Report Says CIA's Hacking Unit -- Home To The Vault 7 Exploits -- Deployed Almost No Internal Security Measures

from the no-one-would-dare-cross-the-CIA...-would-they? dept

More details about the leak of CIA hacking tools are coming to light. And they're not making the CIA look any more deserving of its "Intelligence" middle name.

The "Vault 7" leak detailed the CIA's exploits -- ones targeting cellphones and a variety of smart devices. Encryption still works, but only on devices that remain uncompromised by exploits. Since they don't, encryption won't stop agencies like the CIA from intercepting communications or inserting themselves into private conversations.

The prosecution of the accused Vault 7 leaker has been a nightmare of its own, with the government having difficulty pressing its case even as it uncovers evidence the leaker continued to leak sensitive information after being incarcerated.

The latest report, by Ellen Nakashima and Shane Harris of the Washington Post, shows the CIA was far more interested in developing tech weapons than in ensuring its hoard of exploits remained in its possession.

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director.

[...]

The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were “woefully lax” within the special unit that designed and built the tools, the report said.

Information wants to be leaked, apparently. Maybe not innately, but when the culture says the best defense is a good offense, chances are sensitive tools and tech are going to go wandering off.

The CIA knows how exploitable pretty much everything is. That it deployed nearly no security measures to ensure its exploit stash remained on the premises is an indictment of every bureaucracy that thinks merely being a big government agency will deter people -- both on the inside and outside -- from screwing with it. According to this report, the CIA didn't even employ bush-league, mom-and-pop-store-level security measures. There was no compartmentalization of tech exploits, no prevention of sharing of administration-level passwords, and no controls placed on use of removable media. There was also no monitoring of this network, which has prevented the CIA from determining the size of the breach or enumerating what was actually taken.

This crucial job was outsourced, which apparently contributed to the problem. The job was too important to be left undone, but the CIA evidently didn't feel it was important enough to handle itself, so it gave it to someone else, resulting in this:

The computer network was maintained by contractors, the former official added. “There was a misunderstanding between the people who ran the unit and people who ran and maintained the network.”

Give an agency more money than oversight and it can perform any task poorly. Exploits are truly useful but they're only useful if they remain undisclosed and unpatched. Treating security cavalierly has paid off about as well as anyone outside the agency would have imagined. The tools were leaked. Only after that did anyone decide to check the latches on the Vault's doors. Proactive is better than reactive, as any intel operative should know. While this may be a great way to inadvertently comply with the Vulnerability Equities Process, it's no way to run an intel agency's tech black ops program.

Filed Under: cia, hacking tools, security, vault 7, vault7


Reader Comments



  • Anonymous Coward, 17 Jun 2020 @ 11:56am

    They had an Air Force psychologist with no cybersecurity experience in charge of cybersecurity. He's presently waterboarding the servers while CIA leadership calls and hangs up on the FBI over and over.


    • Anonymous Coward, 17 Jun 2020 @ 11:59am

      Re:

      We're getting reports that Dick Cheney is certain this method is working, while Donald Trump has weighed in to assert that there are "very fine comploo, clo, complooters, machines on both sides."


  • That Anonymous Coward (profile), 17 Jun 2020 @ 12:33pm

    When you are pretty sure you bought all of the exploits so no one should be able to break into our stuff.


  • ECA (profile), 17 Jun 2020 @ 1:08pm

    Bad concept.

    We created the best progs to get into anything, why secure our own systems, if it won't help.

    Designing security to defend against Ourselves, means someone will find a way to defeat our progs.

    Protecting our systems from our progs, means Someone will figure out how we did it and protect themselves.

    Since the USA has privacy laws, that we can't go against, WHO can we give these to? Who can sit outside the USA and do the things WE WANT TO DO.

