Tag Archives: Wikileaks

Security News for the Week Ending August 21, 2020

August 13th, a Day That Will Live in Confusion

August 13th is the day that Part B of Section 889 of the 2019 National Defense Authorization Act went into effect. It bans the use of equipment and services tied to certain Chinese companies that have been deemed security threats by the United States. Companies that have this equipment won’t be able to sell to the federal government without a waiver. Contractors have 24 hours to report if they discover, after August 13th, that they are breaking the law. But contractors are allowed to self certify. While the ban went into effect on August 13th, the GSA training session for contractors has been delayed until mid-September – because they weren’t ready to coherently explain the rules. Ellen Lord, chief of the Pentagon’s acquisition branch asks contractors to take notes on how this is screwing up their business so that, maybe, they can get Congress to change the law. By the way, this is not a contract flow down clause, so primes are responsible for what their subs do, I guess. Sorry contractors. Credit: Federal Computer Weekly

Senators Say WikiLeaks Likely Knew He Was Helping Russia

The US Senate Select Committee on Intelligence says, in a report, that Vladimir Putin personally ordered the hacking of the DNC and WikiLeaks likely knew that it was helping Russia. The Senate report says WikiLeaks received internal DNC memos FROM Russian hackers. Senators wrote that Trump’s campaign staff sought advance notice of WikiLeaks releases. Paul Manafort is named as the person who was the link between the campaign and Russia. It seems odd that this Republican controlled committee would release this report days before the Republican National Convention’s nomination of Trump for President. Credit: The Register

Hide Your Breach – Go to Jail

The Feds have charged Uber’s Chief Security Officer with hiding information about the breaches they had in 2014 and 2016 and about payments they made to the hackers to keep the breach quiet. He is being charged with obstruction of justice and misprision of a felony (i.e. hiding it). He faces up to 8 years in prison if convicted. Credit: DoJ

Ever Wonder What Happens to All That Location Data that Apps Collect?

Well, the answer to that is, it depends. This week we found out one thing that happens to that data. The U.S. Secret Service buys it and uses it instead of having to get a warrant to get that same information from the phone company. Nothing illegal about it. Obviously, the Secret Service is not using it to market any products. Curiously, the company that they bought it from does not advertise that they sell your data to the police. In fact, their agreement, similar to the agreement that Stingray’s provider makes the police sign, says that they are forbidden from mentioning it in legal proceedings at all. When this has been an issue with Stingray’s the police have dropped charges rather than break the agreement. Credit: Hackread

Securus Sued For Recording Attorney-Client Jail Calls and Providing to Police

Securus provides pay phone services in prisons at what most people say are exorbitant prices. Sometimes they charge 100 times the going price outside. According to theory (and law), Securus is not supposed to listen to or record phone calls between inmates and their lawyers. The only reason they were caught was that a detective was listening to recordings provided to him by Securus and recognized the attorney’s voice. He then reported Securus to the Attorney General. The attorney who was illegally recorded is now suing Securus. The interesting thing is that Securus just settled a similar case in another state. You would think they would learn. Credit: The Register

CIA Spies on FBI, DHS and Other Friends

In the ongoing Wikileaks Vault 7 series of leaks, there is a new leak called ExpressLane.

According to the documents released by Wikileaks, the CIA offers a partnership with other law enforcement and government agencies in which those partners can share biometric data such as fingerprints with the CIA.

The CIA does this by offering a predefined hardware, operating system and software to its liaison partners.  It also supports these systems.

Since the program is voluntary, the CIA likely did not get all of the biometric data that each of the partner agencies had collected, so they decided to get creative.

Since they “support” these systems for their friends, they send a technician to update the system via flash drive.  Only that update also installs the ExpressLane backdoor.

ExpressLane has two parts – the first part creates a hidden partition on the target system where the biometric data is captured.  This partition is used as a holding pen for the data that they want to steal.  The data is encrypted and compressed before being stored in the hidden partition.

The second part takes the data from the hidden partition and steals it by copying it to the flash drive the next time the technician comes to “maintain” the system.

This is only one of 21 disclosures that WikiLeaks has made in the Vault 7 series – likely with more to come.

