CIA's 'woefully lax' security allowed the 'Vault 7' data breach

A new report into how WikiLeaks revealed the CIA's tools for hacking Macs slams the security agency's "unacceptable" lack of security over its own systems.

The CIA's "woefully lax" security reportedly allowed the data breach to occur


Following the huge 2017 "Vault 7" leak of classified data from the CIA, a government investigation has reported that the breach happened because "day to day security practices had become woefully lax."

A redacted version of "WikiLeaks Task Force: Final Report" has been released by Senator Ron Wyden as part of a letter he has written to the Director of National Intelligence. Wyden calls for "unclassified answers" to questions raised by the report, as well as how the agency plans to act on its multiple recommendations.

"Vault 7" is the name that WikiLeaks gave to its whole collection of data from the CIA's Center for Cyber Intelligence (CCI). It included details of workable ways of exploiting older versions of macOS, as well as source code, and communications. "All of the documents reveal, to varying degrees, CIA's tradecraft in cyber operations," says the report.

One example of the Mac-hacking tools used by the CIA and revealed by WikiLeaks is a system called "Achilles." This 2011 system was developed for use against Snow Leopard Macs, and while there is no information about its successful use, it would have required users to install a doctored application.

Details of this and other Mac exploits were previously reported to have come from ex-CIA employee Adam Schulte, who provided WikiLeaks with the data. The report does not mention his name in any of its non-redacted text, but Schulte is reportedly still under investigation.

The report confirms that between 180GB and 34 terabytes of information were leaked, but the investigators still can't be more precise because of inadequate security on the systems involved. It notes that it's only because WikiLeaks published the data that the CIA knew it had been stolen.

"Because the stolen data resided on a mission system that lacked user activity monitoring and a robust server audit capability, we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017," says the report.

"Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss-- as would be true for the vast majority of data on Agency mission systems," it continues.

The report notes that the "mission system" involved did comply with all of the Agency's security requirements at the time. "However, in a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems," it says.

Extract from the start of the heavily-redacted report


"Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely," it continues. "These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security."

The longest redacted section of this intelligence briefing report includes recommendations for what the agency should do to address its "multiple ongoing CIA failures." It warns that "we are making educated assumptions about the scope and timing of the loss, in part because we lacked effective monitoring and auditing of this mission system."

But it also notes that the investigators have "moderate confidence" that the most confidential CIA information remains secure.

"Data in Confluence, a collaboration and communication platform, and some data in Stash, a source code repository, have been released by WikiLeaks; we assess WikiLeaks possesses all of the Confluence and Stash data. However, we now assess with moderate confidence that WikiLeaks does not possess the Gold folder of final versions of all developed tools and source code that resided on the Development Network (DevLAN), even though WikiLeaks claims it has released only a small slice of the archive it possesses. The Gold folder was better protected; WikiLeaks so far has released data in Stash despite the availability of newer, easier to exploit versions of tools in Gold; and Gold's size, several terabytes, made it harder to export."

Comments

  • Reply 1 of 8
    cjcoops Posts: 112 member
    Good grief....

    “The report confirms that between 180GB and 34 terabytes of information were leaked, but the investigators still can't be more precise because of inadequate security on the systems involved”.

