Wikileaks: What Went Wrong

As most of you know by now, the Wikileaks leak of US diplomatic information is on, at almost full speed. It's pretty much in the daily headlines.

Actual Information

The documents that have been leaked so far are pretty innocuous. These are documents from the SIPRNet, a mostly “secured” adjunct network for sharing intelligence. The documents range from “not even rated” up to “confidential”. No document leaked is supposed to be rated secret. There hasn't been any earth-shattering news:

  • Sarkozy, the French president, is an arrogant peacock.
  • Merkel, the German prime minister, is cautious and risk averse.
  • The whole of the Middle East is afraid of a nuclear Iran.
  • The Karzai government in Afghanistan is corrupt.
  • Pakistan actively supports the Taliban.

The only surprising news, so far, is that some officials in China wouldn't be against the collapse of North Korea. But nothing else will change anything. A few red faces, but that's it.

How it's been done

Here's what's been made public. A low-level “security peon”, Private Bradley Manning, stole all that information. Private is the lowest army rank that you can start with. Bradley Manning has been arrested and is in jail in Virginia. He used an MP3 music player, hooked to his computer via the USB port, to record all those documents. He downloaded close to ½ million documents.

The incompetents at the helm

  1. Downloading ½ million documents to an MP3 player via USB takes a vast amount of time. Didn't the guy have some supervisor? Didn't anybody notice that the guy wasn't doing any work for weeks and months on end?
  2. Downloading ½ million documents to an MP3 player via USB takes a huge amount of network resources. Didn't the network administrators notice the amount of traffic to just this one computer / one IP address?
  3. All the documents are on a central server. That's for “security” and backups. Didn't the network administrators notice that one computer / one IP address accessed all these documents?
  4. All these documents were accessed by a private, the lowest rank of soldier. And nobody asked any questions about what or why?
  5. For the last few years, almost all security experts have spoken about the potential for data theft through USB ports. It's such a gaping hole that even Microsoft has policies in Windows to disable all the USB ports and the CD/DVD drives. Why wasn't it done?

In case you wondered why this wasn't done: it's because the people in charge are incompetents. Why? It's all in the logs. Somebody must be in charge of reviewing the logs on a daily basis. Obviously this wasn't done. The same should apply to your website and your web server.
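As an added example (not part of the original post), here is a small log summary that would surface the pattern from points 2 and 3 above: one client reading most of the documents on a server. It assumes Common Log Format access logs; the log lines, addresses, date and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def summarize(lines):
    """Per (day, client): request count, distinct documents served, bytes sent."""
    stats = defaultdict(lambda: {"requests": 0, "docs": set(), "bytes": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the summary
        s = stats[(m["day"], m["host"])]
        s["requests"] += 1
        if m["status"].startswith("2"):  # only successful reads count as access
            s["docs"].add(m["path"].split("?", 1)[0])
            s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    return stats

def flag_bulk_readers(stats, max_share=0.5, min_docs=20):
    """Flag clients that read more than max_share of all documents seen that day.
    max_share and min_docs are assumed thresholds; tune them to your own site."""
    per_day = defaultdict(set)
    for (day, _), s in stats.items():
        per_day[day] |= s["docs"]
    alerts = []
    for (day, host), s in sorted(stats.items()):
        n = len(s["docs"])
        if n >= min_docs and n / len(per_day[day]) > max_share:
            alerts.append((day, host, n, s["bytes"]))
    return alerts

def sample_log():
    """Constructed sample: three ordinary clients and one that walks the archive."""
    ts = "[01/Jan/2024:10:00:00 +0000]"
    lines = []
    for host, docs in (("10.0.0.11", range(0, 3)), ("10.0.0.12", range(2, 6)),
                       ("10.0.0.13", range(5, 7)), ("10.0.0.99", range(0, 40))):
        lines += [f'{host} - - {ts} "GET /docs/{i}.pdf HTTP/1.1" 200 50000' for i in docs]
    lines.append(f'10.0.0.11 - - {ts} "GET /docs/secret.pdf HTTP/1.1" 403 0')
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for day, host, n, size in flag_bulk_readers(summarize(sample_log())):
        print(f"{day} {host}: {n} distinct documents, {size} bytes")
```

A summary like this is short enough to read every day, and the one client that touched every document stands out without anyone opening the raw logs.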

There are companies/industries that do it right and are “secured”. Banks and financial institutions do it right. How do we know? You don't hear of their breaches. Their breaches can't be hidden. They transfer trillions of dollars and euros across the world, every day. You can hide a “few millions”. Some have successfully hidden a few billions, but you can't hide trillions. Missing trillions have a tendency of getting noticed very quickly.

What's that got to do with me, you say?

  1. People need to learn that the Internet is a giant copy machine. This applies to our photos. Any photo on the Internet can be easily copied, even the ones within Adobe Flash streams. There are many programs available that will take an Adobe Flash stream and convert it to static JPEGs.
  2. Many photographers got their blogs hacked earlier this year because they were using WordPress, especially the photographers that were using GoDaddy to host their websites. They were, and are, using GoDaddy because it's one of the cheapest hosting companies.
  3. Ask yourself the question: “Can I trust the privacy of…” Like the private galleries just for the client so they can review…
  4. Ask yourself the question: “Can I trust my backups when…” What would happen if somebody stole the hard drive or a fire or a flood… Would you lose all of your photos?
  5. Every week, I check the log summaries 3 to 4 times. I do not check the actual logs, just the summaries.
  6. Every week, I check at least once per week that the backups worked and that they are valid.