If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security

Internal report confirms what we all feared: Lax controls led to WikiLeaks Vault 7 hack tools blab

The CIA was so focused on developing whizzbang exploit code, it left any thought of basic computer security principles on the kitchen counter before dashing off to work each morning.

That oversight led to the super-agency inadvertently spilling its hacking tools ultimately into the hands of WikiLeaks, which duly disclosed details of the spies' malware, viruses, remote-control software, and other materials under the Vault 7 banner in 2017.

If you followed our coverage of the trial of Joshua Schulte, the CIA sysadmin accused of passing the files to WikiLeaks, this much will already be known to you. The fact the virtual machine that held all of the tools apparently used 123ABCdef as its password is perhaps all you need to know. Schulte's trial ended with a hung jury, though he was found guilty of contempt and lying to the FBI.

Don't just take our word for it. An internal CIA report into the embarrassing affair came to much the same conclusion: Uncle Sam's snoops lost control of at least 180GB of hacking tools and documentation, which ended up in the lap of WikiLeaks, due to lax security. From shared admin passwords to no limitations on removable storage, the agency broke or snubbed virtually every rule in the book.

Rather than take basic steps to secure its materials, the CIA's Center for Cyber Intelligence (CCI) was more interested in developing zero-day exploits and other offensive software. This focus on attack to the detriment of defense allowed the escape of its hacking tools.

A redacted version of the internal report [PDF] was shared with the world today by US Senator Ron Wyden (D-OR) in an open letter to Director of National Intelligence John Ratcliffe. Here's the nuts and bolts of the matter, direct from the CIA dossier:

Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.

Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.
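The first of those findings, administrator passwords shared between users, is also the easiest to spot from the logs an ordinary fleet already keeps: one account arriving from several different machines in a short window is the fingerprint of a credential being passed around. The script below is an added illustration, not part of the CIA report or of The Register's article. It runs over a constructed sshd auth-log excerpt (the hostname, usernames and addresses are made up) and flags accounts seen from more than two source addresses inside any one-hour window, plus accounts that only ever authenticate by password, which are the ones a shared secret cannot be traced back from.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log excerpt. Host, usernames and addresses are made up
# for this example; nothing here comes from the report or the article.
SAMPLE_LOG = """\
May  3 08:01:12 build01 sshd[2211]: Accepted password for admin from 10.0.5.17 port 51022 ssh2
May  3 08:04:40 build01 sshd[2290]: Accepted password for admin from 10.0.5.42 port 51101 ssh2
May  3 08:06:03 build01 sshd[2310]: Accepted publickey for alice from 10.0.5.17 port 51150 ssh2
May  3 08:09:55 build01 sshd[2377]: Accepted password for admin from 10.0.7.9 port 40211 ssh2
May  3 08:12:30 build01 sshd[2401]: Accepted password for admin from 10.0.5.17 port 51300 ssh2
May  3 09:15:01 build01 sshd[2890]: Accepted password for bob from 10.0.9.3 port 33010 ssh2
May  3 14:40:18 build01 sshd[5120]: Accepted password for admin from 10.0.8.200 port 42777 ssh2
"""

# Matches only successful logins; failures, disconnects and other noise are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text, year=2020):
    """Return (timestamp, user, source, method) tuples for successful sshd logins."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumed here)
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"], m["method"]))
    return events


def find_shared_accounts(events, window=timedelta(hours=1), max_sources=2):
    """Flag accounts used from more than max_sources distinct addresses within any window.

    One person switching desks is normal; one account arriving from three or more
    machines in an hour is what a shared password looks like. Returns
    {user: sorted source addresses of the busiest window}.
    """
    by_user = defaultdict(list)
    for ts, user, src, _ in events:
        by_user[user].append((ts, src))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        worst = set()
        for i, (start, _) in enumerate(logins):
            srcs = {s for t, s in logins[i:] if t - start <= window}
            if len(srcs) > max_sources and len(srcs) > len(worst):
                worst = srcs
        if worst:
            findings[user] = sorted(worst)
    return findings


def password_only_accounts(events):
    """Accounts that never authenticate with a key, so a shared password is untraceable."""
    methods = defaultdict(set)
    for _, user, _, method in events:
        methods[user].add(method)
    return sorted(u for u, m in methods.items() if m == {"password"})


if __name__ == "__main__":
    events = parse_logins(SAMPLE_LOG)
    for user, sources in find_shared_accounts(events).items():
        print(f"{user}: used from {len(sources)} sources within an hour: {', '.join(sources)}")
    print("password-only accounts:", password_only_accounts(events))
```

Run against the sample, the script flags `admin` (seen from three machines between 08:01 and 08:12) and lists `admin` and `bob` as password-only. The thresholds are deliberately loose; tighten `max_sources` or the window to suit how a given team actually works, and feed the parser real `/var/log/auth.log` lines in place of the constructed text.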


The report noted there were shortcomings in the CIA's procedures and mechanisms for detecting and thwarting rogue insiders, thus allowing, oh say, someone within the agency to walk off with the goods. "The WikiLeaks disclosures revealed gaps and weaknesses in CIA’s Insider Threat program, which has traditionally relied on close coordination between the Office of Security and [Counterintelligence Mission Center] CIMC," the report stated.

"Among the gaps are the seams in communication between components such as the Office of General Counsel, Medical Services, Human Resources, security, counterintelligence, and line management that have sometimes prevented us from connecting the dots to corporately detect and address Insider Threat issues."

Wyden is seeking answers from Ratcliffe as to why the CIA's internal security is so lacking, even years after the Vault 7 scandal, especially when the intelligence agency was trusted to shore up its computers and networks to a level higher than what's expected of the federal government as a whole.

"While Congress exempted the intelligence community from the requirement to implement the Department of Homeland Security's cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation's most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems," Wyden said.

"Unfortunately, it is now clear that exempting the intelligence community from baseline federal security requirements was a mistake." ®


Biting the hand that feeds IT © 1998–2022