WikiLeaks about to hit the fan

DO WIKILEAKS IMITATORS PUT YOUR E-MAIL AT RISK?
(Bob Sullivan, MSNBC.com, March 1, 2011)

Imagine having every e-mail you've written published by hackers for the entire world to see. You don't have to stretch your imagination very far -- it's already happening to some folks.

Meet the new face of computer hacking. Inspired by the success of WikiLeaks, stealing and disclosing data is the new form of Internet revenge -- and chaos. There's concern that a new generation of WikiLeaks imitators will come along and use widespread dissemination of embarrassing information as its weapon of choice.

Hackers who call themselves Anonymous -- the group that has gained notoriety for attacking Visa and MasterCard in defense of WikiLeaks -- broke into computers operated by a government contractor named HBGary Federal in early February. Once inside, Anonymous members wreaked all kinds of electronic havoc, including the theft of thousands of employee e-mails. These were then published in searchable form on a Web site similar to WikLeaks, leading to a host of embarrassing disclosures for HBGary employees. The incident drew so much attention that it was featured in a recent segment on “The Colbert Report.”

At the world’s largest computer security conference in San Francisco last month -- RSA USA -- the attack dominated conversations outside meeting rooms.

But lost in the noise and the embarrassment was this chilling truth: It could happen to you. In the old hacker world, it was enough to deface a company's Web site and put up a sarcastic, embarrassing message. The HBGary e-mail history incident -- stealing data, publishing it online, and creating an easy-to-use search engine that encourages its spread -- takes the game to a whole new level.

“Leaking has gone mainstream,” said Mikko Hypponen, chief research officer at Finland-based F-Secure.com. “It's likely this phenomenon isn't going to go away, and we will be seeing leak sites for years to come.”

In the aftermath of the WikiLeaks controversy over the release of secret U.S. diplomatic cables last fall, security research firm McAfee predicted that so-called hacktivism would take an aggressive new turn this year. Traditional electronic activists were generally content to perform online versions of sit-ins, temporarily disabling Web sites of targeted entities with denial-of-service attacks. The spreading of previously non-public information through a sophisticated network of Web sites beyond the reach of law enforcement is a far more effective -- and potentially damaging -- form of online protest.

In fact, security experts openly fretted at the security conference that WikiLeaks imitators will soon become commonplace. And unlike WikiLeaks, not all imitators will consider their work to be goal-oriented hacktivism. In other words, they may not go to any trouble to redact information prior to publication in an attempt to avoid collateral damage to innocent bystanders. Some may simply be motivated by creation of pure anarchy.

"The question is, will the advent of WikiLeaks trigger a mass distribution of information from the hidden depths of public and private entities?" said Jeff Bardin, founder of security research firm Treadstone LLC.

Most who examined the HBGary incident came away with the view that CEO Aaron Barr willingly put a target on his own back by threatening to publicly expose members of Anonymous. And since the release of the e-mails, several important discoveries have been made, suggesting the firm was part of a conspiracy to discredit WikiLeaks in advance of upcoming data leaks that could embarrass prominent U.S. companies.

On the other hand, many of the e-mails contained innocuous information, such as personal life details, information that could lead to identity theft, or potentially humiliating online purchases. It’s important to note that both senders and recipients of the e-mails were made public, meanings hundreds -- if not thousands -- of outsiders were also dragged into the HBGary disclosure. Nearly everyone interviewed at the RSA conference in February had searched the database to see if their name and e-mail was in it.

"This goes way beyond exposing wrongdoing, though there was wrongdoing exposed by the e-mail," said Kevin Poulsen, author of the new book “Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground.” Poulsen is also senior editor at Wired.com

Stealing someone's e-mail and publishing it online, regardless of the impact on innocent bystanders, is hardly new. It happened when a criminal stole Sarah Palin's e-mails during the last presidential campaign, and it's happened to plenty of so-called "white hat" security researchers in the past. The Anonymous incident is different, however, because the group made it so easy for others to search the e-mails for embarrassing details.

"It's the sophistication with which they put it out there that's different," Poulsen said. "That was clearly WikiLeaks-inspired."

Gregg Housh calls himself an Internet activist who has been associated with Anonymous in the past. He describes himself as an avid observer of Anonymous, and he has at times served as the group’s public face. He said Anonymous had no concerns about such collateral damage when it published the data, and probably won't think much about that going forward.

