Diplomat Loses Top Secret Clearance for Linking to WikiLeaks

U.S. State Department veteran Peter Van Buren has lost his Top Secret security clearance after linking to WikiLeaks. Photo courtesy of Van Buren

A veteran U.S. State Department foreign service officer lost his security clearance and diplomatic passport this week while the department investigates him over linking to a WikiLeaks document on his blog and publishing a book critical of the government.

Peter Van Buren, who is 51 and has worked for the department for 23 years, had his Top Secret security clearance suspended indefinitely for what the department calls his unwillingness to comply with rules and regulations regarding “writing and speaking on matters of official concern.” This is according to a memo the State Department sent Van Buren.

The move is purely vindictive, according to Van Buren.

“I’m fairly close to retirement [from government work] and this is a way of not allowing me to retire with a security clearance,” he said. “It’s like having a big scarlet ‘loser’ painted on my forehead.”

Van Buren said the State Department is deliberately suspending his clearance, instead of revoking it, in order to place him in limbo and deny him the ability to appeal the decision.

“If they go as far as revocation, that can be challenged right up through federal court,” he said. “The problem is the diplomatic security people know the rules, so they use temporary suspension as a way of taking away security clearance in a way that is unchallengeable.”

Until his case is closed, he can’t do anything about it, and investigators have been known to leave cases open for years, he said, denying workers the ability to appeal and effectively ending their careers.

“This is just their way of sending a message and creating an extrajudicial punishment that can’t be questioned or challenged,” he said.

Van Buren, whose new book is critical of U.S. reconstruction projects in Iraq, revealed last month that the State Department had launched an investigation against him for disclosing classified information.

The investigation started shortly before his book was to be released and right after he posted a link in an August 25 blog post about the hypocrisy of recent U.S. actions against Libyan leader Muammar Qadaffi. The link went to a WikiLeaks-published 2009 U.S. State Department cable about the sale of U.S. military spare parts to Qadaffi through a Portuguese middleman.

State Department investigators interrogated him twice, demanding to know who had helped him with his blog post and also drilling him about the details of the publishing contract for his book We Meant Well: How I Helped Lose the Battle for the Hearts and Minds of the Iraqi People, according to Van Buren.

Van Buren was warned that his refusal to answer questions would lead to his firing and that he could be charged with interfering with a government investigation if he wrote publicly about the investigation against him, which he did anyway.

The Principal Deputy Secretary of State subsequently wrote Van Buren’s publisher demanding three small redactions from a chapter of his book, which had already shipped to bookstores. The chapter, titled “Spooky Dinner,” is about a dinner Van Buren and other Department staff had with the CIA in Baghdad long after the fall of Saddam Hussein.

The meeting took place in one of Hussein’s former palaces, which the CIA had taken possession of, and dinner was served with Hussein’s former chinaware and stemware. The chapter discussed speculation about what secrets the dinnerware could reveal if it could talk — among them what Hussein and his CIA handlers might have said to each other when they met in 1983 to discuss the Iran-Iraq War.

The cable to which Van Buren linked in August was just one in a cache of more than 250,000 cables that WikiLeaks began publishing last November in concert with media partners in the U.S. and Europe. WikiLeaks had allegedly obtained the cables from former Army intelligence analyst Bradley Manning, who is currently awaiting trial on charges that he passed classified material to a third party.

In December 2010 the White House issued a directive warning federal employees not to access the government documents WikiLeaks published online.

“Classified information, whether or not already posted on public websites or disclosed to the media, remains classified, and must be treated as such by federal employees and contractors, until it is declassified by an appropriate U.S. Government authority,” the directive said.

Ironically, Van Buren had worked across the hallway from Manning for about six months in Iraq in 2009 and 2010 at Forward Operating Base Hammer, he told Wired in a phone interview Wednesday.

That’s where Manning allegedly downloaded the cables to a CD-Rom while pretending to lip-sync to Lady Gaga music that was supposedly on the disc. Now Van Buren is being punished for linking to something that Manning allegedly downloaded from the Army’s classified network and leaked to WikiLeaks.

“I literally had my office across the hall from where he worked,” Van Buren said. “I don’t think I actually ever met the guy. The last time I had access to U.S. government secrets was on the Army system that Bradley Manning used.”

Van Buren said State Department security staff who informed him of his suspension this week didn’t even know who Manning was when he mentioned the name. The security guys, Van Buren said, thought he was trying to brag about his department connections.

“Don’t try to impress me with the people you know,” he says one of the staffers told him. “You could work for Secretary [of State Hillary] Clinton; the rules are the same.”

According to the memo announcing his suspension, Van Buren’s failure to obtain the department’s review before publishing his blog posts raised “serious security concerns” about his judgment in handling protected information and about his continued access to classified material and the safety of national security interests.

“These considerations dictate that, in the interim, you must, at a minimum, remain assigned to a position that does not include sensitive duties,” the memo reads.

Strangely, Van Buren works in the human resources division of the State Department – a job that doesn’t involve sensitive duties or classified information, he says. Although he doesn’t need a Top Secret security clearance for the work he currently does, the fact that the Department has suspended his clearance makes him look like a troublemaker to potential future employers.

“It’s a way of bending the rules and hiding behind security to slap down an employee who’s done something that they don’t like,” he said.

Security 101: Vulnerabilities, Part 2

In my last post we discussed the most dangerous kind of vulnerabilities that we classify at McAfee Labs: remote code execution and denial of service. Today, we’ll talk about vulnerabilities that are not so dangerous, those we classify as Medium or Low Risk. These threats still require our attention because they can create a chain reaction in our metaphorical building, as we discussed last time. Let’s see why that’s the case.

Medium-Risk Vulnerabilities

These vulnerabilities are like a group of siblings, all very similar but with slight differences in context. We have the Privilege Escalation twins and their brother the Security Bypass.

  • Privilege Escalation (PE): This vulnerability allows an attacker to take actions not usually permitted to a legitimate user. They are twins because there are two types: horizontal PE and vertical PE. A horizontal PE gives an attacker the same privileges as another user at the same level. The easiest example is a forum: an attacker can “jump” from one user account to another and read and modify information or posts, but always at the same level of privileges. In the context of our building, this vulnerability gives an attacker the freedom of movement of a legitimate inhabitant, sometimes by impersonating one, sometimes without needing to. A vertical PE, on the other hand, gives an attacker more privileges than the account he or she started with. This happens, for example, when the attacker jumps from a local user to an administrator. The attacker then has partial or total access to some restricted areas of the building, where he or she can change things.

  • Security Bypass (SB): In the broadest sense, a security bypass is the same as a PE: the attacker can take actions not usually allowed. The difference is that, in a good part of the cases, the bypass applies to rooms that have contact with the exterior (the Internet). Nowadays, a lot of rooms are protected by a sandbox, which forms a cubicle around the room and its windows. The sandbox allows secure communication with the environment because only permitted traffic goes through it to the rest of the room. When a program has a security bypass, the cubicle has imperfections that allow unsafe traffic to slip through.

Medium-risk vulnerabilities are not too dangerous by themselves. If the building is well protected, then someone’s operating with increased privileges is not the disaster it could be. The danger is that the PE and the SB can create a chain reaction: The attacker enters as a normal user or guest, overcomes security measures, and then installs or changes programs to cause a lot of damage. PE and SB are a more difficult way to enter our building than remote code execution, but it can happen.
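The forum case described above, as an added example that is not part of the original post: each flawed check sits beside a hardened one, and denied attempts are recorded so the trail is easy to find. The `User` and `Post` types, the function names and the rule that an admin may edit any post are assumptions made for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller lacks the right to perform an action."""

@dataclass
class User:
    name: str
    role: str          # set server-side from the session, never from the request

@dataclass
class Post:
    owner: str
    body: str

AUDIT = []             # denied attempts: (user, action, target)

def sample_posts():
    # Constructed sample data for the example.
    return {1: Post("alice", "hello"), 2: Post("bob", "hi")}

def edit_post_vulnerable(posts, user, post_id, body):
    # Flawed: being logged in is the only requirement, so any member can
    # rewrite any other member's post (horizontal PE).
    posts[post_id].body = body

def edit_post(posts, user, post_id, body):
    # Hardened: the post's owner is compared with the caller on every request.
    # Assumption: admins act as moderators and may edit any post.
    post = posts[post_id]
    if post.owner != user.name and user.role != "admin":
        AUDIT.append((user.name, "edit_post", post_id))
        raise Forbidden("not the owner of this post")
    post.body = body

def can_ban_vulnerable(user, request_params):
    # Flawed: the role is read from a client-controlled field (vertical PE).
    return request_params.get("role") == "admin"

def can_ban(user, request_params):
    # Hardened: only the server-side role counts; the client's claim is ignored.
    allowed = user.role == "admin"
    if not allowed:
        AUDIT.append((user.name, "ban_user", request_params.get("target")))
    return allowed
```
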

Low-Risk Vulnerabilities

  • Information Disclosure (ID): This flaw allows an attacker to read information that is otherwise inaccessible. Think of this as a bulletin board in some part of the building, with ads and information for everyone to see. The kind of information on the board depends on the type of room it is in: It can be a memory dump, configuration files, directory structures, etc. ID is a low-risk vulnerability because attackers can only see; they can’t do anything to the building. If attackers want to use the information, they must exploit other vulnerabilities or find critical information such as a password file. However, ID must be reviewed case by case, as its risk level can be very volatile, depending on the vulnerable program, the information disclosed, and the network environment. An ID in a Certificate Authority, such as Comodo or DigiNotar, can be a disaster, as we have seen. The same danger applies to critical networks or machines that store highly valuable information. Even if ID might appear a lesser evil, never take it at face value.

Even though medium- and low-risk vulnerabilities are less dangerous than remote code execution or denials of service, they are still important. An experienced attacker sometimes doesn’t need more than one of these to cause damage, such as stealing intellectual property. And although these attacks leave a noticeable trail, the activity logs hold so much information that finding the suspicious trail requires a slow and detailed search, which we don’t usually do as a preventive measure. We tend to look closely only as a reaction to damage already done.

This finishes our two posts on vulnerabilities; I hope they were valuable for you. Next time: Attack vectors–how an attacker can enter the building.

Supreme Court of Canada OKs Internet Linking


University of Ottawa legal scholar Michael Geist points out a major court ruling Wednesday for internet freedom.

The Supreme Court of Canada today issued its much anticipated ruling in Crookes v. Newton, a case that focused on the issue of liability for linking to allegedly defamatory content. The court provided a huge win for the internet as it clearly understood the significance of linking to freedom of expression and the way the internet functions by ruling that there is no liability for a mere hyperlink.

“I would conclude that a hyperlink, by itself, should never be seen as ‘publication’ of the content to which it refers,” Justice Rosalie Silberman Abella wrote.

It’s alarming that the legality of linking was uncertain in Canada until Wednesday.

via Michael Geist – Supreme Court of Canada Stands Up for the Internet: No Liability for Linking.
