
Wikileaks reveals CIA's Elsa: a geo-location malware for WiFi / Windows - tgragnato
https://wikileaks.org/vault7/#Elsa
======
chrissnell
This is nothing new. Many IT departments at security-sensitive companies have
been doing this for a while with their own gear. It's quite common for
enterprise-managed laptops to scan for SSIDs and report this information back
to HQ. This is primarily done to assist in the tracking of stolen laptops.

Many will quietly connect to open APs when they're discovered and use DNS
requests to tunnel this information back, thus attempting to work around
captive portals. They might, for example, send an A-record query like this:

chrissnell-laptop-DEADBEEFC0W.security.bigcorp.com

where DEADBEEFC0W is the ESSID of a discovered nearby AP and
security.bigcorp.com is a specialized DNS server configured to record this
data.
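
As an added example (not part of the comment above), here is a small detector written from the network-defender side for the query pattern just described: it reads constructed resolver log lines, groups A queries by client and reporting zone, and reports the varying suffix of the leftmost label, which is the data (here SSIDs) leaving via DNS. The log format, the `chrissnell-laptop-` host prefix and the thresholds are assumptions.

```python
"""Spot host-to-zone DNS 'beacons': one client sending many A queries whose
leftmost label is a fixed host prefix plus a varying payload (an SSID) under
a single reporting zone."""
import re
from collections import defaultdict
from os.path import commonprefix

# Constructed sample resolver log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2017-06-28T10:00:01Z 10.1.2.3 chrissnell-laptop-DEADBEEFC0W.security.bigcorp.com A
2017-06-28T10:00:01Z 10.1.2.3 chrissnell-laptop-GUESTWIFI.security.bigcorp.com A
2017-06-28T10:00:02Z 10.1.2.3 chrissnell-laptop-CAFE24.security.bigcorp.com A
2017-06-28T10:00:02Z 10.1.2.3 www.example.com A
2017-06-28T10:00:03Z 10.1.2.9 mail.example.com MX
2017-06-28T10:00:03Z 10.1.2.9 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (client, qname) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).rstrip(".").lower()

def find_beacons(text, min_distinct=3, min_prefix=4, zone_labels=3):
    """Return {(client, zone): (prefix, sorted payloads)} for every client that
    sent >= min_distinct distinct leftmost labels under one zone, all sharing
    a common prefix of at least min_prefix characters (the host name part)."""
    groups = defaultdict(set)
    for client, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) <= zone_labels:
            continue  # nothing to the left of the zone itself
        zone = ".".join(labels[-zone_labels:])
        groups[(client, zone)].add(labels[0])
    findings = {}
    for key, leftmost in groups.items():
        if len(leftmost) < min_distinct:
            continue
        prefix = commonprefix(list(leftmost))
        if len(prefix) < min_prefix:
            continue
        findings[key] = (prefix, sorted(l[len(prefix):] for l in leftmost))
    return findings

if __name__ == "__main__":
    for (client, zone), (prefix, payloads) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: prefix {prefix!r}, payloads {payloads}")
```

The payload suffixes are what an analyst would want to see: in this sample they are the SSIDs the laptop observed, and a real deployment would raise the distinct-label threshold to suit the zone's normal query volume.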

~~~
shallot_router
This is a big issue with the CIA tool leaks. The really interesting part is
who they're using the tools against and how often; the tools themselves,
devoid of context, aren't really very interesting.

If they're using this to track a dozen intelligence officials in Saudi Arabia,
it's very different optics from if they're using this to track, say, tens of
thousands of "red-flagged" families in the US. (Especially since the CIA
technically shouldn't be performing any sort of surveillance within the US.)

The NSA leaks, or at least part of them, were a much bigger deal because they
revealed warrantless, widespread, persistent drag-net surveillance of US
citizens. So far, the CIA leaks have not revealed anything relating to
surveillance of US citizens or even any civilians living anywhere.

The CIA may very well (still) be evil, but these leaks do not even begin to
prove it, so far.

------
mmjaa
To me, these stories are a) vital, b) disheartening, and c) demonstrative
of the fact that we need to continue to build better, open and secure,
operating systems and tools for end users.

I think there is definitely something to be said for the fact that if the CIA
is doing this, then criminals are too - since the fine line between what the
CIA does and what a criminal does is simply a sheet of paper with someone's
signature on it.

Most of all, however, I think it's very important that we continue to reveal
these secrets. For those of us not living under the CIA's nefarious shadow, it
is good to see them get their secrets revealed.

~~~
willstrafach
I am curious as to what you believe the CIA is supposed to be doing?

~~~
oval-atom
I doubt they have a clue... disillusioned into the idea that we are in a utopian
world.

~~~
pizza
The CIA itself has a utopic mission.

~~~
ionised
So they are as naive and shortsighted as they seem.

------
0x0
This honestly doesn't sound very interesting. Just a regular piece of software
using a few of many available location services that are based on SSID
scanning. Mozilla for example offers the same:
[https://location.services.mozilla.com/](https://location.services.mozilla.com/)

~~~
gvx
The interesting thing about it is not so much how it works as what they do
with it: presumably track individuals' locations without their knowledge.

------
ju-st
On page 22: " <wifi-ap> <ssid>TIPICOS GLORIA</ssid>
<mac>68:7F:74:74:34:2B</mac> <rssi>-75</rssi> </wifi-ap>"

The SSID is the name of a Mexican restaurant in western Washington DC...

Unfortunately the document doesn't include API documentation for the
geolocation services of Google and Microsoft. Would be interesting to know if
CIA is aware of a way around api-key restrictions :)

------
mankash666
Why is there a judgement on the CIA's actions every time a tool is leaked? It's
their charter to spy on people; the targets being American or not is just
semantics. For instance, if an American is a person of interest, the only thing
required is for the FBI to be a (namesake) participant in the investigation.

Outrage against 3-letter security/intelligence agencies is silly; it's like
blaming Google for being great at search.

~~~
ahartman00
Right, but not everybody lives in the US. And of course, their spy agencies
don't spy :P

It's also interesting hearing the outrage about Russian hacking, and the
outrage about the CIA having the abilities to hack. I hope it's not the same
people complaining.

------
emojo
I'm curious what an intercept of Mac Product looks like in the Dark Matter
scenario. It's not the first mention I've seen of the CIA intercepting the
supply chain of an organization.

If one was to purchase a Mac and it was to be intercepted and infected, what
does that resealing process look like?

------
willstrafach
After reading through the user guide, this appears to contain no
vulnerabilities/exploits, just a payload to fulfill a need to track the
location pattern of a target.

This is very basic stuff which could be easily replicated with kismet and some
scripts. I am guessing this is some sort of intern project.

~~~
tgragnato
Well, it depends on the target: using a sledgehammer to crack a nut can leave
you with more damage than results.

~~~
willstrafach
Sorry, I am not sure I understand the analogy?

~~~
xzel
He's saying that for some simple jobs you don't want to use a more complex tool
because there could be consequences. In this context, you don't need to use a
fancy exploit that could get into the wild, lead to discovery and be blocked
from other targets, or whatever else, when you can use something as simple as
this exploit.

~~~
willstrafach
Got it, thank you! I was not trying to criticize this piece of software, just
had thought it might be worth mentioning in case folks were curious (as past
Vault7 releases had indeed made mention of exploits used).

------
moomin
Am I the only one wondering if they have a tool called Anna?

------
dokument
Do you want to build a Snowden?

------
fumar
As someone who is not that savvy about malware or persistent software calling
"home," what is the best operating system that will avoid these types of
attacks?

~~~
quakeguy
A typewriter.

------
pizza
This type of thing might be very useful for preventing CIA's Harold Martin
counterparts from leaking from CIA hardware.

------
setq
Isn't this the same principle google uses for their location services?

------
Zelizz
Why don't they just use the location APIs? :D

------
SomeStupidPoint
Is this just an article based on the (already posted) vault7 trove of
documents?

Because it seems to be a lightweight blog post based on an already old leak,
without much analysis.

~~~
nyolfen
Vault7 has been announced and partially released, but Wikileaks has been
releasing a trickle of new documents over time (it seems they learned from the
strategic timing of the Snowden document releases); these documents are new to
the public. They seem to release new documents from the Vault7 trove every week
or two.

~~~
SomeStupidPoint
So Wikileaks is now in the policy of filtering documents and release timings
to shape a narrative?

I seem to recall that their claim to fame was that they were above trying to
manipulate the narrative and simply dumped documents when they got them.

Why should we trust a cabal of people who are not telling us the full scope of
the situation, and instead filtering what we know based on their desire to
shape our opinion over any of the other cabals doing the same thing?

~~~
willstrafach
If they are trying to filter something, they are doing a pretty awful job.
Everything released so far in Vault 7 appears to simply be a dump of
intelligence collection tradecraft/methods.

~~~
SomeStupidPoint
As a purely hypothetical example:

* * *

The vault7 trove could contain documents on CIA minimization and targeting
rules, which show that they carefully avoid US targets and only go for high
value targets with these tools, and further could contain mostly exploits
targeted at industrial/military targets.

Wikileaks has focused on how they could use the (selectively) released tools
to target civilians.

By selecting to release only tools that (could) target civilian appliances,
hiding the fact that most tools are built for, eg, industrial/military
targets, and that CIA procedures focus on industrial/military targets,
Wikileaks effectively shapes the narrative to be about how the CIA is
targeting civilians, when the reality is that they're targeting high value,
perfectly appropriate things (which just happen to occasionally use technology
others do as well).

* * *

Sowing that kind of distrust between US civilians and one of their intel
agencies would be a perfectly normal PSYOPs goal, and in-line with what you'd
expect from, eg, RT.

That Wikileaks has decided to editorialize their content in such a way means
that you now need to evaluate those kinds of scenarios when thinking about the
things they release, instead of just focusing on the content. It reduces their
brand value significantly.

~~~
willstrafach
You make a good point regarding what they might be trying to do. But do you
think many people are actually buying it? Anyone could think of malicious uses
for all sorts of things, the only noteworthy revelations would be actual proof
of misuse.

~~~
SomeStupidPoint
> Anyone could think of malicious uses for all sorts of things, the only
> noteworthy revelations would be actual proof of misuse.

Does this same logic apply to the vault7 trove itself?

The entire leak is basically "Spy agency has capability to spy. _Yawn._" once
you take away the angle of "Oooo! Spooky! They might target _you_!"

So we're already in the case that Wikileaks is trying to editorialize the
content for an agenda, which we know is to cause damage to the US intel
community. (They haven't been friends for a _long_ time, in well documented
ways.)

We also know that Wikileaks is withholding the full extent of what they know
or not, and are choosing what to reveal (which is a tactic well known to be
used to shape narratives).

Why should we care what Wikileaks has to say on this matter, for the exact
reason you so helpfully pointed out?

They're a biased source, not disclosing their full knowledge and seeking to
manipulate us, who haven't actually shown any evidence of wrongdoing.

~~~
willstrafach
You might be missing that I do fully agree with you. I guess if it is out
there anyway though, it makes some sense for there to be discussion on HN as it
is a technical forum. Probably safe to skip their "analysis" and only pay mind
to the source document.

