Vault7 by WikiLeaks

https://wikileaks.org/ciav7p1/

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7” by WikiLeaks, the project claims that the CIA recently lost control of the majority of its hacking arsenal, including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.

36 Comments

  1. Tomi Engdahl says:

    WikiLeaks: The CIA is using popular TVs, smartphones and cars to spy on their owners
    https://www.washingtonpost.com/news/the-switch/wp/2017/03/07/why-the-cia-is-using-your-tvs-smartphones-and-cars-for-spying/?utm_term=.10d94cf852a9

    Televisions, smartphones and even anti-virus software are all vulnerable to CIA hacking, according to the WikiLeaks documents released Tuesday. The capabilities described include recording the sounds, images and the private text messages of users, even when they resort to encrypted apps to communicate.

    Reply
  2. Tomi Engdahl says:

    Kaveh Waddell / The Atlantic:
    WikiLeaks press release hints at “impactful stories” in its document cache as reporters wrestle with how to approach the information — Since around the time of the presidential election in November, the U.S. media has taken a hard look at its tumultuous love affair with WikiLeaks.

    Should Journalists Be More Cautious of WikiLeaks?
    With its latest leak, the site is daring reporters to go on a scavenger hunt for scoops.
    https://www.theatlantic.com/technology/archive/2017/03/should-journalists-be-more-cautious-of-wikileaks-cia-dump/518832/

    Since around the time of the presidential election in November, the U.S. media has taken a hard look at its tumultuous love affair with WikiLeaks. News organizations had lapped up the documents that the site was churning out: first, thousands of emails from the Democratic National Committee, then thousands more from the personal Gmail account of Hillary Clinton’s campaign manager, John Podesta.

    As the source of the leaked information came into focus, some news organizations began to rethink their eager participation in amplifying it.

    So when WikiLeaks dumped thousands of electronic documents stolen from the CIA on its website on Tuesday—a leak it called “the largest intelligence publication in history”—the media got its first chance since the election to try out their new skeptical approach.

    At first blush, the new WikiLeaks reporting didn’t look much different than the old WikiLeaks reporting.

    The Times published a piece written by three journalists that repackaged the contents of a WikiLeaks press release announcing the CIA document dump. The story’s breathless second paragraph read: “If the documents are authentic, as appeared likely at first review, the release would be the latest coup for the anti-secrecy organization and a serious blow to the CIA, which maintains its own hacking capabilities to be used for espionage.”

    To be fair, the WikiLeaks dump is momentous, and the Times and the Post published stories about it before it was more than a few hours old. They attempted to check whether the leak was genuine, and made it clear that their determinations of the leak’s authenticity were only preliminary. It is, after all, easy to slip in a few fabricated documents in a trove of thousands.

    The question of how to approach WikiLeaks seems yet unsolved. Should journalists absolve the site of its apparent participation in a Russian campaign to tip the results of the U.S. election? Does the gravity of the documents contained in the CIA leak necessitate reporting on them, even before they’re thoroughly vetted? If these documents appear genuine, how much should news articles question why WikiLeaks published them?

    Reply
  3. Tomi Engdahl says:

    WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents
    https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html

    In what appears to be the largest leak of C.I.A documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Internet-connected televisions.

    The documents amount to a detailed, highly technical catalog of tools. They include instructions for compromising a wide range of common computer tools for use in spying: the online calling service Skype; Wi-Fi networks; documents in PDF format; and even commercial antivirus programs of the kind used by millions of people to protect their computers.

    A program called Wrecking Crew explains how to crash a targeted computer, and another tells how to steal passwords using the autocomplete function on Internet Explorer. Other programs were called CrunchyLimeSkies, ElderPiggy, AngerQuake and McNugget.

    The document dump was the latest coup for the antisecrecy organization and a serious blow to the C.I.A., which uses its hacking abilities to carry out espionage against foreign targets.

    Reply
  4. Tomi Engdahl says:

    Joe Uchill / The Hill:
    WikiLeaks releases large cache of alleged CIA classified documents, detailing hacking tools for iPhones and Android phones, Samsung smart TVs, and more — WikiLeaks on Tuesday published a massive trove of documents purportedly pertaining to the CIA’s hacking programs …

    WikiLeaks releases massive CIA hacking document archive
    By Joe Uchill – 03/07/17 09:23 AM EST
    http://thehill.com/policy/cybersecurity/overnights/322672-wikileaks-releases-massive-cia-hacking-document-archive

    WikiLeaks on Tuesday published a massive trove of documents purportedly pertaining to the CIA’s hacking programs — the first of many document dumps the site says it has coming on the intelligence agency.

    The documents contain descriptions of hacking tools, engineering notes, internal communications and more. The release did not immediately appear to have included the tools themselves, and agent names have been redacted.

    This is the first leak from a CIA project the site is calling “Vault 7.” WikiLeaks first released an encrypted version of this batch of documents, nicknamed “Year Zero,” on Twitter late Monday.

    The site provided a password for the documents around 8 a.m. Tuesday, about an hour before the documents’ intended release time, due to alleged cyberattacks on the online press conference that WikiLeaks head Julian Assange tried to host in advance of the release.

    “‘Year Zero’, comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virgina [sic],” a press release accompanying the leaks read.

    The leaks reveal a hacking operations center called the Center for Cyber Intelligence Europe based out of the Frankfurt Consulate.

    Hacking tools detailed in the leaks include mobile device breaching tools for both iPhone and Android, defeating antivirus programs and a program developed with Britain to hack Samsung smart televisions known as “Weeping Angel.”

    “Weeping Angel” lets the television appear off while actually being on.

    WikiLeaks’s press release cites an executive order it claims President Trump signed in February “calling for a ‘Cyberwar’ review to be prepared within 30 days.”

    Reply
  5. Tomi Engdahl says:

    Vault 7: CIA Hacking Tools Revealed
    https://wikileaks.org/ciav7p1/

    The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

    As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified.

    The CIA’s Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user’s geolocation, audio and text communications as well as covertly activate the phone’s camera and microphone.

    CIA’s arsenal includes numerous local and remote “zero days” developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop.

    CIA malware targets Windows, OSx, Linux, routers

    CIA ‘hoarded’ vulnerabilities (“zero days”)

    Reply
  6. Tomi Engdahl says:

    Many of the vulnerabilities used in the CIA’s cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.

    ‘Cyberwar’ programs are a serious proliferation risk

    Cyber ‘weapons’ are not possible to keep under effective control.
    Cyber ‘weapons’ are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.

    Source: https://wikileaks.org/ciav7p1/

    Reply
  7. Tomi Engdahl says:

    WikiLeaks Unveils Treasure Trove of CIA Documents
    http://hackaday.com/2017/03/08/wikileaks-unveils-treasure-trove-of-cia-documents/

    The latest from WikiLeaks is the largest collection of documents ever released from the CIA. The release, called ‘Vault 7: CIA Hacking Tools Revealed’, is the CIA’s hacking arsenal.

    While Vault 7 is only the first part in a series of leaks of documents from the CIA, this leak is itself massive. The documents, available on the WikiLeaks site and available as a torrent, detail the extent of the CIA’s hacking program.

    Of note, the CIA has developed numerous 0-day exploits for iOS and Android devices. The ‘Weeping Angel’ exploit for Samsung smart TVs

    Additionally, the CIA has also developed tools to take over vehicle control systems.

    It is not an exaggeration to say this is the most significant leak from a government agency since Snowden, and possibly since the Pentagon Papers. This is the documentation for the CIA’s cyberwarfare program, and there are more leaks to come.

    Reply
  8. Tomi Engdahl says:

    WikiLeaks Releases Details on CIA Hacking Tools
    http://www.securityweek.com/wikileaks-releases-details-cia-hacking-tools

    WikiLeaks revealed on Tuesday that it has obtained thousands of files allegedly originating from a high-security network of the U.S. Central Intelligence Agency (CIA). The leak, dubbed “Vault 7,” apparently exposes the CIA’s vast hacking capabilities.

    WikiLeaks said the files come from the CIA’s Center for Cyber Intelligence (CCI) in Langley, Virginia, and they have been circulating among former U.S. government hackers and contractors. One of these individuals provided the data to the whistleblower organization, which has called it “the largest intelligence publication in history.”

    Following the Edward Snowden leaks, the U.S. government has promised to disclose serious vulnerabilities that represent a high risk or affect a product that is widespread in critical infrastructure. If the files obtained by WikiLeaks are genuine, the CIA breached that commitment.

    Security Firms Assess Impact of CIA Leaks
    http://www.securityweek.com/security-firms-assess-impact-cia-leak

    Security firms have started assessing the impact of the CIA hacking tools exposed on Tuesday by WikiLeaks as part of the leak dubbed “Vault 7.”

    Files allegedly obtained from a high-security CIA network appear to show that the intelligence agency has tools for hacking everything, including mobile devices, desktop computers, routers, smart TVs and cars.

    The published files also appear to show that the CIA has targeted the products of many security solutions providers, including anti-malware and secure messaging applications. The list of affected vendors includes Symantec, Kaspersky, Avira, F-Secure, Microsoft, Bitdefender, Panda Security, Trend Micro, ESET, Avast, AVG, McAfee, Comodo and G Data.

    While WikiLeaks has not released any of the exploits it has obtained, an initial investigation conducted by security firms indicates that the CIA’s capabilities may not be as advanced as some have suggested.

    Bitdefender told SecurityWeek that the public Vault 7 files show that the CIA had been having problems evading the company’s products.

    “All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release.”

    Comodo also said its product appeared to pose problems to the CIA.

    Microsoft, whose EMET and Security Essentials products are mentioned in the leak

    F-Secure has assured customers that the bypass method described in CIA documents does not affect its DeepGuard and Security Cloud products.

    Panda Security says it has yet to find exploits or tools targeting its products in the publicly available files.

    Avira said the CIA’s Entropy Defeat bypass technique does affect its products, but classified it as a “minor vulnerability” that it patched within a few hours after the WikiLeaks release. The company has not found any malware samples that used this technique.

    ESET told SecurityWeek that the bugs described in the leak are all “known and very old”; they were patched several years ago. Symantec said there is “no evidence of the ability to bypass or exploit vulnerabilities in Symantec products and services.”

    Juniper Networks has not found any evidence that its products have been targeted

    WikiLeaks reported that the CIA had found a way to bypass the encryption of Signal, Telegram, WhatsApp and other secure messaging applications.

    Reply
  9. Tomi Engdahl says:

    Wikileaks: CIA has tools to snoop via TVs
    http://www.bbc.com/news/technology-39193008

    Wikileaks has published details of what it says are wide-ranging hacking tools used by the CIA.

    The alleged cyber-weapons are said to include malware that targets Windows, Android, iOS, OSX and Linux computers as well as internet routers.

    Some of the software is reported to have been developed in-house, but the UK’s MI5 agency is said to have helped build a spyware attack for Samsung TVs.

    A spokesman for the CIA would not confirm the details.

    “We do not comment on the authenticity or content of purported intelligence documents,” he said.

    Reply
  10. Tomi Engdahl says:

    Worried the CIA Hacked Your Samsung TV? Here’s How to Tell
    https://www.wired.com/2017/03/worried-cia-hacked-samsung-tv-heres-tell/

    The Telltale LED

    In Fake Off mode, the screen appears off and the LEDs on the front of the set change color and dim, as you’d expect if you’d turned off your TV. Yet the TV remains powered and capable of recording conversations. Want to know if Big Brother is listening in? Look at the back of your set. The blue LED back there should be off. It remains illuminated in Fake Off mode, according to the documents WikiLeaks released.

    Be Seeing You

    The companies making internet-connected smart televisions have drawn criticism for collecting and sharing user data. If you want effective protection from unscrupulous companies, shifty hackers, and government spies, simply disconnect your TV from the internet.

    Reply
  11. Tomi Engdahl says:

    Federal Criminal Probe Being Opened Into WikiLeaks’ Publication of CIA Documents
    https://politics.slashdot.org/story/17/03/08/1759203/federal-criminal-probe-being-opened-into-wikileaks-publication-of-cia-documents

    A federal criminal investigation is being opened into WikiLeaks’ publication of documents detailing alleged CIA hacking operations, CNN reports citing several U.S. officials.

    The officials said the FBI and CIA are coordinating reviews of the matter. The investigation is looking into how the documents came into WikiLeaks’ possession and whether they might have been leaked by an employee or contractor. The CIA is also trying to determine if there are other unpublished documents WikiLeaks may have.

    Federal criminal probe being opened into WikiLeaks’ publication of CIA documents
    http://edition.cnn.com/2017/03/08/politics/wikileaks-cia-investigation/

    A federal criminal investigation is being opened into WikiLeaks’ publication of documents detailing alleged CIA hacking operations, several US officials told CNN Wednesday.
    The officials said the FBI and CIA are coordinating reviews of the matter.

    The investigation is looking into how the documents came into WikiLeaks’ possession and whether they might have been leaked by an employee or contractor. The CIA is also trying to determine if there are other unpublished documents WikiLeaks may have.
    CIA spokesman Ryan Tripani said the agency had “no comment on the authenticity of purported intelligence documents released by WikiLeaks or on the status of any investigation into the source of the documents.”

    Reply
  12. Tomi Engdahl says:

    CIA hacking dossier leak reignites debate over vulnerability disclosure
    Spy agencies more interested in stockpiling bugs than closing the gaps
    https://www.theregister.co.uk/2017/03/08/cia_hacking_tool_dump_vuln_disclosure_debate/

    WikiLeaks’ dump of CIA hacking tool documents on Tuesday has kicked off a debate among security vendors about whether intel agencies are stockpiling vulnerabilities, and the effect this is having on overall security hygiene.

    The leaked documents purport to show how the intel agency infiltrates smartphones, PCs, routers, IoT gear, potentially smart TVs, and other gear, using a range of hacking tools, as previously reported. These capabilities are hardly surprising to anyone who remembers the disclosures from former NSA contractor Edward Snowden back in 2013.

    The CIA’s abilities are more aligned toward targeted attacks rather than mass surveillance and bulk data collection – the stock in trade of the NSA, GCHQ and other signals intelligence agencies.

    Reply
  13. Tomi Engdahl says:

    The CIA Leak Exposes Tech’s Vulnerable Future
    https://www.wired.com/2017/03/cia-leak-exposes-techs-vulnerable-future/

    Yesterday’s Wikileaks dump reiterated something we already knew: Our devices are fundamentally unsafe. No matter what kind of encryption we use, no matter which secure messaging apps we take care to run, no matter how careful we are to sign up for two-factor authentication, the CIA—and, we have to assume, other hackers—can infiltrate our operating systems, take control of our cameras and microphones, and bend our phones to their will. The same can be said of smart TVs, which could be made to surreptitiously record our living-room conversations, and internet-connected cars, which could potentially be commandeered and even crashed.

    Previous security revelations told us that our data wasn’t safe. The Vault 7 leak reminded us that our machines aren’t secure—and, because those machines lived in our homes and on our bodies, they rendered our homes and bodies insecure as well. There is a word for these flaws and holes in code that leave us open to harm, and it’s the same word for the unease that accompanies them: vulnerability.

    If we feel freshly vulnerable, we are not alone. The darlings of the tech industry—which for much of the past decade have convincingly presented themselves as swaggering inevitabilities—are showing signs of vulnerability as well.

    The more powerful and inevitable something appears, the more startling and devastating its weaknesses are when they are exposed. Or, to borrow a phrase, the harder they come, the harder they fall.

    That’s useful to remember when you consider the transformation we are currently undergoing, one in which more and more of our devices become connected to the internet. Whether you call it the “Internet of Things” or the “Internet of Everything” or the “Third Wave” or the “Programmable World,” the long-predicted moment when connectivity becomes as ubiquitous as electricity is nearly upon us. The benefits will be staggering—a world that will know us and adjust to our needs and desires, a universe of data that will impart new wisdom. But so will the vulnerabilities, the opportunities for our worlds to be penetrated, manipulated, and even destroyed by malevolent intruders.

    The Vault 7 leak is not the tech industry’s fault, exactly, but we must ask at what point we stop placing our trust in devices, systems, and people that are inherently undeserving of it? Actually, never mind, we’re past it already. The most troubling aspect of the latest revelations is that there is no way to protect yourself beyond not buying a smartphone

    Reply
  14. Tomi Engdahl says:

    How the CIA’s Hacking Hoard Makes Everyone Less Secure
    https://www.wired.com/2017/03/cias-hacking-hoard-makes-everyone-less-secure/

    When WikiLeaks yesterday released a trove of documents purporting to show how the CIA hacks everything from smartphones to PCs to smart televisions, the agency’s already shadowy reputation gained a new dimension. But if you’re an average American, rather than Edward Snowden or an ISIS jihadi, the real danger clarified by that leak wasn’t that someone in Langley is watching you through your hotel room’s TV. It’s the rest of the hacker world that the CIA has inadvertently empowered.

    As security researchers and policy analysts dig through the latest WikiLeaks documents, the sheer number of hacking tools the CIA has apparently hoarded for exploiting zero-day vulnerabilities—secret inroads that tech firms haven’t patched—stands out most. If the US intelligence community knows about them, that leaves open the possibility that criminal and foreign state hackers do as well.

    “If the CIA can use it, so can the Russians, or the Chinese or organized crime,”

    A World of Hacks

    It’s no surprise, of course, that one of America’s most well-resourced spy agencies can hack its foreign adversaries. The shock, says Johns Hopkins cryptographer Matt Green, comes instead from the sudden spill of those hacking tools onto the web. “In the same way the military would probably have one technique for killing every single tank in an enemy’s arsenal, you would expect the CIA to collect the same thing,” says Green. “What’s different is that we’re seeing them out in public.”

    “The default position is that the government will disclose, but that doesn’t mean that will happen on every occasion,”

    It’s still unclear whether the Trump administration will continue the previous White House’s Vulnerabilities Equities Process, or how it will address the question of government hacking versus civilian security.

    Reply
  15. Tomi Engdahl says:

    FBI and CIA launch criminal investigation into ‘malware leaks’
    http://www.bbc.com/news/world-us-canada-39210628

    US federal agencies have launched a criminal investigation into the public release of documents said to detail CIA hacking tools, US officials say.

    They told US media that the FBI and CIA were co-ordinating the inquiry after Wikileaks published thousands of files.

    A CIA spokesperson told the BBC on Wednesday: “The American public should be deeply troubled by any Wikileaks disclosure designed to damage the intelligence community’s ability to protect America against terrorists and other adversaries.

    “Such disclosures not only jeopardise US personnel and operations, but also equip our adversaries with tools and information to do us harm.”

    ‘Incredibly damaging’

    On Wednesday, the US officials – who spoke on the condition of anonymity – told US media that the criminal investigation was looking into how the files came into Wikileaks’ possession.

    The inquiry would also try to establish whether the disclosure was a breach from inside or outside the CIA, the officials added.

    The CIA has not confirmed whether the documents – said to date between 2013 to 2016 – are real.

    But one of its former chiefs was concerned by their publication.

    “If what I have read is true, then this seems to be an incredibly damaging leak in terms of the tactics, techniques, procedures and tools that were used by the Central Intelligence Agency to conduct legitimate foreign intelligence,” ex-CIA director Michael Hayden told the BBC.

    Reply
  16. Tomi Engdahl says:

    “Vault 7” Leak Shows CIA Learned From NSA Mistakes
    http://www.securityweek.com/vault-7-leak-shows-cia-learned-nsa-mistakes

    WikiLeaks’ “Vault 7” release appears to confirm that the U.S. National Security Agency (NSA) was behind the threat actor tracked as the “Equation Group.” Documents also show that the Central Intelligence Agency (CIA) learned from the NSA’s mistakes after its activities were exposed by security researchers.

    Files allegedly obtained from a high-security CIA network provide details on the intelligence agency’s vast hacking capabilities. One of the files made available by WikiLeaks contains a discussion thread titled “What did Equation do wrong, and how can we avoid doing the same?”

    The operations of the Equation Group and its links to the NSA were detailed by Kaspersky Lab in February 2015, and the discussion made public by WikiLeaks was initiated a few days later.

    Participants in the discussion pointed out that one of the NSA’s biggest mistakes was that its tools shared code, including custom cryptography, giving researchers the data needed to connect different malware to the same group.

    In addition to using the same custom cryptographic algorithm, the CIA identified several other mistakes made by the NSA, including the reuse of exploits, use of internal tool names in the code, and the use of a unique mutex.

    “All their tools shared code. The custom RC5 was everywhere.”

    “The shared code appears to be the largest single factor is allowing [Kaspersky Lab] to tie all these tools together.”

    The Vault 7 files show that in addition to learning from the NSA’s mistakes, the CIA “borrowed” techniques from in-the-wild malware and tools, including Shamoon, UpClicker and the Nuclear exploit kit.

    Reply
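The attribution lesson in the comment above (shared custom crypto, a unique mutex and internal tool names tying many tools to one group) is the same reasoning a defender applies when clustering samples. The Python below is an added example and is not part of the original post or of the leaked documents: it extracts a few such artifacts from constructed sample byte blobs and links samples that share distinctive ones. The sample names, mutex names, PDB paths and strings are all constructed; the only real values are the two RC5 key-schedule constants (P32, Q32) from Rivest's RC5 specification. The generic-string filter is the practical caveat: strings present in nearly every Windows executable link nothing.

```python
"""Cluster samples by shared, distinctive artifacts (added example, constructed data)."""
from __future__ import annotations

import re
import struct
from itertools import combinations

# Real RC5 key-schedule constants (P32, Q32) from Rivest's RC5 specification,
# packed little-endian as they would appear in x86 code or data.
RC5_MAGIC = {
    "const:RC5_P32": struct.pack("<I", 0xB7E15163),
    "const:RC5_Q32": struct.pack("<I", 0x9E3779B9),
}

# Strings found in almost every Windows executable; sharing them carries no
# attribution signal, so they are dropped before comparing samples.
GENERIC_STRINGS = {
    "This program cannot be run in DOS mode.",
    "KERNEL32.dll",
    "GetProcAddress",
}

_COMMON = b"MZ\x90\x00This program cannot be run in DOS mode.\x00KERNEL32.dll\x00GetProcAddress\x00"

# Constructed sample "binaries" (not real malware). Shared artifacts are planted
# deliberately: A and B share the RC5 constants and a mutex name; D shares only
# a PDB path with A; C shares nothing distinctive with the others.
SAMPLES = {
    "sample_A": _COMMON + RC5_MAGIC["const:RC5_P32"] + RC5_MAGIC["const:RC5_Q32"]
                + b"\x00Global\\ExampleMutex_7f3a\x00"
                + b"d:\\build\\exampletool\\release\\loader.pdb\x00AlphaLoader_v2\x00",
    "sample_B": _COMMON + RC5_MAGIC["const:RC5_P32"] + RC5_MAGIC["const:RC5_Q32"]
                + b"\x00Global\\ExampleMutex_7f3a\x00"
                + b"d:\\build\\exampletool\\release\\payload.pdb\x00BetaPayload_stage2\x00",
    "sample_C": _COMMON + b"Global\\OtherVendorMutex_11\x00"
                + b"c:\\src\\unrelated\\bin\\svc.pdb\x00http://example.invalid/update\x00",
    "sample_D": _COMMON + b"Global\\DeltaMutex_0001\x00"
                + b"d:\\build\\exampletool\\release\\loader.pdb\x00ConfigReader_v2\x00",
}


def extract_artifacts(blob: bytes) -> set[str]:
    """Return labelled artifacts: crypto constants, mutex names, PDB paths, other strings."""
    artifacts: set[str] = set()
    for label, magic in RC5_MAGIC.items():
        if magic in blob:
            artifacts.add(label)
    for match in re.finditer(rb"[\x20-\x7e]{6,}", blob):  # printable ASCII runs
        text = match.group().decode("ascii")
        if text in GENERIC_STRINGS:
            continue
        if text.startswith("Global\\") or text.startswith("Local\\"):
            artifacts.add("mutex:" + text)
        elif text.lower().endswith(".pdb"):
            artifacts.add("pdb:" + text)
        else:
            artifacts.add("str:" + text)
    return artifacts


def cluster_samples(samples: dict[str, bytes], min_shared: int = 1):
    """Union samples that share at least `min_shared` distinctive artifacts.

    Returns (clusters, evidence): clusters is a sorted list of sorted name lists,
    evidence maps each linked pair to the artifacts it shares.
    """
    names = sorted(samples)
    arts = {name: extract_artifacts(samples[name]) for name in names}
    parent = {name: name for name in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence: dict[tuple[str, str], list[str]] = {}
    for a, b in combinations(names, 2):
        common = arts[a] & arts[b]
        if len(common) >= min_shared:
            evidence[(a, b)] = sorted(common)
            parent[find(a)] = find(b)

    groups: dict[str, list[str]] = {}
    for name in names:
        groups.setdefault(find(name), []).append(name)
    clusters = sorted(sorted(group) for group in groups.values())
    return clusters, evidence


if __name__ == "__main__":
    clusters, evidence = cluster_samples(SAMPLES)
    for group in clusters:
        print("cluster:", ", ".join(group))
    for pair, shared in evidence.items():
        print(pair, "share", shared)
```

Raising `min_shared` to 2 splits sample_D off again: a single shared PDB path is weak evidence on its own, while the RC5 constants plus the mutex name keep A and B together. That is the threshold question an analyst faces when deciding how much shared code is enough to tie tools to one group.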
  17. Tomi Engdahl says:

    Fighting Cyber Security FUD and Hype
    http://www.securityweek.com/fighting-cyber-security-fud-and-hype

    Dr. Ian Levy is technical director at the UK’s National Cyber Security Center (NCSC), which is part of GCHQ. It is fair to say that the NCSC will play a major part in defining and delivering the UK government’s cyber security policy over the next few years.

    The security industry stands accused by the UK’s leading cyber security agency of over-hyping the cyber security threat to sell under-achieving products. It does this in two stages: firstly by defining the threat (by manipulating the media); and secondly by positioning its own product as the sole effective cure (by manipulating the buyer).

    Manipulating the Media

    The vendor/media relationship is a complex symbiosis. In the age of free news, each needs the other ― but there are well-known, if unspecified, rules. The primary rule is that the media must appear to be entirely independent of vendor influence, even when largely funded by vendor advertising.

    The vendor industry is forced to manipulate the media subliminally ― and different parts of the media accept this subliminal manipulation to differing degrees.

    Historically, the vendor’s primary tool has been the ‘press release’; but this is now supplemented by the vendor blog. The former is used to frame the company and its product; while the latter is used to frame the threat. The ultimate aim is to define the vendor as the sole cure for a dire threat; and to get the media to describe both in the vendor’s terms.

    The serious media will genuinely seek the underlying truth in all it receives. But journalists have their own pressures: the need to write compelling copy that will attract the largest possible readership, and to do so repeatedly to very tight deadlines.

    The first requirement (compelling copy) leads to the simple acceptance of new buzz words framed by the vendor to define a major new threat that it discovered, and by implication is best positioned to counter.

    The second requirement (tight deadlines) is probably the primary cause of what is now known as ‘fake news’. For the most part, this is not a conspiracy to spread false rumors, but a failure to take sufficient time to check facts rather than simply trust sources.

    Fake news is not new — it has existed for as long as there have been reporters.

    Manipulating the Buyer

    It is easy to forget that vendors are businesses, and their primary purpose is to make a profit.

    “The primary goal is not to solve the security problems, but sell you a product that you think can solve your security problems.”

    It is the methods used to sell the product regardless of effectiveness that worry some buyers; and the ability to see through these methods only comes with experience.

    One vendor told him to use FUD (fear, uncertainty and doubt) to get budget to buy product. It didn’t work: “I never have and never will. The reality is the business relies on its professionals to act as such. If there is a real risk, we need to attack it. If there is perceived risk, we need to evaluate it.”

    A second problem is that salesmen do not necessarily understand either the technicalities of the product they must sell, or the specific demands of the security market ― and resort to their own version of FUD or fibs to make a sale.

    Marketing budgets

    Surprisingly, the size of security product marketing budgets is also seen as an issue. “Vendor marketing budgets are a massive problem,” says security author Raef Meeuwisse; “especially as the largest budgets are often backing the most out of date and ineffective security technologies. It often feels like the larger the ads, the less the vendor has to sell.”

    Fighting the F.U.D.

    “It is the business, guided by our experience and input, which needs to make the final decision,” says Zinaich. “The fact is, more squirrels have taken out power around the globe than any hacker has to date. It is not even close. Yet, the fragile ‘House of Internet Things’ we are rapidly building is full of risk. That risk has to be managed in the light of reality, not by carnival barkers.”

    There is an acceptance among security leaders that security vendors will hype the products and FUD the threat; and that it is down to the professionals’ own knowledge and experience to get to the right product for the right price for their own environment. “I’ve found the best approach is to leverage proof-of-concepts on every solution we are considering,”

    The Ultimate Solution

    There is no ultimate solution. Salesmen will continue to sell the products they represent rather than the correct solutions. Publications will continue to seek readers by making their news stories as ‘interesting’ as possible. The combination will always drift towards Ian Levy’s winged ninja cyber monkeys; but if Bill Burns is correct, the new Information Age may make it a self-correcting issue through the democratization of information. The new element is the citizen journalist ― the independent blogger who does not hesitate to correct the professional journalist who makes a mistake, nor criticize a product that is over-hyped or inadequate. Independent blogs will keep both publications and vendors honest.

    Over time, bloggers like Harley could disarm, if not remove, the winged cyber ninja monkeys by keeping journalists honest and vendors truthful.

    Reply
  18. Tomi Engdahl says:

    Google Has Few Leads As It Starts Investigation Into Huge Leak Of CIA Android Hacks
    https://www.forbes.com/sites/thomasbrewster/2017/03/08/google-android-wikileaks-cia-cyber-attacks/#5b67ec375496

    It’s been less than 24 hours since Wikileaks released files it claims contain information on the myriad tools used by the Central Intelligence Agency (CIA) used to hack and surveil Android cellphones, as well as iPhones, TVs, cars and more. Google is yet to officially comment, but Forbes understands the company’s researchers are busy scouring the 8,000-page data dump as they try to determine if they need to get working on patches.

    It’s not yet clear how bad the damage is. Exacerbating Google’s pain is the knowledge that any triage and subsequent patching will be extraordinarily difficult, given the lack of any code showing just where weaknesses lie. So whilst the Wikileaks release has made it apparent there are multiple, possibly previously-unknown vulnerabilities (known as zero-days) that now need fixing, Google staff have few leads to go on.

    Alongside exploits for Apple’s iOS, there are many named CIA Mobile Device Branch tools specifically for breaking Android security with little detail on how they might work. For instance, there are at least 10 remote code execution bugs, the most critical weaknesses where a hacker can run malicious code from anywhere on the planet. There’s the BaronSamedi hack, which targeted a specific code library that Google can at least investigate. Then there’s the EggsMayhem hack created by the NSA and GCHQ that appears to target the Chrome browser. Or the Dragonfly attack, for which there’s next to no information available. Going right to the heart of Android, there’s an exploit called Sulfur for the operating system’s kernel to force it into leaking information, affecting versions 3.10 and later.

    There’s slightly more comprehensive information on a tool called RoidRage, a malware that appears to allow some remote control over Android devices.

    Paying for Android vulnerabilities

    Android security expert at CloudFlare, Tim Strazzere, said the more interesting aspect of the Wikileaks release was the number of exploits the CIA purchased. Such vulnerabilities can fetch upwards of $1 million per bug, though only iOS hacks have been known to cost so much. As with Apple’s OS, the CIA ostensibly used codenames for its cyberarms dealers, including Anglerfish and Fangtooth, or just simply called them a partner.

“The bulk are bought, and bought from one source,” he said. “One could assume everyone else has also bought these.” The implication from Strazzere is that the CIA has access to the same Android attack code as other government buyers around the world.

    Reply
  19. Tomi Engdahl says:

    Zeynep Tufekci / New York Times:
    WikiLeaks’ CIA document cache, which focuses on compromising devices and not apps, underscores the strength of Signal’s and WhatsApp’s encryption

    The Truth About the WikiLeaks C.I.A. Cache
    https://www.nytimes.com/2017/03/09/opinion/the-truth-about-the-wikileaks-cia-cache.html

    On Tuesday morning, WikiLeaks released an enormous cache of documents that it claimed detailed “C.I.A. hacking tools.” Immediately afterward, it posted two startling tweets asserting that “C.I.A. hacker malware” posed a threat to journalists and others who require secure communication by infecting iPhone and Android devices and “bypassing” encrypted message apps such as Signal and WhatsApp.

    This appeared to be a bombshell. Signal is considered the gold standard for secure communication. WhatsApp has a billion users. The C.I.A., it seemed, had the capacity to conduct sweeping surveillance on what we had previously assumed were our safest and most private digital conversations.

    In their haste to post articles about the release, almost all the leading news organizations took the WikiLeaks tweets at face value.

    Yet on closer inspection, this turned out to be misleading. Neither Signal nor WhatsApp, for example, appears by name in any of the alleged C.I.A. files in the cache. (Using automated tools to search the whole database, as security researchers subsequently did, turned up no hits.) More important, the hacking methods described in the documents do not, in fact, include the ability to bypass such encrypted apps — at least not in the sense of “bypass” that had seemed so alarming. Indeed, if anything, the C.I.A. documents in the cache confirm the strength of encryption technologies.

    What had gone wrong? There were two culprits: an honest (if careless) misunderstanding about technology on the part of the press; and yet another shrewd misinformation campaign orchestrated by WikiLeaks.

    Let’s start with the technology. In the aftermath of Edward J. Snowden’s revelations about potential mass surveillance, there has been a sharp increase in the use of these “end to end” encryption apps, which render even the company that owns the app or phone essentially unable to read or hear the communications between the two “end” users.

    Given that entities like Signal and WhatsApp cannot get access to the content of these conversations, even in response to a warrant — WhatsApp keeps logs of who talked to whom, Signal doesn’t do even that — intelligence agencies have been looking to develop techniques for hacking into individual phones. That way, they could see the encrypted communications just as individual users of the apps would.

    These techniques are what the leaked cache revealed. Security experts I spoke with, however, stressed that these techniques appear to be mostly known methods — some of them learned from academic and other open conferences — and that there were no big surprises or unexpected wizardry.

    In other words, the cache reminds us that if your phone is hacked, the Signal or WhatsApp messages on it are not secure. This should not come as a surprise.

    If anything in the WikiLeaks revelations is a bombshell, it is just how strong these encrypted apps appear to be. Since it doesn’t have a means of easy mass surveillance of such apps, the C.I.A. seems to have had to turn its attention to the harder and often high-risk task of breaking into individual devices one by one.

    Which brings us to WikiLeaks’ misinformation campaign. An accurate tweet accompanying the cache would have said something like, “If the C.I.A. goes after your specific phone and hacks it, the agency can look at its content.”

    We’ve seen WikiLeaks do this before.
    Back then, too, the ruse worked: Many Western journalists had hyped these non-leaks.

    WikiLeaks seems to have a playbook for its disinformation campaigns. The first step is to dump many documents at once — rather than allowing journalists to scrutinize them and absorb their significance before publication. The second step is to sensationalize the material with misleading news releases and tweets. The third step is to sit back and watch as the news media unwittingly promotes the WikiLeaks agenda under the auspices of independent reporting.

    The media, to its credit, eventually sorts things out — as it has belatedly started to do with the supposed C.I.A. cache.

    Reply
  20. Tomi Engdahl says:

    SPOOKED OUT Five nightmare scenarios which show why Wikileaks’ surveillance revelations are so terrifying
    https://www.thesun.co.uk/news/3051521/five-nightmare-scenarios-which-show-why-wikileaks-surveillance-revelations-are-so-terrifying/

    With governments and corporations already watching you in unprecedented detail, is society sleepwalking into disaster?

    Reply
  21. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Sources: Microsoft and Google haven’t been contacted by Assange, two days after he said WikiLeaks would share details of CIA hacking tools with tech firms

    Google, Microsoft Still Waiting On Wikileaks To Deliver CIA Hacking Tools
    https://www.forbes.com/sites/thomasbrewster/2017/03/11/google-microsoft-waiting-on-wikileaks-cia-exploits/#9fab44254c99

    It’s been two days since Julian Assange promised Wikileaks would hand over more information on Central Intelligence Agency (CIA) hacker tools to tech giants. That pledge followed a leak of nearly 9,000 documents that Wikileaks claimed belonged to CIA hacking units.

    But while that altruistic move should help protect every one of their users from cyberattack, neither Google nor Microsoft had received details from Wikileaks on vulnerabilities in their software by Saturday morning, according to sources familiar with the companies’ security teams.

    Google did not offer official comment, but two sources close to the company’s security staff said there had been no contact. One said there was now concern Wikileaks had duped the public with a PR move of little to no substance, though on Thursday one external Android security expert who’d reviewed the CIA files said it appeared there were multiple vulnerabilities Google would need to address.

    “We’ve seen Julian Assange’s statement and have not yet been contacted,” a Microsoft spokesperson said in an emailed statement Friday, originally sent to press on Thursday, the same day Assange claimed Wikileaks would help provide “antidotes” for CIA exploits before publishing them. As of Saturday, Microsoft had not provided any further update, after Forbes’ enquiries. Wikileaks had not returned requests for comment.

    While the Wikileaks Vault 7 leak also affected Apple products, from iPhones to Macs, the Cupertino firm had not provided any comment at the time of publication.

    Wikileaks ‘should publish malware’

    And while there were few examples of actually usable code in the CIA Vault 7 leak, some Windows malware was uncovered by security expert Marc Maiffret, indicating Wikileaks may have mistakenly left it unredacted.

    He urged Wikileaks to publish all malware code, however, and should “help defenders and work with technology companies affected by the vulnerabilities and exploits to produce patches for customers.”

    “It is of course very time consuming and not always easy to analyze all of this technical data to figure out what parts are malware and implants vs. vulnerabilities and exploits. This is why they seemingly redacted all of that type of data in general except for this mistake here that I wrote about.”

    Reply
  22. Tomi Engdahl says:

    CIA revelations pose no danger for ordinary users

A couple of days ago Wikileaks published alleged CIA secret material, and the documents have launched a broad debate on the security of mobile phones and smart TVs.

Second Nature Security Ltd (2NS), a Finnish company that has studied web service security vulnerabilities for many years, plays down the ease of the espionage and wants to calm the publicity that has arisen around the case.

- According to the information currently available, for the CIA to install the malware on a TV a USB stick would have to be connected to the device, which therefore has to be done in person, either at the factory, in the shop or elsewhere where the television is installed, says 2NS security expert Jarmo Lahti Beach.

- In addition, regarding mobile phones it must be pointed out that, according to the documents that have become public, the CIA has not been able to break the phones’ encryption, but has had to install a separate malicious program on the phone to read the messages.

- This is actually good to know and strengthens confidence in the functioning of the Signal protocol. In addition, it has been known for years that if a terminal can be fitted with malware, it can be used to spy on the user’s device. This is not even news, Jarmo Lahti stresses.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5985&via=n&datum=2017-03-10_15:20:02&mottagare=30929

    Reply
  23. Tomi Engdahl says:

    CHIPSEC, Intel Security releases detection tool also for CIA EFI rootkits
    http://securityaffairs.co/wordpress/57085/hacking/chipsec-cia-efi-rootkits.html

After the CIA leak, Intel Security releases CHIPSEC, a detection tool for EFI rootkits that detects rogue binaries inside the computer firmware.
    A few days ago, WikiLeaks announced it is working with software makers to fix the zero-day flaws in Vault7 dump that impacted their products and services. The organization is sharing information on the hacking tools included in the Vault7 dump with them and IT vendors are already working to solve the problems.

    Reply
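The idea behind a firmware rootkit scan of the kind mentioned above is simple: hash every executable module extracted from a firmware image and report anything that is not in a known-good baseline. The following Python is an added example for this page and is not CHIPSEC's own code; the module names and the directory layout are constructed for the demonstration, and in practice the modules would come from an image dumped from the SPI flash and unpacked with a firmware parser.

```python
"""Allowlist check for firmware executables (added example, not CHIPSEC code).

Workflow: build a baseline of SHA-256 hashes from a trusted, unpacked image,
then compare a suspect image's modules against it. Anything unknown or modified
is a candidate implant and needs manual review; anything missing may indicate
a stripped or downgraded module.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large modules do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(module_dir):
    """Map relative module path -> SHA-256 for every file under module_dir."""
    baseline = {}
    for root, _dirs, files in os.walk(module_dir):
        for name in files:
            path = os.path.join(root, name)
            baseline[os.path.relpath(path, module_dir)] = sha256_file(path)
    return baseline


def check_against_baseline(module_dir, baseline):
    """Compare the modules in module_dir with a baseline from build_baseline().

    Returns sorted lists: 'unknown' (not in baseline), 'modified' (hash differs)
    and 'missing' (in baseline but absent from the suspect image).
    """
    current = build_baseline(module_dir)
    return {
        "unknown": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a clean image, then plant an extra DXE
    driver and tamper with a legitimate one in a second copy. Module contents
    are placeholders, not real EFI binaries."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as suspect:
        modules = {"DxeCore.efi": b"MZ...dxe-core", "Shell.efi": b"MZ...shell"}
        for d in (clean, suspect):
            for name, body in modules.items():
                with open(os.path.join(d, name), "wb") as f:
                    f.write(body)
        baseline = build_baseline(clean)
        # Simulated implant: a driver that was never in the baseline ...
        with open(os.path.join(suspect, "Implant.efi"), "wb") as f:
            f.write(b"MZ...not-in-baseline")
        # ... and a legitimate module with extra bytes appended.
        with open(os.path.join(suspect, "Shell.efi"), "ab") as f:
            f.write(b"\x90\x90")
        return check_against_baseline(suspect, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats matter when running something like this for real. The baseline has to come from an image you trust (vendor download or a machine known to be clean), not from the suspect host itself; and a scanner that reads flash from inside a booted OS can be lied to by a sufficiently capable firmware implant, so an offline dump with a hardware programmer is the stronger check. CHIPSEC's own UEFI whitelist module applies the same generate-then-check approach to a dumped image; see its documentation for the exact invocation.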
  24. Tomi Engdahl says:

    Kim Zetter / The Intercept:
    RAND study: 200 privately discovered zero-day flaws lasted an average of 6.9 years before public disclosure

    Malware Attacks Used by the U.S. Government Retain Potency for Many Years, New Evidence Indicates
    https://theintercept.com/2017/03/10/government-zero-days-7-years/

    A new report from Rand Corp. may help shed light on the government’s arsenal of malicious software, including the size of its stockpile of so-called “zero days” — hacks that hit undisclosed vulnerabilities in computers, smartphones, and other digital devices.

    The report also provides evidence that such vulnerabilities are long lasting. The findings are of particular interest because not much is known about the U.S. government’s controversial use of zero days. Officials have long refused to say how many such attacks are in the government’s arsenal or how long it uses them before disclosing information about the vulnerabilities they exploit so software vendors can patch the holes.

    Rand’s report is based on unprecedented access to a database of zero days from a company that sells them to governments and other customers on the “gray market.” The collection contains about 200 entries — about the same number of zero days some experts believe the government to have. Rand found that the exploits had an average lifespan of 6.9 years before the vulnerability each targeted was disclosed to the software maker to be fixed, or before the vendor made upgrades to the code that unwittingly eliminated the security hole.

    Some of the exploits survived even longer than this. About 25 percent had a lifespan of a decade or longer. But another 25 percent survived less than 18 months before they were patched or rendered obsolete through software upgrades.

    “The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities — in particular the ones that exploits are created for [in the gray market] — are likely old,”

    Reply
  25. Tomi Engdahl says:

    The Most Striking Thing About the WikiLeaks CIA Data Dump Is How Little Most People Cared
    https://politics.slashdot.org/story/17/03/13/1840200/the-most-striking-thing-about-the-wikileaks-cia-data-dump-is-how-little-most-people-cared

    Last week, WikiLeaks released a trove of web pages describing sophisticated software tools and techniques used by the C.I.A to break into smartphones, computers, and IoT devices including smart TVs. Despite the initial media coverage, it appears normal people don’t really care much about it, reports Quartz.

    “There’s also one other big difference between now and 2013. Snowden’s NSA revelations sent shockwaves around the world. Despite WikiLeaks’ best efforts at theatrics — distributing an encrypted folder and tweeting the password “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds” — the Vault 7 leak has elicited little more than a shrug from the media and the public,”

    The most striking thing about the WikiLeaks CIA data dump is how little most people cared
    https://qz.com/930512/the-most-striking-thing-about-the-wikileaks-cia-data-dump-is-how-little-most-people-cared/

    Reply
  26. Tomi Engdahl says:

    WikiLeaks will give tech giants CIA zero-day exploits after they meet mystery demands
    https://techcrunch.com/2017/03/17/wikileaks-tech-companies-demands/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    Now, a week has passed since Assange said he would disclose information about those vulnerabilities to the companies affected — standard practice for the discovery of zero day exploits that could threaten security for millions of users.

    As Motherboard reports, Wikileaks made contact with the tech companies this week, but it hasn’t provided any of the relevant data. Instead, it sent over a contract with a set of conditions that must be met first

    While there’s an argument for the CIA protecting its secrets, with the exploits out in the wild now, they’re of little use to anyone who doesn’t have criminal motivations. WikiLeaks has also faced criticism for how it presented the set of leaks, which it framed in sensational language in spite of the fact that the documents revealed little that was new.

    Reply
  27. Tomi Engdahl says:

    Disable TELNET! Cisco finds 0-Day in CIA Dump affecting over 300 Network Switch Models
    http://thehackernews.com/2017/03/cisco-network-switch-exploit.html?m=1

    Reply
  28. Tomi Engdahl says:

    What Businesses Can Learn From the CIA Data Breach
    http://www.darkreading.com/attacks-breaches/what-businesses-can-learn-from-the-cia-data-breach/d/d-id/1328413

    Insiders Are Hard to Catch
    Don’t Get Too Fixated on the Zero-Days
    Pay Attention to Those IoT Devices
    Vulnerability Stockpiles Merit Another Look

    So the best approach is to disclose and patch zero-days as they are found. “Practically speaking, responsible disclosure is the only way to keep Americans secure,”

    Reply
  29. Tomi Engdahl says:

    Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files
    http://www.zdnet.com/article/cisco-warns-of-critical-security-flaw-found-buried-in-wikileaks-vault-7-disclosure/

    The flaw was found by Cisco security researchers, despite WikiLeaks’ claiming that the CIA hacking unit disclosures did not contain working vulnerabilities.

Cisco is warning that the software used in hundreds of its products is vulnerable to a “critical”-rated security flaw, which can be easily and remotely exploited with a simple command.

    The vulnerability can allow an attacker to remotely gain access and take over an affected device.

    More than 300 switches are affected by the vulnerability, Cisco said in an advisory.

    An attacker can exploit the vulnerability by sending a malformed protocol-specific Telnet command while establishing a connection to the affected device, because of a flaw in how the protocol fails to properly process some commands.

    The security flaw was discovered by the company’s own security researchers in WikiLeaks’ most recent disclosure of classified information, released last week.

    The whistleblowing site, however, said that it had carried out thousands of redactions in order to prevent the “accidental” release of exploit code found in the files, but it came under fire for missing some sensitive information, including names, email addresses, and external IP addresses of targets.

    WikiLeaks previously came under fire for inadvertently releasing malware as part of its disclosures.

    In a brief statement, WikiLeaks said the vulnerability, kept secret by the CIA, left “vast swathes of internet infrastructure vulnerable to cyber attacks,” which it called “a clear violation of the Obama administration’s 2014 commitment to not hoard pervasive vulnerabilities.”

    Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

    Reply
  30. Tomi Engdahl says:

    Cisco Patches Serious DoS Flaws in IOS
    http://www.securityweek.com/cisco-patches-serious-dos-flaws-ios

    Cisco has released updates for its IOS and IOS XE software to address a couple of high severity flaws that can be exploited to cause a denial-of-service (DoS) condition on vulnerable devices.

    The security holes were disclosed on Monday by Omar Eissa, a researcher at Germany-based security firm ERNW, at the TROOPERS conference in a talk focusing on Cisco’s Autonomic Networking Infrastructure (ANI). The ANI vulnerabilities found by Eissa allow unauthenticated attackers to cause affected devices to reload.

    One of the flaws, identified as CVE-2017-3850, can be exploited by a remote attacker simply by knowing the targeted Cisco device’s IPv6 address. The weakness can be exploited by sending a specially crafted IPv6 packet to an appliance, but the attack only works if the device runs a version of IOS that supports ANI and its IPv6 interface is reachable.

    The second vulnerability, CVE-2017-3849, can be exploited if the targeted device is running an IOS release that supports ANI, it’s configured as an autonomic registrar, and it has a whitelist configured.

    Cisco has published indicators of compromise (IoC) and the company’s IOS Software Checker can be used by customers to determine if their IOS and IOS XE software is vulnerable to such attacks. The networking giant has found no evidence of exploitation in the wild.

    Reply
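Both Cisco advisories quoted in the two comments above come down to a configuration check an operator can automate: whether vty lines still accept Telnet (the attack surface for the CMP Telnet-option bug in cisco-sa-20170317-cmp) and whether Autonomic Networking is enabled (the precondition for the ANI reload bugs CVE-2017-3850 and CVE-2017-3849). The following Python lints a saved `show running-config` for both. It is an added example for this page, not Cisco's tooling; it assumes ANI appears as a global `autonomic` line, and it reports a vty block with no `transport input` line as unspecified because the default differs between releases. The sample config is constructed.

```python
"""Lint a Cisco IOS running-config for Telnet on vty lines and for ANI.

Added example, not Cisco code. Assumptions: ANI is enabled by a global
'autonomic' line; a vty stanza without 'transport input' is flagged as
unspecified rather than assumed safe, because the platform default varies.
"""


def parse_line_blocks(config_text):
    """Return [(header, [body lines])] for each top-level 'line ...' stanza.

    IOS indents stanza contents by one space; a non-indented line ends the
    current stanza. Comment lines ('!') and blank lines are ignored.
    """
    blocks = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = None
            if raw.startswith("line "):
                current = (raw.strip(), [])
                blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def lint_ios_config(config_text):
    """Return a list of (kind, location, message) findings."""
    findings = []

    # ANI: the reload bugs require ANI to be running, so an enabled feature
    # that is not actually used is pure attack surface.
    for raw in config_text.splitlines():
        if raw.strip() == "autonomic":
            findings.append(("ANI", "global",
                             "autonomic networking enabled; use 'no autonomic' "
                             "unless it is required"))

    # Telnet: the CMP bug is reached through Telnet option negotiation, so the
    # fix short of patching is to stop accepting Telnet at all.
    for header, body in parse_line_blocks(config_text):
        if not header.startswith("line vty"):
            continue
        transports = [line for line in body if line.startswith("transport input")]
        if not transports:
            findings.append(("TELNET", header,
                             "no 'transport input' set; release default may "
                             "allow telnet, set 'transport input ssh'"))
            continue
        for t in transports:
            protos = t.split()[2:]
            if "telnet" in protos or "all" in protos:
                findings.append(("TELNET", header,
                                 f"'{t}' accepts Telnet; change to "
                                 "'transport input ssh'"))
    return findings


# Constructed sample: ANI on, one vty range still allowing Telnet, one SSH-only.
SAMPLE_CONFIG = """\
!
hostname edge-sw1
!
autonomic
!
line con 0
 logging synchronous
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for kind, where, msg in lint_ios_config(SAMPLE_CONFIG):
        print(f"[{kind}] {where}: {msg}")
```

Before switching a vty range to `transport input ssh`, make sure SSH actually works on the box (an RSA key pair generated and `ip ssh` reachable from your management network), otherwise the change locks you out of the device you are hardening. An `access-class` ACL on the vty lines narrows who can start the Telnet negotiation in the meantime, but it is a stopgap; the fixed release plus SSH-only access is the real remediation.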
  31. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    WikiLeaks releases mostly decade-old documents detailing CIA techniques for compromising Macs and iOS devices using EFI, UEFI, and firmware malware

    WikiLeaks’ New Dump Shows How The CIA Allegedly Hacked Macs and iPhones Almost a Decade Ago
    https://motherboard.vice.com/en_us/article/wikileaks-new-dump-shows-how-cia-allegedly-hacked-macs-and-iphones-almost-a-decade-ago

    The new documents show how the CIA was ahead of the curve in attacking Apple computers.

    Earlier this month, when WikiLeaks dumped a cache of hundreds of secret documents allegedly detailing the CIA’s hacking operations, Julian Assange promised that was just “less than 1%” of what the secret-spilling had in its hands. On Thursday, WikiLeaks released a new cache of twelve documents, mostly detailing how the CIA allegedly hacked Apple computers and cellphones around a decade ago.

    “These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware,” WikiLeaks stated in a press release.

    Reply
