Wikileaks Vault 7 And The CIA Hacking Arsenal

It’s a cliché of political scandals that “the cover-up is worse than the crime”. Attempts to conceal misconduct, because they’re easier to prove and provide otherwise elusive evidence of a guilty mind, often end up being more politically damaging than the underlying misconduct would have been. 

In the case of the latest Wikileaks document dump, the first in a planned series from a cache the site has dubbed “Vault 7,” we have an apparent reversal of the formula: The un-cover-up, the fact of the leak itself, is probably more significant than the substance of what has thus far been revealed.

There are, of course, some points of real interest in the archive of documents, mostly concerning an array of hacking tools and software exploits developed or used by the Central Intelligence Agency’s Engineering Development Group, and it’s likely more will emerge as reporters and analysts churn through more than 8,000 files and documents. 
 
It has been confirmed that the CIA has hung onto and exploited at least a handful of undisclosed “zero day” vulnerabilities in widely-used software platforms, including Apple’s iOS and Google’s Android, the operating systems on which nearly all modern smartphones run.

However, Google and other dismiss Wikileaks...

Apple first dismissed the majority of the listed iPhone vulnerabilities in a statement last night, and now Google and other firms are following suit.

“As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities. Our analysis is ongoing and we will implement any further necessary protections. We’ve always made security a top priority and we continue to invest in our defenses,” Google’s director of information security and privacy Heather Adkins said in a statement.

Finding flaws in iPhones and Android devices was important to the CIA’s mission of surveilling targets because the security problems could allow the agency to eavesdrop on users’ communications.

What has also surfaced is that the obstacles to conventional wiretapping posed by the growing prevalence of encryption have spurred intelligence agencies to hunt for alternative means of collection, which include not only compromising communications endpoints such as smartphones, but also seeking to repurpose networked appliances on the Internet of Things as surveillance devices.  The latter goal has even spawned its own research department, the Embedded Development Branch.

Still, in light of what we already knew about the National Security Agency’s own efforts along similar lines, thanks to Edward Snowden’s disclosures about the agency’s Tailored Access Operations division, this is, at least from a policy perspective, not so much revelation as confirmation.  

Moreover, there’s little here to suggest surveillance that’s either aimed at Americans or indiscriminate, the features that made Snowden’s leaks about NSA surveillance so politically explosive.  

One of the more widely-reported projects in Vault 7, for instance, has been the Doctor Who–referencing “Weeping Angel” implant, which can turn Samsung televisions into surveillance microphones even when they appear to be turned off.  

Yet, at least at the time the documentation in the Wikileaks release was written, Weeping Angel appeared to require physical access to be installed, which makes it essentially a fancy and less detectable method of bugging a particular room once a CIA agent has managed to get inside.  

This is all fascinating to surveillance nerds, to be sure, but without evidence that these tools have been deployed either against inappropriate targets or on a mass scale, it’s not intrinsically all that controversial. Finding clever ways to spy on people is what spy agencies are supposed to do.

What is genuinely embarrassing for the intelligence community, however, is the fact of the leak itself, a leak encompassing not only thousands of pages of documentation but, according to Wikileaks, the actual source code of the hacking tools those documents describe.  

While Wikileaks has not yet published that source code, they claim that the contents of Vault 7 have been circulating “among former US government hackers and contractors in an unauthorised manner,” which if true would make it far more likely that other parties, such as foreign intelligence services, had been able to obtain the same information.  

Worse, this comes just months after the even more disastrous Shadow Brokers leak, which published a suite of exploits purportedly used by the NSA-linked Equation Group to compromise the routers and firewalls relied upon by many of the world’s largest companies to secure their corporate networks.

The Equation's cyber-espionage activities were documented in February 2015 by researchers from antivirus vendor Kaspersky Lab. It is widely considered to be the most advanced cyber-espionage group in the world based on the sophistication of its tools and the length of its operations, some possibly dating as far back as 1996.

From the start, the tools and techniques used by the Equation bore a striking similarity to those described in secret documents leaked in 2013 by former NSA contractor Edward Snowden. This relationship was further strengthened by the similarity between various code names found in the Equation malware and those in the NSA files.

That’s of great significance also for the ongoing debate over how intelligence agencies should respond when they also discover vulnerabilities in widely-used commercial software or firmware. Do they inform the vendor that they’ve got a security hole that could put their users at risk, or do they keep quiet and make use of the vulnerability to enable their own surveillance?  If the latter, how long do they wait until disclosing?  

In 2014, the White House’s cyber-security czar attempted to reassure the public that the government’s mechanism for making such decisions, an informal “Vulnerability Equities Process” designed to weigh the intelligence benefit of keeping an exploit against the public’s interest in closing security holes, was strongly biased in favor of disclosure.  

