WikiLeaks has published what it described as the biggest ever leak of confidential documents from the CIA detailing the tools it uses to break into phones, communication apps and other electronic devices. In all, there are 8,761 documents that account for “the entire hacking capacity of the CIA”, Mr Assange claimed in a release, and the trove is just the first of a series of “Vault 7” leaks. Already, the files include far more pages than the Snowden files that exposed the vast hacking power of the NSA and other agencies.
Please see below for a few comments on this from security experts:
Jim Walter, a Senior Researcher with Cylance, explained that early research indicates that efficiency is a top priority. “There are clear instances where the owner of this code is inspired by (and sometimes borrowing directly from) well-known malware. Familiar names like HiKit, Shamoon, and Nuclear EP appear multiple times, so it is interesting to see what threats the owner is taking cues from. Beyond that we have a great deal of analysis to do when it comes to putting this dataset into context with previous dumps pertaining to government techniques, tactics, and procedures.”
Brian Vecci, Technical Evangelist, Varonis
“It’s too easy for data to be stolen, even—allegedly—within the CIA’s Center for Cyber Intelligence. The entire concept of a spook is to be covert and undetectable; apparently that also applies to actions on their own network. According to WikiLeaks, this treasure trove of files was given to them by a former U.S. government contractor. The CIA is not immune to issues affecting many organizations: too much access with too little oversight and detective controls. A recent Forrester study found that 59% of organizations do not restrict access to files on a need to know basis.
“In performing forensics on the actual breach, the important examination is to determine how 8,761 files just walked out of one of the most secretive and confidential organizations in the world. Files that were once useful in their operations are suddenly lethal to those same operations. We call this toxic data: anything that is useful and valuable to an organization but, once stolen and made public, turns toxic to its bottom line and reputation. All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion.
“Organizations need to get a grip on where their information assets are, who is using them, and who is responsible for them. There are just too many unknowns right now. They need to put all that data lying around in the right place, restrict access to it and monitor and analyze who is using it.”
Mike Ahmadi, global director – critical systems security at Synopsys
“Unfortunately, US Government computer systems, policies, and procedures are largely outdated in today’s hostile world of connected technologies. The moment anything with either external connectivity or mobility (e.g. a USB memory stick) gets near such systems, the game is over. The software running on legacy government computer systems is so fraught with vulnerabilities that any level of access creates the potential for a security breach. The government needs to take a closer look at their exposure if they hope to defend against what is becoming an embarrassing regular occurrence.”
Lee Munson, security researcher at Comparitech.com:
“Wikileaks’ disclosure of what it claims are wide-ranging CIA hacking tools is hardly likely to surprise anyone in the post-Snowden world we now live in.
“Whether the alleged cyber weapons exist or not is largely immaterial at a time when I assume most people believe they do.
“What the Vault 7 leaks should do, however, is confirm that, while taking a nothing to hide, nothing to fear approach is hopelessly out of date, most citizens should not be any more concerned about surveillance today than they were yesterday.
“While exploits across a range of devices and the ability to turn on cameras and microphones is a touch chilling, they’re nothing new, and anyone with real concerns should already be going about their business with those possibilities in mind.
“The really interesting aspect to this leak, however, is how the alleged cyber spying tools all appear to have one thing in common – the need to acquire information over the wire.
“That means, for now at least, we can assume that messaging systems with strong end-to-end encryption are beyond the reaches of the security services; a win for everyone who is truly concerned about protecting their privacy today.”