The well-publicised Wikileaks release of information was preceded by a ‘mass distributed denial-of-service attack’ yesterday.
A political hacker claimed responsibility for a distributed denial-of-service (DDoS) attack that took down Wikileaks on Sunday shortly before the whistleblower site began releasing the cache of confidential cables containing revelations about the US government's foreign activities.
The hacker, who tweets under the handle ‘th3j35t3r’, took credit for the attack, saying he took it down ‘for attempting to endanger the lives of our troops and other assets’. Wikileaks announced the outage on Facebook and Twitter at around 11am EST on Sunday but promised that the cables would still be released.
After the attack began, Wikileaks redirected its DNS records away from its Swedish hosting provider to servers hosted on Amazon's Elastic Compute Cloud (EC2) service in Ireland and later the United States, according to researchers. Despite the attack, Wikileaks began publishing the cables at cablegate.wikileaks.org on Sunday.
Craig Labovitz, chief scientist at Arbor Networks, confirmed the attack hours ahead of ‘Cablegate’, which Wikileaks announced on Facebook and Twitter. He said that traffic to one of Wikileaks' primary hosting providers abruptly jumped by 2-4Gbps at approximately 10:05am EST.
He said: “Overall, at 2-4Gbps the Wikileaks DDoS attack was modest in the relative scheme of recent attacks against large websites. Though, the transmission control protocol and application level attacks generally require far lower bps and pps rates to be effective. Engineering mailing list discussion also suggests the hosting provider and upstreams decided to blackhole all Wikileaks traffic rather than transit the DDoS.”
Amichai Shulman, CTO of Imperva, said: “Any user retrieving large numbers of documents a day should raise an alert on a good business IT security system. This presumes, of course, that the organisation is not pre-occupied with conventional security and has ignored the abuse of data access privileges.
“This embarrassing fiasco - which is certain to drag on for some time - shows that the internal threat is not necessarily about unauthorised access to data, but rather the abuse of legitimate access. Organisations need to wake up to the complexities of internal threats, rather than simply relying on conventional IT security systems.”
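Shulman's point is that the signal is volume of legitimate access, not a failed login. The following is an added example, not code from the article or from Imperva: a per-user, per-day distinct-document count over a constructed access log, flagging anyone who exceeds a hard limit or is far above the median of their peers that day. The log format, user names and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed document-access records: (ISO timestamp, user, document id).
    Four users fetch a handful of documents a day; on the second day one user
    (hypothetical 'erin') pulls 300 distinct records in bulk."""
    log = []
    for day in ("2010-11-26", "2010-11-27"):
        for i, user in enumerate(("alice", "bob", "carol", "dave")):
            for d in range(5 + i):  # 5..8 documents each per day
                log.append((f"{day}T09:{d:02d}:00", user, f"doc-{user}-{d}"))
        log.append((f"{day}T10:00:00", "erin", "doc-erin-0"))
    for d in range(300):  # the bulk retrieval on day two
        log.append((f"2010-11-27T13:{d % 60:02d}:{d // 60:02d}", "erin", f"cable-{d:04d}"))
    return log


def daily_counts(records):
    """Distinct documents retrieved per (user, calendar day); re-opening the
    same file repeatedly does not inflate the count."""
    seen = defaultdict(set)
    for ts, user, doc in records:
        seen[(user, ts[:10])].add(doc)
    return {key: len(docs) for key, docs in seen.items()}


def flag_bulk_retrieval(records, hard_limit=200, peer_factor=10.0):
    """Return sorted (day, user, count) alerts. A user is flagged when the
    count exceeds hard_limit, or exceeds peer_factor times the median count of
    the other users active that day (floored at 1 so tiny medians do not
    alert on normal use). Thresholds are assumed values for illustration."""
    by_day = defaultdict(dict)
    for (user, day), n in daily_counts(records).items():
        by_day[day][user] = n
    alerts = []
    for day, users in by_day.items():
        for user, n in users.items():
            peers = [m for u, m in users.items() if u != user]
            peer_med = max(median(peers), 1) if peers else 0
            if n > hard_limit or (peers and n > peer_factor * peer_med):
                alerts.append((day, user, n))
    return sorted(alerts)


if __name__ == "__main__":
    for day, user, n in flag_bulk_retrieval(build_sample_log()):
        print(f"ALERT {day}: {user} retrieved {n} distinct documents")
```

In a real deployment the peer group would be the user's own role or department and the baseline their own history, but the shape of the check is the same.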
Alan Bentley, VP international at Lumension, said: “Data leakage has proven to be costly and damaging for a number of years to both government and commercial organisations around the world, but, as Wikileaks has demonstrated, it can have far-reaching consequences. Placing restrictions on the ability to access classified information and, more importantly, its placement onto removable media is critical.
“The insider is by far the biggest threat to data security and this is unlikely to change as there has to be a level of trust assigned to employees to enable them to be productive. However, a better balance needs to be found between giving data access rights and restricting access to sensitive data.
“Control of inbound and outbound data from all endpoints needs to be a priority. When developing a data protection posture, it is important to balance the rewards of accessible data (and the collaboration it enables) with the risks (and costs) of losing your data.”
Looking at the lessons learned from the incident, Chester Wisniewski, senior security advisor at Sophos Canada, said: “Firstly, you should ensure that information that is valuable is protected with strong cryptography and cannot be transferred in bulk to Wikileaks (or your competitors).
“Second, when developing a nuclear strategy (or protecting networks that you don't want infected with malware) you should run proactive anti-malware products which use HIPS, device control and network monitoring. Critical systems should both run anti-malware and be air-gapped from the internet.
“This is sounding old hat. The advice for nuclear powers, diplomats and militaries is the exact same advice as all of the rest of us should heed. This is not about cyber war; it is about cyber insecurity. Nations potentially using malware to attack one another, spies, thieves and turncoats will always be used to get an advantage, and the same thing that motivates nation-states motivates criminals and competitors, power and wealth.”
Update - Wikileaks has confirmed in the last hour, via its Twitter feed, that it is experiencing another DDoS attack. It later said that the DDoS attack was now exceeding 10Gbps.