"That's just the way it’s going to have to be now," he said. "It didn't have to go this way, but many people in your field (journalism) failed us. ... It was only natural that something would show up and replace it. I don’t see anyone at all, even slightly, caring about what happened. For the most part the Anons who did it feel like messengers. It's Aaron's (Barr) fault it happened and all blame should be put squarely on his shoulders."

Housh agreed to act as a go-between for msnbc.com to get thoughts from Anonymous members, and said a spokesman from the group offered this response: "In all honesty, we didn't care what was in these e-mails, let alone what damage they might have caused. We were focused on getting revenge on Aaron Barr, everything else was just a bonus -- we don't regret what was uncovered and we'd do it again a thousand times over."

Barr resigned from HBGary on Monday, according to Forbes.com. Anonymous, meanwhile, knocked the website for Americans for Prosperity offline. That conservative organization has been very active in the Wisconsin standoff over collective bargaining rights, spending more than $400,000 in TV ads in support of Republican Gov. Scott Walker's plan to take away union bargaining rights.

In a press release attributed to the group, Anonymous said it was taking on the billionaire Koch brothers, who fund Americans for Prosperity.

"Their actions to undermine the legitimate political process in Wisconsin are the final straw. Starting today we fight back," the press release said.

Anonymous acts much like a traditional hacktivist group, having planned several old-fashioned denial-of-service attacks in support of WikiLeaks and other causes. But theft and distribution of data as a method for revenge will likely bleed into pure anarchy, experts worry.

"The evidence is thin at this point but I think we will see a lot of that in the future," Poulsen said. "Intruders motivated by ideology and revenge, hacking for the purpose of shaming."

Such groups will be particularly troublesome because, unlike WikiLeaks, they will have little to lose. WikiLeaks had donors to please, Poulsen said, and leader Julian Assange showed signs that he was motivated by a quest for credibility. As a result, the Web site improved efforts over time to remove information that might cause collateral damage from its releases, at one point experimenting with eliminating all proper nouns from some document dumps.

"We will not see that from copycat groups,” Poulsen said. “They don't care about respectability. They have no interest in fundraising."

One reason Poulsen thinks a rash of copycats might be coming: It's often easier to hack into mail servers than other computer targets. Until recently, hackers seemed primarily interested in stealing financial information for personal gain. That means computer firms have spent most of their energy protecting computers which host that valuable data. But it also means that many have taken their eye off the ball when it comes to other servers, which were thought to be unattractive targets.

Until now.

Internet users have always been told that anything they write in an e-mail could end up in court, or in front of a boss's prying eyes. Now more than ever, that warning should be heeded: Don't type anything on a keyboard that you wouldn't want the entire world to see. Even if you feel like your company’s servers could never be hacked, can you trust every company you ever e-mail?

And here's another piece of advice from Poulsen.

"Don't piss off Anonymous," he said.

Bardin is not quite as pessimistic as some of his peers. He thinks the current trend of leaked and hacked information being splattered all over the Internet will not continue unabated. A combination of improved security techniques, and the establishment of alternate channels for airing government and corporate gripes, will ultimately slow down WikiLeaks imitators, he thinks.

"We are seeing the spikes of those releases until controls are put in place and it becomes a method of ethical disclosure as opposed to a state of information disorder," he said.

Hypponen said that even though he believes the likelihood that the average Internet user will get caught up in an Anonymous-style disclosure is small, there are some common-sense steps users can take to protect themselves.

“It might be worth considering deleting all e-mails that would be older than, say, six months. You could archive older e-mails to an offline storage that could not be reached by an online attacker. This would at least limit the amount of damage that could be done,” he said. “And of course, create a smart password and authentication policy and follow it through.”

Imagine having every e-mail you've written published by hackers for the entire world to see.

Quote:

Imagine having every e-mail you've written published by hackers for the entire world to see.”

Public role for privacy officers
(By Stanley Pignal, Financial Times, February 23 2011)

When Bojana Bellamy first explored the career possibilities open to someone with her legal training, privacy issues looked like a niche – if promising – speciality. Back then, in the mid-1990s, the European Union was examining how to regulate the way companies handled the sensitive information they collected in the course of doing business, amid growing concern from consumers.

Ms Bellamy’s move into the realm of privacy paid off. Information technology’s invasion of almost every area of business has brought with it a burgeoning profession: now thousands of professionals are devoted to helping companies navigate the complex legal waters around handling sensitive data.

