The Wikileaks ‘Vault7’ release from earlier this month reignited the reality of state-sponsored espionage, and what our governments know about us.
The revelations were that Wikileaks had a cache of CIA material consisting of several hundred million lines of computer code that has been “circulated among former US government hackers and contractors in an unauthorized manner.” These were leaked to the whistle-blowing website and demonstrated abilities to hack mobile phones and bypass the encryption used by messaging services like Signal, WhatsApp and Telegram.
Wikileaks later announced plans to work with affected manufacturers to help them push out fixes, but according to Motherboard, Julian Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents asking the companies to sign off on a series of conditions before being able to receive the technical details to deploy patches. These apparently included a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.
The whole situation served as a reminder of 2013, when Edward Snowden revealed the reality of mass surveillance by global governments. I recently caught up with F -Secure chief research officer Mikko Hypponen to talk about the impact of this fresh revelation on government spying.
“The biggest surprise to me is that it happened, but I am surprised that they let somebody steal all of that information,” Hypponen said, referring to the fact that this was leaked by an insider.
Asked if Wikileaks’ reputation for activity within the presidential election, along with Assange’s self-imposed exile, had changed views of the whistle-blowing website, Hypponen said that he “didn’t think that they leaked anything that has turned out to be fake”, so should be trustworthy.
“The reasons for leaking may be suspect but I don’t think they have been duped, and I don’t think anyone has ever proved them to be fake – so Vault7 is real. Also, no one has been caught by leaking through Wikileaks which is remarkable. Manning got caught because of his own chats, Snowden revealed himself, and they have proven that they do have the know-how and capability to not get their sources compromised, and that is remarkable.”
Mikko made a very relevant point about fresh ‘leakers’ - mainly 'where are the leakers around the world'?
“Particularly with intelligence leaks focused around Five Eyes intelligence, we’ve seen very little coming from countries doing really bad stuff and that is clearly out of balance,” he said.
“Also, the issue with the leaking is that someone could just walk away with the laptop and all of that data, previously data was stored on paper and it would have been 10 truckloads of paper and that is hard to drive out of any organization. Take the tiniest memory card and fill a shipping container with them and ship it from Europe to the USA, it will be a million times more than what the internet can do right now, even though it will take days.”
Back at Infosecurity Europe 2014, Hypponen said that “Leaking can be done by employees and insiders” and “if an employee knows they can leak information without getting caught, you only have one option left: do no evil.”
When asked why he felt this was the right time to reveal this cache, Mikko said he was unsure of the timing and motivation, as they specifically chose a time and thought of a reason for it, and coming so soon after the SHA-1 collision disclosure, he said that story would have persisted longer had the Vault7 release not appeared.
“Of course there is a big difference between the NSA and CIA, as CIA does mass surveillance. NSA looks at your data and CIA probably does not and that is the same for most people. The CIA does intelligence and its targets are very few and targeted, and the vast majority of its targets are being intercepted as NSA do mass surveillance and these leaks were very bad for both NSA and CIA as, with regards to CIA’s targets: extremists and terrorist organizations, rogue nations and these guys are now running around in circles trying to find CIA things on their network based on the information that was made public by Wikileaks.”
The larger question is about disclosure, and why Wikileaks did not disclose the flaws in the first place to the vendors? Hypponen believed that this did not happen simply “because they did not think about it” and the reaction was negative in the media as a result for not disclosing properly. “We as security companies would love to hear from them ahead as well, but regarding this case we have not been contacted by Wikileaks at all.”
To conclude, I asked Hypponen if he felt that had the leak not been made, would the spying have continued? He said “probably”, but ultimately surveillance malware like Flame has a kill or expiry date, so once the project and operation has been done there is no reason why the author cannot privately disclose the vulnerabilities.
Looking to the future, he said that there will be rules of cyber-war in the coming years, and one in 10 to 20 years will be that your malware must not carry on forever so the crisis will not go on forever, and it must stop by a certain date from X years in the future. “I also believe that you will have to sign your malware so you could prove that it was yours.”
After the revelations on Vault7 were made, we have seen the release of a tool for users to check low-level system firmware for modifications, and I expect we will see more activity both at vendor and government sides. However, the speed at which this story was forgotten, while we still talk about the impact of Snowden’s leaks four years on, suggest that this is not something that will persist in the collective mind of information security.