Preventing your own WikiLeaks

Preventing your own WikiLeaks

Summary: Security is only as strong as your weakest link, and that 'link' is probably already is in your pocket or laptop bag.

SHARE:
TOPICS: Networking, Hardware
32

As I continue to watch the WikiLeaks saga, I can' t help thinking, no matter what you think of WikiLeaks, it never would have gotten so big if it wasn't for some dumb security mistakes. It's not, as Jason Perlow pointed out, that the system design itself was defective, it was how it was managed in the field that lead to a flood of secret documents being revealed.

No, Secret Internet Protocol Router Network (SIPRNet) is about as secure as any network can be. But, US Army intelligence analyst, Private First Class Bradley Manning showed how even the best laid security plans are useless if they're not followed. While SIPRNet materials seemed to have been shared over a secured network, the laptops that Manning used to vacuum down the gigabytes of data, now in WikiLeak's hands, had a CD/DVD burner on it. According to a Wired report, Manning said, "I would come in with music on a CD-RW labeled with something like 'Lady Gaga,' erase the music then write a compressed split file."

There was no need for any sophisticated network tapping or Mission Impossible heroics here; all he needed was a PC and a blank optical disc and he was in business. Argh!

Before you shake your head at how foolish the government can be, have you considered your own network's protection? Even if your Wi-Fi is locked down with WPA2/CCMP (Wi-Fi Protected Access/Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) and your wired network is secured with 802.1X Port-Based Authentication what makes you think your typical office PC is really secure?

I'm sitting at my office looking at one of my old workhouse PCs, a Dell Inspiron 530S. It has a DVD+/-RW drive, six USB 2.0 ports, and four memory card readers. By my count that eleven different ways that I can, with no thought at all, pull data from my network.

In my laptop bag, sitting by my side, I have two-blank DVD RW discs; half-a-dozen USB drives that can hold from 512MBs to 4GBs of data; a first-generation iPod Touch with 16GBs of storage; and a Droid II Android phone with 8 GB of internal memory plus an 8 GB microSD memory card. Were I in your office, with a similar PC in front of me, I could walk out in a few hours with 40 gigabytes of your data.

I'm sure I could do that because I almost never run into a business that realizes that any PC, once logged into the system, is a de facto security hole All those electronics that we carry with us every day-USB sticks, MP3 music players, smartphones, cameras-can be used to grab data.

The U.S. Government does realize that. As a friend who's in the intelligence community recently told me, "I don't own an iPod, because I can't take it, or my phone, in to work. Or a writable CD, or a USB stick, or ... well you catch the drift."

Exactly. If you really want your data to be secure, you need to make sure that no one walks in or out of the office with any memory storage device. In the 21st century that means pretty much any modern electronic device. You can also try to lock down all but essential ports on your PCs. Either 'solution' has its own set of problems

So, the next time, you think "How could they be such idiots!" just keep in mind that, with today's technology, how hard it is to keep data from being stolen. Sure, in the WikiLeaks case, there were lots of mistakes and that was dumb--I mean, come on, why didn't anyone notice just how much sensitive network traffic was going to one location outside of Baghdad?--but it only takes one mole in your company for gigabytes of data to walk out the door. Consider yourself warned.

Topics: Networking, Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

32 comments
Log in or register to join the discussion
  • RE: Preventing your own WikiLeaks

    Zafesoft.com offers a data security solution by securing sensitive files wherever they are located or copied, while maintaining a transparent, nonrestrictive user interface. This technology provides full control of your data, whether it?s stored on your hard drive, copied to a server, or transmitted via USB, CD, or sent in an email. This can prevent you from being the victim of a Wikileak.
    RobertSiciliano
    • RE: Preventing your own WikiLeaks

      @RobertSiciliano ... If anyone buys that, please contact me. I have a used bridge in NYC available cheap.
      twaynesdomain-22354355019875063839220739305988
      • RE: Preventing your own WikiLeaks

        @twaynesdomain you are welcome to try and poke holes in it. Sounds difficult to believe but the company has very satisfied and secure customers, you check it out. Ultimately the ability to easily access large amounts of data is created by technology, so it will have to be technology that solves the challenge of securing it.
        RobertSiciliano
    • RE: Preventing your own WikiLeaks

      @RobertSiciliano I've got a digital camera with enough megapixels to photo any doc on my screen. That's plenty enough to leak info, and I'm sure those who want to leak documents will indeed resort to photo/video capture with an uncontrolled device if need be.<br><br>In the end, this isn't a tech problem: It's a people problem. You have to make sure you can trust the people that work for you.
      CobraA1
  • RE: Preventing your own WikiLeaks

    Every time you enter a national lab, you have to be free from: cell phones, USB drives, CDs, and laptops. Only authorised computers are allowed, with proper security software that either disable or check for any illegal activity.
    feranick@...
    • RE: Preventing your own WikiLeaks

