CIA hacking unit failed to protect its systems, allowing Vault 7 disclosure (washingtonpost.com)
Hacker competitions mirror this. Red teams are allowed to bring in any exploits and do just about anything (as criminals would be expected to do), while the blue team is stifled by bureaucracy and not allowed to bring in anything.
This also contributes to perverse incentives (like the red/blue teams), where the CIO frequently gets their way and is more likely to get budget, while CISOs take all the blame when their budget increase requests get declined and IT is tasked with keeping unpatched systems up and stable rather than patching systems quickly. Obviously, the best orgs find a way to get both done, but resources are always scarce for the rest of us.
Even in the consumer industry: anyone remember all those very silly people who installed BackTrack 2 (precursor to Kali, based on Slackware, not Debian) to their main drive and then went to DEF CON and got rekt because their OS was insecure (and couldn't be updated!)?
Exploit development is a glass cannon: remove all friction to modify the system and craft packets, invoke monitoring modes for hardware and frictionless tracing... that's going to have a security cost.
This echoes a wider issue in the industry, the "Development" vs. "Sysadmin" mindsets, where sysadmins are stifling and developers are all about removing barriers to progress faster and iterate more.
Anyway I can give you the skinny of the situation:
1) BackTrack 2 did not have an installer; it was a live CD. But that doesn't stop you installing it by just copying the live environment to a disk (with some mount-binding and a grub install, you're all good!). There were guides for doing this, although they all had large warnings, and the BackTrack maintainers cautioned heavily against doing it.
2) Because it was a live CD there was no package update mechanism; it was not based on Debian at the time, so there was no apt or anything similar, and even if there had been, there were no repositories. BackTrack was a "tool", not really a distro.
3) sshd is one of the services that gets started on system boot for BackTrack 2.
4) Someone at DEF CON unveiled an sshd exploit, a pretty nasty one. They had disclosed responsibly and everyone had been patched for at least 6 months, except the people who went against recommendations and installed BackTrack 2. They all got rooted.
Bonus: everyone who ran BackTrack 2, without exception, ran it as the root user, as that was the default, and they had patched software that normally complains about such things to not complain. xD
Yes, but your "local system" that receives traffic or whatever doesn't need to be the one having access to all your data…
How well protected do you think cyber-weapons designed to surveil countries, disable infrastructure, and destabilize governments should be? How capable and well-funded should the attacker need to be before gaining access to cyber-weapons designed to kill economies and people? $1B, $10B? A team of 1,000, 10,000?
Does anyone know of any system or organization in existence that would even be willing to claim they can stop a team of 1000 dedicated hackers working full-time for 10 years funded with $1B let alone put it in writing? What is the highest you have heard? Is it even in the general ballpark?
It is absurd to assume that the failure to solve the problem is just a lack of prioritization if no one even claims to be able to solve it and it is meaningless to propose that they should adopt policies that do not even claim to be able to protect against the actual threat model let alone have evidence of such protection. They either need to find someone who will make the extraordinary claim that they can provide an actual defense and have the extraordinary evidence to back up that extraordinary claim or they MUST NOT deploy such systems since they can not be protected.
I guess it's safe to say that even with $1M of funding and a small team of dedicated security researchers, coupled with the right people for social engineering, you can break into any network. Everyone can be fooled and humans are always the weakest spot. Especially now, when information about everyone is publicly available on social networks, so you can gather all the information you need remotely.
And when it comes to hacking into the networks of a company with no dedicated budget for cybersecurity, the cost of attack would be one or two orders of magnitude lower. Some self-organized groups of hobbyists prove you can even do it with no funding at all.
To misquote Dr. Strangelove, "ze whole point of ze secret hack is lost if you don't keep it a secret." https://youtu.be/2yfXgu37iyI?t=205
Oh, maybe they have a firewall built on a Raspberry Pi somebody ordered online.
Seriously, WTF? This is as insecure as having contract sysadmins with root privilege spread all over the globe.
And when will these state actors with unlimited funding figure out that NOBODY can keep secrets forever, not even them?
So does anything in this vault possibly call certain recent allegations of Russian interference into question?
Remember folks: there are disinformation campaigns on HN too.
Maybe they're right, but it's a little suspicious, no?
Even if it was a "hey, could you look at this and tell us what you think" with no obligation to address issues, it is undesirable to establish a precedent.
