Cyberdefense and Information Assurance

Worst Practices: Learning the Wrong Lessons from WikiLeaks « Unisys Security Blog

This post can be read in its entirety over at the Unisys Security Blog, where it was contributed as a guest blog.


The dark cloud of the WikiLeaks debacle should have a bright silver lining. The exposure of classified Department of Defense and State Department data by WikiLeaks gives us a teachable moment on information security — not just for government agencies, but for any organization that stores, handles, and processes sensitive information.

The vast amount of classified data — over 75,000 Defense Department incident reports and more than 115,000 classified diplomatic cables — and the damage caused by their exposure reveal common flaws in how organizations typically handle sensitive information. But as with past data breaches, many organizations will learn the wrong lessons. And the actions they take as a result will make their organizations less productive and, perhaps, even less secure.

Read the rest here.
US Cyber Command

Manning alleged to have loaded software onto SIPRNET

The Army announced additional charges against PFC Bradley Manning, who is accused of being the source of the classified material from the DoD and State Department passed to Julian Assange’s Wikileaks. According to the new charges, Manning introduced unauthorized software onto an analyst workstation connected to SIPRNET, which collected classified information and packaged it for download.

Here’s the release:

FORT LESLEY J. MCNAIR, D.C., March 2, 2011 – After seven months of additional investigation by the U.S. Army Criminal Investigation Command and other investigative agencies, the Army has added 22 charges in the case of a military intelligence analyst accused of leaking classified material.

The new charges against Pvt. 1st Class Bradley E. Manning allege that he introduced unauthorized software onto government computers to extract classified information, unlawfully downloaded it, improperly stored it, and transmitted the classified data for public release and use by the enemy. The investigation remains ongoing, officials said. “The new charges more accurately reflect the broad scope of the crimes that Private 1st Class Manning is accused of committing,” said Capt. John Haberland, a legal spokesman for U.S. Army Military District of Washington. “The new charges will not affect Private 1st Class Manning’s right to a speedy trial or his pretrial confinement.”

U.S. military officials in Baghdad preferred two charges consisting of 12 specifications against Manning on July 5. Officials said the commander of U.S. Army Headquarters Command Battalion preferred the new charges yesterday. In addition to a charge of aiding the enemy in violation of Article 104 of the Uniform Code of Military Justice, the new charges include 16 specifications under the UCMJ’s Article 134:
— One specification of wrongfully causing intelligence to be published on the Internet knowing that it is accessible to the enemy;
— Five specifications of theft of public property or records, in violation of 18 U.S. Code 641;
— Eight specifications of transmitting defense information in violation of 18 U.S.C. 793(e);
— Two specifications of fraud and related activity in connection with computers in violation of 18 U.S.C. 1030(a)(1); and
— Five specifications in violation of Article 92 of the UCMJ for violating Army Regulations 25-2, “Information Assurance,” and 380-5, “Department of the Army Information Security Program.”

The charge of aiding the enemy under Article 104 is a capital offense, officials said. However, they added, the prosecution team has notified the defense that the prosecution will not recommend the death penalty to the convening authority, Maj. Gen. Karl R. Horst, commanding general of the U.S. Army Military District of Washington. Under the UCMJ, the convening authority ultimately decides what charges to refer to court-martial, and whether to seek the death penalty if Article 104 is referred. Therefore, if convicted of all charges, Manning would face a maximum punishment of reduction to the lowest enlisted pay grade, total forfeiture of all pay and allowances, confinement for life, and a dishonorable discharge.

At the request of Manning’s defense attorneys, the trial proceedings have been delayed since July 12, pending the results of a defense-requested inquiry into Manning’s mental capacity and responsibility, pursuant to Rule for Courts-Martial 706. Depending on the results of the inquiry, an Article 32 hearing may follow, officials said. An Article 32 hearing is the civilian equivalent of a grand jury, with additional rights afforded to the accused, they explained. Manning remains confined in the Marine Corps Base Quantico brig in Quantico, Va. He was notified of the additional charges in person during a command visit today, officials said. Officials emphasized that Manning is presumed innocent until proven guilty, and added that the Army is committed to ensuring his continued safety and well-being while in pretrial confinement.

Social Networking, tech

del.icio.us Wikileaks give me attention deficit disorder

Yahoo is apparently looking to release the social linking service del.icio.us into the wild (after never really finding a way to monetize it, I suspect, and finally deciding that Yahoo is not an Internet charity but in fact a business).  Of course, since it’s the vessel for a great deal of social content, there’s obviously been some concern–if you had spent the last decade storing all your favorite web bookmarks in a cloud service, you’d be kind of upset if they were to suddenly go poof, I’m sure.

I’m not a big del.icio.us user.  Back when I worked with a certain Gillmor, he raved something about del.icio.us and the “attention-economy” and what-not.  I found it to be interesting when combined with other social media of the time (I think we called them “blogs” back then), and it demonstrated itself to be innovative enough that it gained a few copycats along the way. But I had this other way of sharing bookmarks with friends: by posting them to my blog and tagging them.  That way, I owned the data, and it was searchable, and anyone who cared about what I thought could subscribe to my RSS feed or see it on my blog (or eventually on Facebook or Twitter). And I had permalinks and all that jazz. Oh, and I could do that for free with several blog platforms. But that wasn’t playing in the attention-stream, I was told.  I guess I have attention deficit disorder or something.

Fast forward 10 years. We have so many cloud-based social media tugging at us, wanting us to connect to friends and share, that del.icio.us has long been lost to most people in the din of Facebook this and Twitter that. Del.icio.us has evolved a little, but other services like StumbleUpon and Reddit have moved in on the same ground. And, while some brave pioneers have hung around, the fickle masses have wandered on to other things.

No wonder Yahoo has gotten bored with del.icio.us and has labeled it “sunset”. It’s that attention thing again, or a lack of it: people have stopped paying attention to what people pay attention to on del.icio.us and would now rather pay attention to what their friends are doing in Farmville. And since del.icio.us lives at the whim of a provider, with no terms of service worth the name and no export tool other than code-scraping, there’s the potential that all the attention spent on curating del.icio.us (curating, the latest buzzword for collecting links) has been in vain, for naught, and bound for the bit bucket in the cloud.

Of course, that’s the whole problem with magical cloud services, anyway. There may be terms of service out there, but there is not a whole lot that looks like a binding contract between cloud provider and user. I could wake up tomorrow and find that Yahoo has lost interest in Flickr, and all my photos from the last 5 years have evaporated into so many purged pixels, with no more contractual recourse than, say, a refund on what’s left of my annual pro fee. Google could turn off my mail. Facebook could declare me dead and purge my page. Like the Maryland Lottery, it could happen to you.

Do I have your attention?

At least providers like WordPress let me back up and export my site, and I have the code to run the blog someplace else, where I own (or at least lease) the server. But if the cloud is going to be both a metaphor for where applications live and a description of how substantial our legal protection is, as users, against having our digital works exist or not at the whim of questionable business models, then we need a way to own our data and to move it and replicate it to cover our pixelated assets.
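What "own the data and move it" looks like in practice, as an added example that is not code from the original post: the script below reads a WordPress WXR export, keeps only published posts, and emits the author's tagged links as a portable JSON list that any other service (or a mirror on a server you lease) can ingest. It also flags entries that would not survive a move. The assumptions are mine: the export uses the WXR 1.2 namespace, tags appear as `<category domain="post_tag">` elements, outbound links live in `<content:encoded>`, and `SAMPLE_WXR` is a constructed sample rather than a real export.

```python
"""Added example: convert a WordPress WXR export into portable JSON bookmarks.

Assumptions (not stated on the page): WXR 1.2 namespace, tags as
<category domain="post_tag">, outbound links inside <content:encoded>.
SAMPLE_WXR is a constructed sample, not a real export.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "wp": "http://wordpress.org/export/1.2/",
    "content": "http://purl.org/rss/1.0/modules/content/",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Matches the double-quoted href="..." WordPress itself emits; not a general HTML parser.
HREF_RE = re.compile(r'href="([^"]+)"')

# Constructed sample: one real post, one draft, one attachment, one untagged post.
SAMPLE_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
<title>the dot-communist</title>
<item>
  <title>Worst practices after WikiLeaks</title>
  <link>https://blog.example/2010/12/worst-practices/</link>
  <pubDate>Thu, 16 Dec 2010 14:03:00 +0000</pubDate>
  <dc:creator>author</dc:creator>
  <category domain="post_tag" nicename="wikileaks">WikiLeaks</category>
  <category domain="post_tag" nicename="infosec">infosec</category>
  <category domain="category" nicename="cyberdefense">Cyberdefense</category>
  <content:encoded><![CDATA[<p>Read it at <a href="https://example.com/unisys-post">Unisys</a>.</p>]]></content:encoded>
  <wp:post_type>post</wp:post_type>
  <wp:status>publish</wp:status>
</item>
<item>
  <title>Unfinished draft</title>
  <link>https://blog.example/?p=42</link>
  <wp:post_type>post</wp:post_type>
  <wp:status>draft</wp:status>
</item>
<item>
  <title>some-image.png</title>
  <link>https://blog.example/some-image.png</link>
  <wp:post_type>attachment</wp:post_type>
  <wp:status>inherit</wp:status>
</item>
<item>
  <title>Untagged note</title>
  <link>https://blog.example/?p=99</link>
  <content:encoded><![CDATA[<p>no links, no tags</p>]]></content:encoded>
  <wp:post_type>post</wp:post_type>
  <wp:status>publish</wp:status>
</item>
</channel>
</rss>
"""


def wxr_to_bookmarks(wxr: bytes) -> List[Dict]:
    """Extract published posts with permalink, author, tags and outbound links."""
    root = ET.fromstring(wxr)
    bookmarks = []
    for item in root.iter("item"):
        # Attachments, drafts, revisions and menu items are host-specific noise;
        # only published posts are the data worth carrying to another host.
        if item.findtext("wp:post_type", namespaces=NS) != "post":
            continue
        if item.findtext("wp:status", namespaces=NS) != "publish":
            continue
        tags = [c.get("nicename") for c in item.findall("category")
                if c.get("domain") == "post_tag"]
        body = item.findtext("content:encoded", default="", namespaces=NS)
        bookmarks.append({
            "title": item.findtext("title", default=""),
            "permalink": item.findtext("link", default=""),
            "published": item.findtext("pubDate", default=""),
            "author": item.findtext("dc:creator", default="", namespaces=NS),
            "tags": tags,
            "links": sorted(set(HREF_RE.findall(body))),
        })
    return bookmarks


def portability_gaps(bookmarks: List[Dict]) -> List[str]:
    """Flag entries that will not survive a move: ?p= permalinks only mean
    something to the install that assigned the id, and untagged posts give the
    next service nothing to index them by."""
    gaps = []
    for b in bookmarks:
        if "?p=" in b["permalink"]:
            gaps.append(f"{b['title']!r}: permalink {b['permalink']} is a host-specific id")
        if not b["tags"]:
            gaps.append(f"{b['title']!r}: no tags")
    return gaps


def to_portable_json(bookmarks: List[Dict]) -> str:
    """Stable, diff-friendly serialization suitable for a git-tracked backup."""
    return json.dumps(bookmarks, indent=2, sort_keys=True)


if __name__ == "__main__":
    bms = wxr_to_bookmarks(SAMPLE_WXR)
    print(to_portable_json(bms))
    for gap in portability_gaps(bms):
        print("WARNING:", gap)
```

Run it against a real export by replacing `SAMPLE_WXR` with the file's bytes; the JSON is the part you keep under your own control, and the warnings are the places where the data still depends on the provider's id scheme rather than on you.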

Wikileaks adds new focus to that — it is a model of what data portability should be. Government seizes your URL because you pissed them off? No problem! The Bolivians will gladly give you a domain, and you can mirror, because YOU own the data and can move it or duplicate it at will. Sure, it costs something — money, in WikiLeaks’ case, to pay for hosting and domains and lawyers to fight extradition. In your case, it might cost sharing some of your data, and maybe your…attention. To advertisements, or to other people’s sites, or whatever.

We pay sites like Facebook with our attention and our data. Mark Z. and his crew keep our attention with new features, and extract value from our data and our ad views to pay the rent.  We should have the ability to take our social network data and replicate it elsewhere, both while we’re using Facebook and when we leave, because it’s part of our identity.  There’s phone number portability by law… why not data portability?

[Originally posted on the dot-communist.]