    Age old problem. 1/2 hardware problem, and 1/2 software. Which is easiest to break into. Such as using a Flash drive to boot a system and NOT let the Hard drive boot. So that you can scan and fix a failure or Scan everything on that drive. Linux has been ahead on a lot of things because everyone can Improve the software and make things better and better, in steps, where MS thinks everyone is a bit stupid and can't tell the difference.

    Hardware can only do what it's programmed to do. And if you confuse it or use it Against the system the system has to Stop. If long ago, a certain little thing was added to the Hardware, it would not be easy to find. All it would take is an Exit from the programming on the chip that would LET an invading software Control what was to be done, rather than let the internal hardware do it. (a bit simplified) Instead of failing a Check on commands sent and Stopping processing, that it would Exit and give control to the software trying to be used. Shouldn't be too hard. Esp when Most CPUs now have integrated most of the Hardware controls. The Chips are almost fully 'All in one' devices. There are so many protocols embedded in them, that taking advantage of the confusion in the chip Can be fairly easy, as the chip has to figure out what you want, and decides Wrongly/rightly.

    I love the idea that Someone or some group thinks they are the only ones to be able to do something. And then you look at the net and all the Software that can DO the same thing, and it's Free or cheaper.


  • Norahc (profile), 17 Jun 2020 @ 2:07pm

    Damn...too bad they didn't have something like strong encryption to protect the data instead of relying on the CFAA to make it illegal to hack them.

    /sarcasm


    • ECA (profile), 17 Jun 2020 @ 8:21pm

      Re:

      Or create a secondary server to verify the connection to the Correct person/company.. 1 that IF hacked, it would lead nowhere or into a honey pot.. Kinda simple really.

      Never a direct connection to the Main, until verified.
      Then monitor what is done by that person and PRINT IT OUT..
      And if they Hang around for a long period, THE sysop should verify them AGAIN..

      No reason Sony should lose 18 terabytes of data, because of HACKER.


  • That One Guy (profile), 17 Jun 2020 @ 2:48pm

    'Are they attacking us? No? Then why would we care?'

    Potentially worse than arrogance is indifference, as I could easily see them not bothering with security simply because they don't care if the exploits are leaked/'borrowed', as it's unlikely that the exploits will be used against them.


  • Anonymous Coward, 17 Jun 2020 @ 4:26pm

    CIA's Hacking Unit

    Far too many people have acquired their weapons and intelligence training from Hollywood, but the real world does not work that way.

    Anyone with vetted access and doing active work with, let's say non-standard software, is and has to be capable of walking out of the facility with that software. That's the purpose of vetting, these are trusted people working with sensitive access content.

    You can't run best practice malware scanners on a system full of, and actively creating malware. You have to be able to extract the tools for testing on example target machines.

    It's not Hollywood, there are no body scanners or magic detectors. The normal work process must allow for developers to off load the tools for testing. At that point, it's entirely possible for a vetted person to walk out with tools. In fact, many test procedures require walking out with tools in order to test them in a realistic environment.

    It's not a technical protection failure, it's a personnel failure. By definition, authorized people are authorized and no amount of rules can account for that and still be functional.


    • Anonymous Anonymous Coward (profile), 17 Jun 2020 @ 5:03pm

      Re: CIA's Hacking Unit

      Are you trying to tell us that Hollywood epitomizes a better security regime than is actually in practice? If they want to test their new toys, I am sure they could get access to a separate IP address or VPN or proxy server from which to launch their test attacks.

      It goes along the lines of that truism. If you want to keep something secret, tell one person, if you must. There is no second option.

      If they actually wanted to keep the stuff in their possession, and their possession only, then they should not let it out of the building, at least until they use it, and that should be done under very controlled circumstances. At least as controlled as the best controlled networks allow these days.

      Trusting people, you make me laugh.


      • Scary Devil Monastery (profile), 18 Jun 2020 @ 4:30am

        Re: Re: CIA's Hacking Unit

        "Are you trying to tell us that Hollywood epitomizes a better security regime than is actually in practice?"

