ENISA statement on Wikileaks events

The Agency today issues the following brief analysis of the information security events regarding Wikileaks.

“We have seen three major incidents, each of which has important implications for information security” said Prof. Udo Helmbrecht, ENISA’s Executive Director:

• The first incident was the leakage of sensitive documents from the systems of the US Department of State – allegedly by an insider. This highlights the difficulty of defending against insider threats as well as the irreversibility of information leakage.

• The second incident was the interruption of domain name and cloud services for the Wikileaks website. Although ostensibly due to terms of service violations, this highlights the vulnerability of globally distributed IT services to regional differences in policy, regulation, the interpretation of rights and the neutrality of service providers in the face of political pressure (see also risks R21 and R22 in ENISA’s cloud computing risk assessment).

• The third incident was the hacktivist attacks both against and in support of Wikileaks. A hacker called Jester mounted a denial of service (DoS) attack against the Wikileaks website. Later, in support of Wikileaks, the group Anonymous distributed the “Low Orbit Ion Cannon” (LOIC) tool to mount distributed denial of service (DDoS) attacks against several high-profile services including Visa, PayPal and governmental sites (1). These incidents highlight the following issues:

Size doesn’t matter: the number of computers used in the attacks was relatively small (in the 100’s). Some press reports claim over six times the real number, which is indicative of the unreliability of information about botnets. ENISA is currently preparing a comprehensive report on “Botnets: Detection, Measurement, Disinfection & Defence” to be published in January 2011 which addresses this issue.

The robustness of some services in the face of these attacks has demonstrated the resilience of cloud architectures against DoS attacks (as discussed in ENISA’s cloud computing risk assessment).

The LOIC tool (in Hivemind mode (2)) allows a third party to execute commands remotely. We note that apart from the potential legal implications, users thus cede control over their computer to a potentially untrusted third party.

The denial of service attacks highlight the importance of the Commission’s 2010 enhancements to the EU cybercrime directive, in enabling an efficient and effective reaction to cyber security incidents.

Prof. Helmbrecht notes: “The freedom the internet allows in moving between jurisdictions and technologies makes cyber security an asymmetric challenge. But our economy and our governments are heavily reliant on functioning and resilient systems. Therefore it is a challenge which must be met through global co-operation to strengthen all aspects of cyber security.”

1) Strictly speaking the computers running LOIC do not constitute a botnet since LOIC is installed with the consent of the user. However, LOIC does share features with botnet software, in particular the ability to respond to centrally issued commands.

2) The Hive Mind option is responsible for connecting to servers used for attack coordination.

It is notable that on 30 September 2010 the European Commission unveiled two new measures to ensure that Europe can defend itself from attacks against its key information (IT) systems. A proposal for a Directive to deal with new cyber crimes, such as large-scale cyber attacks, is complemented by a proposal for a Regulation to strengthen and modernise the European Network and Information Security Agency (ENISA). The two initiatives are foreseen by the Digital Agenda for Europe and the Stockholm Programme to boost trust and network security (see IP/10/581, MEMO/10/199 and MEMO/10/200). Under the proposed Directive, the perpetrators of cyber attacks and the producers of related and malicious software could be prosecuted, and would face heavier criminal sanctions. Member States would also be obliged to respond quickly to urgent requests for help in the case of cyber-attacks, rendering European justice and police cooperation in this area more effective. Strengthening and modernising ENISA would also help the EU, Member States and private stakeholders develop their capabilities and preparedness to prevent, detect and respond to cyber-security challenges. Both proposals will be forwarded to the European Parliament and the EU’s Council of Ministers for adoption.