Today, Ms Bellamy is director of data privacy at Accenture, the professional services group. She oversees a team of six people, with a further 60 or so embedded within the business to ensure that personal data – whether of employees, customers or its clients’ customers – is handled appropriately.

The growth of the profession has seen its status change, and the C-suite is open to those at the top of their game – the chief privacy officers. “The issue has become unavoidable for business,” Ms Bellamy says. “Strategically, you need to be seen to care about it.”

Now the EU, which already has some of the most stringent data privacy rules in the world, is drafting new legislation. Some people are pushing for the role of chief privacy officer to be made mandatory for large organisations.

The new rules would tackle complex issues such as whether a company can send an internal human resources database overseas for processing. Or whether a joint venture partner should be allowed access to a company’s marketing database?

“Data protection has become a huge issue for business,” says Christopher Kuner, a partner at Hunton and Williams, a law firm. “Data is the raw material for many companies, like steel used to be in the old days. You have to have procedures when handling private information, like you need to have procedures when handling chemicals.”

This is no longer true just for companies dealing with cutting-edge technological developments, such as cloud computing, which kick up very complex privacy issues, says Mr Kuner. “Every company has an HR database, and most have customer lists, all of which are tightly regulated.”

How to prevent that database ending up, WikiLeaks-style, on the internet, is one of the issues a privacy officer must deal with.

Nearly all large companies now have a lead privacy officer role, says Trevor Hughes, head of the International Association of Privacy Professionals, a US trade group with about 8,000 members worldwide.

*********************************************************

“In the EU, the law calls for ‘adequate protection’, so you can’t undermine data protection laws when you send the data overseas,” says Gabriela Krader, corporate data protection officer of Deutsche Post DHL, the logistics group.

“You need to show that you have a working data protection framework.”

Companies are also likely to have sector-specific issues. Many in the technology sector are grappling with how to offer location-specific services via smartphones, for example, while at the same time not breaching their customers’ privacy.

Banks or health insurance companies handle particularly sensitive information that their clients expect will not be used for marketing reasons. Others, such as delivery companies, accumulate reams of addresses as a byproduct of their operations.

“Everybody has a slightly different privacy challenge, but everybody has a challenge of some sort,” says Mr Hughes.

Much of the day-to-day job of a privacy officer involves helping to raise awareness within an organisation of laws on data, says Ms Krader.

“The main task we have is communicating. What you need to bring across is what the legislation actually means,” she says.

The principle function is, of course, to stem privacy breaches, however they might occur. Systems must be in place to ensure that a junior employee cannot download lots of sensitive files without being questioned, for example. Or that the loss of an employee laptop – a common occurrence in any business – does not degenerate into a full-blown crisis when it is discovered that it contains an unencrypted list of, say, employees’ personal details.

One law being considered by the EU is to force companies that lose personal data to notify those who might be affected by the breach. The idea comes from the US, where such laws have been adopted by most states in recent years.

In 2007, a privacy breach at TJX, the US retail group that owns TK Maxx, was widely publicised because of such a notification system. It had to pay $24m to banks after it was forced to reveal publicly that more than 45m credit and debit card numbers had been stolen from its system.

By increasing the visibility – and financial costs – of privacy blunders, the rules strengthen the business case for companies to strengthen their compliance efforts.

According to Ms Bellamy, it often takes an incident involving a data breach to galvanise a company to hire its first chief privacy officer, or to bolster its existing capabilities.

Beyond the legal and reputational threats associated with data protection blunders, privacy officers say their job is also about improving the way data are used in an organisation.

“It is as much a strategic as a preventive role,” says Ms Bellamy. “We can add value, for example, by incorporating privacy in our product offering. For clients that entrust us with a huge amount of information, how we handle their data is of critical importance.”

That echoes calls made by Brussels for companies to adopt a “privacy-by-design” approach, where data protection is considered during the design process of a new product or service, rather than as an afterthought.

It is a line that the public sector is now pushing, with some tenders both in the US and Europe specifying data protection as a precondition for companies looking to provide services to the government.

From the legal side, the swell of concern around handling personal data is unlikely to go away.

“Privacy protection is like environmental compliance: you need to show you’re on top of it,” says Mr Kuner.

New charges filed in U.S. WikiLeaks case
(United Press International, March 3, 2011)

The U.S. Army notified the soldier who is a key suspect in the WikiLeaks case that he faces 22 new charges in the alleged downloading of secret information.

