CISOs shouldn’t sweat about the latest allegation by Wikileaks that the CIA has the ability to hack almost anything – so long as they’re prepared with defence in depth, says a Canadian international security expert.
“What they [the CIA] have? God knows,” said Richard Zaluski, CEO of the Centre for Strategic Cyberspace and Security Science. “What you can do as a CIO is get a game plan. You have to do your homework … Bring in third parties to do security tests.
“How you handle this really depends on what your resources are. A basic plan can really save your bacon. If you have the funds do due diligence. Bring in a third party audit, pen testers.” In addition, locking down workstations so staff — or visitors — can’t plug in USB keys and copy data is vital.
He also said CISOs that allow data to be stored in the cloud have to take care of where the provider is located and what security standards are adhered to.
Similarly, Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, said the report is “a timely reminder” that infosec pros have to look after basic security, including regular patching.
“By definition, there’s nothing you can do about zero days (exploits) until you know about them,” he said in an interview. But, he added, some the vulnerabilities the CIA allegedly can exploit that are described by WiikiLeaks are old and by now have been closed by software updates. “These are things we should all be doing anyway.”
“The main takeaway for me from this story is the basics are still important, regardless of whether you’re concerned about this story or any other form of cyber crime, espionage or hacking.”
To some degree that was supported by statements from some vendors about the security of their products. For example, Kaspersky Lab told Securityweek.com that one of the vulnerabilities the CIA allegedly could take advantage of was patched in 2009, while another was addressed in December 2015.
“The products mentioned in the Wikileaks report (Kaspersky Internet Security 7, KIS 8, WKSTN MP3) are outdated versions of Kaspersky Lab software and have been out of the technical support lifecycle for several years,” it told Security Week.
Comodo, which makes remote monitoring and endpoint protection solutions, and BitDefender, maker of endpoint and enterprise security solutions, both said the WikiLeaks documents suggest the CIA has problems evading their products. Avira also told Security Week the CIA’s Entropy Defeat bypass technique does affect its products, but classified it as a “minor vulnerability” that it patched within a few hours after the WikiLeaks release.
What is worrisome is that the CIA techniques so far disclosed might be adopted by criminals or nation-states — or that WikiLeaks might release details of the code allegedly used by the CIA, which would give attackers even more knowledge.
But a former Canadian national security analyst told the Toronto Star there’s another concern: That the lead could damage Canada’s security agencies if they use any of the tools and techniques. That’s not impossible because Canada is part of the Five Eyes intelligence partnership along with the U.S., the expert noted. The Star story also points out one of the WikiLeaks files suggests intelligence agencies met in Ottawa in 2015 for sharing some information.
Meanwhile, a U.S. federal criminal investigation has been opened into the disclosures.
On Tuesday WikiLeaks revealed 8,761 documents and files — but not source code, names, email addresses and external IP addresses — from what is said is “an isolated, high-security network” inside the CIA. Dubbed a “hacking arsenal,” it allegedly includes malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation that can be used by agency staff for spying on a range of products using Apple’s iOS, Google’s Android and Microsoft’s Windows operating systems, as well as Internet-connected Samsung TVs.
WikiLeaks, which calls the archive “Vault 7,” accuses the CIA of breaking a promise not to hoard vulnerabilities it has discovered or learned about but to disclose them to vendors so they could be patched.
“The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive,” WikiLeaks said in a press release.
Some of the tools were described by their code names, such as “Weeping Angel” (someone at the CIA apparently watches Doctor Who , or is close to a church), which “infests smart TVs, transforming them into covert microphones” while making the television appear as if it is off.
UPDATE: WikiLeaks said Thursday that it will provide information it has on the vulnerabilities to vendors so they can patch their software. And the CIA issued a statement saying it while it’s mandate is to collect foreign intelligence is forbidden from hacking Americans.
Meanwhile security vendors have been quick to take advantage of the headlines on the WikiLeaks allegation to issue warning statements. “The real danger here is the potential for a tidal wave of Zero Day attacks aimed at enterprises, especially enterprise web applications,” said Dublin-based Waratek Inc. It advises CISOs to prioritize patches, harden applications, use a rules-based approach to security and look for and protecting against vulnerabilities in every part of your software stack.
Omer Schneider, CEO of CyberX, which makes industrial Internet security solutions, said in a release that the main issue is not that the CIA has its own hacking tools or has a cache of zero-day exploits. Most nation-states have similar hacking tools, he argued, and they’re being used all the time — for example there have been reports on a massive cyber-reconnaissance operation in the Ukraine. The Hacking Team data breach showed there’s a huge, global market for hacking tools which are sold to the highest bidders, he added. In 2014, the Department of Homeland Security confirmed the U.S. electrical grid was compromised by industrial malware.
“What’s surprising is that the general public is still shocked by stories like these. Regardless of the motives for publishing this, our concern is that Vault7 makes it even easier for a crop of new cyber-actors get in the game,” he says.