They do use standards and recommendations from NSA/OMB for enterprise systems. But even the US Courts went that route, just with a lot of renaming of things so it can't be seen as being subservient to the Executive branch. There are some good frameworks and standards that you shouldn't waste time re-implementing.
Half of the NSA's mission is to build/design secure communication systems for the US government and military.
The NSA does some seriously insane stuff, but I don’t think even they take themselves as seriously as the CIA does.
No logs, no congressional investigation.
These are smart well-resourced people. They don't do things like this for no reason.
That's insane that they could leave so much data available to be stolen.
No government will push to improve door locks unless that government isn't the most capable of defeating those locks. It's a cost/benefit function.
Right now, improving software security is a net loss for the US. So it won't happen when the US is controlling the computer and software industry.
So I'm not surprised to see even the best experts being beaten so easily.
Once deployed your self-produced tools which have very little security protection themselves can be pilfered. Bonus points for tapping into the software deployment platform and downloading everything.
This is why I've been so concerned about cybersecurity and cyberwarfare. I do not see gross competence here and most of the people I respect that write about this type of thing are sounding the alarm. Click Here to Kill Everybody or Matt Tait (@pwnallthethings on Twitter) ending an Infiltrate conference talk with a nuclear bomb as the final image.
Put another way: perhaps it's not an accident? And perhaps some of what was leaked was a decoy?
Yes, keeping secrets is difficult. All the more reason to take advantage of that.
Like leaving data on their secret assets available to Google searches, leading to hundreds of deaths? And firing the employee who warned them of the problem seven years before it was exploited?
Or even the news story of how their old boss(!) John Brennan had his AOL(!) email account(!) cracked(!) by a teenager(!) guessing his password(!). The teenager exfiltrated something sensitive, a job application I believe, and was prosecuted for it. Meanwhile, the former Director of Central Intelligence gets to keep his reputation.
Source: lived around DC when it happened, had contractor friends complaining out loud about it
Also, I'm sure those members of "the hacking team" weren't allowed to discuss their work with their family/friends, so it's not terribly unrealistic to expect them to use even just basic security hygiene (e.g. don't share admin passwords).
Your implication that this was due to lack of proper security hygiene is unfounded. Security hygiene reduces risk; it does not eliminate it. Risk is proportional to threat and attack surface. For an org like the CIA, they have a not-so-small attack surface and the whole world as their threat, so reduction in risk by means of common security controls and hygiene will not reduce risk from the most persistent and resourceful attackers. An analogy to your reasoning would be "Google has an army of devs and security pros, so Chrome should never have a remote code execution vuln". No: as much as they may have money and talent, modern software is too complex for those resources to eliminate all bugs. Perspective is important.
Same idea in reverse with the CIA -- maybe someone in the CIA is a bad actor and now knows the secret 0-days the NSA is using -- because they're busy locking them down -- and those get leaked.
Just one source: https://www.intelligence.senate.gov/sites/default/files/docu...
Sorry, but "high degree of confidence" is not proof, especially not from the organization that told us Iraq had WMDs with high degrees of confidence.
Additionally, at no point in time did they have access to the hardware.
Are you forgetting that this is the same collection of people responsible for being unable to secure their own hacking tools?
It's unfortunate that the political climate in the US is on such a knife's edge right now that basically no one trusts anyone and everyone is running with their own databases of the facts of the world.
I understand the US government is itself very largely to blame for this deep distrust, but posts like yours make me worried for the next few decades. This isn't a criticism of you at all, but just general concern that things are kind of coming apart at the seams societally. I really hope the "two movies on one screen" phenomenon doesn't escalate to the point that the screen shatters into a billion pieces.
https://www.csoonline.com/article/2462478/hacker-hunts-and-p...
Yeah, I don't think this happened. Nobody has publicly exploited an OpenSSH sshd RCE for ages.
This was like 2007-8.
When intelligence agencies share clear evidence a dictator gassed his own civilian population, no one cares or trolls ask for more evidence.
Funnily enough, there's no clear evidence of this. According to OPCW leaked documents there's a higher probability the gas was manually placed at the site. [1] Which of course, calls into question the Syrian government's involvement, especially given earlier intelligence showing ISIS had possession of such chemical weapons.
[1] https://www.independent.co.uk/voices/douma-syria-opcw-chemic...
> Your implication that this was due to lack of proper security hygiene is unfounded. Security hygiene reduces risk; it does not eliminate it.
Nope. No security professional will admit that anything ever eliminates risk, so that's a strawman fallacy.
