CIA's internal hacking tools rival those of the NSA

Debate and discourse around WikiLeaks’ announcement about a series of leaks from the CIA continue unabated. Codenamed "Vault 7," WikiLeaks claims this is the largest classified information leak to have come from the CIA to date. Added to that, only one percent of documents have been made public so far.

From the leaked documents it’s become clear that the CIA has created its own internal hacking capabilities to rival that of the NSA. It may be more tactical than strategic -- but with exploit sets including Android, IoS, Samsung TVs, Linux, Mac, zero day attacks and more, it could certainly give the NSA a run for its money.

What’s particularly interesting is the sheer enormity of the resources invested by the CIA. WikiLeaks reports:

"By the end of 2016, the CIA's hacking division [...] had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other 'weaponized' malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its 'own NSA' with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified."

What’s the target?

The answer is simple -- pretty much everything that connects to the Internet. Of all the tools uncovered by WikiLeaks, Fine Dining is the one that’s grabbed my attention. The name sounds like a tasty supper, but it isn’t; in fact, it’s rather more sinister than that. It aims to provide CIA field agents who already have insider access to a target organization with hacked versions of well-known apps that they can run as a decoy, to act as a cover for data-sniffing tools that run in the background at the same time. Why is this important? Because it shows that the agency is capable of breaking into a range of devices including smartphones, TVs and chat apps and tampering with their security libraries to bypass the encryption.

Surely this makes us more secure, not less?

Not really... it simply means the attack surface from compromised phones and systems has increased exponentially -- not only the CIA but also cybercriminals and other motivated entities. I readily accept that an intelligence agency is gathering intel -- and kudos to them for working to catch up with the times and investing in the right areas. What is concerning is that these toolsets are proliferating, increasingly used by governments to monitor citizens, and that more aggressive and invasive variations will result from either a release of the sources or even from clues in these documents.

The average user has no way to know if they're compromised, and even sophisticated users need to expend some effort to know. More technical details may come, but, for now, how do you know if the CIA is watching you? You don't. And to be fair it is not only the CIA you need to be worried about. All major world governments are after the bad guys for obvious reasons and their citizens for not so obvious reasons.

The silver lining?

The fact that Julian Assange has publicly stated that Wikileaks will share exploit details with the impacted vendors is a positive step (even though he has since issued demands to be met first). However, in a recent Twitter tweet survey 57 percent of the participants (out of about 52.5 thousand participants) agreed that Wikileaks should work directly with the tech vendors. The gist of Wikileaks’ conditions, while unclear, point to their desire to secure a 90-day deadline for vulnerability disclosure and patching.

However, whatever the reason is behind Mr Assange’s demands, this prolongs the existence of unaddressed security issues that expose both businesses and individuals. If the goal is to ensure resolution of the issues found in the leaked documents, it might be better to go public with his demands and pressure the vendors that way.

What’s the impact?

On the public policy front, this Wikileak points to the increasing erosion of public safety. Despite having these tools at hand, world governments (US, UK, Germany) continue to push for encryption back doors. Equation Group’s leak (NSA) late 2016 and this latest CIA leak once again prove all organizations have their OpSec issues. Backdoors, once discovered, work just as well for foreign spies, cyber-criminals and script kiddies.

Vigilance remains the default position

Today’s reality is that we are being hacked and are subject to surveillance by legitimate and illegitimate entities. Their tool sets are improving, and policy makers are doing little to provide protection. We can’t control most external factors, but we can mature our security awareness. For example, on the business side the traditional program content could be extended to cover employees’ personal technology decisions. Ultimately all users should be aware of some security awareness basis:

• Be selective on who you share your data with
• Read the user agreement, understand the terms and conditions
• Understand how the latest technology you purchased or the hippest cloud vendor you signed up with protects your privacy
• Vote with your dollars, buy from vendors with good security, who uphold privacy rights
• Practice good security hygiene -- use different passwords for different accounts, use an encrypted password manager, avoid public Wi-Fi and be suspicious of all email.

Finally, for all of us, this means a little paranoia goes a long way... people with situational awareness improve a company’s security baseline and protect their personal privacy, implicitly decreasing the attack surface with better security decisions --- overall it is a win-win situation, for individuals and the companies they support.

In short, whoever you are, at least put up a little fight before you become a statistic.

Efe Orhun, CISSP, managing partner of Derivative Technology.

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.