Elite CIA Unit That Developed Hacking Tools Failed To Secure Its Own Systems, Allowing Massive Leak, an Internal Report Found (washingtonpost.com)

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency's elite computer hackers "prioritized building cyber weapons at the expense of securing their own systems," according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director. From a report: The breach -- allegedly by a CIA employee -- was discovered a year after it happened, when the information was published by WikiLeaks, in March 2017. The anti-secrecy group dubbed the release "Vault 7," and U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA's history, causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency's techniques. The October 2017 report by the CIA's WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were "woefully lax" within the special unit that designed and built the tools, the report said.
  • by Anonymous Coward
    I need to take a massive leak. Will comment later.
  • by UnknowingFool ( 672806 ) on Tuesday June 16, 2020 @12:07PM (#60189356)
    At the core of the argument of mandating government backdoors into encryption is the premise that somehow the government can keep such backdoors secure. This and the Juniper networks breach shows that secret programs by secret agencies have been breached.
  • not locking its own door. Human stupidity is an unplumbed depth.

    • Everyone was too cool breaking stuff to do the mundane work to actually secure stuff.
    • by PPH ( 736903 )

      You have to trust your employees to a certain extent. Sure, you can lock things down to a certain extent. But that can be circumvented by highly motivated people. So you watch people with security clearances. So the GS-6 with a summer house, yacht and Ferrari will stand out. But there's only so much you can do with ideologues. What you can do is to sniff out people susceptible to various dogmas without question. But also keep in mind that even members of the general public have some level of moral code. And

      • by sjames ( 1099 )

        And then someone comes along with no outside influences or pressures and absolute uncorruptible loyalty, but he's a klutz so he misplaces a USB key with the super secret data on a commuter train and doesn't even realize it....

        Carefully vetting people for security clearance only protects from them deliberately leaking.

        • by PPH ( 736903 )

          Misplaces a USB key on a commuter train? So many things went wrong to get to this point I almost don't know where to start.

          Putting classified information onto a USB key. Having an IT system that even allows USB keys to be plugged in and loaded. No procedures for couriering classified data between sites. No logging departure/arrival of data at source/destination. And in some cases, no second person assigned to travel with the courier. Fun times when the guy traveling with you is armed.

          • by sjames ( 1099 )

            My point exactly, the background and other honesty checks are only a small part of keeping data from leaking. The leak in TFA wasn't driven by disloyalty, it was driven by sloppy procedure and no checks and balances.

            • by PPH ( 736903 )

              The leak in TFA wasn't driven by disloyalty,

              Somebody accidentally walked out with 34 terabytes of information? Where can I buy a USB thumb drive like that?

              People with security clearances are assumed to work to a higher standard of responsibility. Sometimes the procedures are just written rules to be followed. But so many would have to be broken to get that sort of data out that this sort of thing goes way beyond accidentally slipping into one's pocket at quitting time.

              • by sjames ( 1099 )

                Some true patriot decided that the CIA was acting contrary to what makes America great. He didn't sell it on the black market, he didn't turn it over to his Russian or Chinese handler for money or payoff on extortion. In his/her mind, it was for the good of the Country.

                It was possible because there were zero checks and balances in place. No enforced procedures to make the transmission of all of that data an audited event. Not even enough logging to pin it on anyone. The people who allowed that situation to

      • Yes, ish.

        There are network intrusion detection systems that look for anomalous behaviour rather than specific actions. These can be used to close firewalls between segments of a corporate network.

        The government also uses Class III certificates as part of the network login procedure. Ok, it mandates it. Slight difference. Has done since 2003, when Charleston Navy Base became one of the first sites to switch. That makes it easy to know who is logged in to what.

        Principle of least privilege and the Rainbow Seri

    • If a lockpicking firm doesn't bother with locks, one must assume one of the following:

      1) locks are pointless
      2) they don't know how to secure things
      3) they never tested their tools except against trivial cases

      None of these possibilities gives me much confidence in the unit concerned.

  • I long for the days when the NSA and other agencies had a mandate (maybe that's a bit much) to set standards for how the rest of us should secure and encrypt our communications and were not just tasked with treating the US citizenry as the things to be monitored. If we had some sane leadership over the past 3 decades that would be their #1 priority, actually playing the role of national white hats. It's in the country's national security interest that our infrastructure and telecoms are encrypted to the best of our abilities, even if they cannot access it. They should actually be developing and encouraging such standards.

    • That happens when the country is actually pro-national security.

      It stops when it turns away from serving the country and focuses on only serving government. People fundamentally do not understand that "The People" are the government, the country, the nation.

      The government itself is just some people of that nation and the moment they start looking after their interests is the moment the country should clap back so hard that they are prosecuted for nothing other than treason with the only penalty being public

    • The NSA used to publish some excellent guides on securing networks, operating systems and software such as MS SQL Server and MySQL.

      And I'll be blunt. Although neither Flask nor SELinux have been properly security analyzed, they're still pretty damn good.

      The Rainbow series is still very useful, despite its age.

  • CIA clowns being clowns.
  • From the looks of things... but then again... maybe my definition of elite is different from theirs...

  • From TFA: "The breach -- allegedly by a CIA employee..."

    Being betrayed by traitors within is tough to prevent. It's the reason for all the compartmentalization, need to know, and all the other impediments to communication that people working in "that sort of organization" have to deal with. (Thankfully, I've never worked in "that sort of organization". It'd drive me stark raving bonkers.)

  • by LordWabbit2 ( 2440804 ) on Tuesday June 16, 2020 @02:16PM (#60189826)
    Got to love the hype given to "state sponsored" hacking by the Russians and the Chinese and how the media paints this as an indication of how evil and corrupt these governments are when back home at the ranch.... The US is doing state sponsored hacking of their own. So by the definition of the media, this makes the US government evil and corrupt as well.
    • One HUGE difference is the state sponsored hacking for country security without providing the info to companies vice China/Russia/France hacking and providing that help to their companies. There is a huge difference when state espionage/hacking is for corporation benefit.
      • It's all about the $.

        It would be nice if the CIA was responsible and disclosed the flaws that were weaponised rather than leaving the flaws in place and hoping no-one else discovered them so as not to invalidate their cyberweapons.

        Luckily for us, Wikileaks passed the information on to vendors well ahead of publishing information on the CIA tools to allow them to close those backdoors.

        I'm old enough to remember the decades of cold war bullshit we were fed whilst the US was running rampage throughout the worl

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday June 16, 2020 @02:32PM (#60189916) Journal
    One would hope that people attempting to run such programs would recognize this tendency and strive to counteract it; but this seems like the most natural outcome in the world.

    The maintenance 'n compliance side of IT is typically viewed as an irritating, obstructionist cost center even by nontechnical users in contexts where security requirements are pretty low, mostly just keeping malware-induced downtime below a certain threshold and ensuring that the number of installs roughly matches the number of licenses in case somebody checks. The perception intensifies in cases where security requirements cause IT to actually be hardasses; or where you have fairly technical users who want free rein.

    An entire department of people chosen for skill and interest in exploiting stuff seems like it would be about the least efficient conversion of technical talent into system security one could possibly imagine.
  • An employee stealing information internally is nearly impossible to prevent. That is a huge difference from external access and hacking. Using the word "leak" when it was done by an internal employee is misleading.
  • The CIA is trying to boost the viewer numbers of American Dad, because Our Cartoon President is making the CIA look like a tool.

  • "Because the stolen data resided on a mission system that lacked user activity monitoring and a robust server audit capability, we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017."

    https://www.wyden.senate.gov/i... [senate.gov]

    Real Journalism helps everyone... who would have thought.
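The controls the thread says were missing (removable-media writes being logged, bulk transfers treated as an audited event, and every mission host actually covered by user activity monitoring), as an added example that is not part of the story or any comment. The audit log lines, host inventory and the 10 GB per-user daily threshold are constructed for illustration.

```python
# Added example (not from the story or any commenter): a minimal user-activity
# audit check of the kind the thread says was absent. It replays constructed
# audit events and flags (a) writes to removable media, (b) users whose total
# transfer volume exceeds a policy threshold, and (c) inventoried hosts that
# produced no audit events at all (i.e. hosts with no monitoring coverage).
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp user host action target bytes
SAMPLE_EVENTS = [
    "2016-03-07T09:12:01 alice ws-17 copy nas://project/spec.docx 120000",
    "2016-03-07T09:40:44 bob   ws-22 copy usb:/media/E 4100000000",
    "2016-03-07T10:05:10 bob   ws-22 copy usb:/media/E 3800000000",
    "2016-03-07T11:30:00 carol ws-09 copy smb://fileshare/out 700000",
    "2016-03-07T13:15:59 bob   ws-22 copy usb:/media/E 9200000000",
]

# Assumed policy: more than 10 GB moved by one user in the window is anomalous.
BULK_THRESHOLD_BYTES = 10 * 10**9

# Constructed inventory of hosts that are supposed to be under audit.
MISSION_HOSTS = {"ws-17", "ws-22", "ws-09", "build-03"}


def parse_event(line):
    """Split one whitespace-delimited audit line into a dict."""
    ts, user, host, action, target, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "target": target, "bytes": int(nbytes)}


def analyze(lines):
    """Return (removable-media findings, per-user byte totals, bulk findings)."""
    removable = []
    totals = defaultdict(int)
    for ev in map(parse_event, lines):
        if ev["target"].startswith("usb:"):          # write to removable media
            removable.append((ev["user"], ev["host"], ev["target"], ev["bytes"]))
        totals[ev["user"]] += ev["bytes"]
    bulk = [(u, b) for u, b in totals.items() if b > BULK_THRESHOLD_BYTES]
    return removable, dict(totals), bulk


def audit_coverage_gaps(lines, hosts=MISSION_HOSTS):
    """Inventoried hosts that never emitted an audit event: monitoring blind spots."""
    seen = {parse_event(line)["host"] for line in lines}
    return sorted(hosts - seen)
```

With the sample data, the three USB writes by one user sum to 17.1 GB and trip the bulk threshold, and one inventoried host has no coverage at all.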
