Can we just assume at this point that there is no such thing as confidential or secret data? I mean, if it hasn’t been compromised and exposed yet, it seems like it’s only a matter of time and opportunity. The CIA is supposed to be one of the best intelligence agencies in the world, and experts in covert operations, yet WikiLeaks just unleashed thousands of pages of documents code-named “Vault 7” that it claims expose hacking tools and practices used by the CIA.
I spoke with a number of security experts, and the general consensus seems to be there isn’t anything mind blowing in the leaked data so far, and individuals can still protect themselves and their data from casual hacking and exposure using basic security and privacy best practices. In the end, though, the CIA was apparently hacked, so what are the odds you can prevent a hacker from getting into your PC or mobile device?
WikiLeaks is at it again. The website unleashed thousands of documents today that it claims are from the CIA’s deep arsenal of hacking tools and practices. According to WikiLeaks, it is the largest ever publication of confidential documents on the agency.
The website has dubbed the massive set of leaked documents “Vault 7”. WikiLeaks says that there are several hundred million lines of code among the data. If the information is a legitimate compromise of confidential data from the CIA, it could mean that much or all of the hacking tools and capabilities of the CIA are now available to the general public.
On the one hand, it’s always bad when confidential data is leaked. We can debate whether or not certain information should be classified, but information that is classified should only be available to authorized individuals, and those authorized individuals should have the integrity to safeguard that information. On the other hand, it seems like much of the data released by WikiLeaks is sort of old news, or not really a surprise.
I reached out to get feedback from security experts.
Assuming it’s legitimate, the Vault 7 dump from WikiLeaks demonstrates the conflicting challenges faced by developers in the security community. “On one hand, this has scary implications for individual privacy rights and shows how extensively some of the systems can be hacked. On the other hand, it demonstrates how hard it is to manage security for insider risk and cloud workloads today for organizations,” says Vikram Kapoor, co-founder and Chief Technology Officer of Lacework.
There’s a lot of data, and it was all just released today, so a thorough analysis will take some time. Jim Walter, a Senior Researcher with Cylance, explained that early research indicates that efficiency is a top priority. “There are clear instances where the owner of this code is inspired by (and sometimes borrowing directly from) well-known malware. Familiar names like HiKit, Shamoon, and Nuclear EP appear multiple times, so it is interesting to see what threats the owner is taking cues from. Beyond that we have a great deal of analysis to do when it comes to putting this dataset into context with previous dumps pertaining to government techniques, tactics, and procedures.”
Andrew McDonnell, President at AsTech, suggests that while it’s concerning for confidential data to be leaked, the details here do not appear to be groundbreaking. “Many of the vulnerabilities cited in this tool set are well-known. ‘Smart’ TVs, old Android phones (like the President’s), unpatched routers, and a host of other devices have known vulnerabilities that are not exclusive to the CIA. These implementations may have been exclusive, but that doesn’t mean only the CIA had exploits. If genuine, there are likely some proprietary vulnerabilities or zero-days in there. Ultimately, secret backdoors in software–whether intentional or based on an exploit–make everyone less safe: there’s no way to control who uses them.”
Slawek Ligier, VP of Security Engineering for Barracuda, stressed, “The types of capabilities described in the WikiLeaks are not new and many of the exploits were demonstrated as technically possible for a while now. There is a reason that the President of the United States is asked to carry the phone with most features we all take for granted disabled – no camera, microphone, or even a browser. While there is no way to 100 percent assure that our devices are not turned into little spies, there are things that we as a society should collectively do to make it more difficult.”
Read the full story at Forbes: Security Experts Weigh In On WikiLeaks ‘Vault 7’ Dump.