WikiLeaks Attacks Reveal Surprising, Avoidable Vulnerabilities

Some online service providers are in the cross hairs this week for allegedly abandoning WikiLeaks after it published secret U.S. diplomatic cables and drew retaliatory technical, political and legal attacks. But the secret-spilling site's woes may be attributable in part to its own technical and administrative missteps as well as outside attempts at censorship.

Struggling with denial-of-service attacks on its servers earlier this week, WikiLeaks moved to Amazon's EC2 cloud-based data-storage service only to be summarily booted off on Wednesday, ostensibly for violations of Amazon's terms of service. Then on Thursday its domain-name service provider, EveryDNS, stopped resolving WikiLeaks.org, amid a new DoS attack apparently aimed at the DNS provider.

While WikiLeaks was clearly targeted, its weak countermeasures drew criticism from network engineers. They questioned its use of a free DNS service such as EveryDNS, as well as other avoidable errors that seem to clash with WikiLeaks' reputation as a tech-savvy and cautious enterprise hardened to withstand any concerted technical attack on its systems.

"If they wanted to help users get past their DNS problems, they could tweet for assistance, tweet their IP addy and ask to be re-tweeted, ask owners of authorities to set up wikileaks.$FOO.com to 'crowd source' their name, etc.," observed one poster to the mailing list for the North American Network Operating Group. "So at the very least, they are guilty of not being imaginative."

"IMHO it is a gambit to ask for money," wrote another.

WikiLeaks' downtime was short-lived, with the site announcing Friday on Twitter that it was operational on WikiLeaks.de, WikiLeaks.fi, WikiLeaks.nl and WikiLeaks.ch -- the country codes respectively for Germany, Finland, the Netherlands and Switzerland. The scattering followed a Thursday outage of WikiLeaks.org and the "Cablegate" subsite that occurred when EveryDNS cut off the secret-spilling site.

Unlike the incident this week in which Amazon unceremoniously booted WikiLeaks from its servers, the latest outage appears to have had less to do with censorship than with WikiLeaks' inattention to the more-mundane side of running an organization.

EveryDNS is a free, donation-supported service run by New Hampshire's Dyn Inc. Like thousands of other DNS providers it does the small but crucial job of mapping a user-friendly internet domain name, like wired.com, to a numeric IP address that actually means something to the internet's underlying infrastructure.

It's unclear why WikiLeaks went with a free provider, instead of paying for bulletproof DNS that could withstand attack. But according to EveryDNS, the distributed denial-of-service attacks that have been dogging WikiLeaks were threatening to overrun EveryDNS's servers, which serve some 500,000 sites.

The company responded by notifying WikiLeaks on Wednesday that it was going to drop the organization in 24 hours, according to a statement on EveryDNS' website. It reached out to WikiLeaks on the e-mail address associated with the account, on Twitter, and even visited the group's encrypted chat room to try and pass word to the staff.

That should have been more than enough time for WikiLeaks to move its DNS. Instead, Thursday night, visitors could no longer reach WikiLeaks.org.

"Any downtime of the wikileaks.org website has resulted from its failure to, with plentiful advance notice, use another DNS solution," reads EveryDNS's statement.

Rather than tweeting the IP addresses of WikiLeaks hosts, which would allow visitors to continue to reach the site uninterrupted, WikiLeaks initially used the outage to encourage donations, tweeting instead: "WikiLeaks.org domain killed by US everydns.net after claimed mass attacks KEEP US STRONG https://donations.datacell.com/".

And a follow-up tweet noted: "You can also easily support WikiLeaks via http://collateralmurder.com/en/support.html".

WikiLeaks fans on Twitter discovered and circulated WikiLeaks' working addresses on their own, until about three hours after the outage began, when the organization tweeted: "WIKILEAKS: Free speech has a number: http://88.80.13.160".

WikiLeaks followed that up by promoting WikiLeaks.ch as an alternative address, but that domain, too, turned out to be resolved by EveryDNS, which shut it down.

WikiLeaks had the four regional domains working on Friday, resolving to hosts in Sweden and France. Domain-registration records show that WikiLeaks still has control of WikiLeaks.org, but for whatever reason, the organization still has EveryDNS set as its name server for that domain.

The incident isn't the first time WikiLeaks has suffered from a bureaucratic snafu. On June 12, WikiLeaks' secure submission page stopped working when the site failed to renew its SSL certificate, a basic web protection that costs less than $30 a year and takes only hours to set up.
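Both failures described above (every authoritative name server for the domain sitting with one provider, and a certificate left to expire) are cheap to catch ahead of time. The script below is an added example, not code from the article or from any of the organizations it mentions; the name-server sets, the reference date and the certificate expiry dates are constructed to mirror the situations in the text, so it runs offline rather than querying live DNS or TLS.

```python
"""Two pre-incident checks: single-provider DNS delegation and certificate expiry.
Added example; all inputs are constructed, not live DNS or TLS data."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def provider_of(ns_host: str) -> str:
    """Registrable domain of a name-server host, e.g. everydns.net for ns1.everydns.net.
    Assumption: the last two labels identify the provider (fine for .net/.com-style hosts)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_provider_risk(ns_hosts):
    """Return (single_provider, counts): True when every NS host belongs to one provider,
    i.e. losing that provider takes the whole domain offline."""
    counts = Counter(provider_of(h) for h in ns_hosts)
    return len(counts) == 1, dict(counts)


def cert_expiry_status(not_after: datetime, now: datetime, warn_days: int = 30) -> str:
    """Classify a certificate's notAfter as 'expired', 'expiring' (within warn_days) or 'ok'."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


# Constructed sample inputs mirroring the article's situations.
SINGLE_PROVIDER_NS = ["ns1.everydns.net.", "ns2.everydns.net.", "ns3.everydns.net."]
DIVERSE_NS = ["ns1.everydns.net.", "ns1.example-secondary.org.", "a.example-dns.com."]
NOW = datetime(2010, 12, 3, tzinfo=timezone.utc)            # constructed reference date
CERT_LAPSED = datetime(2010, 6, 12, tzinfo=timezone.utc)    # constructed: already expired
CERT_SOON = NOW + timedelta(days=10)                         # constructed: inside warning window
CERT_FINE = NOW + timedelta(days=365)                        # constructed: healthy

if __name__ == "__main__":
    for label, ns in (("single-provider", SINGLE_PROVIDER_NS), ("diverse", DIVERSE_NS)):
        single, counts = dns_provider_risk(ns)
        print(label, "-> single point of failure" if single else "-> multi-provider", counts)
    for label, not_after in (("lapsed", CERT_LAPSED), ("soon", CERT_SOON), ("fine", CERT_FINE)):
        print(label, "->", cert_expiry_status(not_after, NOW))
```

In practice the NS list comes from the registrar's delegation (the "domain-registration records" the article refers to) and notAfter from the served certificate; the thresholds are the only values worth tuning.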

And for years WikiLeaks promised would-be leakers that they'd enjoy the protection of strong journalist shield laws in Sweden, where WikiLeaks maintains some of its servers. It wasn't until August of this year that it emerged that WikiLeaks hadn't registered as a media outlet in Sweden, and thus wasn't protected.

That latter disclosure sent founder Julian Assange to Stockholm in August in an effort to correct the oversight. His romantic entanglements on that trip led to an ongoing sex-crime investigation and the issuance this week of an Interpol "red notice" putting Assange on the international police agency's wanted list.

Photo: Julian Assange (Lily Mihalik/Wired.com)