The number of critical vulnerabilities we now know have remained undisclosed, sometimes for years, should cast serious doubt on that assertion.  But the means by which we know it should strengthen the case for disclosure still further.

Prior to the Shadow Brokers leak, the primary concern of security experts had been that the longer a software vulnerability is kept secret by spy agencies, the greater the risk that some malicious actor, whether a criminal hacker or another intelligence agency, would independently discover and use it.  

Now, however, we need to factor in the growing evidence that the Intelligence Community cannot properly secure its own hacking tools.  

And breaches this sort create significantly higher risks, because they result in the wide circulation, not just of individual vulnerabilities that might be of limited use to an attacker in isolation, but whole suites of them, already in weaponised form, and conveniently chained together for easy one-stop hacking.  

One such breach might be shrugged off as an aberrant lapse. 

Two, that the public is aware of, in the span of eight months suggest a more systematic problem. And since foreign intelligence agencies are likely to be more interested in using stolen cyber weapons than gifting them to the world, it seems a reasonable inference that the two publicly known instances of large-scale exfiltration aren’t the only such cases.

That ought to make the public a whole lot more skittish about the prospect that a myopic focus on maintaining intelligence accesses is making all of us significantly less secure on net. 

And it ought to prompt some serious reevaluation within the government about whether their purported bias in favor of disclosure shouldn’t be a whole lot stronger.

Just Security:        Techcrunch:          PCWorld

WikiLeaks Will Share CIA's Hacking Secrets:

WikiLeaks Dump Shines Light On US Intelligence’s Zero-Day Policy:

The CIA Has Lost Control Of Its Cyber Weapon Documents:

Meet The Fancy Bears:


 

« DeepMind Uses Blockchain To Track Health Data
No Easy Fix For SME Cybersecurity »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

My Data Recovery Lab

My Data Recovery Lab

We recover data from: HDDs, RAIDs, NAS, SSDs, USB Flash Devices, Desktop Computers, Mobile devices and other data storage media.

Data Shepherd

Data Shepherd

Data Shepherds primary focus is to protect your business. We achieve this by offering extensive and unique expertise in innovative IT and Cyber security solutions.

OneVisage

OneVisage

Our award-winning 3DAuth digital identity platform turns any consumer mobile device into a real-time 3D facial scanner that securely authenticates the user in seconds.

Inogesis

Inogesis

Inogesis helps blue-chip organisations harness disruptive technologies and thinking to drive new revenues or overcome challenges by connecting them with dynamic small companies.

Irish National Accreditation Board (INAB)

Irish National Accreditation Board (INAB)

INAB is the national accreditation body for Ireland. The directory of members provides details of organisations offering certification services for ISO 27001.

National Cybersecurity Student Association (NCSA) - USA

National Cybersecurity Student Association (NCSA) - USA

The National Cybersecurity Student Association is a one-stop-shop to enhance the educational and professional development of cybersecurity students through activities, networking and collaboration.

Beosin

Beosin

Beosin is a blockchain security company providing cybersecurity services including security audits, on-chain asset investigation, threat intelligence and wallet security.

CHT Security

CHT Security

CHT Security is a Managed Security Service Provider (MSSP) specialized in cyber security technologies enabling enterprises to defense against cyber threats to networks, gateways and endpoints.

Crosspring

Crosspring

Crosspring is an incubator/accelerator for people who have the ambition to start a successful business or want to extend their existing business in the areas of FinTech, AR, VR, Cybersecurity and SaaS

Secure-IC

Secure-IC

Secure-IC provide end-to-end, best-of-breed security expertise, solutions, and hardware & software technologies, for embedded systems and connected objects.

GuardSight

GuardSight

GuardSight is a provider of specialized cybersecurity services to safeguard businesses, government, and remote workers against sophisticated cyber threats.

HB-Technologies

HB-Technologies

HB-Technologies is pioneer in Africa, in digital security, embedded electronic and IT solutions based on highly secure smart cards that comply with international standards and norms.

QAlified

QAlified

QAlified offer independent testing and quality assurance services for software projects including security testing.

Cyber News Live

Cyber News Live

Welcome to Cyber News Live (CNL), we are dedicated to keeping everyone safe online. We provide vital information.

Redefine

Redefine

Redefine are Crypto-Native, Cyber Experts, and Blockchain Believers. We are here to make Web3 anti-fragile, safe and accessible to all.

Getvisibility

Getvisibility

Getvisibility enables customers to detect, classify and protect sensitive information increasing data security, governance, compliance and lowering the risk of losing valuable data.