Industry Reactions to CIA Hacking Tools: Feedback Friday

WikiLeaks this week released information on what it claims to be a trove of CIA hacking tools. The documents made public appear to show that the intelligence agency has had the tools and capabilities to hack a wide range of systems, including mobile devices, routers, TVs and even cars.

An initial analysis conducted by tech companies, including security firms, showed that a majority of the disclosed vulnerabilities have already been patched by vendors.

WikiLeaks initially refused to release any of the actual tools and exploits, but it has now promised to share more information with tech firms in an effort to help them protect their customers. However, the White House warned that there could be legal repercussions considering that the information is classified.

The CIA has not commented on the authenticity of the leak, which has been dubbed “Vault 7,” but the agency pointed out that it is legally prohibited from spying on individuals in the United States.

Contacted by SecurityWeek, industry professionals shared some thoughts on the Vault 7 leak and its implications.

And the feedback begins…

Ilia Kolochenko, CEO, High-Tech Bridge:

"I am a bit surprised that this particular incident has attracted so much attention. The CIA, like any other governmental intelligence agency, uses and will continue using various hacking tools and techniques to obtain any information they need to protect the country. This is their duty. So far, we don't have any evidence that these capacities were used unlawfully, for example to violate the reasonable expectation of privacy of innocent US citizens or for illicit interference with elections.

It's also at least incorrect to speak about the CIA's inability to defend itself, as the source of the leak remains unknown. This can be an insider incident, against which no large company or governmental agency in any country is protected. It can also be a honeypot, to distract someone's attention from the real arsenal of US cyber warfare. I am pretty confident that US intelligence has much bigger technical resources than the garbage exposed in the leak.

Also, intelligence agencies cooperate in many areas, including cybersecurity and cyber warfare. Therefore, the CIA's collaboration and knowledge sharing with other agencies, such as MI5, is obvious and is common practice."

Tom Kellermann, CEO, Strategic Cyber Ventures (SCV):

“These exploits and attack platforms allow an actor to become telepathic. It is quite obvious that this was an act of tradecraft by a foreign power to discredit the US government and to endow the cybercriminal community with dangerous attack capabilities. The blatant pillaging of the US cyber armory will result in a dramatic escalation of the cyber-insurgency which is raging in US cyberspace. These cyber weapons will be used by the Russian cyber militias against NATO and Western targets. WikiLeaks has expanded her arms bazaar and is now distributing digital grenade launchers and Uzis to the malcontents and anti-American non-state actors of the world. Cyberspace is about to become a free fire zone.”

Rick Hanson, EVP, Skyport Systems:

“This is just another clear example where an organization that conducts breaches and leaks cannot be praised under ANY circumstance. Donald Trump previously praised WikiLeaks during his campaign. When an organization like WikiLeaks is lauded in any forum there is reason to be concerned. The fact that WikiLeaks claims to have critical CIA information should put our intel community on record.

The protection of sensitive tools and data by our intel community should be a top priority. If this leak turns out to be real, our governmental cybersecurity policy and implementation need to be called into question. This is a key reason our intel community needs to operate only on "Zero Trust" systems with a hardware root of trust."

Ayal Yogev, VP of Product Management, SafeBreach:

“Any type of device you add to the network can be used by an attacker. This isn't new, but the information shared by WikiLeaks about SmartTVs reinforces this. Additionally, while most may consider this a consumer-focused issue, in fact, SmartTVs are used by many enterprises in conference rooms and common areas. Imagine the types of executive level conversations an attacker might be privy to.

These new IoT devices are prime targets for an attacker since in many cases they are less protected than existing devices on the network and an attacker always looks for the weakest link. This is why knowing exactly what can be done from any point in your environment by a hacker is crucial. Understanding the kill chain can help enterprises prevent attacks, for example - a SmartTV may be hacked, but because there is no way to exfiltrate information from the segment the TV is in, you're breaking the kill chain, and containing the problem.”
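The segmentation check Yogev describes, as an added example that is not from the article or from SafeBreach: a small policy-as-data script that maps constructed flow records onto named network segments and reports any flow the segment allow-list does not permit. The segment names, address ranges, allowed port pairs and the flow-log lines are all assumptions made for the illustration; the point is that a compromised TV in the AV segment has no permitted path to the internet or to corporate hosts, so the exfiltration and lateral-movement steps of the kill chain show up as denied flows.

```python
"""
Added example (not from the original article): egress-policy check for a
segmented network, run over constructed flow records. Segment names, CIDR
ranges, the allow-list and the sample flows are all assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Named segments as CIDR blocks (assumed layout).
SEGMENTS = {
    "av_iot": ipaddress.ip_network("10.40.0.0/24"),   # smart TVs, conference displays
    "corp":   ipaddress.ip_network("10.10.0.0/16"),   # workstations
    "mgmt":   ipaddress.ip_network("10.99.0.0/24"),   # AV controller, update proxy, NTP
}

# Allow-list of (source segment, destination segment, destination port).
# The AV segment may reach only the management segment; it has no route to
# corp hosts or to the internet, so a hacked TV cannot exfiltrate directly.
POLICY = {
    ("av_iot", "mgmt", 8080),     # firmware/update proxy
    ("av_iot", "mgmt", 123),      # NTP
    ("corp", "internet", 443),
    ("corp", "internet", 80),
    ("corp", "av_iot", 7000),     # screen sharing pushed to the TV
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(ip: str) -> str:
    """Map an address to a segment name, 'internet' for public space, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown" if addr.is_private else "internet"


def parse_flow(line: str) -> Flow:
    # Constructed log format: "<src_ip>:<sport> -> <dst_ip>:<dport> <proto>"
    src, _, rest = line.partition(" -> ")
    dst, proto = rest.rsplit(" ", 1)
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(src_ip, dst_ip, int(dport), proto)


def is_permitted(flow: Flow) -> bool:
    return (segment_of(flow.src), segment_of(flow.dst), flow.dport) in POLICY


def find_violations(lines):
    """Return the flows that the segmentation policy does not allow, in log order."""
    flows = (parse_flow(line) for line in lines if line.strip())
    return [f for f in flows if not is_permitted(f)]


# Constructed sample flow log.
SAMPLE_FLOWS = [
    "10.10.5.20:51000 -> 93.184.216.34:443 tcp",   # corp -> internet: allowed
    "10.40.0.17:44123 -> 10.99.0.5:8080 tcp",      # TV -> update proxy: allowed
    "10.40.0.17:44124 -> 45.33.32.156:443 tcp",    # TV -> internet: exfiltration attempt
    "10.40.0.17:44125 -> 10.10.5.20:445 tcp",      # TV -> corp SMB: lateral movement
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"DENY {segment_of(v.src)} -> {segment_of(v.dst)}:{v.dport} "
              f"({v.src} -> {v.dst} {v.proto})")
```

In production the allow-list lives in the firewall or VLAN ACL; a check like this one, replayed over exported flow logs, is how you confirm the segmentation actually holds rather than assuming it does.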

Alex Rice, CTO, HackerOne:

"Vulnerabilities are difficult to keep secret, and this news break shows they don’t remain secret for long. The longer these vulnerabilities remain unpatched, the more dangerous they become because they can fall into criminal hands. The CIA put consumers at risk by not reporting these bugs to their vendors. Similarly, WikiLeaks is no better at keeping secrets than the CIA and should immediately disclose any known vulnerabilities to the appropriate vendors so they can be fixed.

If there is a known vulnerability and it is not making it into the hands of the vendor so it can be resolved, something is broken. Companies and consumers should encourage the active disclosure of vulnerabilities no matter their source, including security researchers, active security teams, and the U.S. government. At minimum, this means a thorough review of the U.S. Government's Vulnerabilities Equities Process, which appears to have not been honored. This ultimately strains tech companies' relationship with the US government. The economy relies significantly on the trust of its consumers and if consumers can’t trust U.S. made tech products, this harms competitiveness in the market."

Mikko Hypponen, Chief Research Officer, F-Secure:

“It’s no surprise that the CIA is using these hacking techniques. What is unexpected is the leak, and it’s huge. So the question is who leaked it to WikiLeaks? The Russians, an insider? We don’t know the answer. Another question we need to ask ourselves is why it was leaked now. We don’t know this either.

In countries like the US, the intelligence agencies’ mission is to keep the citizens of their country safe. The Vault 7 leak proves that the CIA had knowledge of iPhone vulnerabilities. However, instead of informing Apple, the CIA decided to keep it secret. So the leak tells us a bit about how the CIA decided to use its knowledge: it considered it more important to keep everybody insecure than to protect its citizens from the vulnerability, and maybe to use the vulnerability for its own purposes or counter-terrorism purposes.”

Nathan Wenzler, chief security strategist, AsTech:

“Could this be the age of the EULA? There have been many reports and lawsuits in recent months (Vizio and Samsung come immediately to mind) of devices such as televisions recording information and potentially providing it to "third parties." Is it really any surprise to the security industry that these third parties might include government agencies such as the CIA? Where backdoors exist, there is often language present in the EULA that would suggest that the manufacturer may capture and share information.

We certainly want to believe that companies operate to the highest standards of protecting users' privacy, but there have simply been too many cases where intelligence agencies have publicly attempted to gain this sort of backdoor access through legal channels (FBI vs. Apple, anyone?) to think that no company is cooperating with these authorities. It may be time to make a serious review of licensing agreements and terms of service a standard part of our security programs, rather than the de facto standard process of blindly clicking "OK" at the bottom of the page. This doesn't necessarily make it right, moral or ethical, but the writing has been on the wall the whole time, and these recent revelations should not come as a surprise, but rather serve as confirmation of what we have always believed was happening.”

Sanjay Kalra, Co-founder and Chief Product Officer, Lacework:

“There has been a lot of focus on the CIA leaks around exploits for Smart TVs, connected vehicles and a lot of new gadgetry. If you look closely at the list of projects, the majority of them were focused on Unix. Unix systems are considered to be extremely safe; however, the CIA had tools to do keyboard logging, copy network traffic and intercept secure connections to Unix machines. Unix runs and stores the crown jewels in the data center/cloud for most enterprises today, and exploiting them is a gold mine. Enterprises need to first focus on securing their core with breach detection and insider threat detection before looking to secure the next shiny object. Compromise of the core can be disastrous.”

Chris Roberts, Chief Security Architect, Acalvio:

“One thing that is interesting is the mass of misdirected social media indignation and ill-informed discussions about who’s been hacking where, what and when. The open library of “wild” code that is being attributed to various CIA branches is nothing more than data collected from freely available sources on the Internet; therefore attributing hacks to the CIA because of the code fingerprints is woefully incorrect. That’s damaging both for a community not doing its research and for the intelligence community, which is sitting there battered and bruised because of these losses AND now taking the heat for attacks it likely did not carry out (Trump, DNC etc.).

The biggest issue is ‘we know’ most of what’s been disclosed, including hacks, code and covert operation styles. We also know what the tactics are. Heck, most of us use the very same tactical operations when engaged by clients or doing R&D. The code library is NICE to have in one place. But again, most of us have multiple snippets of various code bases.

What needs to happen now is that the intelligence community must stand up and simply say “yep, that’s us. We are at war in the electronic realm. Suck it up."

Willis McDonald, Senior Threat Manager, Core Security:

"The leaked CIA documents have potentially disastrous effects on ongoing CIA operations. If the tools detailed in the documents are still in use, this now gives clues to targeted organizations as to what is of interest to the CIA. As a consequence this could also expose close contact human intelligence (HUMINT) operations, leading to incarceration and possible harm to operatives.

The leak of these documents definitely has caused financial harm to the CIA. Response to the leak of the documents will require a massive research and retooling effort in the CIA. Everything from tradecraft to tools will need to be changed in order for operations to continue undetected, which will cost millions of dollars and months of training and development."

Ajay Arora, CEO and Co-founder, Vera:

"If these docs prove to be authentic, everyone should once and for all throw out their blind trust that their devices, apps or data are ever safe or private. People need to wake up to the fact that they need to take responsibility for maintaining the privacy of their information and make no assumptions. At the end of the day, no one has your best interests in mind but you -- people can't even trust their own government any more. This is the tragic new normal we all have to unfortunately accept."

Apostolos Giannakidis, Lead Security Architect, Waratek:

"The WikiLeaks release of the CIA's Vault 7 hacker tools is a dream come true for hackers and a nightmare for corporate security teams who are already under-resourced and over-stressed just trying to keep up with known threats, especially in application software.

This event highlights the risk of introducing new software code into an enterprise environment, especially from third parties. Blindly putting unrestricted trust in software can greatly increase the risk of introducing new vulnerabilities and even hidden backdoors.

There are tools that can automate the process of identifying and increasing protection against these threats, but the attacks are likely to come faster than the defenders can implement them. It will take security teams weeks, months or even years to develop patches to address the exploits about to be unleashed into the mainstream over time.”

Gunter Ollmann, CSO, Vectra Networks:

“The CIA’s “UMBRAGE” program reveals the importance placed upon “false flag” signatures used in clandestine operations. It should be no surprise to the InfoSec community that such resources are expended to capture and duplicate the techniques used by foreign agencies and criminal organizations. It does however reinforce that the use of such techniques is, in fact, an everyday part of clandestine operational procedure – casting further doubt on public attribution disclosures – especially those quickly released and promoted by the marketing teams of commercial security vendors.”

Brian Vecci, Technical Evangelist, Varonis:

“It’s too easy for data to be stolen, even—allegedly—within the CIA’s Center for Cyber Intelligence. The entire concept of a spook is to be covert and undetectable; apparently that also applies to actions on their own network. According to WikiLeaks, this treasure trove of files was given to them by a former U.S. government contractor. The CIA is not immune to issues affecting many organizations: too much access with too little oversight and detective controls.

In performing forensics on the actual breach, the important examination is to determine how 8,761 files just walked out of one of the most secretive and confidential organizations in the world. Files that were once useful in their operations are suddenly lethal to those same operations. We call this toxic data: anything that is useful and valuable to an organization but, once stolen and made public, turns toxic to its bottom line and reputation. All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion.”
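One concrete form of the detective control Vecci says was missing, as an added example that is not from the article or from Varonis: a sliding-window check over file-audit events that alerts when an account reads far more distinct files in an hour than its own history suggests, which is exactly the shape of "thousands of files walked out". The log format, user names, paths, per-user baselines and thresholds are all constructed for this illustration.

```python
"""
Added example (not from the original article or from Varonis): a detective
control for bulk file access. It replays constructed file-audit events and
flags an account whose count of distinct files read inside a one-hour
window exceeds both an absolute floor and a multiple of that account's own
hourly baseline. Log format, users, paths, baselines and thresholds are all
assumptions made for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
MULTIPLIER = 5       # alert when the window count exceeds 5x the baseline...
MIN_ABSOLUTE = 50    # ...and exceeds this many distinct files (avoids noise on tiny baselines)

# Assumed per-user baselines: typical distinct files read per hour.
BASELINES = {"analyst": 8, "contractor": 6}


def parse_event(line: str):
    # Constructed format: "<ISO timestamp> <ACTION> user=<name> path=<path>"
    ts, action, user_kv, path_kv = line.split(" ", 3)
    return (datetime.fromisoformat(ts), action,
            user_kv.split("=", 1)[1], path_kv.split("=", 1)[1])


def detect_bulk_access(lines, baselines):
    """Return {user: (timestamp, distinct_count)} at the first threshold crossing per user."""
    recent = defaultdict(deque)   # user -> (ts, path) events still inside the window
    alerts = {}
    for line in lines:
        ts, action, user, path = parse_event(line)
        if action != "READ":
            continue
        window = recent[user]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW:   # slide the window forward
            window.popleft()
        distinct = len({p for _, p in window})
        limit = max(MIN_ABSOLUTE, MULTIPLIER * baselines.get(user, 0))
        if distinct > limit and user not in alerts:
            alerts[user] = (ts, distinct)
    return alerts


def build_sample_log():
    """Constructed audit log: routine analyst reads plus a contractor pulling a whole tree."""
    base = datetime(2017, 3, 1, 9, 0, 0)
    lines = []
    for i in range(10):   # one report every six minutes: normal
        ts = (base + timedelta(minutes=6 * i)).isoformat()
        lines.append(f"{ts} READ user=analyst path=/share/reports/q{i}.docx")
    for i in range(80):   # 80 distinct files in 20 minutes: bulk pull
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} READ user=contractor path=/share/tools/doc{i:03d}.pdf")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


if __name__ == "__main__":
    for user, (ts, count) in detect_bulk_access(build_sample_log(), BASELINES).items():
        print(f"ALERT {ts.isoformat()} {user}: {count} distinct files read in the last hour")
```

The alert fires on the 51st distinct file, a few minutes into the bulk read, rather than after the fact; the per-user baseline keeps a heavy but legitimate reader from tripping it, and the absolute floor stops a near-zero baseline from flagging a handful of reads.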

Philip Lieberman, President, Lieberman Software:

“Presidential Directive 20 and Title 10 provide transparency to the strategy and resources of the US Government regarding methods and technologies used for national security purposes. The creation, capabilities and usage of cyber weapons are controlled by the Senate, Congress and President in a coordinated process governed by law. The agencies themselves do not operate independently or autonomously without first receiving detailed authorization and direction from national leadership, which is vetted by the judicial branch.

Questions as to the capabilities and usage of those capabilities should be directed to the Senate and President directly rather than the agencies themselves, as they simply carry out operations directed from above them.

The appropriateness and usage of capabilities is a matter of politics and national security that may or may not disturb citizens. My advice is to contact your representative in Congress and the Senate and ask them for an explanation as to why and how these capabilities are used.”

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.