Report Says CIA's Hacking Unit — Home To The Vault 7 Exploits — Deployed Almost No Internal Security Measures

from the no-one-would-dare-cross-the-CIA...-would-they? dept

More details about the leak of CIA hacking tools are coming to light. And they’re not making the CIA look any more deserving of its “Intelligence” middle name.

The “Vault 7” leak detailed the CIA’s exploits — ones targeting cellphones and a variety of smart devices. Encryption still works, though, but devices have to remain uncompromised by exploits. Since they aren’t, encryption won’t stop agencies like the CIA from intercepting communications or inserting themselves into private conversations.

The prosecution of the accused Vault 7 leaker has been a nightmare of its own, with the government having difficulty pressing its case even as it uncovers evidence the leaker continued to leak sensitive information after being incarcerated.

The latest report, by Ellen Nakishima and Shane Harris of the Washington Post, shows the CIA was far more interested in developing tech weapons than ensuring its hoard of exploits remained in its possession.

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director.

[…]

The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were “woefully lax” within the special unit that designed and built the tools, the report said.

Information wants to be leaked, apparently. Maybe not innately, but when the culture says the best defense is a good offense, chances are sensitive tools and tech are going to go wandering off.

The CIA knows how exploitable pretty much everything is. That it deployed nearly no security measures to ensure its exploit stash remained on the premises is an indictment of every bureaucracy that thinks merely being a big government agency will deter people — both on the inside and outside — from screwing with it. According to this report, the CIA didn’t even employ bush-league, mom-and-pop-store-level security measures. There was no compartmentalization of tech exploits, no prevention of sharing of administration-level passwords, and no controls placed on use of removable media. There was also no monitoring of this network, which has prevented the CIA from determining the size of the breach or enumerating what was actually taken.

This crucial job was outsourced, which apparently contributed to the problem. The job was too important to be left undone. But the CIA apparently didn’t feel it was important enough to handle itself so it gave it to someone else, resulting in this:

The computer network was maintained by contractors, the former official added. “There was a misunderstanding between the people who ran the unit and people who ran and maintained the network.”

Give an agency more money than oversight and it can perform any task poorly. Exploits are truly useful but they’re only useful if they remain undisclosed and unpatched. Treating security cavalierly has paid off about as well as anyone outside the agency would have imagined. The tools were leaked. Only after that did anyone decide to check the latches on the Vault’s doors. Proactive is better than reactive, as any intel operative should know. While this may be a great way to inadvertently comply with the Vulnerability Equities Process, it’s no way to run an intel agency’s tech black ops program.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Report Says CIA's Hacking Unit — Home To The Vault 7 Exploits — Deployed Almost No Internal Security Measures”

Subscribe: RSS Leave a comment
29 Comments
ECA (profile) says:

Bad concept.

We created the best progs to get into anything, why secure our own systems, if it wont help.

designing security to defend against Ourselves, means someone will find a way to defeat our progs.

Protecting our systems from our progs, means Someone will figure out how we did it and protect themselves.

Since the USA has privacy laws, that we cant go against, WHO can we give these to? Who can sit outside the USA and do the things WE WANT TO DO.

Age old problem. 1/2 hardware problem, and 1/2 software. Which is easiest to break into. Such as using a Flash drive to boot a system and NOT let the Hard drive boot. So that you can scan and fix a failure or Scan everything on that drive. Linux has been ahead on allot of things because everyone can Improve the software and make things better and better, in steps, where MS thinks everyone is abit stupid and cant tell the difference.

Hardware can only do what its programmed to do. And if you confuse it or use it Against the system the system has to Stop. If long ago, a certain little thing was added tot he Hardware, it would not be easy to find. All it would take is a Exit from the programming on the chip that would LET an invading software Control what was to be done, rather then let the internal hardware do it.(abit simplified) Insted of failing a Check on commands send and Stopping processing, that it would Exit and give control to the software trying to be used. Shouldnt be to hard. Esp when Most CPU’s now have integrated most of the Hardware controls. The Chips are almost fully ‘All in one’ devices. There are so many protocols in-bedded in them, that taking advantage of the confusion in the chip Can be fairly easy, as the chip has to figure out what you want, and decides Wrongly/rightly.

I love the idea that Someone or some group thinks they are the only ones to be able to do something. And then you look at the net and all the Software that can DO the same thing, and its Free or cheaper.

ECA (profile) says:

Re: Re:

or create a secondary server to verify the connection tot he Correct person/company.. 1 that IF hacked, it would lead nowhere or into a honey pot.. Kinda simple really.

Never a direct connections to the Main, until verified.
Then monitor what is done by that person and PRINT IT OUT..
And if they Hang around for a long period, THE sysop should verify them AGAIN..

No reason Sony should loose 18 terabytes of data, because of HACKER.

Anonymous Coward says:

CIA's Hacking Unit

Far too many people have acquired their weapons and intelligence training from Hollywood, but the real world does not work that way.

Anyone with vetted access and doing active work with, let’s say non-standard software, is and has to be capable of walking out of the facility with that software. That’s the purpose of vetting, these are trusted people working with sensitive access content.

