How to escape the online police

Despite the Cameron government's promise to publish more government data, it is unlikely to publish everything, especially where publication might prove damaging or embarrassing.


Online skills are essential for whistleblowers and corporate spies, as well as for those responsible for protecting corporate information and hunting those who steal it. The usual way of acquiring these skills is to attend relevant university or supplier courses. However, these leave a trail that forensic 'bloodhounds' can pick up. Those who want to remain anonymous in cyberspace must forgo such formal training or use the skills they have acquired to avoid suspicion.

When the US Department of Defense (DoD) investigated the Wikileaks whistleblower website it revealed a range of techniques used by those trying to get secret information out, as well as by those hunting them.

In a secret 2008 report, subsequently posted on Wikileaks, investigators found that Wikileaks and its sources used its own custom-written software combined with Wiki, MediaWiki, OpenSSL, Freenet, Tor (an onion routing network that hides the source of online messages), and PGP (a free public-key encryption system).

This made it harder for governments, security, law enforcement agencies and businesses to identify the source and destination of a leaked document, and who was responsible for leaking it.

The DoD also found that Wikileaks distributed leaked information widely on the internet. "Once a leaked document is placed on the internet it is extremely difficult to remove the document entirely," it said. This also helped to disguise the source.

Wikileaks vulnerabilities

Even so, the "obscurification technology" used by Wikileaks had "exploitable vulnerabilities", the DoD said. Organisations with properly trained cyber technicians, appropriate equipment and the correct technical software could probably "conduct computer network exploitation (CNE) operations (ie hack) or use cyber tradecraft to obtain access to Wikileaks' website, information systems, or networks," it said. This could unmask both the leakers and their methods.

Forensic analysis of the DoD's networks could reveal the location of the information systems used to download the leaked documents, it said. "The metadata, MD5 hash marks, and other unique identifying information within digital documents may assist in identifying the parties responsible for leaking the information," it said.
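As an added, defender-side illustration of the DoD's point about metadata and MD5 hashes (this is not code from the report or from Wikileaks): the Python below builds a constructed docx-style package, reads out its MD5 fingerprint and the author-identifying core properties that office software writes automatically, and shows that stripping those fields also changes the hash. The author and workstation names, and the package contents, are made up for the example.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
# Namespaces of the docx core-properties part; registered so rewritten XML keeps the prefixes.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
# Fields a word processor fills in by itself that point back at a person or a machine.
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy")
# Constructed core.xml; the author and workstation names are made up for this example.
CORE_XML = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:title>Quarterly report'
            '</dc:title><dc:creator>A. Clerk</dc:creator><cp:lastModifiedBy>WORKSTATION-42'
            '</cp:lastModifiedBy></cp:coreProperties>' % (NS["cp"], NS["dc"]))
def _write(zf, name, data):
    # Fixed timestamp so the package bytes, and hence the MD5, are reproducible.
    zf.writestr(zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0)), data)

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _write(zf, "docProps/core.xml", CORE_XML)
        _write(zf, "word/document.xml", "<w:document/>")
    return buf.getvalue()

def extract_identifiers(docx: bytes) -> dict:
    """Return the file's MD5 fingerprint plus any identifying core properties present."""
    found = {"md5": hashlib.md5(docx).hexdigest()}
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for path in IDENTIFYING:
        node = root.find(path, NS)
        if node is not None and node.text:
            found[path.split(":")[1]] = node.text
    return found

def strip_identifiers(docx: bytes) -> bytes:
    """Rewrite the package without the identifying properties (the MD5 changes as well)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                for node in [n for p in IDENTIFYING for n in root.findall(p, NS)]:
                    root.remove(node)
                data = ET.tostring(root, encoding="unicode")
            _write(dst, name, data)
    return out.getvalue()
```

The same hash on two copies ties them to one source file, which is why a document's fingerprint is as telling as its visible metadata.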

"In addition, patterns involving the types of leaked information, classification levels of the leaked information, development of psychological profiles, and inadvertent attribution of an insider through poor operational security could also assist in the identification of insiders," the DoD said.

The report quoted Wikileaks saying that historically, information that lets citizens and institutions hold a government to account had been costly in terms of human life and human rights.

"But with technological advances - the internet and cryptography - the risks of conveying important information can be lowered," Wikileaks said.

For Wikileaks, indeed a free society, to work, whistleblowers must trust that they won't be traced.

Whistleblowers beware

According to the DoD, "Wikileaks' claims that any attempt at trace routing of IP addresses, MAC addresses, and other identifying information of a home computer submissions (as opposed to cyber café submissions) through Wikileaks' internet submission system would require a knowledge of information available only to Wikileaks programmers... or would require specialised ubiquitous traffic analysis of internet messages and routing systems.

"Nevertheless, it remains technically feasible for (security agencies), law enforcement organisations, and ... businesses that have the motivation, intentions, capability, and opportunity to gain online access or physical access to Wikileaks' information systems to identify and trace whistleblowers through cyber investigations, advanced cyber tools, and forensics."

Projects such as inter-government Echelon and the UK's £12bn Interception Modernisation Programme would have made this easier. Given that Wikileaks might be hacked or otherwise compromised by a determined adversary, leakers have turned to using cut-outs, usually volunteers in various countries, the DoD said.

Safe leaking advice

The cut-outs have agreed to receive and forward encrypted CDs and DVDs that contain the secrets to designated Wikileaks agents, who then upload the data to Wikileaks' servers.

To protect or mask their identity, leakers are advised to use Wikileaks' own encryption protocols when writing CDs and DVDs. They are also advised to use protective clothing while wrapping, taping, handling, and mailing packages to avoid being traced by fingerprint or DNA analysis. They should also use a fake return address on packages that contain leaked information.

These moves should protect the data and sender while the discs are in transit. Encryption also protects the cut-outs, provided they don't read the information before they encrypt it.

Even then, it might still be tough to get the information to the public. The DoD said China, Israel, North Korea, Russia, Vietnam, and Zimbabwe had denounced or blocked access to the Wikileaks website.

States might also invoke a distributed denial of service attack against the Wikileaks website. "China, Israel, North Korea, and Russia are assessed to have state-sponsored CNE, computer network attack and cyber forensics capabilities that would most likely allow penetration or disrupt viewing of the Wikileaks website," the DoD said.

It seems likely that most North American and Western European states have similar capabilities.

Ironically, institutions with something to hide are likely to benefit from the growing information deluge and consequent short attention span of citizens. Even if damaging information gets out, it will be harder for most people to find, and fewer still might care enough to do anything about it.

The question is, how well will you sleep knowing that somewhere, sometime, Google may trawl that injudicious expense claim, that buried report, that discreet appointment, that compromising photograph?
