WikiLeaks suffers its own data loss incident

Der Spiegel is reporting that WikiLeaks has had… wait for it… a data leakage accident. You might think, “So what? The data has already been leaked!”

Unfortunately, that isn’t quite as clear as it seems. WikiLeaks goes to great lengths to protect both their sources and potential informants by redacting their details from the data before publication.

Last summer Daniel Domscheit-Berg had a dispute with Julian Assange and departed with a chunk of the WikiLeaks staff to form OpenLeaks.

In the process Domscheit-Berg was reported to have taken data from a server containing the 250,000+ leaked diplomatic cables in encrypted form and left Assange without access to the contents.

Assange had shared the passphrase to decrypt the cables with an external source as a protective measure and expected the source to keep the key secret.

In November of 2010 Domscheit-Berg returned the files to WikiLeaks. This prompted WikiLeaks supporters to make the contents available in a public archive.

Apparently they didn’t notice that the archive included a hidden directory that contained the encrypted file with the cables, and accidentally made the file public.

Assange’s external source, not knowing the file was accessible to the public, for some reason publicly disclosed the key this spring.

The result? The uncensored cables are now publicly downloadable and could blow the cover of American informants around the world.

The lesson? Well, even if you are in the business of leaking secrets, you need to keep secrets. I wonder if Julian sees the irony in this incident.

WikiLeaks’ Twitter feed has posted a message stating “There has been no ‘leak at WikiLeaks’. The issue relates to a mainstream media partner and a malicious individual.”

If, like WikiLeaks, you need to keep secrets, consider downloading our free e-book, Data Leakage for Dummies.

Creative Commons photo of Julian Assange courtesy of New Media Days’ Flickr photostream.

Sony’s cloudburst, Facebook controversy, FBI takedown, Armenia cut off – 90 Sec News – April 2011

Don’t just read the latest computer security news – watch it in 90 seconds!

This month: Sony suffers a cloudburst, Facebook courts controversy (again), the FBI busts the Coreflood botnet and Armenia gets cut off from the internet.

Watch and enjoy:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

Or listen to the podcast:

10 May 2011, duration 2:11 minutes, size 2.1MBytes


The New York Yankees and DSLReports responsible for 30,000 more data loss victims

This message may repeat. This message may repeat. For those of us old enough to have fond memories of the phonograph, the phrase “broken record” may come to mind.

Yes, more user information has been leaked and in a totally preventable fashion. A season ticket sales representative for the New York Yankees accidentally emailed a spreadsheet to “several hundred” affiliates with the personal details of over 21,000 Yankees ticket holders.

Screenshot of letter from New York Yankees

According to the Yankees, the spreadsheet contained customers’ names, addresses, phone numbers, fax numbers, e-mail addresses and other information like their seat numbers and which ticket packages they purchased.

Implementing data loss prevention (DLP) for sensitive customer data is easy to do. There are at least three ways this could have been prevented…

1. Encrypt the spreadsheet to prevent accidental disclosure
2. Implement endpoint DLP software to watch for the transfer of sensitive data to instant message, email and other communication tools
3. Scan outgoing email messages for personally identifiable information to prevent accidental disclosure
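As an added illustration of option 3 (not code from the Yankees or from any DLP product), the sketch below inspects an outbound message at the mail gateway and holds it when a CSV attachment carries bulk contact details to external recipients. The threshold, the internal domain `example.com`, the function names and the sample message are all assumptions constructed for the example.

```python
import csv
import io
import re
from email.message import EmailMessage
from email.utils import getaddresses

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")

# Assumed policy values (hypothetical; tune per organisation).
MAX_PII_ROWS = 25                 # rows with both an e-mail address and a phone number
INTERNAL_DOMAIN = "example.com"   # placeholder for the sender's own mail domain

def count_pii_rows(csv_text):
    """Count spreadsheet rows holding both an e-mail address and a phone number."""
    hits = 0
    for row in csv.reader(io.StringIO(csv_text)):
        line = " ".join(row)
        if EMAIL_RE.search(line) and PHONE_RE.search(line):
            hits += 1
    return hits

def check_outgoing(msg):
    """Return (verdict, reason) for one outbound message."""
    headers = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    external = [addr for _, addr in getaddresses(headers)
                if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/csv":
            continue
        rows = count_pii_rows(part.get_content())
        if rows > MAX_PII_ROWS and external:
            return "block", f"{part.get_filename()}: {rows} PII rows, {len(external)} external recipients"
    return "allow", "no bulk PII leaving the organisation"

def build_sample(n_rows, recipients):
    """Constructed test message: a CSV of made-up ticket holders as an attachment."""
    rows = ["name,email,phone,seat"] + [
        f"Holder {i},holder{i}@mail.test,212-555-{i:04d},Sec {i % 40} Row {i % 20}"
        for i in range(n_rows)]
    msg = EmailMessage()
    msg["From"] = "sales@example.com"
    msg["To"] = recipients
    msg["Subject"] = "Season ticket update"
    msg.set_content("See attached.")
    msg.add_attachment("\n".join(rows), subtype="csv", filename="holders.csv")
    return msg

if __name__ == "__main__":
    print(check_outgoing(build_sample(300, "a@partner.test, b@vendor.test")))
    print(check_outgoing(build_sample(300, "manager@example.com")))
```

The check only reads plain CSV attachments; spreadsheets in binary or zipped formats would need a format-specific extractor in front of `count_pii_rows`.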

Later this afternoon DSLReports disclosed that they had been the victims of a SQL injection attack that succeeded in stealing usernames and passwords. Justin, the owner of DSLReports, wrote in a forum message that a “sql injection attack by a botnet on wednesday afternoon obtained a large number of email / password pairs.”

Strangely, Justin stated that he had notified account holders who either created their accounts in the last 12 months, or had logged in over the last 12 months. This seems like a terrible practice. Many users have had accounts for more than 10 years and may not even remember having created one.

To not notify everyone who may have been affected seems to be a lapse in judgement, but it gets worse. All of the passwords in DSLReports’ database were in clear text. No hashing, no salting, totally unencrypted.
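For contrast with clear-text storage, here is an added example (not DSLReports' code) of a credential store that keeps only a per-user salt and an scrypt hash, and looks accounts up with bound parameters so the submitted e-mail value is never parsed as SQL. The table layout, function names and scrypt cost parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password, salt):
    # scrypt is a memory-hard KDF in the standard library.
    # Cost parameters are assumed values; tune them for your hardware.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def register(db, email, password):
    salt = os.urandom(16)  # unique per user, so equal passwords give different hashes
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def login(db, email, password):
    # Bound parameter: the e-mail value is passed as data, not concatenated into SQL.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])

def dump_contains(db, needle):
    """What a stolen table would reveal: is `needle` present in any stored column?"""
    for row in db.execute("SELECT email, salt, pw_hash FROM users"):
        if any(needle in (c if isinstance(c, bytes) else c.encode()) for c in row):
            return True
    return False

if __name__ == "__main__":
    db = open_store()
    register(db, "alice@example.com", "constructed-sample-pw")  # constructed sample data
    print(login(db, "alice@example.com", "constructed-sample-pw"))
    print(login(db, "' OR '1'='1", "anything"))
    print(dump_contains(db, b"constructed-sample-pw"))
```

With this layout a dumped `users` table still exposes e-mail addresses, so notifying every affected account holder remains necessary; what it removes is the ready-made list of reusable passwords.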

Once again we find that if we re-use passwords for seemingly unimportant websites, we may be putting our reputations at risk. You can count on the attackers trying to use these email addresses and passwords on as many popular sites as possible.

They may only use them to spread forum spam, but do you really want your name/profile/identity associated with this kind of activity?

Creative Commons image of New York Yankees helmet courtesy of Mr. T in DC’s Flickr photostream.