You can’t run best practice malware scanners on a system full of, and actively creating malware. You have to be able to extract the tools for testing on example target machines.

It’s not Hollywood, there are no body scanners or magic detectors. The normal work process must allow for developers to off load the tools for testing. At that point, it’s entirely possible for a vetted person to walk out with tools. In fact, many test procedures require walking out with tools in order to test them in a realistic environment.

It’s not a technical protection failure, it’s a personnel failure. By definition, authorized people are authorized and no amount of rules can account for that and still be functional.

Anonymous Anonymous Coward (profile) says:

Re: CIA's Hacking Unit

Are you trying to tell us that Hollywood epitomizes a better security regime than is actually in practice? If the want to test their new toys, I am sure they could get access to a separate IP address or VPN or proxy server from which to launch their test attacks.

It goes along the lines of that truism. If you want to keep something secret, tell one person, if you must. There is no second option.

If they actually wanted to keep the stuff in their possession, and their possession only, then they should not let it out of the building, at least until they use it, and that should be done under very controlled circumstances. At least as controlled as the best controlled networks allow these days.

Trusting people, you make me laugh.

Scary Devil Monastery (profile) says:

Re: Re: CIA's Hacking Unit

"Are you trying to tell us that Hollywood epitomizes a better security regime than is actually in practice?"

Well, he’s right. Some of it might be from Hollywood usually employing theoretical utopias of security backed in no small measure by what appears to be actual magic.

And although he’s a bit off when it comes to personnel being able to walk out while carrying advanced malware constructs on USB sticks his theory still applies. The people employed must at least be able to walk out of the building and an actual invasive body search is probably not required to get in or out for even the harshest secure sites.

Similarly just having access to upload or download data from a network which isn’t airgapped means the ability to upload the malware to a folder accessible from elsewhere does exist.

So in the end it all boils down to having to trust people which is why every candidate for intelligence employment is so carefully vetted for patriotic values and behaviors.

(Which backfired, of course, when Snowden saw what was being done and felt he was obligated to blow the whistle over the various forms of mass surveillance he felt was unconstitutional. They should have changed their vetting program to include "Do you actually give a shit about the nation and constitution?" and only hired those saying "hell no").

This comment has been deemed insightful by the community.
Celyxise (profile) says:

Re: CIA's Hacking Unit

There is a difference between a malicious authorized user and a complete lack of security.

There was no compartmentalization of tech exploits, no prevention of sharing of administration-level passwords, and no controls placed on use of removable media. There was also no monitoring of this network

There is no excuse for this level of apathy, especially for the CIA.

Uriel-238 (profile) says:

I'm pretty sure this is on brand for the US

Are there any government servers that are properly secured? I mean we pretty much assume Russia and China have access to the big NSA internet-traffic database in Utah because it’s that easy to hack.

As are your FBI files.

As are all our space program stuff.

Maybe the air force keeps Area 51 stuff off the servers, but then again maybe not.

None of this is news here on Techdirt.

That One Guy (profile) says:

Re: Almost correct

None of this is news here on Techdirt.

Which itself is part of the problem. ‘Government agencies involved in sensitive stuff display stunning lack of concern over security’ should be news, huge news, due to it’s rarity and the concern shown by all when discovered. As it is though it’s just another tuesday as those paying attention aren’t surprised in the least.

Scary Devil Monastery (profile) says:

For the argument against backdooring encryption, see vault 7

Considering that both the CIA and worse, the bloody NSA have proven highly fallible against persistent crackers…what does this tell us about Bill Barr’s persistence to have smartphone OEMs backdoor their encryption and hand government the magic key unlocking every phone?

I keep coming back to that. The Wcry trojan was bad enough but was, after all, "only" what criminals used the exploit and leaked malware for.

Once Barr gets his way and every smartphone in the US is suddenly wide open to China, Russia, North Korea, and every major organized crime ring in the G20, how does he think he’ll un-open that can of worms?

That One Guy (profile) says:

Re: 'Not like they're peeking into my device, I have encryption.'

Once Barr gets his way and every smartphone in the US is suddenly wide open to China, Russia, North Korea, and every major organized crime ring in the G20, how does he think he’ll un-open that can of worms?

What makes you think he would care? I imagine so long as he can snoop through devices on a whim he might throw out some empty ‘how dare those criminals break into american devices, no idea how that happened’ press releases but otherwise it would likely be seen as a price he’s willing to have the public pay.

Uriel-238 (profile) says:

Re: Not EVERY smartphone

US business have demonstrated that given the choice between actually doing business and staying competitive, and staying within the confines of the law, they’ll do the former.

Secure encryption for devices and computer systems is readily available, and will stay current through foreign markets and open source communities. They’ll be less convenient to use.

We also have steganography and multiple-account encryption, which means it’s possible to circumvent a courtroom command to unlock a device, and evidence you unlocked it wrong would be difficult to prove.

Most of the public won’t care until Chinese advertisers have hacked their phones into a portable barking adbox. But those who are determined to do business, for good or ill, will continue to do so. And those who have secrets to hide, whether perverse, anarchist or industrial, will turn to legitimate offerings already available.