      @feranick@... I agree, I find it odd that not only a bone head like this private was allowed to take in anything, let alone they had a burner in the room. My brother works for the FBI, he cannot take any computer device what-so-ever into work, and his personal phone music players etc. have to stay in the car. His computer does not have a burner nor does he have outside access to the internet, all internal secure network.
      ItsTheBottomLine
  • I think you are missing the point

    Its not that the guy was able to sneak in writable media, it's that he was was able to access data he had no need to be accessing. My understanding of the case is that this guy just copied what he had access to, he did not do any hacking etc. If that was truly the case then its just a matter of controlling access at a system or file level instead of assuming that everyone connected to the network is authorized. I can't see any reason why a lower enlisted would need access to that much data, so that leaves me believing that there was little to no access controls on the data beyond the physical ones.
    themp
  • Step Zero In Avoiding Your Own Wikileaks

    Don't go out and murder 800,000 innocent human beings in furtherance of theft.
    HollywoodDog
    • RE: Preventing your own WikiLeaks

      @HollywoodDog

      Yep, you can prevent Wikileaks by not doing anything evil in the first place.

      How many times do we have to say Americans apparently can't handle the truth.
      tonymcs@...
      • RE: Preventing your own WikiLeaks

        @tonymcs@...
        We can handle the truth just fine, thank you. The trouble is, we're so rarely given the truth, even more rarely by our own government.

        Of course, the USA hardly has a monopoly on lying governments, and we're STILL the best place on earth to live even with all our faults. And I notice also that we're awfully handy to have around when somebody needs money or a nice, well-armed combat force.

        Nobody, least of all me, is saying the USA is perfect. It's far from it, especially right now, and we HAVE acted in a heavy-handed manner all too often, and too often for the wrong reasons. But to think, even for a minute, that everyone here behaves that way, or even that we support our government's heavy-handed actions, betrays something awfully ugly about you, not about us.
        clfitz
    • Saddam Hussein is dead, so that's not a problem

      anymore.
      frgough
      • RE: Preventing your own WikiLeaks

        @frgough - Thank you.
        ItsTheBottomLine
    • Sure, of course, it's just that simple.

      Gee HollywoodDog, if that's all that was in the wikileaks documents, maybe I'd agree with you. But there were quite alot of [b]non-evil, non-illegal, rightfully clasified[/b] data in there too.
      Does someone trying to hack into military computers [i]really[/i] need to know what we're doing to stop them? Do leaders in other countries really need to know [i]our assesments of them[/i]?

      I love how you keep so much of your life secret, all in the name of protecting what little advantage it gives you in protecting yourself, yet you somehow feel that the US government should give away that same protection of it's citizens by letting other governments have access to their private thoughts and classified info?

      Why are you so against people in our government having honest, confidential assessments of a country or leader of another government? You do that everyday in your own life, or will you say that you tell your boss exactly what you think of hime or her? Why not?

      It really sounds like your against having private thoughts alltogether. Do you think the government should have absolutelly [b]no[/b] secrets? Maybe we should just tell the smugglers and pirates what we're doing to stop drugs or human traficing, let the Pirates off the coast of Somolia who in their government is helping us stop them because you're saying you can't see any reason whatsoever why letting that information out into the world is a bad thing.

      IMHO, I think you have absolutelly no idea of what you're talking about here, but to each his own.

      Ironic: I could have kept that opinion of you to myself, and not offeded you, but now that you know, what's your next step? It doesn't change my assesment of you, yet it [b]will[/b] change your response.
      John Zern
      • RE: Preventing your own WikiLeaks

        @John Zern Consider the source of the comments...there's a BIG leak there already.
        ItsTheBottomLine
      • Thanks for your opinion

        @John Zern On August 11, even the DOD was forced to admit to The Washington Post the complete absence of any evidence to support its wild accusations: "'We have yet to see any harm come to anyone in Afghanistan that we can directly tie to exposure in the WikiLeaks documents,' [Pentagon spokesman Geoff] Morrell said." <br><br>It would be extremely difficult to establish that any one of the 612 redacted cables released by Wikileaks (after they were published in Der Spiegel, NY Times, Guardian, LeMonde, etc) did anything other than embarass certain government officials. The UK is storing cluster bombs for us in violation of international agreement, for instance. That might embarrass politicians, but how does that assist America's enemies?<br><br>The store of cables was not operational intelligence. It wasn't CIA reports. It was stuff that embarrassed politicians. I'm surprised that someone who usually thinks somewhat critically would swallow unchallenged the standard lip music that always comes out of politicians mouths than anything which embarrasses them will get somebody killed.<br><br>About myself, I would remind you that I'm constantly under surveillance - from my employer, phone company, ISP, email providers, credit card companies, anybody I do any business with. Google. The government can surveil me 24 hours a day if they want. They assert a right to plant GPS trackers on my car without any probably cause. And they're currently pushing legislation in congress to require any provider of any encryption whatsoever to provide the government a back door to get in to it. If your assertion is that we as individuals are luxuriating in a warm blanket of privacy, I wonder where you've been for the last 20 years.<br><br>Notice how quickly the "If-you're-not-doing-anything-wrong-then-you-have-nothing-to-hide" mentality evaporates when it's *their* privacy and communications being invaded.<br><br>I suppose you'll now call for me to be assassinated for possession of an opinion the Government doesn't like.
        HollywoodDog
      • Wikileaks and confidentiality