        Well, he's right. Some of it might be from Hollywood usually employing theoretical utopias of security backed in no small measure by what appears to be actual magic.

        And although he's a bit off when it comes to personnel being able to walk out while carrying advanced malware constructs on USB sticks his theory still applies. The people employed must at least be able to walk out of the building and an actual invasive body search is probably not required to get in or out for even the harshest secure sites.

        Similarly just having access to upload or download data from a network which isn't airgapped means the ability to upload the malware to a folder accessible from elsewhere does exist.

        So in the end it all boils down to having to trust people which is why every candidate for intelligence employment is so carefully vetted for patriotic values and behaviors.

        (Which backfired, of course, when Snowden saw what was being done and felt he was obligated to blow the whistle over the various forms of mass surveillance he felt were unconstitutional. They should have changed their vetting program to include "Do you actually give a shit about the nation and constitution?" and only hired those saying "hell no".)


      • Anonymous Coward, 18 Jun 2020 @ 3:22pm

        Re: Re: CIA's Hacking Unit

        I was trying to tell you that Hollywood is fictional and unrealistic, but your take away was Hollywood does it better?


    • Celyxise (profile), 17 Jun 2020 @ 5:19pm

      Re: CIA's Hacking Unit

      There is a difference between a malicious authorized user and a complete lack of security.

      There was no compartmentalization of tech exploits, no prevention of sharing of administration-level passwords, and no controls placed on use of removable media. There was also no monitoring of this network

      There is no excuse for this level of apathy, especially for the CIA.


  • Owen, 17 Jun 2020 @ 7:50pm

    Wasn't there one of those Russian GRU hackers who had poor infosec also? His password was something like his name and birthday? Seems like all the people who are supposed to know better don't actually use good security.
    Define irony.


  • Uriel-238 (profile), 17 Jun 2020 @ 9:47pm

    I'm pretty sure this is on brand for the US

    Are there any government servers that are properly secured? I mean we pretty much assume Russia and China have access to the big NSA internet-traffic database in Utah because it's that easy to hack.

    As are your FBI files.

    As are all our space program stuff.

    Maybe the air force keeps Area 51 stuff off the servers, but then again maybe not.

    None of this is news here on Techdirt.


    • That One Guy (profile), 17 Jun 2020 @ 10:34pm

      Almost correct

      None of this is news here on Techdirt.

      Which itself is part of the problem. 'Government agencies involved in sensitive stuff display stunning lack of concern over security' should be news, huge news, due to its rarity and the concern shown by all when discovered. As it is though it's just another Tuesday as those paying attention aren't surprised in the least.


  • Scary Devil Monastery (profile), 18 Jun 2020 @ 12:02am

    For the argument against backdooring encryption, see vault 7

    Considering that both the CIA and worse, the bloody NSA have proven highly fallible against persistent crackers...what does this tell us about Bill Barr's persistence to have smartphone OEMs backdoor their encryption and hand government the magic key unlocking every phone?

    I keep coming back to that. The Wcry trojan was bad enough but was, after all, "only" what criminals used the exploit and leaked malware for.

    Once Barr gets his way and every smartphone in the US is suddenly wide open to China, Russia, North Korea, and every major organized crime ring in the G20, how does he think he'll un-open that can of worms?


    • That One Guy (profile), 18 Jun 2020 @ 11:52am

      'Not like they're peeking into my device, I have encryption.'

      Once Barr gets his way and every smartphone in the US is suddenly wide open to China, Russia, North Korea, and every major organized crime ring in the G20, how does he think he'll un-open that can of worms?

      What makes you think he would care? I imagine so long as he can snoop through devices on a whim he might throw out some empty 'how dare those criminals break into american devices, no idea how that happened' press releases but otherwise it would likely be seen as a price he's willing to have the public pay.


    • Uriel-238 (profile), 18 Jun 2020 @ 12:22pm

      Not EVERY smartphone

      US businesses have demonstrated that given the choice between actually doing business and staying competitive, and staying within the confines of the law, they'll do the former.