Such perverts and anarchists will also become much more immensely useful to the rest of us.

Its Rogsed says:

re: FREE CHILD PORN!

Tim, the real exploit is the human being sitting at a computer screen. In agency jargon, they are an “asset,” which is both disposable, and actionable/actuated.

Hack that asset (Schulte, and his Libertarian stance) and you own one of the most glorious "potential” machines of all technology. “It” will do what you tell “it” to do, provided it can be compromised via undue processes of agency.

Manufactured terrorists? A windfall of security state advertising for products like Carbyne911 augmented by EVEN MORE, NEW IMPROVED! Palantir.

Stop making Schulte out to be a bad guy, because your CIA/Mossad/Squad 8200 handlers insist that he is wrecking their world wide child pornography compromise operations.

The leak was a good and neccessary thing, ESPECIALLY BECAUSE

“ the government (IS) having difficulty pressing its case”

What case? That CIA handles/frames its freethinkers as if they are perverts and con men because they are atheist/unbiased/irreligious/non-conformed?

Thats the real news buddy.

Uriel-238 (profile) says:

Re: FREE CHILD PORN! from the FBI

You inadvertently raise a valid point. The FBI keeps a database of every digital piece of child porn it encounters as part of its efforts to trace pictures to subjects and photographers. And it raises the question if that database is as securely locked away as all of our other government department assets.

Not that I think people should be consuming child porn (of real children) or those children should be subject to abuse, but the FBI’s betrayal of its own mission (across multiple campaigns) warrants embarrassment and scorn.

Agrogsvating says:

Re: Re: FREE CHILD PORN! from the FBI

Also, Uriel, why did you respond here at this post (which doesnt matter) rather than.here, where I specifically called you out, and asked for your response?

https://www.techdirt.com/articles/20200616/10401844725/minneapolis-city-council-votes-unanimously-to-disband-police-department.shtml?threaded=true#c1008

Yeah. I admit it: I started this “George Floyd” fire.

These other things are just sparks.

oops says:

Re: Re: FREE CHILD PORN! from the FBI

I forgot to address your contention:

re:if that database is as securely locked away as all of our other government department assets

Yeah, its locked away in Mormon Utah, (and secondarily, Israel) whose founding patriarchs are in the record AS pedophiles.

See how ”all roads lead to Rome/Israel/ Zion"?

Stop me when you start seeing “patterns”.

Seeing patterns in unrelated datsets indicates mental illness, lol.

Rogsasifitmatters says:

Uriel, you constantly surprise me with your analysis.

But few things that I do are "inadvertant.” Google “George Floyd and Gandhi Mahal” for one recent example of my calculated, time aware, “premeditation.”

re: the FBI’s betrayal

Yeah, that.

Over, and over again, as FBI heads, like James Comey and others work with zionist “security contractors" from Israel to distribute child porn (and my opinion is very clear: fewer kids die from weird contact with weird adults, than who die from depleted uranium, or US sponsored bomb droppings; or, the many sordid stories from CPS and the foster care/ Big Pharma industry beneficiaries, for that matter, the latter overseen by police and military affiliated pedophile whackjobs)

See what happens when you stack the Supreme Court with only Jews,and Catholics?

"Rome, again.”

Hey, look at us, stopping the bad guys from raping children! Whatever would you do without US!?

(Note to self: without them involved, no child actually gets raped, or exploited as a resource, because its they who hold that power, and they who begin that leveraging discussion in the first place.)

(Note to them, whoever "they” are: stop exploiting children as leverage against their parents choices to adhere/not adhere to your child-rape based society.)

Bartonizp (user link) says:

how to know if a chinese girl likes you

Find association Articles on Sooper Articles

steps to make A Social Club 6 Easy StepsBeginning your own social club can be loads of fun. You get to explore something you appreciate and meet people that share your enthusiasm. Running a club is additionally a test requiring a great deal of correspondence, organizing and exertion. Here you’ll be aware of about How To Start A Social Club. Some bonds grew stronger while withered with time. But that era gave us a reality check about marriages, americans around us, And now to delight in these bonds. below are a few great gift ideas for any friend who works too much. There a large number of friends at our school, College and in your childhood years life. But now you ask [url=https://www.bestbrides.net/how-to-survive-your-first-date-with-a-chinese-lady/%5Dchineseladydate%5B/url] who is your true friend. A true significant other is that who always be with us in your weakness or in your strength. When others try to hurt you on an emotional level. try to be loyal to each o your friend. True friends are always those similar to a Degree course in friendship. So always trust other people you know. Today we are with new ideas for gathering log distance birthdays. If you are ar away from your Brother and this is his birthday you must read this for the ways to celebrate his birthday. Enjoy motivational, useful and funny and famous friendship quotes on friends and friendship. This not only enhances the compatibility but also locks the people coupled with a similar lifestyle. It is the single thing where you can share your emotions and feelings with someone. This is the best time to surprise employees and clients with gifts to enhance every thing has become.
[—-]

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »