from Hacker News

CIA hacking unit failed to protect its systems, allowing Vault 7 disclosure

by sunils34 on 6/16/20, 1:29 PM with 98 comments

  • by LinuxBender on 6/16/20, 2:01 PM

    This happens in many corporations as well. It's fun and exciting to be on the red-team (doing the penetration testing, writing exploits, etc) but the blue team (infrastructure teams and developer teams hardening things) is not only boring to most, but it's also the team that gets the most grief from developers for inducing friction. If your company has a red team, ask how big the blue team is and if they have the same freedom to develop and implement mitigating controls as the red team has to exploit things.

    Hacker competitions mirror this. Red teams are allowed to bring in any exploits and do just about anything (as criminals would be expected to do) and the blue team are stifled by bureaucracy and not allowed to bring in anything.

  • by dijit on 6/16/20, 4:47 PM

    Words can't describe how normal that is. Exploit tools require local systems to be super open in order to be frictionless.

    Even in the consumer industry; anyone remember all those very silly people who installed backtrack2 (precursor to kali, based on slackware not debian) to their main drive and then went to defcon and got rekt because their OS was insecure (and couldn't be updated!)?

    Exploit development is a glass cannon, remove all friction to modify the system and craft packets, invoke monitoring modes for hardware and frictionless tracing... that's going to have a security cost.

    This echoes a wider issue in the industry, "Development" vs "Sysadmin" mindsets, where sysadmins are stifling and developers are all about removing barriers to progress faster and iterate more.

  • by Veserv on 6/16/20, 11:44 PM

    The article tries to make it sound like the failure is a lack of prioritization and if they just focused correctly the problem could have been avoided, but I do not see why anybody would assume they would be able to protect their systems even if they tried.

    How well protected do you think cyber-weapons designed to surveil countries, disable infrastructure, and destabilize governments should be? How capable and well-funded should the attacker need to be before gaining access to cyber-weapons designed to kill economies and people? $1B, $10B? A team of 1,000, 10,000?

    Does anyone know of any system or organization in existence that would even be willing to claim they can stop a team of 1000 dedicated hackers working full-time for 10 years funded with $1B let alone put it in writing? What is the highest you have heard? Is it even in the general ballpark?

    It is absurd to assume that the failure to solve the problem is just a lack of prioritization if no one even claims to be able to solve it and it is meaningless to propose that they should adopt policies that do not even claim to be able to protect against the actual threat model let alone have evidence of such protection. They either need to find someone who will make the extraordinary claim that they can provide an actual defense and have the extraordinary evidence to back up that extraordinary claim or they MUST NOT deploy such systems since they can not be protected.

  • by OliverJones on 6/16/20, 9:57 PM

    How does somebody exfiltrate 34 TERABYTES from a secure facility without getting noticed?

    To misquote Dr. Strangelove, "ze whole point of ze secret hack is lost if you don't keep it a secret." https://youtu.be/2yfXgu37iyI?t=205

    Oh, maybe they have a firewall built on a Raspberry Pi somebody ordered online.

    Seriously, WTF? This is as insecure as having contract sysadmins with root privilege spread all over the globe.

    And when will these state actors with unlimited funding figure out that NOBODY can keep secrets forever, not even them?

  • by mtgp1000 on 6/17/20, 12:09 AM

    I saw a screenshot of a CNN article which said that the CIA frequently used tactics to make hacks appear as though they were from Russia. Which is something I always suspected was relatively easy to do...change some logs, some timestamps, use some existing code...I'm not a hacker per se, but most of us write code here and deal with these kinds of things...

    So does anything in this vault possibly call certain recent allegations of Russian interference into question?

  • by rollulus on 6/16/20, 3:54 PM

  • by tru3_power on 6/16/20, 4:45 PM

    Reminds me of any “security” product. Next time you get the chance, I suggest you tear into any industry standard security tool and you’ll be surprised at what you find.

  • by Aaronstotle on 6/16/20, 4:27 PM

    I find it ironic that the CIA didn't bother to have its systems secured/verified by the NSA. I'm sure the CIA thought that they were good enough; coming from an organization that was infiltrated from its inception, their hubris isn't surprising.

  • by cybervasi on 6/16/20, 7:11 PM

    Guarding information and guarding physical assets have one thing in common. It is largely a passive exercise in waiting for something to happen. For this reason it is very boring and unreliable. The only way to improve the situation is to have active and random drills when someone attempts to steal the assets. This would make the work of the Blue team a lot more rewarding rather than just being relegated to mindlessly blocking access to anything and everything.

  • by catsdanxe on 6/16/20, 4:22 PM

    >34 terabytes of information, or about 2.2 billion pages.

    That's insane that they could leave so much data available to be stolen.

  • by wideawake on 6/17/20, 1:28 PM

    Guess it's good to know that even big gov orgs are dysfunctional.

  • by jokoon on 6/16/20, 5:32 PM

    Unless you make engineers and entire companies focus on security through proper designs and standards, nothing will be secure. Most software is insecure because geopolitically, the countries who make software are also the ones who are able to penetrate those systems better than the rest of the world.

    No government will push to improve door locks unless that government isn't the most capable of defeating those locks. It's a cost/benefit function.

    Right now, improving software security is a net loss for the US. So it won't happen when the US is controlling the computer and software industry.

    So I'm not surprised to see even the best experts being beaten so easily.

  • by badrabbit on 6/16/20, 10:01 PM

    A hacking unit is offensive. It's like saying, "America's elite nuclear force failed to stop an ICBM". Blowing up things (attack) is a different ballgame than defending things. Think of it this way: if you are a hacker devoting 40hrs a week carefully studying and planning to infiltrate a network, you will succeed. APT actors have entire groups of teams dedicated to infiltrating one target at a time. Getting in is feasible; persisting, lateral movement and exfiltration without getting caught is very difficult, but even commercial tools like Cobalt Strike are built to allow different teams to focus on different stages of a hack.