
Wikileaks reveals CIA’s ‘Brutal Kangaroo’ toolkit for hacking air-gapped network - Sami_Lehtinen
https://wikileaks.org/vault7/#Brutal%20Kangaroo
======
belorn
With every leak of government produced malware I hope the issue gets pushed a
bit further onto the political agenda so an international treaty can be reached
on software implemented weapons. There needs to be some defined limits for what
agencies can do and what happens when the weapons sooner or later are
discovered and turned into problems like WannaCry.

It's clear to most politicians that it's a problem if criminals use guns
acquired from the military or police, and that it's partially the fault of those
agencies when it happens. We are not there yet with malware.

~~~
mindslight
Your diagnosis is at odds with the basis of open security.

The primary thing that needs to happen is an acceptance of responsibility by
those who administer critical systems. Mathematically, what we call a
developed "exploit" is really just an _existence proof_ that something is
already insecure (hence "PoC or GTFO"). The blame needs to be properly
assigned to the developers/integrators of these systems for negligence
(currently _gross negligence_ - e.g. relying on Turing-complete languages)
instead of scapegoating those who discover the emperor has no clothes, even
despite their underlying motivations and lack of full disclosure.

Nasty exploits have always existed - the worrisome development is the scale of
execution brought on by entities with such resources, and the trend of
governments becoming overtly adversarial against the people, both their own
citizens and foreign individuals.

Even if it were practical (see: China's attitude to imaginary property),
having these entities form treaties (i.e. collude) with one another is not going
to resolve this. If anything, treaties will form gentleman's agreements
between allies, while enshrining the attacking of individuals "of interest" as
standard procedure.

~~~
belorn
I would not object to the idea that companies should be held liable for
critical faults which get exploited. It was the suggestion that Schneier gave
several years ago in order for security funding to be financially sound.
However, we are very far from this reality, where it's questionable if companies can
be held liable for security faults in extreme cases like voting machines,
airplane systems, and medical devices. I recall reading that Schneier has more or
less given up on it.

We need to get to a point where people in power positions are held responsible
for the damages caused by government developed malware that is used in
malware like WannaCry. That is hard to do without the issue rising on the
political agenda.

~~~
mindslight
> _it's questionable if companies can be held liable for security faults in
> extreme cases like voting machines, airplane systems, and medical devices_

> _We need to get to a point where people in power positions are held
> responsible_

You're contradicting yourself. If it's possible to hold people in power
responsible for what a single agency under them does (not even requiring their
knowledge!), then it's certainly possible to hold them responsible for
approving public use of insecure voting machines! (especially at a more local
political level)

And if it's not possible to hold people in power responsible (which _is_ a
reasonable assumption), then the philosophy of distributed defense becomes
even more important!

> _the damages caused by government developed malware_

Attempts to silence messengers never end well. And I don't think that changes,
even and especially when the messenger is a well funded government. But
normalizing that philosophy certainly sets the stage to silence and demonize
smaller messengers!

~~~
ethbro
The problem with holding manufacturers liable is that I'm not sure it's the
economically optimal solution. Fundamentally, let's break down exploits into
two categories:

1) Shoddy programming creates an exploit that is obvious to the manufacturer (let's
say Chinese Android TV stick makers)

2) Exploit exists despite manufacturer's efforts otherwise (let's say
Microsoft)

Putting exploit risk on software companies solves #1. But, especially in
critical industries, balloons the cost of their systems due to #2, because
they must now cover a risk they can't even model (unknown unknown). Can you
imagine what accountants and actuaries would do with "You may have a nation
state targeting the firmware controller in an HDD to compromise your system"?

I think a more optimal situation would be the government mandating liability
for known-problematic code standard lapses, but then providing a liability
shield provision _if the manufacturer can deliver a fix to a critical
vulnerability in X days_.

Ideally, we'd want any legislation to do two things that solve both of the
above problems. Increase adherence to generally accepted secure coding
standards (helps #1) and increase ability to deliver a timely fix to customers
(aka codebase maintenance and agility; helps #2 and especially important in
mass-use IoT devices).

~~~
runeks
> The problem with holding manufacturers liable is that I'm not sure it's the
> economically optimal solution

Either you hold someone liable or the effect will just be hiding the risk.

How about just requiring that the use of critical software systems be insured
against malware/failure in general? Seems like we want that anyway, and if we
can't find anyone to insure a piece of software, it probably shouldn't be used
in a critical system in the first place.

Importantly, it's the _users of software in critical systems_ alone that need
to be insured. Neither software vendors nor regular users need insurance. The
insurance company, alone, should handle the job of shielding a critical system
from the mistakes of software vendors. We need to allow software vendors to be
able to make mistakes, or nothing would get made, ever (source: I'm a
programmer).

And the insurer would be wise to spend some of the premium on bug bounties for
the software they're insuring (to minimize the cost of failure). In the end,
all white hats would end up being employed by an insurance company, helping
assess software security.

~~~
ethbro
Did you read the rest of my comment?

~~~
runeks
The difference between your approach and mine is that you propose to solve it
by making rules (regulations), as opposed to adding a separate party that can
absorb risk (insurance), thus shielding a creative industry -- software
development -- from adhering to a list of rules, which surely will only grow
in size.

~~~
ethbro
Ah. Insurance doesn't act as a separate party to absorb risk in the way you're
talking about.

They act as a party to amortize known risk, in exchange for a monetary premium
set based on that known risk.

Without the government stepping in and limiting catastrophic liability to some
degree (ideally in exchange for signaling the market to produce a social
good), the premiums charged would be so large as to just suck money out of
tech. There's no creativity shield if you're paying an onerous amount of your
profits in exchange.

Which is why I said any solution has to be two part: (1) require risk
liability on a better-defined subset of risk & (2) provide a liability shield
on the remaining less-defined risk _iff_ a company demonstrates an ability to
handle it (aka prompt patching). This creates a modelable insurance risk
market, therefore reasonable premiums, and still does something about nation-
state level attacks.

------
gruez
Shouldn't the Wikileaks page be linked instead? The original article doesn't
add anything and the wl page has more technical details.

~~~
dang
Ok, we changed to that from
[https://www.theinquirer.net/inquirer/news/3012499/-wikileaks...](https://www.theinquirer.net/inquirer/news/3012499/-wikileaks-cia-uses-brutal-kangaroo-toolkit-to-hack-air-gapped-networks),
which points to it.

------
deepnet
There seems to be no evidence that public money is being spent on national
cyber-defense, i.e. counter measures - at least there have been no links
suggesting the NSA, CIA or GCHQ are working on patches.

This leaves private industry, e.g. Microsoft et al, solely responsible for
defending citizens.

As there is no disclosure by the spies, Microsoft cannot patch without
knowledge of the vulnerabilities - at least until there is a leak or potential
leak that prompts a reluctant disclosure.

This leaves one wondering: is tax money being spent solely to make us less safe?

Could WannaCry's NHS (UK) devastation have been averted if academic security
researchers had responsibly disclosed the potential for this vulnerability?
Surely the UK Health Minister should have been more properly briefed on the
dangers to patients that his decision not to patch Windows could have?

If these agencies come crying for more tax dollars we should seriously enquire
if they have any plans to make us safer rather than continuing to backdoor
their own citizens.

Surely, with laws being passed in the UK and USA to curtail security research, the
danger to the public can only increase.

Without whistleblowers and journalists such as Wikileaks we would be far more at
risk from cyber-attacks!

I say Wikileaks as we know journalists are being targeted by Nation State
actors to hack the identities of their sources, and Wikileaks is a fine
exemplar of decent Op-Sec.

------
bronzeage
Why is it that only the US, but not China, Russia, the U.K., Germany, etc., out of
all the strong countries, have these leaks? The U.S. needs to take a good look at
itself and find the reason that their intelligence organizations are like a
leaky bucket. It seems as if Americans don't care and don't even see it as a
bad thing when traitors sabotage entire organizations' years of work.

In any other sane country, the outrage against such leakers would be far
greater than the outrage against the government for doing its job. If a person
was as big a traitor as Snowden in my country, you'd see his whole family and
friends deny him; he would think twice before doing it not only because of the
chance of getting caught and going to jail, but from the actual embarrassment
and shame from all the people close to him.

Yet look at Snowden, acting like he's some hero. Look at all the other
leakers. They are barely ashamed. Your society hates the government so much
you're turning traitors into heroes. Your security screening process is
probably failing hard with so many leaks. How can the US allies trust it when
everything leaks one way or the other? Leaking should be considered such a
horrible treason that only the most psychopathic person would do it, and the
screening should screen those out. But when society views leakers as heroes,
and even the president freely leaks other countries' intelligence to Russia,
followed by even more leaks than what he actually said, when it's justified as
long as 1 in the 1000 documents they leaked shows some government wrongdoing
(and statistically this will ALWAYS happen), they aren't traitors, they are
heroes. Then you don't need to be a huge psychopath to betray your country. You
just need some nudge in the 'right' direction.

If any of you think the right approach is to have no secrets (a.k.a. no
vulnerabilities. Today it's vulnerabilities, tomorrow it's CIA agents'
identities), you're naive. If you think your enemies will be as righteous as
you, you are naive. If you think that if you disclose all vulnerabilities,
nobody will have them, you are naive because Russia and China will find their
own different vulnerabilities.

~~~
swiley
The USG has traditionally not kept secrets from the populace (or not for very
long.) The idea that they are not only keeping secrets but that these secrets
are evidence of corruption and violation of our trust means that it is, in
fact, a good thing they were leaked.

~~~
bronzeage
This is exactly what I'm talking about. Look at you. You think your government
is bad? Look at Russia. Look at China. You have the privilege of being in one
of the least corrupt, most democratic countries out there, yet you hate the
country and its government more than the people in worse countries. A Russian
civilian has 10 times more reasons than you to hate the government. It's a
fact. But he's also much more loyal to his country than you. Corruption or
not, he won't hurt his country as much as your leaks are doing right now. The
only reasonable conclusion is that it has nothing at all to do with the
quality of the government, and everything to do with the loyalty of its
people.

~~~
corndoge
There's always room to improve. Leaks exposing corruption and to a lesser
extent critical software vulnerabilities are a good thing. I don't think
anyone would argue that exposing the identity of, for example, undercover
agents is a good thing. As another commenter said, you seem to lack color
vision and only see black and white.

Also, patriotism as a justification for not exposing a corrupt government is a
load of shit.

~~~
bronzeage
Did any leakers care to leak only the information relevant to the corruption?
No. I do have color vision. I see the most blackish grey. And so should you.
Yet you all cling to that little white spot in the middle of all the
blackness, and use it to justify everything. You're sending a very clear
message to all would-be traitors: as long as you throw us a little bone of
government wrongdoing, you're welcome to burn the whole house down. You think
this makes any sense at all?

~~~
derefr
You know that there can be more than one "patriot" in any given scenario,
right?

The guy who actually exfiltrates a DB dump on a USB stick is one guy, and he
might be a sociopath. But he (usually) doesn't just post it to the Internet;
instead, he gives it to a journalist.

Now, is the journalist _also_ a sociopath? Probably not. Probably he cares
about lives that would be lost if actual "actively sensitive" classified
information was leaked. So he doesn't _publish_ that information. He just
looks for the stuff that works as "news": basically, things that hurt _the
government_ (as a bureaucratic entity) without hurting _the state_ (as a body
representing the people.) He takes the body-destroying toxin he was sent, and
purifies it down until it's a chemotherapy treatment. And _then_ he hands it
to his editor, who _also_ cares what happens to the country, and they talk
about it with the publisher, who in turn advocates for the positions held by
the boards of the companies behind the ads that _run_ in the paper, who might
_also_ be patriots...

In short, to the degree that "leaks" are mostly something that happen through
the _media_, not through lone vigilantes, there is a sieve of probabilistic
patriotism reducing the "splash damage" of any leak. The media is not a "fifth
column."

------
csomar
My understanding of an air-gapped network/computer is that it gets no access to
the Internet/external devices (like a thumb drive in this case). So is it accurate to
call it "hacking an air-gapped network"?

~~~
kazinator
Indeed, A and B are not "gapped" if a thumb drive connects to B, and then
later the same thumb drive connects to A.

That's the same as being able to send a datagram from B to A over a network.

"Air gapped" is an idiotic term to begin with.

Radio communication such as Wi-Fi is literally air-gapped.

The plates of a capacitor can use air as a dielectric, making them literally
air-gapped, yet the cap will pass AC signal, and two adjacent air-gapped
inductors can pass signal, as well as power with great efficiency.

~~~
Shorel
It is not idiotic.

It is anachronistic.

------
jancsika
Doesn't this require two-way dataflow between the air-gapped computer(s) and
the "primary host"?

Edit: in other words, you would have to 1) plug a USB drive into the "primary"
host and then plug the _same_ drive into an air-gapped computer, and 2) take a
USB drive that was plugged into the air-gapped computer and plug it back into
an internet-connected computer. Plus, all computers in the dataflow above must
be running Windows, right?

~~~
sverige
>Plus, all computers in the dataflow above must be running Windows, right?

Linux surely has plenty of 0 days to exploit.

~~~
jancsika
Sure. But "plenty" is not equivalent to "so cheap and so powerful that a well-
funded state actor would automatically design every targeted exploit package
to be cross-platform." At least this particular case suggests that is probably
not the case.

Keep in mind from the article that the user must browse the files in the GUI
for the exploit to work. I doubt Windows and the set of the most commonly used
Linux GUI file browsers all have "plenty" of 0 days to exploit for this same
purpose. Or, if they do, it's going to cost substantially more money to find
them, test them, and package them up.

On an unrelated note, I agree-- the Linux kernel probably has plenty of 0 days
to exploit.
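A practical check that follows from kazinator's point (the drive that touches both A and B is the channel) and jancsika's (the same drive has to be plugged into the online host and the offline one, in both directions) is to ask each Windows host which removable-storage devices it has ever enumerated and look for a device that both hosts have seen. The script below is an added example written for this thread, not a tool from the leak or from any project it mentions. It reads the USBSTOR enumeration key that stock Windows maintains under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR; the CSV file names and the C:\collected-usbstor folder are hypothetical.

```powershell
# Added example (not from the leak or from the thread): enumerate the removable
# USB storage devices this Windows host has seen, export them, and on an
# analysis machine find device instance ids that appear on more than one host.
# Assumption: the host is stock Windows with the USBSTOR enum key present.
# Run in an elevated PowerShell session; reading the Enum key needs admin rights.

function Get-SeenUsbStorage {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path -Path $root)) { return @() }

    Get-ChildItem -Path $root | ForEach-Object {
        # Subkey name encodes vendor/product, e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
        $deviceClass = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Host         = $env:COMPUTERNAME
                DeviceClass  = $deviceClass
                # Instance id: the device serial followed by '&0'. Devices that report no
                # serial get a locally generated id (it starts with a digit and '&') that
                # differs per host and therefore cannot be matched across hosts.
                InstanceId   = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Step 1, on every host (online and offline alike): export what it has seen.
# Hypothetical output file name, one CSV per host.
Get-SeenUsbStorage |
    Export-Csv -Path "$env:COMPUTERNAME-usbstor.csv" -NoTypeInformation

# Step 2, on the analysis machine: merge the CSVs and report any instance id
# seen on more than one host. Hypothetical collection folder.
function Find-SharedUsbInstances {
    param([Parameter(Mandatory)][string]$CsvFolder)

    Get-ChildItem -Path $CsvFolder -Filter '*-usbstor.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        # Skip locally generated ids; only real serials are comparable across hosts.
        Where-Object { $_.InstanceId -notmatch '^\d+&' } |
        Group-Object -Property InstanceId |
        Where-Object { ($_.Group.Host | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                InstanceId   = $_.Name
                FriendlyName = ($_.Group.FriendlyName | Sort-Object -Unique) -join '; '
                Hosts        = ($_.Group.Host | Sort-Object -Unique) -join ', '
            }
        }
}

Find-SharedUsbInstances -CsvFolder 'C:\collected-usbstor' | Format-Table -AutoSize
```

Two caveats a practitioner would want. The USBSTOR key records that a device was enumerated, not each time it was plugged in, so a shared serial tells you a bridge existed but not how often it was used; Windows event logs or the per-instance Properties subkeys are needed for timing. And getting the offline host's CSV to the analysis machine itself requires moving data off the isolated network, so that transfer should go through whatever one-way or write-once procedure the site already uses for the air gap rather than through yet another shared thumb drive.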

------
dboreham
This doesn't describe an air gap jump in the sense I understand the term
(compromising or extracting data from a system that isn't connected to
anything external, perhaps by ultrasound via the speaker/mic). This is regular
movie-style "plug the magic thumb drive in" trick, no?

------
qubex
Tomorrow unwary operatives or turncoats will turn up at work, submit to a
surprise frisk-down to find whether they're carrying any USB drives, these
will be seized, and analysed, and found to contain this malware, and they'll
be tossed into the deepest dungeons with only a kangaroo court to look forward
to.

~~~
mcguire
Why would you expect an agent to be carrying one of these things? The typical
vector is some innocent local with poor security hygiene.

------
chenster
So .. is Mac safe, relatively speaking?

------
throwawaymanbot
Good for the CIA having skills and tools like this. These are needed.

But is hacking really a "weapon"? I think that hacking is a technical
capability or tool, but I wouldn't call it a weapon.

The flip side of this is that we have to realize that as long as
vulnerabilities are put into protocols/products on behalf of govts, the govts
can exploit them sure, but other people who have the ability to read or view
code _will_ eventually find out/figure out these weaknesses/exploits also.

Like weakening a protocol that all systems, even your own use. Then not even
the govt itself is safe or can defend adequately against them.

I really believe in Security Karma.

~~~
mcguire
Stuxnet was surely a weapon, right?

~~~
throwawaymanbot
Stuxnet as an entity was just the method to deliver different payloads, right?
I'm not exactly convinced I'd ever class that as a weapon over a clever
hack. I mean, is the ability to read and find holes in code a weapon?

Was it a weapon or a very clever hacking job that prevented and held back
scientists in Iran from creating an _actual_ weapon? Either way, it was peace
through superior code and vulnerability finding power.

It begs the question though: is the text editor mightier than the sword?

------
azinman2
And what does the world gain by Wikileaks leaking this for public usage? It
will only become more ubiquitous. Microsoft already has patched the
vulnerability.

When will Russia's, China's, Israel's, Iran's, France's, North Korea's or other countries'
wares be leaked? Something tells me they wouldn't, even if they got it...

~~~
tibarun
Usonians are so brainwashed by "american exceptionalism" that they can't even
see how out of control their military/industrial complex has become.

~~~
JumpCrisscross
> _Usonians_

What's this?

~~~
na85
I've seen it occasionally used to refer to Americans, because technically
speaking, any citizen of any country of North or South America is an
"American", and yet citizens of the USA don't recognize this.

To many, the implicit assumption that USA strictly equals America and vice
versa is just another artifact of the arrogance built into US culture.

~~~
mikeash
Use of the term "American" to describe US citizens is quite common outside the
US.

To me, the idea that this is somehow a manifestation of our cultural arrogance
and not just a mundane example of the malleability of human language is just
another artifact of how certain people really, really want to find more
reasons to hate us.

