the media (as well as so-called "fringe" groups) to assert the WikiLeaks-Anonymous association as the new norm in business checks and balances.

As a security professional, I think there is a pair of takeaways from this news. One, the collaboration between Anonymous and WikiLeaks represents a troubling new direction for those of us charged with protecting our companies' intellectual property.

Suddenly, satisfying SEC rules and regulations and the ongoing requirements of our shareholders and board of directors is not enough. Now there's a constant undercurrent of hacktivists -- the new "Barbarians at the Gate" -- who threaten to plunder our IP and data and then use an offshore portal to disseminate and publicize it, all of it, by the way, against our will and all for the sake of feigning accountability to, or forcing it on, individuals with absolutely no ties to the business, no dog in the fight.

In fact, this whole scenario is similar to the one in my colleague Chet Wisniewski's recent post on the Nortel Networks data breach, in which corporate accountability went out the window when the company's patents came up for auction to the highest bidder. Indifference to public humiliation because, ultimately, no one will hold you accountable. Or, tying it back to my public relations roots, publicity for the sake of publicity.

The second takeaway is far more sublime: that no matter in what industry you ply your trade, or the size or scope of your company, firewall, or level of security, whether the data you store is in a private or public cloud or secreted in an underground facility, you are always just on the verge of having your data breached. The lesson here is to accept that as fact (not paranoia) and take every precaution to keep your data from being exploited. Apply role-based access controls. Encrypt data in-flight and at rest. Deploy a robust firewall. Treat every endpoint as a potential leak. Patch regularly. Password protect at every turn. Keep BYOD in check. Monitor Web traffic. Centralize security policies and then enforce them. Authenticate every user. Be accountable. Remain vigilant.

And always remember that someone, somewhere, doesn't want you to keep your light under a bushel. It's really all up to you whether at the end of the day you wind up giving them an apple, a bushel, a single tree, the entire orchard, or, ideally, nothing at all.

Brian Royer, a security subject matter expert with Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, Web threats, endpoint and data protection, mobile security, cloud computing and datacenter virtualization.
