
Multiple “CIA failures” led to theft of agency’s top-secret hacking tools

Dan Goodin

Vault 7, the worst data theft in CIA history, could have been avoided, report finds.

In early 2017, WikiLeaks began publishing details of top-secret CIA hacking tools that researchers soon confirmed were part of a large tranche of confidential documents stolen from one of the agency’s isolated, high-security networks. The leak—comprising as much as 34 terabytes of information and representing the CIA’s biggest data loss in history—was the result of “woefully lax” practices, according to portions of a report that were published on Tuesday.

Vault 7, as WikiLeaks named its leak series, exposed a trove of the CIA’s most closely guarded secrets. They included a simple command line that agency officers used to hack network switches from Cisco and attacks that compromised Macs, in one case using a tool called Sonic Screwdriver, which exploited vulnerabilities in the extensible firmware interface that Apple used to boot devices. The data allowed researchers from security firm Symantec to definitively tie the CIA to a hacking group they had been tracking since 2011.

Proliferation over security

Agency officials soon convened the WikiLeaks Task Force to investigate the practices that led to the massive data loss. Seven months after the first Vault 7 dispatch, the task force issued a report that assessed the extent and the cause of the damage. Chief among the findings was a culture within the CIA hacking arm known as the CCI—short for the Center for Cyber Intelligence—that prioritized the proliferation of its cyber capabilities over keeping them secure and containing the damage if they were to fall into the wrong hands.

“Day-to-day security practices had become woefully lax,” a portion of the report made public on Monday concluded. For instance, a specialized “mission” network reserved for sharing cyber capabilities with other agency hackers failed to follow basic practices, followed on the main network, that were designed to identify and mitigate data theft from malicious insiders.

“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report continued. “Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

The task force said that the design lapse of the mission system was just one of “multiple ongoing CIA failures” that led to the leak. Other errors included:

  • Not empowering “any single officer with the ability to ensure that all Agency information systems are built secure and remain so throughout their life cycle”
  • Not ensuring “that our ability to secure our information systems against emerging threats kept pace with the growth of such systems across the Agency”
  • “A failure to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security”

Not just the CIA

The redacted report was included in a letter US Sen. Ron Wyden (D-Ore.) sent on Tuesday to John Ratcliffe, the director of National Intelligence.

“The lax cybersecurity practices documented in the CIA’s WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community,” Wyden wrote. He went on to ask Ratcliffe why the US authorities aren’t mandating security measures such as two-factor authentication and DMARC email validation for US-operated networks.

In mid-2018, federal authorities identified a former CIA employee as the suspect who leaked the Vault 7 data. Joshua Adam Schulte was later indicted.

After Schulte pleaded not guilty, portions of the WikiLeaks Task Force report played a role in his trial, as defense attorneys argued that CIA security practices were lax enough that many officers could have leaked the confidential information. Earlier this year, the jury hearing Schulte’s criminal trial was unable to reach a verdict on the most serious charges, The Washington Post reported.

The report said that, in the spring of 2016, the CIA employee behind the Vault 7 leaks stole at least 180 gigabytes of information. The task force said it was possible that the employee may have taken as much as 34 terabytes of data, a staggering amount that’s roughly the equivalent of a 2.2 billion-page document. The stolen data includes everything from the CIA collaboration and communication platform known as Confluence and from a source code repository known as Stash.

If there’s a silver lining in the report, it’s this: the task force assessed with moderate confidence that WikiLeaks never obtained final versions of hacking tools and source code that were housed in the so-called Gold folder.

“The Gold folder was better protected,” the report said. “WikiLeaks so far has released data in Stash despite the availability of newer, easier to exploit versions of tools in Gold.”

Publication date: June 2020