The point is that sharing admin passwords is a blatant violation of cybersecurity hygiene which every employee of the CIA is capable of understanding and avoiding. If the org can't enforce even just the basic stuff, there's not much hope of raising standards above that.
> from the most persistent and resourceful attackers.
Here's a secret that everyone already knows: the most persistent and resourceful attackers will always get in given enough time.
https://finance.yahoo.com/news/cias-communications-suffered-...
Clear evidence you can't fake: a rush of hundreds of people (including children) to the different hospitals near the Khan Sheikhoun site while all showing the same respiratory and neurological symptoms. How can one fool so many doctors?
Here's a breakdown of the exact, and single email/document used to "discredit" all chemical attacks perpetrated by Al-Assad on his population https://www.bellingcat.com/news/2019/11/25/emails-and-readin...
Also, Assad was by all accounts winning the war and pushing back on all fronts at the time. Do you think he's such a lunatic and so strategically bankrupt that he'd launch a chemical attack on his own people while he's winning? Or is it more likely that ISIS launched a false flag attack using chemical weapons that we know they have in order to get the West to do their bidding against Assad?
The Syrian war is a mess, and there are no good guys. The US-backed rebels commit war crimes and behead children, for example.
The source of leaked documents really doesn't concern me as long as they are authentic. For argument's sake, if Snowden was a Kremlin double agent I wouldn't care because he revealed genuine government wrongdoing.
Attacking the source generally isn't a valid argument, especially given the authenticity of the information.
Here are more details and evidence if you are sincere and want to dig deeper: https://www.intelligence.senate.gov/sites/default/files/docu...
It's a pretty simple question, and that's what it boils down to.
Moreover, the outcomes are different for both teams:
- RedTeam success => they are seen as "real" hackers/heros and the BlueTeam are the poor incompetent
- RedTeam fail => the BlueTeam did "only" its job, the investments in cybersec for the company paid off... so the budget for the cybersec can be reduced.
So, for RedTeam, it's either a win or a tie. And for BlueTeam it's either a tie or a loss...
If the BlueTeam could fight back, maybe this could change...
On the other side the attackers have the more exciting job and only need one success which they can achieve by using whatever means they see fit.
You'll see this outside of IT just as well, like in sports. Goalkeepers (defenders) vs. strikers come to mind but at least there they all operate within the same set of rules.
- RT is the terrorist
- BT is the anti-terrorist
The RT has to "plant" an exploit. The BT can either block/track the RT or "defuse" (find/disable) the exploit.
The "maps" would be the kind of system:
- an AD behind a firewall
- a web server with data to extract from a backend DB
- and so on...
The sponsors could sell either the skills of their pen-testers for hire, or their solution to secure a system, so it might be a good marketing campaign for the winner...
That's not to say there aren't cowboy CxOs recklessly ignoring reality, but accepting risks is part of the job. The real answer generally lies somewhere in the middle of the two extremes.
This is the root of so many problems for technical teams in ostensibly non-technical businesses. More developers and engineers really need to embrace the reality that your work doesn't always speak for itself - sometimes you have to speak convincingly on its behalf.
I can imagine the average corp board member underestimating the risk accumulated by consistently ignoring CISO request for more cybersecurity investments, but the insurance industry is used to dealing with the low-frequency, high-impact payouts.
Do you think it was mis-communication, ignorance, greed, hubris, or something else?
If an insurance company is unable to price its own internal IA risks, either at all or at a non-zero value, I'm discouraged from hoping for a market solution to the problem that, as the truism states, "offense is easy, defense is impossible." I think the intelligence services and LE have also done a bad job, as evidenced by the hoarding, instead of reporting or fixing, of vulnerabilities.
Schneier has lately argued that regulation is necessary. The idea of GDPR for infosec is unappetizing, but I have trouble thinking of any other solution that hasn't already failed.
Basically, insurance only works when the insured has faith that the insurer will pay and that both parties understand the boundaries of the contract. One of the lawsuits involves the effects of WannaCry, which the insurer claims was a state-sponsored attack. "Acts of War" is one of those common exclusions to insurance policies, so the insurer has an incentive to always claim cyber attacks are nation-state sponsored if the insurer wins that case.
The other case I think is about the difference between a general corporate insurance policy which has some coverage related to fraud and the insurer who claims the insured should have purchased a standalone cyber insurance policy. I think that case partially revolves around "when fraud happens on a computer network, is that a 'hack' or is it traditional fraud?"
Moral of the story is determine how it impacts your career goals and choose.