Internet security company Tiversa says WikiLeaks may be exploiting a feature in peer-to-peer file-sharing applications to search for classified data
In April 2009 the whistle-blower website WikiLeaks published a secret U.S. military document detailing technological capabilities of the U.S. Navy's Pacific Missile Range Facility on Kauai. In an online post explaining how it obtained the information, WikiLeaks indicated only that it came from "a source." It was another coup for WikiLeaks and its founder, Julian Assange, who describes the far-flung organization—it has no fixed domicile—as a secure digital drop box for disaffected insiders. He has repeatedly said WikiLeaks doesn't actively obtain classified documents but rather provides a platform for others who have confidential information to reveal for the public good.
Except that WikiLeaks, according to Internet security company Tiversa, appears to have hunted down that military document itself. Tiversa says the group may have exploited a feature of file-sharing applications such as LimeWire and Kazaa that are often used to swap pirated copies of movies and music for free. If, for example, a Pentagon employee were to log on to such a peer-to-peer network (an array of disparate computers with no central hub) to download a movie, he could possibly expose every last e-mail and spreadsheet on his PC to prying eyes. That's because some peer-to-peer, or P2P, applications may scan users' hard drives for shareable files. Not turning that feature off, or specifying which parts of the hard drive may be searched, leaves the door wide open.
In the missile-range case, Tiversa's systems noticed unusual activity coming from a cluster of computers in Sweden, where until December WikiLeaks had some of its key servers. The cluster was furiously searching P2P networks around the world. It hit pay dirt in the form of a file blandly labeled BPL_HI.pdf, available for download from a computer in Hawaii. The Swedish computers downloaded the document, and two months later it was posted on WikiLeaks.
Executives at Tiversa, which is hired by governments and corporations to use the same loophole to find exposed documents and figure out who might be accessing them, say the Hawaii incident wasn't an isolated case. Its technology has detected the mysterious Swedish computers downloading gigabytes of data, much of which soon appeared on WikiLeaks. "WikiLeaks is doing searches themselves on file-sharing networks," says Robert Boback, Tiversa's chief executive officer. "It would be highly unlikely that someone else from Sweden is issuing those same types of searches resulting in that same type of information." A spokesman for WikiLeaks declined to discuss the sources of its secrets or its policy for verifying information it receives. Mark Stephens, WikiLeaks's London attorney, called the claim "completely false in every regard."
Dozens of P2P networks sprang up in the wake of Napster a decade ago. Teenagers use them to get Justin Bieber songs; grown-ups download episodes of Mad Men. The networks are especially popular with soldiers in Iraq and Afghanistan, who use them to swap music and porn. Boback says it's an open secret among researchers, financial fraudsters, and intelligence agencies that many of these networks are rich sources of confidential documents the networks' users accidentally share—pirates can easily be pirated, as it were. According to Tiversa, in 2009 a Maryland defense contractor got on a P2P network and exposed the designs for Marine One, the Presidential helicopter; that data wound up on a computer in Iran. To sift through one network, all an intruder needs is a basic understanding of P2P, says Boback. To conduct a massive search of networks around the world, huge amounts of computing horsepower and bandwidth are required.
Tiversa has plenty of both. In a secure room at the company's headquarters in Cranberry Township, Pa., banks of servers create a minute-by-minute map of what is effectively a global treasure trove of secrets. In a brief demonstration of what's out there for the taking, a Tiversa analyst taps a few keys, and up pops the cell phone number of actress Lucy Liu along with the pseudonym she uses to check into hotels—attached to a production company document clearly labeled "not to be made public." There are several draft chapters of a book by white supremacist David Duke, as well as a spreadsheet of all the donors to his cause. Assange has told interviewers that his group has damaging information on pharmaceutical, energy, and financial companies; Boback confirms that confidential corporate documents are readily accessible.
In November 2009, WikiLeaks published a spreadsheet detailing potential terrorist targets in Fresno County, Calif., compiled by state and federal security officials. The document noted locations of bomb-grade fertilizer caches, large gasoline and propane reserves, and the coordinates of key military and law enforcement sites and their functions. Tiversa found the spreadsheet was inadvertently exposed by a California state employee using the FrostWire peer-to-peer network in August 2008, more than a year before WikiLeaks posted it. Army intelligence documents posted by WikiLeaks in 2009 that included reports on Taliban leaders and their movements were accidentally leaked by a P2P user eight months earlier. For a list of every Chevron (CVX) property in the U.S. and Canada, the gap was two months—from March to May 2009, Tiversa says.
Could those Swedish computers belong to other hackers, who then deposit the documents in WikiLeaks's drop box? Highly unlikely, says Boback. "There are not that many whistle-blowers in the world to get you millions of documents," he says. "However, if you are getting them yourselves, that information is out there and available."
A federal grand jury in Virginia is examining WikiLeaks's publication of U.S. diplomatic cables, a case unrelated to file sharing. The possibility that the site is systematically ransacking computers may offer prosecutors an alternate path to get the group and its founder into a U.S. courtroom. "There is a difference between being given information that may have been obtained in violation of some agreement or law, vs. the media itself violating the law or an agreement in order to obtain information," says Sandra Baron, the executive director of the Media Law Resource Center in New York. "The media is not allowed to steal."
The case law is murky. A federal prosecutor in Seattle successfully argued two cases recently involving individuals who retrieved financial information through LimeWire "in excess of authorization." (LimeWire's parent company ceased operations in December, although the network lives on.) Other federal courts have found that law enforcement searches of private computers through LimeWire and other networks were perfectly legal.
More likely is that WikiLeaks's legions of fans among professional journalists will have to rethink their view of WikiLeaks and its founder as the Second Coming of Woodward and Bernstein. That duo famously cultivated Deep Throat as a source for articles that exposed the Watergate scandal. "This," says Mark Jurkowitz, associate director for the Project for Excellence in Journalism, "would be more akin to wiretapping Deep Throat's phone."
The bottom line: WikiLeaks, which says it's a passive drop box for whistle-blowers, is accused of searching hard drives for classified documents.