If this turns out to be true and I suspect that it probably is true, then partners – especially those in other countries – are likely going to be less cooperative with the CIA and probably all other federal government law enforcement and justice agencies.   In that sense, WikiLeaks is doing significant damage to the U.S. Government.

One might think that other governments should have assumed that the CIA is not trustworthy (after all, what the CIA was doing is likely NO DIFFERENT from what other countries likely do), but I am not sure that other U.S. Government agencies would have made that same assumption – until now.

For the CIA, this is yet another damaging blow.  Probably not to their prestige (other than the fact that all of this stuff has become public). but rather to their operational ability as all of these tools become public.

SOME of the other leaks include:

  • DUMBO – a tool to hack webcams and microphones
  • IMPERIAL – a series of tools to hack Mac, Linux and Unix systems
  • HIGHRISE – a tool to steal information from phones and exfiltrate it via SMS messages
  • ELSA – A tool to harvest location information data of Windows laptops
  • CHERRY BLOSSOM – A tool to monitor Internet activity on targeted systems by exploiting bugs in Wi-Fi devices
  • WEEPING ANGEL – a tool to transform smart TVs into covert listening devices

And, many, many others.

What we don’t know yet is how many MORE leaked documents WikiLeaks will publish and where they are getting them from.  Two likely candidates are rogue employees and nation state actors like Russia and China.  The CIA has not, that I am aware of, given any indication of the source of the leaks, although I am sure they are trying hard to figure it out and may know already.

In my opinion, rogue employees seem less likely, but who knows.  What is VERY SCARY is if the Russians or Chinese have infiltrated the CIA and are still there.  I am pretty comfortable that the CIA is likely more concerned about this possibility than anyone and are probably working very hard to figure out if that is in fact what happened.

Of course, they may never tell us what they find unless they decide to prosecute someone for espionage.

Information for this post came from The Hacker News.

 

 

Wikileaks Releases Mac, Linux and Unix Malware

In the continuing saga of Vault 7 – the leaking of CIA hacking tools, Wikileaks made Mac, Linux and Unix users feel welcome.  Instead of leaking Windows and Android malicious code, they leaked Mac, Linux and Unix tools instead.  I guess they are equal opportunity leakers.

In this case they just leaked the manuals so that people could understand what the tools do but not be able to do it themselves.

Tool number one is named Achilles.  Achilles is an interesting tool.  Lets say that you wanted to install a piece of malware but you didn’t want to be detected.  Achilles allows you to “bind” a payload executable to a Mac DMG files.  When the user runs the DMG file, it installs the appropriate software but adds a little extra – some malware of the CIA’s choosing.  But then – and this is the interesting part – it then unbinds the malware payload from the DMG file so that the next time it is used to install the product, all that user gets is the actual software.  Achilles generates what is called a one time payload.  This dramatically reduces the probability of being detected.  What this does not do is give you a way of getting the malicious package onto the target system.  That has to be done using a different tool.

Tool number two is called Aeris and that is for Linux or POSIX systems.  It runs on a variety of Linux or POSIX systems including Debian, Red Hat, Solaris, FreeBSD and CentOS.  This particular part of the hacking ecosystem is designed to exfiltrate data from the target system over an encrypted channel.  Collecting the data is left for some other tool in the toolbox.

Tool number three is called SeaPea and targets Mac OS X systems.  It is a rootkit, meaning that it is likely undetectable by normal anti-malware software and it persists across reboots.  It can also hide files, open network connections and launch other malicious code.  It dates back several years and was designed to work with OS X Snow Leopard and Lion.  That, of course, does not mean that it hasn’t been updated work with newer versions but rather “dates” when this documentation was stolen.

What this means is that, not surprisingly, the CIA wants to be able to hack any operating system – they are not counting on users running any OS in particular.

While the CIA folks are good, they are likely on par with other spy organizations – sometimes better than some and sometimes not as good as others.  We should assume that the other folks, both good and bad – Russia, China, Ukraine as well as Germany, England and Israel, for example – have similar abilities.

Given the continuing dribbling of software and documentation over months, it seems likely that Wikileaks is not done yet and will likely leak more.  What we don’t know is how much of the CIA’s hacking arsenal this is.  Is it 5 percent or 50 percent?  25 percent or 75 percent.  We don’t know and likely never will know.  My GUESS (and hope) is that it is on the lower range of possible percentages, but who knows.

