
CIA hacking unit failed to protect its systems, allowing Vault 7 disclosure - sunils34
https://www.washingtonpost.com/national-security/elite-cia-unit-that-developed-hacking-tools-failed-to-secure-its-own-systems-allowing-massive-leak-an-internal-report-found/2020/06/15/502e3456-ae9d-11ea-8f56-63f38c990077_story.html
======
LinuxBender
This happens in many corporations as well. It's fun and exciting to be on the
red-team (doing the penetration testing, writing exploits, etc) but the blue
team (infrastructure teams and developer teams hardening things) is not only
boring to most, but it's also the team that gets the most grief from
developers for inducing friction. If your company has a red team, ask how big
the blue team is and if they have the same freedom to develop and implement
mitigating controls as the red team has to exploit things.

Hacker competitions mirror this. Red teams are allowed to bring in any
exploits and do just about anything (as criminals would be expected to do) and
the blue team is stifled by bureaucracy and not allowed to bring in anything.

~~~
willcipriano
Hacker competitions often seem very contrived to me. I suspect that in order
for the red team to make any progress you have to tie the blue team's hands
behind their backs. Most of what I see from the penetration testing community
is pretty gimmicky and situational generally and often doesn't take into
account the attackers risk/reward ratio.

~~~
AnHonestComment
What would be a less gimmicky setup?

~~~
olivierduval
Allowing Blue Team to fight back maybe? Or to be able to actively track the
red team instead, using an active defense, instead of only passive defense?

Moreover, the outcomes are different for both teams:

- RedTeam success => they are seen as "real" hackers/heroes and the BlueTeam
are the poor incompetents

- RedTeam fail => the BlueTeam did "only" its job, the investments in
cybersec for the company paid off... so the budget for the cybersec can be
reduced.

So, for RedTeam, it's either a win or a tie. And for BlueTeam it's either a
tie or a loss...

If the BlueTeam could fight back, maybe this could change...

~~~
willcipriano
That's good. Perhaps something like if they can attribute the attack to a
particular machine the red team gets "arrested".

~~~
DaiPlusPlus
Do the feds still attend DC? >:}

~~~
birdyrooster
No and they don’t come because hackers asked them not to. >:/

~~~
Shared404
Found the Fed.

------
dijit
Words can't describe how normal that is. Exploit tools require local
systems to be super open in order to be frictionless.

Even in the consumer industry; anyone remember all those very silly people who
installed backtrack2 (precursor to kali, based on slackware not debian) to
their main drive and then went to defcon and got rekt because their OS was
insecure (and couldn't be updated!)

Exploit development is a glass cannon, remove all friction to modify the
system and craft packets, invoke monitoring modes for hardware and
frictionless tracing... that's going to have a security cost.

This echoes a wider issue in the industry "Development" vs "Sysadmin"
mindsets, where sysadmins are stifling and developers are all about removing
barriers to progress faster and iterate more.

~~~
bowmessage
What's the story re: backtrack2, for the uninformed?

~~~
dijit
I'm trying to find a citation here, but it's difficult because "Backtrack 2
ssh exploit defcon" is going to produce a lot of content which is unrelated.

Anyway I can give you the skinny of the situation:

1) Backtrack 2 did not have an installer, it was a live-CD. But that doesn't
stop you installing it by just copying the live environment to a disk (with
some mount-binding and grub install, you're all good!) There were guides for
doing this although they all had large warnings and the backtrack maintainers
cautioned heavily against doing it.

2) because it was a liveCD there was no package update mechanism, it was not
based on debian at the time so there was no apt or anything similar, and even
if there had been, there were no repositories; backtrack was a "tool" not a
distro really.

3) sshd is one of the services that gets started on system boot for
backtrack2.

4) someone at defcon unveiled an sshd exploit, a pretty nasty one, they had
disclosed responsibly and everyone had been patched for at least 6 months,
except the people who went against recommendations and installed backtrack2.
They all got rooted.

Bonus: everyone who ran backtrack2, without exception, ran it with the root
user; as that was the default and they had patched software that normally
complains about such things to not complain. xD

~~~
FDSGSG
>4) someone at defcon unveiled an sshd exploit, a pretty nasty one, they had
disclosed responsibly and everyone had been patched for at least 6 months,
except the people who went against recommendations and installed backtrack2.
They all got rooted.

Yeah, I don't think this happened. Nobody has publicly exploited an opensshd
rce for ages.

~~~
dijit
It may have been the kernel; frankly I'm fuzzy on the details I just remember
the staunch warnings and feeling vindicated.

This was like 2007-8.

------
Veserv
The article tries to make it sound like the failure is a lack of
prioritization and if they just focused correctly the problem could have been
avoided, but I do not see why anybody would assume they would be able to
protect their systems even if they tried.

How well protected do you think cyber-weapons designed to surveil countries,
disable infrastructure, and destabilize governments should be? How capable and
well-funded should the attacker need to be before gaining access to cyber-
weapons designed to kill economies and people? $1B, $10B? A team of 1,000,
10,000?

Does anyone know of any system or organization in existence that would even be
willing to claim they can stop a team of 1000 dedicated hackers working full-
time for 10 years funded with $1B let alone put it in writing? What is the
highest you have heard? Is it even in the general ballpark?

It is absurd to assume that the failure to solve the problem is just a lack of
prioritization if no one even claims to be able to solve it and it is
meaningless to propose that they should adopt policies that do not even claim
to be able to protect against the actual threat model let alone have evidence
of such protection. They either need to find someone who will make the
extraordinary claim that they can provide an actual defense and have the
extraordinary evidence to back up that extraordinary claim or they MUST NOT
deploy such systems since they can not be protected.

~~~
SXX
Yeah I guess some people really misunderstand how hard making a secure system
is. Of course you can't claim to kill an economy or too many people with it,
but really you don't even need that kind of funding to break into most
networks.

I guess it's safe to say that even with $1M of funding and a small team of
dedicated security researchers coupled with the right people for social
engineering you can break into any network. Everyone can be fooled and humans
are always the weakest spot. Especially now when information about everyone is
publicly available on social networks so you can gather all the information
you need remotely.

And when it comes to hacking into the networks of a company with no dedicated
budget for cybersecurity, the cost of attack would be one or two orders of
magnitude lower. Some self-organized groups of hobbyists prove you can even do
it with no funding at all.

------
OliverJones
How does somebody exfiltrate 34 TERABYTES from a secure facility without
getting noticed?

To misquote Dr. Strangelove, "ze whole point of ze secret hack is lost if you
don't keep it a secret."
[https://youtu.be/2yfXgu37iyI?t=205](https://youtu.be/2yfXgu37iyI?t=205)

Oh, maybe they have a firewall built on a RaspberryPi somebody ordered online.

Seriously, WTF? This is as insecure as having contract sysadmins with root
privilege spread all over the globe.

And when will these state actors with unlimited funding figure out that NOBODY
can keep secrets forever, not even them?

~~~
j88439h84
What are the tools to help orgs notice exfiltration?

~~~
killjoywashere
Glossing over 10 years of tens of thousands of people's work, things like
Titan Rain (1, 2) led to a lot of thinking about monitoring your production
environment with things like the istio sidecar system.

(1)
[https://en.wikipedia.org/wiki/Netwitness](https://en.wikipedia.org/wiki/Netwitness)

(2)
[https://en.wikipedia.org/wiki/Shawn_Carpenter](https://en.wikipedia.org/wiki/Shawn_Carpenter)
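As an added illustration of the question above (this is example code written for this page, not anything from the article, the thread, or the NetWitness / Istio projects mentioned): the most basic exfiltration signal is a host suddenly sending far more than its own historical baseline, or talking to a destination it has never contacted before. The script below runs both checks over constructed flow records; the host names, RFC 5737 test addresses and byte counts are all made up for the example. Real tooling does much more (content inspection, user context, correlation across sensors), but a per-host volume baseline plus first-contact detection is where most teams start.

```python
"""Added example: flag hosts whose outbound volume is far above their own
baseline, and host->destination pairs seen for the first time, over
constructed flow records. Not code from the article or the thread."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class Flow:
    day: date
    src_host: str
    dst_ip: str
    bytes_out: int


MB = 1_000_000
GB = 1_000 * MB


def _constructed_flows():
    """Constructed sample data (hypothetical hosts, RFC 5737 test addresses)."""
    flows = []
    start = date(2020, 6, 1)
    for offset in range(14):  # 14 days of ordinary outbound traffic
        d = start + timedelta(days=offset)
        flows.append(Flow(d, "ws-01", "203.0.113.10", 40 * MB))
        flows.append(Flow(d, "ws-02", "203.0.113.10", 55 * MB))
        flows.append(Flow(d, "build-07", "203.0.113.20", 300 * MB))
    today = start + timedelta(days=14)
    flows.append(Flow(today, "ws-01", "203.0.113.10", 42 * MB))
    flows.append(Flow(today, "ws-02", "203.0.113.10", 50 * MB))
    flows.append(Flow(today, "build-07", "203.0.113.20", 310 * MB))
    # The anomaly: build-07 pushes 2 TB to an address it has never talked to.
    flows.append(Flow(today, "build-07", "198.51.100.23", 2_000 * GB))
    return flows, today


SAMPLE_FLOWS, SAMPLE_DAY = _constructed_flows()


def daily_outbound(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src_host, f.day)] += f.bytes_out
    return totals


def find_exfil_candidates(flows, day, ratio=10.0, min_bytes=1 * GB):
    """Return (host, bytes_today, baseline) for hosts whose outbound volume on
    `day` is at least `ratio` times their own median daily volume over the
    earlier days and at least `min_bytes` in absolute terms."""
    totals = daily_outbound(flows)
    history = defaultdict(list)
    for (host, d), b in totals.items():
        if d < day:
            history[host].append(b)
    hits = []
    for (host, d), b in totals.items():
        if d != day or b < min_bytes:
            continue
        base = median(history[host]) if history[host] else 0
        # A host with no history is judged on the absolute threshold alone.
        if base == 0 or b / base >= ratio:
            hits.append((host, b, base))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def new_destinations(flows, day):
    """(host, dst_ip) pairs seen on `day` that never appeared on earlier days."""
    seen = {(f.src_host, f.dst_ip) for f in flows if f.day < day}
    return {(f.src_host, f.dst_ip) for f in flows if f.day == day} - seen


if __name__ == "__main__":
    for host, b, base in find_exfil_candidates(SAMPLE_FLOWS, SAMPLE_DAY):
        print(f"{host}: {b / GB:.1f} GB out today vs {base / MB:.0f} MB/day baseline")
    for host, ip in sorted(new_destinations(SAMPLE_FLOWS, SAMPLE_DAY)):
        print(f"{host}: first contact with {ip}")
```

The median baseline is deliberately robust to a single earlier spike, and the absolute floor keeps a workstation that goes from 1 MB to 20 MB from paging anyone. In practice both signals need an allowlist (backup targets, update mirrors, cloud storage the org actually uses) before they are tolerable on a real network.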

------
mtgp1000
I saw a screenshot of a CNN article which said that the CIA frequently
used tactics to make hacks appear as though they were from Russia. Which is
something I always suspected was relatively easy to do...change some logs,
some timestamps, use some existing code...I'm not a hacker per se, but most of
us write code here and deal with these kinds of things...

So does anything in this vault possibly call certain recent allegations of
Russian interference into question?

~~~
0xy
The intelligence community's opinion that the DNC hack was done by Russia was
based upon the single source of a private organization CrowdStrike. But given
all the heavy hitting nation states regularly frame others, "Russia's
fingerprints" can mean either they did it or they didn't, so it's functionally
worthless.

~~~
meowface
That's completely untrue.

~~~
0xy
Shawn Henry said "We said that we had a high degree of confidence it was the
Russian Government"

Sorry, but "high degree of confidence" is not proof, especially not from the
organization that told us Iraq had WMDs with high degrees of confidence.

Additionally, at no point in time did they have access to the hardware.

Are you forgetting that this is the same collection of people responsible for
being unable to secure their own hacking tools?

~~~
meowface
Skepticism of the claims of law enforcement and the intelligence community is
good, for a multitude of reasons, but the case here is a lot stronger than
you're suggesting and is substantiated by much more than mere finger-pointing
by the US government or other governments.

It's unfortunate that the political climate in the US is on such a knife's
edge right now that basically no one trusts anyone and everyone is running
with their own databases of the facts of the world.

I understand the US government is itself very largely to blame for this deep
distrust, but posts like yours make me worried for the next few decades. This
isn't a criticism of you at all, but just general concern that things are kind
of coming apart at the seams societally. I really hope the "two movies on one
screen" phenomenon doesn't escalate to the point that the screen shatters into
a billion pieces.

------
rollulus
[https://outline.com/6pySsH](https://outline.com/6pySsH)

------
tru3_power
Reminds me of any “security” product. Next time you get the chance, I suggest
you tear into any industry standard security tool and you’ll be surprised at
what you find.

------
Aaronstotle
I find it ironic that the CIA didn't bother to have its systems
secured/verified by the NSA. I'm sure the CIA thought that they were good
enough, coming from an organization that was infiltrated from its inception,
their hubris isn't surprising.

~~~
LinuxBender
My limited understanding is that these orgs compete with each other for budget
allocation and would never allow access into each others systems, but I could
be wrong.

~~~
fl0wenol
It's less about budget and more about we're not the DoD and can do whatever we
please, stay the hell off our lawn.

Even if it was a "hey, could you look at this and tell us what you think" with
no obligation to address issues, it is undesirable to establish a precedent.

They do use standards and recommendations from NSA/OMB for enterprise systems.
But even the US Courts went that route, just with a lot of renaming of things
so it can't be seen as being subservient to the Executive branch. There are
some good frameworks and standards that you shouldn't waste time re-
implementing.

~~~
blaser-waffle
Plus there is a reason you secure and compartmentalize information. The NSA
may be compromised in some way, and giving them access means they could
deliberately or accidentally leak something vital.

Same idea in reverse with the CIA -- maybe someone in the CIA is a bad actor
and now knows the secret 0-days the NSA is using -- because they're busy
locking them down -- and those get leaked.

------
cybervasi
Guarding information and guarding physical assets have one thing in common. It
is largely a passive exercise in waiting for something to happen. For this
reason it is very boring and unreliable. The only way to improve the situation
is to have active and random drills when someone attempts to steal the assets.
This would make the work of the Blue team a lot more rewarding rather than
just being relegated to mindlessly blocking access to anything and everything.

~~~
mox1
I mean you have more or less described a modern Cyber security Red Team.

------
catsdanxe
>34 terabytes of information, or about 2.2 billion pages.

That's insane that they could leave so much data available to be stolen.

~~~
Plutonsvea
Most of it likely useless and junk, or thousands of pages of logs I'm
guessing. No doubt there is some juicy stuff in there though.

------
wideawake
Guess it's good to know that even big gov orgs are dysfunctional

~~~
blaser-waffle
all big orgs are dysfunctional. successful big orgs manage to work around it
to a greater or lesser degree.

------
jokoon
Unless you make engineers and entire companies focus on security through
proper designs and standards, nothing will be secure. Most software is
insecure because geopolitically, the countries who make software are also the
ones who are able to penetrate those systems better than the rest of the world.

No government will push to improve door locks unless that government isn't the
most capable of defeating those locks. It's a cost/benefit function.

Right now, improving software security is a net loss for the US. So it won't
happen when the US is controlling the computer and software industry.

So I'm not surprised to see even the best experts being beaten so easily.

------
badrabbit
A hacking unit is offensive. It's like saying, "america's elite nuclear force
failed to stop an ICBM". Blowing up things (attack) is a different ballgame
than defending things. Think of it this way: if you are a hacker devoting 40hrs
a week carefully studying and planning to infiltrate a network, you will
succeed. APT actors have entire groups of teams dedicated to infiltrating one
target at a time. Getting in is feasible; persisting, lateral movement and
exfiltration without getting caught is very difficult but even commercial
tools like cobaltstrike are built to allow different teams to focus on
different stages of a hack.

~~~
thephyber
It's more analogous to saying "the defense contractors for a new stealth plane
failed to protect the designs and prototypes, so the enemy now has all of the
detailed info they need to build countermeasures against this stealth
technology". Securing the plans for stealth is a key requirement of the
stealth continuing to work.

Also, I'm sure those members of "the hacking team" weren't allowed to discuss
their work with their family/friends, so it's not terribly unrealistic to
expect them to use even just basic security hygiene (eg. don't share admin
passwords).

~~~
badrabbit
No, that's not the analogy at hand. The designers of a stealth plane are
just that. The right analogy would be if the navy seals designed a secret
weapon, someone infiltrated their ranks and exfiltrated the weapons plans.
Navy seals are not immune to moles. No org is.

Your implication that this was due to lack of proper security hygiene is
unfounded. Security hygiene reduces risk, it does not eliminate it. Risk is
proportional to threat and attack surface; for an org like the CIA they have
a not-so-small attack surface and the whole world as their threat, so reduction
in risk by means of common security controls and hygiene will not reduce risk
from the most persistent and resourceful attackers. The analogy to your
reasoning would be "Google has an army of devs and security pros, so Chrome
should never have a remote code execution vuln", no, as much as they may have
money and talent, modern software is too complex for those resources to
eliminate all bugs. Perspective is important.

~~~
thephyber
I agree that your analogy works better.

> Your implication that this was due to lack of proper security hygiene is
> unfounded. Security hygiene reduces risk, it does not eliminate it.

Nope. No security professional will admit that anything ever _eliminates_
risk, so that's a strawman fallacy.

The point is that sharing admin passwords is a blatant violation of
cybersecurity hygiene which every employee of the CIA is capable of
understanding and avoiding. If the org can't enforce even just the basic
stuff, there's not much hope of raising standards above that.

> from the most persistent and resourceful attackers.

Here's a secret that everyone already knows: the most persistent and
resourceful attackers will always get in given enough time.

~~~
badrabbit
I agree on both of your last two points. Not sure where we disagree then.