    Laugh in despair or cry?
  • Reply 2 of 8
    razorpit Posts: 1,796 member
    Don’t worry though. They’ll do a much better job of controlling those back door keys.
  • Reply 3 of 8
    rob53 Posts: 3,308 member
    The talk of defunding or at a minimum totally restructuring the police departments is only the beginning of a total restructuring of all governmental institutions. The CIA, NSA, FBI and the secret organizations only a few people know about (not me) have little control over what they do and how much tax money they are given. I have little trust in Congressional oversight because there isn't any. If I was employed by a company that allowed this much data to be misplaced, stolen, or lost I would have already been fired. In the case of the CIA, I would have been put in jail as well (I did work for the government and this kind of incompetence/negligence might have been seen as enough to remove my clearance and include imprisonment depending on what level of data was lost). It's time for a change. Does the US really need to waste so much money on the types of things they do?
  • Reply 4 of 8
    lkrupp Posts: 10,557 member
    rob53 said:
    The talk of defunding or at a minimum totally restructuring the police departments is only the beginning of a total restructuring of all governmental institutions. The CIA, NSA, FBI and the secret organizations only a few people know about (not me) have little control over what they do and how much tax money they are given. I have little trust in Congressional oversight because there isn't any. If I was employed by a company that allowed this much data to be misplaced, stolen, or lost I would have already been fired. In the case of the CIA, I would have been put in jail as well (I did work for the government and this kind of incompetence/negligence might have been seen as enough to remove my clearance and include imprisonment depending on what level of data was lost). It's time for a change. Does the US really need to waste so much money on the types of things they do?
    So you have a problem with the way the world has worked since Ogg invented smoke signals in 10,000BC? Idealism always leads to disappointment and despair.
  • Reply 5 of 8
    SpamSandwich Posts: 33,407 member
    And this is why no one but you should ever be entrusted with your most valuable data.
  • Reply 6 of 8
    razorpit Posts: 1,796 member
    You are trying to relate issues here that aren’t the same.
    rob53 said:
    The talk of defunding or at a minimum totally restructuring the police departments is only the beginning of a total restructuring of all governmental institutions.
    This has nothing to do with the story. Defunding the police is a completely different sinister topic.
    rob53 said:
    The CIA, NSA, FBI and the secret organizations only a few people know about (not me) have little control over what they do and how much tax money they are given. I have little trust in Congressional oversight because there isn't any. If I was employed by a company that allowed this much data to be misplaced, stolen, or lost I would have already been fired. In the case of the CIA, I would have been put in jail as well (I did work for the government and this kind of incompetence/negligence might have been seen as enough to remove my clearance and include imprisonment depending on what level of data was lost). It's time for a change.
    Agreed. Congress needs to go back to the principles of serving the union and not each other. Take a look at who our representatives are now. It’s no wonder we are in the situation we are in regarding congressional oversight. People need to start going to jail for stuff like this but no one ever does, and those same representatives get reelected cycle after cycle. We don’t need term limits, we need educated voters.
    rob53 said:
    Does the US really need to waste so much money on the types of things they do?
    The waste would be eliminated if the penalties were applied to those who broke the law or were incapable of performing the duties required.
  • Reply 7 of 8
    blastdoor Posts: 3,579 member
    "And you want to be my latex salesman..."




  • Reply 8 of 8
    chasm Posts: 3,597 member
    Not going to go into the "defund the police" waters except to say that it's shorthand for a range of proposals that go from quite moderate to overly severe, and it's just that nobody came up with a good short phrase because it's complex and Americans don't really read. If you're interested, there's plenty of fuller explanations out there.

    As for the actual article, I'd just like to express my gratitude to the CIA (and NSA and FBI) for continually re-proving why E2E encryption is such an important thing. Yes, some people will abuse encryption for ill purposes, yes. Just as people do end-runs around all other systems of law enforcement, morality, ethics, common sense, and any other rules, laws, or methods humans have ever devised. And yes there is a cost to that abuse, just as there is a cost to the abuse of (for example) easy gun purchasing in the US. As a society, we are constantly accepting the "price" of some of our freedoms. Everything's a bit of a trade-off, and TANSTAAFL.

    In addition to no free lunch, there's no such thing as perfect security, and there's no such thing as a "magic backdoor" that only the "good guys" (which of course is itself a biased perspective) can access. Those who attempt to sincerely argue otherwise just mark themselves out as inept and technologically illiterate fools. As Tim has said, there's either encryption or there's no encryption. As this story goes to show yet again, those in government who argue for encryption "for me but not for thee" are in fact inviting disaster upon themselves.