What this does mean is that there is likely a huge number of security holes in a whole range of operating systems that have not been patched – ones that both the good guys and the bad guys are exploiting.  While I am not so concerned about the good guys, I am VERY concerned about the bad guys.

Information for this post came from Bleeping Computer.

Wikileaks Publishes CIA Hacking Tools – Round One

It seems like the spy-guys (or is it spy-people) can’t seem to catch a break.  First it was Snowden; more recently it was Martin – both Booz Allen contractors at the NSA.  Now it is the CIA.  Wikileaks published thousands of documents, which appear to be real, describing CIA hacking tools.  This includes, supposedly, at least a dozen ‘zero-day’ attacks for a variety of platforms including iPhone, Android and Windows.

Assuming this is all real, this will definitely make the CIA’s job harder as vendors patch holes that the CIA has known about for an unknown amount of time – maybe years – and decided to use the attacks rather than telling the vendors and letting them fix the bugs.  This has been the argument about having U.S. Cyber Command being responsible for both hacking and defending us.  Under President Obama there was a protocol to follow that formalized the process of whether they revealed a bug or kept it secret.  That protocol did not stop them from keeping secrets as today’s leaks prove.  That is part of what Wikileaks wants to reveal.  Some people will consider that good; others will consider it bad.

The first set of documents, which Wikileaks calls Vault 7, contains about 8,700 documents of what they call Year Zero.  The documents are purported to come from inside CIA Langley.

This series of documents follows a preview disclosure last month describing the CIA’s efforts to target French political parties and candidates during the 2012 elections – which sounds very similar to what we are accusing Russia of doing here, last year.  What the CIA wanted to do with the information was not disclosed.

Apparently, the CIA’s hacker division called the Center for Cyber Intelligence (CCI), had over 5,000 users and had developed over a thousand hacking tools.

For what it is worth, Wikileaks says that their source wants to start a debate about whether the CIA has exceeded its authority and whether there is sufficient oversight. Clearly if the CIA develops a tool and the bad guys figure it out, that tool is out of control and there may not be a way to get the genie back in the bottle.

Wikileaks says that it has redacted some information and decided not to release the actual tools because of the risk that represents.

The CIA’s Engineering Development Group (EDG), which is part of CCI, is part of the Directorate for Digital Innovation, one of five directorates inside the CIA.

One of the tools that was disclosed is a tool to infect smart TVs so that they become covert eavesdropping devices, even when supposedly powered off.

Another project was to take over control of cars to perform covert and likely totally undetectable assassinations.  There have been rumors about this in the past when there were some explainable car crashes that killed high profile individuals.

While the iPhone only represents about 15% of the global smart phone market, apparently the CIA has a whole branch dedicated to hacking them.  This is likely due to the status symbol that the iPhone represents in government circles.

The CIA also has techniques to bypass the encryption of apps like Signal, Whatsapp, Wiebo, Confide and others.  They do this not by cracking the encryption, but likely by covertly installing eavesdropping software on the phones to capture the data before it is encrypted or after it is decrypted.

After Snowden revealed that the intelligence community was hoarding zero day vulnerabilities, the Obama administration agreed to a process to decide which vulnerabilities to disclose, but, according to Wikileaks, the CIA did not follow those protocols and continued to hoard zero day vulnerabilities.

There is a huge amount of information released and reporters will likely be reviewing it for weeks, but Wikileaks says that there is much more to come.  How much and when is not clear.

To me, what is most interesting is not that the CIA is doing this – everyone is doing this – but rather, even after Manning, after Snowden, and after Martin, just to name a few massive leaks, the intelligence community doesn’t seem to be able to stop the leaks.

What President Trump will do is not clear.

What Snowden said that he did and I assume what Wikileaks is doing also, is to distribute encrypted copies of unredacted documents to hundreds of media sources with the system set up to automatically distribute the keys if something bad happens to Wikileaks or its embattled founder, Julian Assange.  I don’t know if this is true, but it is that only thing that makes sense to explain why Assange is still alive and Wikileaks is still online.  *IF* it is known to the intelligence community that Wikileaks is in possession of some sort of nuclear option, they are likely to tread much more lightly around Wikileaks.  Given what they have already published, this is certainly not out of the question.

Information for this post came from a Wikileaks Press Release.