        @John Zern The problem with the materials now or soon-to-be on Wikilinks was in not vetting more carefully the list of the 1,000,000 people who had access to the material. Those responsible for that list should have and from now on should operate on the "need to know" principle and on the maxim "three people can keep a secret if two of them are dead."<br><br>At least one piece of information that all Americans should be aware of appears to have turned up: the use of diplomats as spies. All governments, save perhaps those of Andorra or Liechtenstein, need and use spies. But spying and diplomacy are two facets of foreign policy that must be kept separate. Stimson's remark that "gentlemen do not read one another's mail" may apply to diplomats, but it certainly doesn't apply to spies. Governments rely on the notion that their diplomats will earn the trust of the governments of the countries to which they are posted. That means that for a longer or shorter time communications between diplomats and their own government's foreign office must remain highly confidential, perhaps to be made available after 50 years, depending on the circumstances.<br><br>You may recall that Mark Twain (hardly a "diplomat") forbade the publication of his memoirs until 100 years after his death. Thus it is only now that UC/Berkeley, which holds the manuscript, has begun to publish them.
        brambeus
    • RE: Preventing your own WikiLeaks

      @HollywoodDog

      Oh, boy.

      I had a reasoned, honest reply to this, but I doubt you'd get it so I won't waste the effort.

      I assume you're American, though. I am, too, but I'm not ashamed of it, nor do I experience any guilt over it. Our country doesn't always do the right thing, I know. Neither does any other.

      And, while everyone is busy pissing and moaning over the classified documents and the identities of our operatives on foreign soil being exposed, I have a question: Remember Valerie Plame? I do believe that the person who was accused of exposing her, for purely political reasons, occupied a position of great importance in a Conservative administration. Ironically, most of the pissing and moaning about exposure of foreign operatives is coming from...Conservatives. Hmmm...

      Cue the double standards.
      clfitz
      • RE: Preventing your own WikiLeaks

        @clfitz "... but I doubt you'd get it so I won't waste the effort." LOL - very good and I"m sure accurate.
        ItsTheBottomLine
      • There isn't a double standard

        @clfitz Nobody was harmed by any Wikileaks released.

        Valerie Plame was an undercover CIA officer engaged in the business of the theft of other countries secrets on behalf of the Government. The people she had contact with were probably important government officials in Middle Eastern countries. She was operating a front company, according to the newspapers.

        Don't you imagine that after BushCo revealed her identity to our enemies that they ran down all their telephone logs and internet records to identify anybody who had anything to do with her or her company, rounded them up and tortured and/or killed them?

        According to DOD, *nobody* has been killed because of a WikiLeak. Don't you think they've been busy trying to find one to bolster their hysterical claims?
        HollywoodDog
    • Re: There isn't a double standard

      @HollywoodDog
      I know what Valerie Plame was doing, and I can without reservation promise you that whatever country she was operating in had just as many of their own operatives here, doing something close to the same thing. They ALL spy, on friends as well as enemies.

      And, I'm sure that that country did, indeed, hunt down, torture and kill her contacts and agents, many of whom were innocent, probably not even aware of whom they were giving secrets to, or possibly not aware that they were doing so. There are some here doing that right now.

      And I'm not saying we're innocent. What I AM saying is that no other country is, either. We ALL do it, and what's worse, we all know we're doing it. Another poster on this thread is busily hand-wringing over the fact that some of our operatives were posing as diplomatic agents. Guess what? Every country in the world does this.

      Lest I be misunderstood, I'd like right now to make perfectly clear that I'm mostly on WikiLeaks' side here. I think it's performing a vital function for democracy in general and for the USA in particular, especially at this pitiful moment in our history. I sometimes disagree with their lack of discretion, but I'm very happy they've made this stuff public. And I say that as the son of a former WWII infantryman who was taken POW in the Battle of the Bulge.

      But, I will never agree with those who demonize this country. Sometimes, we behave poorly, but so do all the others, and we mostly do pretty well, if the number of those willing to risk their lives to live here is any indication. Like all the others, we, too, sometimes need a reminder of how we're supposed to behave. I think WikiLeaks provides that.
      clfitz