WikiLeaks clones emerging as security game-changer

In the new age of whistle-blowing, where sites modeled after WikiLeaks allow anyone to disclose classified information, organizations must rethink enterprise security and risks, observers say.
Written by Vivian Yeo, Contributor

The rise of the Web as a communication platform as well as "hacktivism" have given whistle-blowing a makeover, and enterprises with lax security need to step up their defenses or risk putting themselves out of business.

Recent exploits of hacktivists such as LulzSec and Anonymous have highlighted glaring loopholes and vulnerabilities in the corporate networks and security practices of both public and private sector organizations. For example, LulzSec members claimed they were able to lift customer passwords from SonyPictures.com that were unencrypted and in plaintext.

While such revelations are still considered few and far between, several disclosure sites modeled after WikiLeaks have since sprung up including those by media organizations such as Al Jazeera and The Wall Street Journal, CNN said in a June report. Earlier this month, Anonymous announced two sites--LocalLeaks and HackerLeaks--to allow more people to expose wrongdoing and disseminate hacked data.

Industry experts ZDNet Asia contacted noted that this growing trend of whistle-blowing is unlikely to reverse, and urged companies to understand the risks associated with the ease of data disclosure, particularly when it comes to information relating to their security posture.

According to Michael Netzley, assistant professor of corporate communication at the Singapore Management University (SMU), exposés are "just a fact of life today [and] are not going away".

"With the decentralized and relatively less-regulated arena of social media, people will 'out' you whether you like it or not," Netzley said in an e-mail. "The goal line has been moved...hacking and releasing a bit of data may seem less of an offense."

Similarly, Graham Cluley, senior technology consultant at Sophos, said there appears to be a growing trend where people think that "any information can be made public", which could be at the expense of "innocent" individuals.

Rob McMillan, Gartner's research director for security risk and privacy, pointed out that the idea of data leaking out of organizations is not new. However, the rise of sites or platforms encouraging such leakage, and the level of exposure of leaked information, is proving to be a "game-changer" in 2011, he said in a phone interview.

The Sydney-based analyst added that the implications are greater on businesses that have been lax in security.

Wakeup call for businesses

"Organizations [that] in the past haven't had that level of concern, and have been perhaps a bit laissez faire, are now having to pay attention because they understand the implications of being involved in this type of leak," McMillan said.

The level of concern for those that have always taken security seriously has probably not changed a lot, he added. That said, such "well-run" organizations may also look to improve their security posture in the light of these developments.

Gao Debin, assistant professor at SMU's School of Information Systems, also highlighted the positive impact security whistle-blowing might have on corporate entities, noting that traditionally, CIOs and CTOs have difficulty justifying investments in enterprise security. "These WikiLeaks-type Web sites are helping to make such justification easier," he said.

At the same time, the idea that "there are always people watching you" also means that the likelihood of security weaknesses being exploited and private data leaked will go up, Gao noted. There will be changes in the risk analysis formula for organizations, which will correspond to an eventual spike in security investment, he added.

However, Cluley warned there was a downside to publicly exposing organizational security weaknesses or bad practices--those with malicious intent would benefit from such disclosures.

"Although the protagonists behind such [disclosure] sites may feel they are raising awareness or blowing a whistle about an important security weakness that needs to be fixed, they're actually drawing the attention of malicious hackers who can then abuse the weaknesses," he pointed out in an e-mail.

What is needed, noted Cluley, is responsible disclosure which involves working with the party with the security flaws to get these fixed, or alerting the media so that there will be pressure on the organization to act and resolve the issue. This benefits the industry more than handing a "blueprint for others to take advantage of the weakness", he said.

"When some corporate information is exposed, it's often individuals inside the companies or customers of the firms who are put most at risk, as their personal details can be made public," Cluley noted. "It's hard to argue that you are doing something good if innocent parties are put at risk."

SMU's Netzley added that, ultimately, managing the trend of security whistle-blowing requires more than technology and policies. Companies, he said, should exhibit governance and pay attention to the human aspect.

"If your company engages in questionable activities and has poor employee policies, then you simply have planted a seed for some disgruntled employee to treat you in a way that feels roughly similar to the way they feel.

"If you want people to act in your best interest, you must first act in their best interest," he said. "Otherwise, you end up in an arms race of trying to stay ahead of angry people who might want to partake in WikiLeaks-type behavior. That is distracting and unproductive."