      Secure encryption for devices and computer systems is readily available, and will stay current through foreign markets and open source communities. They'll be less convenient to use.

      We also have steganography and multiple-account encryption, which means it's possible to circumvent a courtroom command to unlock a device, and evidence you unlocked it wrong would be difficult to prove.

      Most of the public won't care until Chinese advertisers have hacked their phones into a portable barking adbox. But those who are determined to do business, for good or ill, will continue to do so. And those who have secrets to hide, whether perverse, anarchist or industrial, will turn to legitimate offerings already available.

      Such perverts and anarchists will also become much more immensely useful to the rest of us.


    • Its Rogsed, 21 Jun 2020 @ 10:15am

      Re: For the argument against backdooring encryption, see vault 7

      I, for one, am teaching the Chinese what a distraction your commentary actually is, and how to spot others like you.

      And, sending "them" whoever "they" are to your doorstep.


  • Bergman (profile), 18 Jun 2020 @ 5:10pm

    Well of course not. Nobody would DARE to hack the CIA!


  • Its Rogsed, 21 Jun 2020 @ 10:11am

    re: FREE CHILD PORN!

    Tim, the real exploit is the human being sitting at a computer screen. In agency jargon, they are an “asset,” which is both disposable, and actionable/actuated.

    Hack that asset (Schulte, and his Libertarian stance) and you own one of the most glorious "potential" machines of all technology. "It" will do what you tell "it" to do, provided it can be compromised via undue processes of agency.

    Manufactured terrorists? A windfall of security state advertising for products like Carbyne911 augmented by EVEN MORE, NEW IMPROVED! Palantir.

    Stop making Schulte out to be a bad guy, because your CIA/Mossad/Squad 8200 handlers insist that he is wrecking their world wide child pornography compromise operations.

    The leak was a good and necessary thing, ESPECIALLY BECAUSE

    “ the government (IS) having difficulty pressing its case”

    What case? That CIA handles/frames its freethinkers as if they are perverts and con men because they are atheist/unbiased/irreligious/non-conformed?

    That's the real news buddy.


    • Uriel-238 (profile), 21 Jun 2020 @ 11:41am

      FREE CHILD PORN! from the FBI

      You inadvertently raise a valid point. The FBI keeps a database of every digital piece of child porn it encounters as part of its efforts to trace pictures to subjects and photographers. And it raises the question if that database is as securely locked away as all of our other government department assets.

      Not that I think people should be consuming child porn (of real children) or those children should be subject to abuse, but the FBI's betrayal of its own mission (across multiple campaigns) warrants embarrassment and scorn.


  • Rogsasifitmatters, 23 Jun 2020 @ 12:48pm

    Uriel, you constantly surprise me with your analysis.

    But few things that I do are "inadvertent." Google "George Floyd and Gandhi Mahal" for one recent example of my calculated, time aware, "premeditation."

    re: the FBI's betrayal

    Yeah, that.

    Over, and over again, as FBI heads, like James Comey and others work with zionist "security contractors" from Israel to distribute child porn (and my opinion is very clear: fewer kids die from weird contact with weird adults, than who die from depleted uranium, or US sponsored bomb droppings; or, the many sordid stories from CPS and the foster care/ Big Pharma industry beneficiaries, for that matter, the latter overseen by police and military affiliated pedophile whackjobs)

    See what happens when you stack the Supreme Court with only Jews, and Catholics?

    "Rome, again."

    Hey, look at us, stopping the bad guys from raping children! Whatever would you do without US!?

    (Note to self: without them involved, no child actually gets raped, or exploited as a resource, because it's they who hold that power, and they who begin that leveraging discussion in the first place.)

    (Note to them, whoever "they" are: stop exploiting children as leverage against their parents' choices to adhere/not adhere to your child-rape based society.)

