US Government Changes Security Following WikiLeaks Debacle
As WikiLeaks supporters fight back, the US federal government has ordered new rules to prevent future breaches
As cables continue to trickle out of WikiLeaks in the second week since the site began posting, it appears that WikiLeaks and the United States government have learned some hard lessons.
“Previously with security breaches, the focus has been on the outside threat,” said Darren Hayes, Computer Information Services Program Chair at New York’s Pace University. Companies have been worried about other organisations trying to steal corporate secrets and the government has been protecting against foreign countries trying to breach US security and defenses, Hayes said. There hasn’t been “enough mention of internal threats, in the past”, he said.
Data leaks
The “WikiLeaks debacle” essentially boils down to an insider data breach, according to Hayes, as it involves a user with access leaking the data to someone else. Organisations – business and the federal government – are reviewing their policies to prevent similar breaches in the future.
As for US military analyst Army Private Bradley Manning, the one suspected of leaking the cables to WikiLeaks, “he simply had too much access to sensitive government information”, said Thom VanHorn, vice president of global marketing at Application Security. If employees “only have access to the information necessary to do their jobs” and access privileges are properly assigned, “sensitive information doesn’t get into the wrong hands”, VanHorn said.
The US Office of Management and Budget ordered each agency that handles classified information to perform a security review of its procedures.
The US Department of Defense will “rethink computer security procedures and change their policies in a revolutionary way”, said Hayes. At the moment, the changes are fairly straightforward: banning all removable devices on classified systems. The Defense Department said there will be other changes as well, such as a network monitoring solution that will identify anomalous network activity and changes in how data is transferred between classified and unclassified computers.
For WikiLeaks, the question is no longer about whether it will get shut down soon, but about money. Instead of a single DNS provider, the site now has a round-robin setup of at least 14 DNS providers directing traffic to its domain name, of which it now has several.
Resilience
Despite losing the wikileaks.org domain name, web hosting, ongoing denial-of-service attacks and getting blacklisted by some countries in the first week, the site remains up, bolstered by nearly a thousand mirror sites around the world keeping the content online.
“The harder you hit them, the bigger they get,” said James Cowie, a security researcher with Renesys.
But PayPal, MasterCard and Visa have all suspended accounts, and Switzerland’s PostFinance suspended one of the bank accounts set up for founder Julian Assange’s legal bills. Even if donations don’t come in, the bills are going to mount, and the site needs a legal fund for when the United States lawyers come knocking. US Attorney General Eric Holder has made no secret of his desire to prosecute Assange.
“To the extent that we can find anybody who was involved in the breaking of American law, who put at risk the assets and the people I have described, they will be held responsible; they will be held accountable,” Holder said at a news conference.
The controversy around Assange appears to be too much for some WikiLeaks staffers, as they resigned to launch a rival whistle-blower site OpenLeaks.
Even though PayPal released all the funds to the foundation that was raising funds for the site, PayPal said the accounts will remain inaccessible. The donations are right now limited to going through Flattr, a web-based donation system run by a British-Swedish firm. “We will never stop this as long as WikiLeaks’ operations are legal,” said Leif Hogberg, a system developer and co-owner of the small firm, to AFP. He noted that WikiLeaks is not yet illegal in Great Britain or Sweden.
Prosecution
As the lawyers work out how to prosecute Assange, some government officials are denying charges of censorship or pressuring companies to sever ties with Assange’s operation.
“We have not pressured anybody to do anything,” Holder said at a news conference in San Francisco when asked if the government had tried to influence companies.
Shortly after a statement by PayPal’s vice president of platform, Osama Bedier, that the “State Department told us these were illegal activities,” at Paris’ LeWeb conference, both PayPal’s general counsel and the State Department denied the conversation ever took place. Bedier was referencing a letter sent by the State Department to WikiLeaks, not PayPal, according to TechCrunch.
As for WikiLeaks supporters, there are some lessons learned there as well. An Internet gathering, commonly referred to as “Anonymous”, has launched a series of distributed denial-of-service attacks against WikiLeaks enemies, such as PayPal, PostFinance, Visa, MasterCard and the Swedish Prosecution Authority. Called Operation Payback, Anonymous posted target sites and instructions on how to participate in the DDOS (distributed denial of service) attacks on Twitter. Unlike usual botnets controlling computers belonging to innocent users, there are “no victimised machines” in Operation Payback as “the participants knowingly engage” in the DDOS attack, said Noa Bar Yossef, a senior security strategist at Imperva.
While the group trumpeted victories about knocking PayPal, Visa and MasterCard offline, the fact remains that they were “brochure sites”, said Jason Hoffman, co-founder and chief scientist at public cloud provider Joyent. The DDOS attacks didn’t disrupt actual payment services but the corporate sites, he said. A “vigilante DDOS attack” of several hundreds of machines can’t do a lot of damage to core services – a “botnet of millions of machines” would be needed, he said.
Even Anonymous appeared to understand its limitations, posting on Twitter: “We can not attack Amazon, currently. The previous schedule was to do so, but we don’t have enough forces.”
Payback
Within the Anonymous IRC chat rooms, there was a lot of discussion about whom to target next, but also about halting DOS attacks and focusing on publicising the contents of the leaked cables. Some participants in the chat rooms seemed aware they were losing the propaganda war and were being painted as criminals out to steal credit card information.
In a press release, Anonymous said, “Our current goal is to raise awareness about WikiLeaks,” and called itself “Internet Citizens” who are “fed up with minor and major injustices”.