Should be part of their threat model
Not warning users is a serious oversight.
WikiLeaks is hosting 324 confirmed instances of malware among its caches of dumped emails, a top Bulgarian anti-malware veteran says. Random checks of reported malware hashes find the trojans are flagged as malware by VirusTotal's static analysis checks. Much of the malware appears to be attachments emailed by black hats in a …
"Not warning users is a serious oversight."
Truly, but it is also vital for any user to check files they download, and I would say especially anything to do with Wikileaks, given their attitude to not redacting location information for Afghan informants and Assange's reasoning for this. I check anything I download with 3 packages I've installed. There are also the online checkers for more paranoid people.
"The version I was taught was "I before E except after C, but only when the sound is E""
There are a few exceptions:
- If the combination is pronounced like an A ("weight") or an I ("height").
- Imported words. Many words of the first type are this type as well (in particular, a lot of the I-types come from Germanic languages where this combination is much more common, like "poltergeist").
- Diphthongs where the letters sit next to each other but are on different syllables so they're pronounced distinctly (like "agreeing").
And BTW, words like "ancient" and "science" that supposedly break the "except after C" exception I believe are also diphthongs, with the I and E belonging to different syllables. In the case of "ancient" and similar words (like "prescient", "omniscience", etc.), we tend to pronounce the CIENT as "shent" though this is probably a corruption of "si" followed by a distinct "ent".
It's not the file that's the problem so much as the fact that 99% of users can be expected to use the same software to open the file, i.e., a monoculture... If you have an exploit for a vulnerability in that software you have a very high chance of success.
That's why monoculture software is almost always the primary target of malware... Think of all the browser exploits which targeted IE when it had over 90% of market share, and how most of these attacks moved to Flash, Java, Acrobat etc once the browser market became more diverse.
"In 2003, Geer's 24-page report entitled "CyberInsecurity: The Cost of Monopoly" was released by the Computer and Communications Industry Association (CCIA). The paper argued that Microsoft's dominance of desktop computer operating systems is a threat to national security. Geer was fired (from consultancy @Stake) the day the report was made public."
OpenOffice/LibreOffice might not render documents faithfully, but then MS Word does not have a good track record in that respect either (between versions). I'm not sure either whether Word will cope with printer drivers and fonts on the source machine differing from those loaded onto a target machine, which would cause rendering to be affected.
There shouldn't really be a need, other than collaboration on document assembly, for documents to be sent in docx format anyway. That's what pdf is for. Having said that, Adobe have shot themselves in the foot for enabling the possibility for malware to be embedded in that format.
So you'd prefer that they explicitly tamper with the files they receive, rather than uploading them as is where is?
Frankly the fact that there is malware like this present in the files is a better indicator that they are probably genuine.
Anyone downloading the files should be running them through antivirus etc. as a matter of course, but other than flagging the file with a warning, I don't see how this is a wikileaks problem (or that of any other disclosure site).
"Anyone downloading the files should be running them through antivirus etc. as a matter of course, but other than flagging the file with a warning, I don't see how this is a wikileaks problem (or that of any other disclosure site)."
Indeed it is ultimately the downloader's responsibility, but many will not be so savvy as we might hope. I think it is a WikiLeaks oversight that they're not giving warnings, or even any suggestions at all, for those who would download files. Taking the high road because "it is not their responsibility" is not consistent with being responsible and doing a good job. Hopefully they will add some general warning, and perhaps a suggestion or two, after this incident.
Well, it's not so much that they need to remove the malware.
Wikileaks likely has all kinds of viewers/readers, as they're mentioned in the general (non-IT) press reasonably often.
Not all of those users will have the depth/understanding needed to realise "hey, some of these files might not be safe...".
So, as others here have mentioned adding prominent warnings about malware being in some of the downloads sounds like a good idea. It would help clue in the people that don't realise.
So was Julian Asshole’s big idea just to establish Wikileaks as the worlds largest malware market? Ecuador have got a real prize on their hands.
Snowden, for all his faults, seems to have his heart in the right place and seems to be working from the best of intentions. Assange, by contrast, is Donald Trump’s nerdy firestarting alter ego.
"So was Julian Asshole’s big idea just to establish Wikileaks as the worlds largest malware market?"
I think there's a little more to it than that. The main problem is tampering: if they removed all the attachments then they're basically changing the e-mails' contents. Which raises an obvious question: if they think it's ok to alter e-mails like that (remove attachments) then what guarantees are left that they didn't change even more?
So I don't think they have many other alternatives here. But I fully agree that more and better warnings should have been put in place.
Pardon me if someone already proposed this. A general site warning "Files here may contain malware..." is useless. Instead, scan the files for nasties! Then stick an insect icon on each file that comes up positive. This allows the informed and brave to download them if they have sufficient cause, while keeping those of us without an airgapped sandboxed throwaway PC to steer clear.
Now that I think of it, a Search filter could be offered as well to include or exclude files with bugs.
Anything reported that has been altered does not have integrity. WikiLeaks would be pretty shit if it didn't have integrity. It HAS to be complete. Yes, fair warning should be given, something like:
"What you are about to receive may not be entirely safe. Scan, scan, scan and then double scan. The contents are sourced from real-life situations and that includes security risks and other threats in the wild."
sorry for lack of grammar.
Untouched means greater integrity.
The same has happened with digital collections of old software. A number of pieces of Amiga, PC and ST software were sold at retail with viruses on the floppies. To ensure integrity and an accurate representation of the product that was sold the copies of these disks made by digital archivists for long-term preservation contain the same viruses, they're 1 to 1 copies of the original media.
Other groups can cleanse datasets in cases like this, including this one, but having access to the original untouched data is vital, it's evidence, and tampering with evidence is not considered to be a good idea.
Unless you know when the signature was added to the AV apps' database you cannot say that 80% of them would have been caught at the time. The signatures may have been added to the AV apps, and thus VirusTotal, after they were read originally.
Do exploits, such as the recent NSA Cisco and other firewall tools, get flagged as malware or something.hacktools and still get included in the stats?
Too many unknown variables at the moment making this story potentially interesting but at present nothing surprising.
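The two points raised in this thread, a per-file "this one came up positive" label (the insect icon suggested above) and the objection that a current scanner verdict says nothing about what was detectable when the mail was sent, can both be made concrete. The following is an added example, not code from the article, from WikiLeaks or from VirusTotal; it works on a constructed report whose field names are modelled on the VirusTotal v3 file-object layout (`first_submission_date`, `last_analysis_results` keyed by engine name, each with a `category`), which is an assumption, and the hash and verdicts are made up.

```python
"""Turning a scanner report into a download-page label, with the timing caveat
that the raw detection ratio hides.

Constructed sample data: the hash is a placeholder and the engine verdicts are
invented. Field names follow what I take to be the VirusTotal v3 file-object
layout; treat that as an assumption, not a documented contract.
"""
from datetime import datetime, timezone

# Constructed report (assumption: VT-v3-like field names). 2016-08-17T00:00:00Z
# is 1471392000 in Unix seconds.
SAMPLE_REPORT = {
    "sha256": "0" * 64,                      # placeholder, not a real hash
    "first_submission_date": 1471392000,     # first time the scanner saw this file
    "last_analysis_results": {
        "EngineA": {"category": "malicious",        "result": "Trojan.Agent"},
        "EngineB": {"category": "malicious",        "result": "Trojan.Generic"},
        "EngineC": {"category": "undetected",       "result": None},
        "EngineD": {"category": "malicious",        "result": "W97M/Downloader"},
        "EngineE": {"category": "undetected",       "result": None},
        # An engine that could not scan this file type must not count in the ratio.
        "EngineF": {"category": "type-unsupported", "result": None},
    },
}

# Categories that mean "this engine produced a verdict"; anything else
# (timeout, failure, type-unsupported) is excluded from the denominator.
VERDICT_CATEGORIES = {"malicious", "suspicious", "harmless", "undetected"}
POSITIVE_CATEGORIES = {"malicious", "suspicious"}


def detection_ratio(report):
    """Return (positives, engines_that_actually_scanned) for a report."""
    results = report["last_analysis_results"].values()
    scanned = [r for r in results if r["category"] in VERDICT_CATEGORIES]
    positives = sum(1 for r in scanned if r["category"] in POSITIVE_CATEGORIES)
    return positives, len(scanned)


def label_attachment(report, min_engines=2):
    """Per-file label a disclosure site could show next to a download link.

    A single engine hit on an old Office attachment is often a heuristic
    false positive, so require agreement from at least min_engines.
    """
    positives, _ = detection_ratio(report)
    return "flagged" if positives >= min_engines else "not-flagged"


def detectable_when_sent(report, sent_at):
    """Whether the report can support a claim about detectability at send time.

    The report only tells us what engines say today. If the scanner first saw
    the file after the mail was sent, nothing in the report bounds when the
    signatures were added, so the honest answer is 'unknown'.
    """
    first_seen = datetime.fromtimestamp(report["first_submission_date"], tz=timezone.utc)
    return "unknown" if first_seen > sent_at else "possibly"


def summarize(report, sent_at):
    """One record per attachment: what to show, and the caveat to show with it."""
    positives, total = detection_ratio(report)
    return {
        "sha256": report["sha256"],
        "label": label_attachment(report),
        "ratio": f"{positives}/{total}",
        "detectable_when_sent": detectable_when_sent(report, sent_at),
    }


if __name__ == "__main__":
    # Constructed send date for the mail carrying the attachment.
    sent = datetime(2015, 3, 1, tzinfo=timezone.utc)
    print(summarize(SAMPLE_REPORT, sent))
```

The ratio excludes engines that never produced a verdict, which is what makes "3 of 5" an honest number rather than "3 of 6"; and the `detectable_when_sent` field is what stops a "would have been caught at the time" claim from being read into a report that cannot support it.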
Biting the hand that feeds IT © 1998–2020