The most serious new charge against Pfc. Bradley Manning, a junior intelligence analyst suspected of leaking thousands of documents released by WikiLeaks, is aiding and giving intelligence to the enemy, the Los Angeles Times reported Thursday.

In their notification Wednesday, Army prosecutors said Manning "wrongfully and wantonly" caused intelligence to be published on the Internet, knowing the material would be "accessible to the enemy."

Aiding the enemy is a capital offense under the Uniform Code of Military Justice. However, the Army said in a statement prosecutors didn't intend to recommend Manning get the death penalty if convicted. Still, he could face life in prison.

Manning, the only person charged so far in the case, is being held at a Marine base in Virginia during the U.S. investigation into the release by WikiLeaks of hundreds of thousands of military and diplomatic documents on the wars in Iraq and Afghanistan, and U.S. diplomatic relations.

Manning now faces 34 charges, CNN reported, including:

-- wrongfully causing intelligence to be published on the Internet,

-- theft of public records,

-- transmitting defense information,

-- transferring classified data to his personal computer and

-- disclosing classified information on national defense.

David Coombs, Manning's attorney, did not comment on the new charges but said in a statement posted on his blog, "Over the past few weeks, the defense has been preparing for the possibility of additional charges in this case."

A military think tank -- an oxymoron, but regardless -- is tasked with sitting around thinking up new charges to bring against a national hero

Karl jtt Popper (sometime last century - who knows when)

Now the preacher looked so baffled,
When I asked him why he dressed,
With twenty pounds of headlines,
Stapled to his chest.

Hacker group vows 'cyberwar' on US government, business
(By Michael Isikoff, NBC News, March 8, 2011)

A leader of the computer hackers group known as Anonymous is threatening new attacks on major U.S. corporations and government officials as part of at an escalating “cyberwar” against the citadels of American power.

“It’s a guerrilla cyberwar — that’s what I call it,” said Barrett Brown, 29, who calls himself a senior strategist and “propagandist” for Anonymous. He added: “It’s sort of an unconventional, asymmetrical act of warfare that we’ve involved in. And we didn’t necessarily start it. I mean, this fire has been burning.”

A defiant and cocky 29-year-old college dropout, Brown was cavalier about accusations that the group is violating federal laws. He insisted that Anonymous members are only policing corporate and governmental wrongdoing — as its members define it.

“Our people break laws, just like all people break laws,” he added. “When we break laws, we do it in the service of civil disobedience. We do so ethically. We do it against targets that have asked for it.”

And those targets are apparently only growing in number. Angered over the treatment of Bradley Manning, the Army private who is accused of leaking classified U.S. government documents to WikiLeaks and who is currently being held in solitary confinement at a military brig in Quantico, Va., Brown says the group is planning new computer attacks targeting government officials involved in his case.

Among the methods the group is vowing to use: posting personal information about the officials on the Internet, a method known as “doxing.” The group also this week issued a threat over the Internet to “harass” the staff at Quantico “to the point of frustration,” including a “complete communications shutdown” of its Internet and phone links.

In recent months, Anonymous — a loose collection of tech-savvy hackers or “hacktivists” — has threatened some of the biggest corporations in the country. The group is also the target of a major FBI investigation that has included dozens of subpoenas and raids on the homes of suspected members.

(In the interview, Brown, a sometimes freelance journalist, said he is not personally involved in hacking computers, stressing that he only advises the group, participates in its internal strategy sessions and serves as its spokesman. An FBI spokeswoman on Tuesday described the bureau’s investigation of Anonymous members as “ongoing,” but declined further comment.)

Anonymous has been blamed by senior U.S. government officials — including Deputy Defense Secretary William Lynn — with mounting so-called “distributed denial of service” (DDoS) attacks on major corporate and government targets. The group is believed to do this by mobilizing thousands of so-called “zombie” computers, which have been infected with viruses, and directing them to flood a targeted website simultaneously, creating such a huge demand for service that the site shuts down.

Anonymous is believed to have used this method in December, when it took credit for crashing the websites of MasterCard and Visa in retaliation for their decision to cut off service to WikiLeaks. It also claimed credit for shutting down government websites in Tunisia, Egypt, and Libya, which it thereby helping to stoke the uprising in those countries.

