The Agency today issues the following brief analysis of the information security events regarding Wikileaks.
"We have seen three major incidents, each of which has important implications for information security" said Prof. Udo Helmbrecht, ENISA's Executive Director:
• The first incident was the leakage of sensitive documents from the systems of the US Department of State - allegedly by an insider. This highlights the difficulty of defending against insider threats as well as the irreversibility of information leakage.
• The second incident was the interruption of domain name and cloud services for the Wikileaks website. Although ostensibly due to terms of service violations, this highlights the vulnerability of globally distributed IT services to regional differences in policy, regulation, the interpretation of rights and the neutrality of service providers in the face of political pressure (see also risks R21 and R22 in ENISA's cloud computing risk assessment).
• The third incident was the hacktivist attacks both against and in support of Wikileaks. A hacker called Jester mounted a denial of service (DoS) attack against the Wikileaks website. Later, in support of Wikileaks, the group Anonymous distributed the "Low Orbit Ion Cannon" (LOIC) tool to mount distributed denial of service (DDoS) attacks against several high-profile services including Visa, Paypal and governmental sites (1). These incidents highlight the following issues:
- Size doesn't matter: the number of computers used in the attacks was relatively small (in the hundreds). Some press reports claim over six times the real number, which is indicative of the unreliability of information about botnets. ENISA is currently preparing a comprehensive report on "Botnets: Detection, Measurement, Disinfection & Defence", to be published in January 2011, which addresses this issue.
- The robustness of some services in the face of these attacks has demonstrated the resilience of cloud architectures against DoS attacks (as discussed in ENISA's cloud computing risk assessment).
- The LOIC tool (in Hivemind mode (2)) allows a third party to execute commands remotely. We note that apart from the potential legal implications, users thus cede control over their computer to a potentially untrusted third party.
The denial of service attacks highlight the importance of the Commission's 2010 enhancements to the EU cybercrime directive, in enabling an efficient and effective reaction to cyber security incidents.
Prof. Helmbrecht notes: “The freedom the internet allows in moving between jurisdictions and technologies makes cyber security an asymmetric challenge. But our economy and our governments are heavily reliant on functioning and resilient systems. Therefore it is a challenge which must be met through global co-operation to strengthen all aspects of cyber security.”
1) Strictly speaking the computers running LOIC do not constitute a botnet since LOIC is installed with the consent of the user. However, LOIC does share features with botnet software, in particular the ability to respond to centrally issued commands.
2) The Hive Mind option is responsible for connecting to servers used for attack coordination.