The CIA promised to investigate the leak and theft of cyberweapons, while WikiLeaks' founder, Julian Assange, said his outlet would help to "disarm" the CIA hacking tools that WikiLeaks released.
The CIA refused to comment on the authenticity of the Vault 7 documents released by WikiLeaks.
"CIA's mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries. It is CIA's job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad. America deserves nothing less," the CIA wrote in its statement. "The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community's ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize U.S. personnel and operations, but also equip our adversaries with tools and information to do us harm."
As part of the statement, the CIA flatly denied "conducting electronic surveillance targeting individuals here at home, including our fellow Americans," saying the agency does not do that and cannot do that because of oversight and laws prohibiting such activity.
Assange admitted during a press conference held on Facebook Live that there was no direct evidence found in Vault 7 proving the CIA had hacked anyone in the U.S. But Assange noted the CIA used the American consulate in Frankfurt, Germany, as a "base" for cyberattacks carried out in Europe, Africa, the Middle East and China.
Vishal Gupta, CEO of Seclore, based in Sunnyvale, Calif., said the CIA statement could "be taken as confirmation from the CIA that the leaked documents are legitimate." Gupta added, "If the CIA had any doubts about the authenticity of the WikiLeaks release, I believe they would be very vocal and direct about that."
Brian Vecci, technical evangelist at Varonis, based in New York, agreed with this reading of the statement.
"It's telling that the CIA has not flatly denied that this was leaked by an insider or pointed to an external attacker as the source," Vecci told SearchSecurity. "The leaked data and the method in which it was leaked suggests that this was done by someone who likely already had access to the information, whether that access was still needed or not."
Tim Prendergast, CEO of Evident.io in Pleasanton, Calif., said he had "no doubts the leaked data is real," and it is "likely only a fraction of what assets the governments of the world have."
"The CIA is one of many agencies in the world -- across world governments -- that have this kind of technology. The need for cyber advantages is real, and every country on the planet is investing in this kind of stockpiling," Prendergast told SearchSecurity. "This may be the trove that was leaked [most] recently, but many others have been purposefully or maliciously leaked in smaller portions over the past decade. Anticipating anything less than their existence, use and availability makes us naive as a population of this technology-forward planet."
Assange berated the CIA for not protecting its own cyberweapons, saying it had "lost control" of its arsenal and would not know or be able to prevent malicious insiders from using the CIA hacking tools themselves. He said the report that the CIA knew about the leak raises the specter of who knew about it. "[It] brings into question the entire concept of cyberwarfare, because it is our analysis, and stated also by many other experts, that it is impossible to keep effective control of cyberweapons. ... If you build them, eventually, you will lose them," Assange said. "They are just information. There's no barrier for them spreading across the world."
Vecci agreed and said the real issue "isn't whether [the CIA] should be developing tools to spy, it's why weren't they spying on their own data?"
"Having a clear and updated understanding of who could have accessed this data is critical, as is making sure that people who don't need to see it can't. The risk of unauthorized disclosure is significant, as the CIA says. And that means that critical data like this also needs to be monitored," Vecci said. "You can't catch what you can't see; if the CIA wasn't able to see how this data was being used and by who, and [it] wasn't alerted that the data was being accessed in abnormal ways, then that's a problem."
While Gupta said "No one should be blaming the CIA for not disclosing these vulnerabilities," he agreed the CIA hacking tools should have been guarded better.
"No one should be surprised that one of the most advanced intelligence agencies in the world is stockpiling the means to carry out investigations in the digital age -- that's their job," Gupta said. "However, the CIA must be able to guarantee that incidents such as this one don't continue to occur. The CIA having access to sophisticated hacking techniques is one thing, but that information being accessible to anyone with an internet connection poses a huge risk to everyone's security."
WikiLeaks disclosure of CIA hacking tools
Experts had criticized both WikiLeaks and the CIA for not disclosing the Vault 7 vulnerabilities. But during the press conference, Assange said it was "fairly obvious" why WikiLeaks released the documents instead of the code.
"[WikiLeaks did this] because we don't want journalists and people of the world and our sources being hacked using these weapons. But the problem is with limited information about the details of how those cyberweapons operate. There is a limited ability to try and produce security fixes for [the affected devices], because the exact technical details are not known."
However, Assange promised that WikiLeaks would work with affected vendors to make sure vulnerabilities targeted by the CIA hacking tools would be patched.
"After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them, to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out so people can be secured," Assange said.
But some experts, including Matthew Green, a computer science professor at Johns Hopkins University, said Assange may be overstating the ability of WikiLeaks and affected vendors to ensure patches.
Assange is personally going to see those Android 4.x phones get patched. https://t.co/dqL6XoXDlW -- Matthew Green (@matthew_d_green) March 9, 2017
Vecci said although many of the vulnerabilities affected by the CIA hacking tools have already been patched, it "doesn't mean that all the affected systems in the wild have also been updated."
"In fact, it's practically impossible to say whether they have been or ever will be. There will always be vulnerabilities and tools that exploit them," Vecci said. "If WikiLeaks does make additional information available to hardware and software vendors that helps them patch previously unknown exploits, that's a good thing, but it doesn't mean that all systems will be safe."
Willis McDonald, senior threat manager at Core Security in Roswell, Ga., said responsibly disclosing the issues is the right move, but there may be a limit to what patching can accomplish in this case.
"I doubt WikiLeaks will hold on to the tools long enough for vendors to patch their systems. Sometimes, these vulnerabilities can take months or years to patch, depending on the vendor. I don't see WikiLeaks waiting years to release something this sensational," McDonald told SearchSecurity. "I don't expect that many of these vulnerabilities will be fully patched. Between end-of-life products, disinterested vendors and poor patching procedures by individuals and organizations, you are still going to have a large population of vulnerable systems to exploit."
Apple, Google and Avira all released statements saying many of the vulnerabilities targeted by CIA hacking tools have already been patched. Assange also claimed WikiLeaks was working to "disarm" the CIA hacking tools of critical components, and it would release the defanged cyberweapons after patching by vendors had been done.
McDonald thought Assange might not be able to deliver on this promise.
"WikiLeaks has not performed simple redaction properly," McDonald said. "I'm not sure WikiLeaks can be trusted to 'disarm' the tools -- unless they plan on removing exploit libraries, or they expect that by disclosing the vulnerabilities to vendors, they will be essentially disarming them."
Vecci was also unsure if WikiLeaks could follow through.
"Time will tell. However, WikiLeaks is not an organization which has a stated goal of improving data security. WikiLeaks can serve as a resource, but I wouldn't rely on it as a solution to data security," Vecci said. "These tools leverage vulnerabilities in systems, and it's unlikely that a tool could be disarmed if the underlying exploits are not fixed."