Last month, the hackers group launched what may have been its most audacious attack to date, aiming its guns on HBGary Federal, a major cybersecurity firm and government contractor. After HBGary Federal’s CEO threatened to expose members of Anonymous, the group struck back — breaking into the cybersecurity firm’s computers, hijacking the CEO’s Twitter account and swiping tens of thousands of embarrassing emails that it later posted on the Internet.

The emails appeared to show that HBGary Federal and two other contractors were proposing a “disinformation campaign” aimed at discrediting political allies of WikiLeaks and critics of the Bank of American and the U.S. Chamber of Commerce, prompting a group of House Democrats to call for a congressional investigation into the contractors.

Asked about Anonymous, Greg Hoglund, the CEO of HBGary, the founder of HBGary Federal, said Tuesday: “These are not hacktivists. They are criminals. They are breaking into computer systems and stealing information — and that violates multiple federal statutes.”

**************************************************************

There is still much about Anonymous that remains obscure -- and which Brown would not reveal. As he tells it, the group has thousands, if not tens of thousands, of participants, including, he claims, computer managers at major corporations and government agencies and journalists. But, he says, the group’s activities are governed, or at least shaped, by a much smaller group of a “couple dozen” people that reacts to the “ebb and flow” of events. Their overarching goal, he said, “information freedom.”

But there is little doubt that they are capable of brutal actions. Hoglund, the HBGary CEO, said that as part of their attack on his corporate affiliate HBGary Federal, Anonymous members collected personal information on company employees, including Social Security numbers, home addresses and the names of their children. Some employees received death threats, he said.

“Anonymous is not what people think,” he added. “They are vicious individuals and they are having the time of their lives because of all the press they are receiving.”

Brown, for his part, makes no bones about the fact that Anonymous plays rough.

Asked about the group’s capabilities, he said, “Well, they keep increasing, but I can tell you that our capabilities are such that, we can, for instance, go into the servers of a federal contracting company … take those servers down, delete backups, take all internal emails, take documents, shut down the websites of the owners of those companies, take everything from those websites, ruin the lives of people who have done it wrong … harass them, make sure they’ll never work again in this particular industry.

“We can expose people. We can go to the media with things, we can give them scoops. We can give them information about companies and their wrongdoing. We can organize protests —anywhere across the globe. We can get the attention of the national conversation if we need to.”

As a possible example of its ability to penetrate secure information, Anonymous — in its attack on HBGary Federal -- has even claimed to have secured a version of the notorious Stuxnet computer virus, believed to have been used by Western intelligence agencies to set back Iran’s nuclear program. (U.S. officials have steadfastly refused to comment on Stuxnet.)

"Yeah, its dangerous software," Brown said when pressed about Anonymous' claims of access to the virus. "Shouldn’t have been floating around like that."

Should it have been in the hands of Anonymous?

"But it is,” he said. “C'est la vie."

Bradley Manning being mistreated, says Hillary Clinton spokesman
guardian.co.uk, Friday 11 March 2011 15.21 GMT

Hillary Clinton's spokesman has launched a public attack on the Pentagon for the way it is treating military prisoner Bradley Manning, the US soldier suspected of handing the US embassy cables to WikiLeaks. .........


........Crowley, speaking at an MIT seminar in Boston, did say he believed Manning was "in the right place". He was presumably referring to Quantico, where the intelligence specialist has been held pending a court martial since July last year.

Crowley said: "There is sometimes a need for secrets for diplomatic progress to be made." But when asked by one of the audience what he thought about the "elephant in the room" – the US "torturing a prisoner in a military brig" – he replied without pausing that he thought the Pentagon's actions were "ridiculous and counterproductive and stupid". ........

.......The UN is investigating whether the treatment amounts to torture.

Should it [Stuxnex] have been in the hands of Anonymous?

Federal judge denies bid of three linked to Wikileaks to keep Twitter information secret
(By Dana Hedgpeth, The Washington Post, March 12, 2011)

U.S. Magistrate Judge Theresa Carroll Buchanan issued a 20-page opinion Friday in Alexandria that denied the request of three people who are linked to WikiLeaks to keep the U.S. government from looking at some of their Twitter information.

The U.S. attorney’s office for the eastern district of Virginia had sought Twitter records of three people with ties to WikiLeaks, saying it was a routine part of their investigation into the anti-secrecy Web site.

But attorneys for the three argued that the release would violate their First Amendment rights.

Buchanan also issued an order that granted the release of some of the information on the case that has been unsealed.