Report Says CIA's Hacking Unit -- Home To The Vault 7 Exploits -- Deployed Almost No Internal Security Measures
from the no-one-would-dare-cross-the-CIA...-would-they? dept
More details about the leak of CIA hacking tools are coming to light. And they're not making the CIA look any more deserving of its "Intelligence" middle name.
The "Vault 7" leak detailed the CIA's exploits -- ones targeting cellphones and a variety of smart devices. Encryption still works, but only on a device that remains uncompromised: an implant running on the endpoint reads messages before they are encrypted or after they are decrypted, something end-to-end encryption was never designed to defend against. Once the device itself has been exploited, encryption won't stop agencies like the CIA from intercepting communications or inserting themselves into private conversations.
The prosecution of the accused Vault 7 leaker has been a nightmare of its own, with the government having difficulty pressing its case even as it uncovers evidence the leaker continued to leak sensitive information after being incarcerated.
The latest report, by Ellen Nakashima and Shane Harris of the Washington Post, shows the CIA was far more interested in developing tech weapons than in ensuring its hoard of exploits remained in its possession.
The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director.
[...]
The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were “woefully lax” within the special unit that designed and built the tools, the report said.
Information wants to be leaked, apparently. Maybe not innately, but when the culture says the best defense is a good offense, chances are sensitive tools and tech are going to go wandering off.
The CIA knows how exploitable pretty much everything is. That it deployed nearly no security measures to ensure its exploit stash remained on the premises is an indictment of every bureaucracy that thinks merely being a big government agency will deter people -- both on the inside and outside -- from screwing with it. According to this report, the CIA didn't even employ bush-league, mom-and-pop-store-level security measures: no compartmentalization of the exploit code, no prohibition on sharing administrator-level passwords, and no controls on the use of removable media. Those are baseline controls -- least privilege, individually accountable admin accounts, USB device restrictions -- that small shops manage to implement. Nor was the network monitored, which is why the CIA still cannot determine the size of the breach or enumerate what was actually taken.
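As an added example (not from the Techdirt post, the Washington Post story or the task-force report), here is what the two cheapest of those missing controls, monitoring of the network and a ban on shared administrator passwords, look like as detection logic over audit records. The record format, field names, account and host names, the device label and the sample events are all constructed for illustration; real Windows Security or auditd logs would need a small adapter in front of these functions. The point is the last sentence above: with records like these kept and reviewed, scoping a breach is a query over what was copied where; without them it is guesswork.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records for illustration only (hypothetical hosts,
# accounts and device; no real data). One admin account is used from three
# workstations in a few minutes, and one user copies ~3.4 GB to a USB stick.
SAMPLE_EVENTS = [
    {"ts": "2016-03-01T09:00:00", "type": "logon", "user": "devnet-admin", "host": "ws-07"},
    {"ts": "2016-03-01T09:02:00", "type": "logon", "user": "devnet-admin", "host": "ws-12"},
    {"ts": "2016-03-01T09:03:00", "type": "logon", "user": "devnet-admin", "host": "ws-19"},
    {"ts": "2016-03-01T10:15:00", "type": "logon", "user": "jdoe", "host": "ws-07"},
    {"ts": "2016-03-01T10:20:00", "type": "usb_mount", "user": "jdoe", "host": "ws-07",
     "device": "SanDisk Cruzer"},
    {"ts": "2016-03-01T10:21:00", "type": "file_copy", "user": "jdoe", "host": "ws-07",
     "dest_removable": True, "bytes": 3_400_000_000},
    {"ts": "2016-03-01T10:30:00", "type": "file_copy", "user": "asmith", "host": "ws-12",
     "dest_removable": False, "bytes": 900_000_000},
]


def _ts(record):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(record["ts"])


def shared_admin_logons(events, window=timedelta(minutes=30), admin_marker="admin"):
    """Flag privileged accounts that log on from more than one host within `window`.

    A shared administrator password shows up in the logs as one account
    appearing on several workstations in quick succession, which a single
    person rarely does. Returns {account: sorted hosts} for each account that
    trips the rule. `admin_marker` is a naming-convention assumption.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] == "logon" and admin_marker in e["user"].lower():
            by_account[e["user"]].append((_ts(e), e["host"]))

    flagged = {}
    for account, logons in by_account.items():
        # Slide a window forward over the time-ordered logons; the first
        # window containing two distinct hosts is enough to flag the account.
        for i, (t0, _host) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) > 1:
                flagged[account] = sorted(hosts)
                break
    return flagged


def removable_media_copies(events, min_bytes=100_000_000):
    """Pair removable-media mounts with later large copies to removable media.

    Tracks the most recent mount per (user, host) and reports any later
    file_copy by the same user on the same host whose destination is
    removable and whose size is at least `min_bytes`. Returns a list of
    (user, host, device, bytes) tuples; this is the record an investigator
    needs to enumerate what left the building.
    """
    mounted = {}  # (user, host) -> device label of the most recent mount
    hits = []
    for e in sorted(events, key=_ts):
        key = (e["user"], e["host"])
        if e["type"] == "usb_mount":
            mounted[key] = e["device"]
        elif (e["type"] == "file_copy" and key in mounted
              and e.get("dest_removable") and e["bytes"] >= min_bytes):
            hits.append((e["user"], e["host"], mounted[key], e["bytes"]))
    return hits


if __name__ == "__main__":
    print("shared admin accounts:", shared_admin_logons(SAMPLE_EVENTS))
    print("large copies to removable media:", removable_media_copies(SAMPLE_EVENTS))
```

Neither rule is clever, and that is the point: each is a few lines over data any enterprise logging pipeline already collects. Blocking removable media outright or issuing per-person admin accounts is cheaper still; the detections are what you run when the preventive control is missing, which is the situation the report describes.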
Maintenance of this network was outsourced, which apparently contributed to the problem. The job was too important to be left undone, but the CIA apparently didn't consider it important enough to handle itself, so it handed it to someone else, resulting in this:
The computer network was maintained by contractors, the former official added. “There was a misunderstanding between the people who ran the unit and people who ran and maintained the network.”
Give an agency more money than oversight and it can perform any task poorly. Exploits are truly useful but they're only useful if they remain undisclosed and unpatched. Treating security cavalierly has paid off about as well as anyone outside the agency would have imagined. The tools were leaked. Only after that did anyone decide to check the latches on the Vault's doors. Proactive is better than reactive, as any intel operative should know. While this may be a great way to inadvertently comply with the Vulnerability Equities Process, it's no way to run an intel agency's tech black ops program.
Filed Under: cia, hacking tools, security, vault 7, vault7
Reader Comments
They had an Air Force psychologist with no cybersecurity experience in charge of cybersecurity. He's presently waterboarding the servers while CIA leadership calls and hangs up on the FBI over and over.
Re:
We're getting reports that Dick Cheney is certain this method is working, while Donald Trump has weighed in to assert that there are "very fine comploo, clo, complooters, machines on both sides."
When you are pretty sure you bought all of the exploits, so no one should be able to break into our stuff.
Bad concept.
We created the best progs to get into anything, why secure our own systems, if it won't help.
Designing security to defend against ourselves means someone will find a way to defeat our progs.
Protecting our systems from our progs means someone will figure out how we did it and protect themselves.
Since the USA has privacy laws that we can't go against, WHO can we give these to? Who can sit outside the USA and do the things WE WANT TO DO?
Age old problem. 1/2 hardware problem, and 1/2 software. Which is easiest to break into? Such as using a flash drive to boot a system and NOT let the hard drive boot, so that you can scan and fix a failure or scan everything on that drive. Linux has been ahead on a lot of things because everyone can improve the software and make things better and better, in steps, where MS thinks everyone is a bit stupid and can't tell the difference.
Hardware can only do what it's programmed to do. And if you confuse it or use it against the system, the system has to stop. If long ago a certain little thing was added to the hardware, it would not be easy to find. All it would take is an exit from the programming on the chip that would LET an invading software control what was to be done, rather than let the internal hardware do it (a bit simplified). Instead of failing a check on commands sent and stopping processing, it would exit and give control to the software trying to be used. Shouldn't be too hard. Esp. when most CPUs now have integrated most of the hardware controls. The chips are almost fully 'all in one' devices. There are so many protocols embedded in them that taking advantage of the confusion in the chip can be fairly easy, as the chip has to figure out what you want, and decides wrongly/rightly.
I love the idea that someone or some group thinks they are the only ones to be able to do something. And then you look at the net and all the software that can DO the same thing, and it's free or cheaper.
Damn... too bad they didn't have something like strong encryption to protect the data instead of relying on the CFAA to make it illegal to hack them.
/sarcasm
Re:
or create a secondary server to verify the connection to the correct person/company... one that IF hacked would lead nowhere or into a honey pot. Kinda simple really.
Never a direct connection to the main, until verified.
Then monitor what is done by that person and PRINT IT OUT.
And if they hang around for a long period, THE sysop should verify them AGAIN.
No reason Sony should lose 18 terabytes of data because of a HACKER.
'Are they attacking us? No? Then why would we care?'
Potentially worse than arrogance is indifference, as I could easily see them not bothering with security simply because they don't care if the exploits are leaked/'borrowed', as it's unlikely that the exploits will be used against them.
CIA's Hacking Unit
Far too many people have acquired their weapons and intelligence training from Hollywood, but the real world does not work that way.
Anyone with vetted access and doing active work with, let's say non-standard software, is and has to be capable of walking out of the facility with that software. That's the purpose of vetting, these are trusted people working with sensitive access content.
You can't run best practice malware scanners on a system full of, and actively creating malware. You have to be able to extract the tools for testing on example target machines.
It's not Hollywood, there are no body scanners or magic detectors. The normal work process must allow for developers to off load the tools for testing. At that point, it's entirely possible for a vetted person to walk out with tools. In fact, many test procedures require walking out with tools in order to test them in a realistic environment.
It's not a technical protection failure, it's a personnel failure. By definition, authorized people are authorized and no amount of rules can account for that and still be functional.
Re: CIA's Hacking Unit
Are you trying to tell us that Hollywood epitomizes a better security regime than is actually in practice? If they want to test their new toys, I am sure they could get access to a separate IP address or VPN or proxy server from which to launch their test attacks.
It goes along the lines of that truism. If you want to keep something secret, tell one person, if you must. There is no second option.
If they actually wanted to keep the stuff in their possession, and their possession only, then they should not let it out of the building, at least until they use it, and that should be done under very controlled circumstances. At least as controlled as the best controlled networks allow these days.
Trusting people, you make me laugh.
Re: Re: CIA's Hacking Unit
"Are you trying to tell us that Hollywood epitomizes a better security regime than is actually in practice?"
Well, he's right. Some of it might be from Hollywood usually employing theoretical utopias of security backed in no small measure by what appears to be actual magic.
And although he's a bit off when it comes to personnel being able to walk out while carrying advanced malware constructs on USB sticks his theory still applies. The people employed must at least be able to walk out of the building and an actual invasive body search is probably not required to get in or out for even the harshest secure sites.
Similarly just having access to upload or download data from a network which isn't airgapped means the ability to upload the malware to a folder accessible from elsewhere does exist.
So in the end it all boils down to having to trust people which is why every candidate for intelligence employment is so carefully vetted for patriotic values and behaviors.
(Which backfired, of course, when Snowden saw what was being done and felt he was obligated to blow the whistle over the various forms of mass surveillance he felt were unconstitutional. They should have changed their vetting program to include "Do you actually give a shit about the nation and constitution?" and only hired those saying "hell no".)
Re: Re: CIA's Hacking Unit
I was trying to tell you that Hollywood is fictional and unrealistic, but your take away was Hollywood does it better?
Re: CIA's Hacking Unit
There is a difference between a malicious authorized user and a complete lack of security.
There is no excuse for this level of apathy, especially for the CIA.
This level of apathy.
CIA just hasn't been itself since the cold war ended.
Wasn't there one of those Russian GRU hackers who had poor infosec also? His password was something like his name and birthday? Seems like all the people who are supposed to know better don't actually use good security.
Define irony.
I'm pretty sure this is on brand for the US
Are there any government servers that are properly secured? I mean we pretty much assume Russia and China have access to the big NSA internet-traffic database in Utah because it's that easy to hack.
As are your FBI files.
As are all our space program stuff.
Maybe the air force keeps Area 51 stuff off the servers, but then again maybe not.
None of this is news here on Techdirt.
Almost correct
None of this is news here on Techdirt.
Which itself is part of the problem. 'Government agencies involved in sensitive stuff display stunning lack of concern over security' should be news, huge news, due to its rarity and the concern shown by all when discovered. As it is though, it's just another Tuesday, as those paying attention aren't surprised in the least.
For the argument against backdooring encryption, see vault 7
Considering that both the CIA and worse, the bloody NSA have proven highly fallible against persistent crackers...what does this tell us about Bill Barr's persistence to have smartphone OEMs backdoor their encryption and hand government the magic key unlocking every phone?
I keep coming back to that. The Wcry trojan was bad enough but was, after all, "only" what criminals used the exploit and leaked malware for.
Once Barr gets his way and every smartphone in the US is suddenly wide open to China, Russia, North Korea, and every major organized crime ring in the G20, how does he think he'll un-open that can of worms?
'Not like they're peeking into my device, I have encryption.'
Once Barr gets his way and every smartphone in the US is suddenly wide open to China, Russia, North Korea, and every major organized crime ring in the G20, how does he think he'll un-open that can of worms?
What makes you think he would care? I imagine so long as he can snoop through devices on a whim he might throw out some empty 'how dare those criminals break into american devices, no idea how that happened' press releases but otherwise it would likely be seen as a price he's willing to have the public pay.
Not EVERY smartphone
US businesses have demonstrated that given the choice between actually doing business and staying competitive, and staying within the confines of the law, they'll do the former.
Secure encryption for devices and computer systems is readily available, and will stay current through foreign markets and open source communities. They'll be less convenient to use.
We also have steganography and multiple-account encryption, which means it's possible to circumvent a courtroom command to unlock a device, and evidence you unlocked it wrong would be difficult to prove.
Most of the public won't care until Chinese advertisers have hacked their phones into a portable barking adbox. But those who are determined to do business, for good or ill, will continue to do so. And those who have secrets to hide, whether perverse, anarchist or industrial, will turn to legitimate offerings already available.
Such perverts and anarchists will also become much more immensely useful to the rest of us.
Re: For the argument against backdooring encryption, see vault 7
I, for one, am teaching the Chinese what a distraction your commentary actually is, and how to spot others like you.
And, sending "them", whoever "they" are, to your doorstep.
Well of course not. Nobody would DARE to hack the CIA!
Re:
Right.
And your credentials are so, um, non-existent.
Thanks for playing!
(Send him to the circular file)
re: FREE CHILD PORN!
Tim, the real exploit is the human being sitting at a computer screen. In agency jargon, they are an “asset,” which is both disposable, and actionable/actuated.
Hack that asset (Schulte, and his Libertarian stance) and you own one of the most glorious "potential” machines of all technology. “It” will do what you tell “it” to do, provided it can be compromised via undue processes of agency.
Manufactured terrorists? A windfall of security state advertising for products like Carbyne911 augmented by EVEN MORE, NEW IMPROVED! Palantir.
Stop making Schulte out to be a bad guy, because your CIA/Mossad/Squad 8200 handlers insist that he is wrecking their world wide child pornography compromise operations.
The leak was a good and necessary thing, ESPECIALLY BECAUSE
“ the government (IS) having difficulty pressing its case”
What case? That CIA handles/frames its freethinkers as if they are perverts and con men because they are atheist/unbiased/irreligious/non-conformed?
That's the real news, buddy.
FREE CHILD PORN! from the FBI
You inadvertently raise a valid point. The FBI keeps a database of every digital piece of child porn it encounters as part of its efforts to trace pictures to subjects and photographers. And it raises the question if that database is as securely locked away as all of our other government department assets.
Not that I think people should be consuming child porn (of real children) or those children should be subject to abuse, but the FBI's betrayal of its own mission (across multiple campaigns) warrants embarrassment and scorn.
Re: FREE CHILD PORN! from the FBI
Also, Uriel, why did you respond here at this post (which doesn't matter) rather than here, where I specifically called you out, and asked for your response?
https://www.techdirt.com/articles/20200616/10401844725/minneapolis-city-council-votes-unanimously-to-disband-police-department.shtml?threaded=true#c1008
Yeah. I admit it: I started this “George Floyd” fire.
These other things are just sparks.
Called me out.
Oh, did you call me out?
Okay. I give up. You win. Enjoy your victory.
Re: FREE CHILD PORN! from the FBI
I forgot to address your contention:
re: if that database is as securely locked away as all of our other government department assets
Yeah, it's locked away in Mormon Utah (and secondarily, Israel), whose founding patriarchs are in the record AS pedophiles.
See how ”all roads lead to Rome/Israel/ Zion"?
Stop me when you start seeing “patterns”.
Seeing patterns in unrelated datasets indicates mental illness, lol.
Uriel, you constantly surprise me with your analysis.
But few things that I do are "inadvertent." Google "George Floyd and Gandhi Mahal" for one recent example of my calculated, time aware, "premeditation."
re: the FBI's betrayal
Yeah, that.
Over, and over again, as FBI heads, like James Comey and others work with zionist “security contractors" from Israel to distribute child porn (and my opinion is very clear: fewer kids die from weird contact with weird adults, than who die from depleted uranium, or US sponsored bomb droppings; or, the many sordid stories from CPS and the foster care/ Big Pharma industry beneficiaries, for that matter, the latter overseen by police and military affiliated pedophile whackjobs)
See what happens when you stack the Supreme Court with only Jews and Catholics?
"Rome, again.”
Hey, look at us, stopping the bad guys from raping children! Whatever would you do without US!?
(Note to self: without them involved, no child actually gets raped, or exploited as a resource, because its they who hold that power, and they who begin that leveraging discussion in the first place.)
(Note to them, whoever "they” are: stop exploiting children as leverage against their parents choices to adhere/not adhere to your child-rape based society.)