Wikileaks’ ‘Vault 7’ proves Big Brother and criminal hackers use the same tricks

vault 7 is an insight into world of cyber espionage new education partnership with dakota state university 01 lg
NSA
Earlier this month, WikiLeaks unleashed the Vault 7 papers, a revealing insight into the tools and techniques used by the CIA. Their release caused a stir among the security community, but if you’re not working on the field, their relevance might not be immediately obvious.

Above all else, Vault 7 shouldn’t put you in a panic about the CIA — not if you’ve been paying attention, anyway. The most attention-grabbing techniques described in the papers aren’t anything new. In fact, they’ve been demonstrated publicly several times over. The revelation here is not the fact the CIA and NSA spy on both American and foreign citizens, but instead the incredible insight they – and presumably other spy organizations worldwide – have into cracking protections that most people consider secure.

A History of surveillance

“I would say that 100 percent of this is stuff that has been known to the security community for a while,” said Ryan Kalember, the senior vice president of cybersecurity strategy at security firm ProofPoint, in reference to the Vault 7 documents. “The Samsung Smart TV hack was demonstrated at security conferences several years ago, the vehicular hacks were demonstrated at BlackHat by quite a few different individuals on different vehicles.”

“Most of the things that have come out are slight variations on known techniques,” agreed James Maude, senior security engineer at Avecto. “There are a few targeted workarounds for antivirus vendors that weren’t previously known about — although similar exploits have been found in the past — and there were a couple of newer techniques for bypassing User Account Control on Windows.”

You don’t have to be a security professional to have heard about the techniques outlined in the Vault 7 papers. You might be surprised that the CIA is using these techniques, but you perhaps shouldn’t be, given that the organization was established for the purposes of gathering intelligence.

In the preface to the book Spycraft: The Secret History of the CIA’s Spytechs from Communism to Al-Qaeda, former director of the agency’s Office of Technical Service, Robert Wallace, describes the groups that comprised the organization when he joined its ranks in 1995. One was apparently responsible for the design and deployment of “audio bugs, telephone taps, and visual surveillance systems.” Another is said to have “produced tracking devices and sensors” and “analyzed foreign espionage equipment.”

The CIA is an organization that was set up for the purposes of surveillance and espionage. The Vault 7 papers aren’t revelatory in terms of what the CIA is doing — they’re revelatory in terms of how the agency is doing it. The way that the organization implements technology is changing with the times, and Vault 7 lets us track its progress.

Espionage evolves

Computers have revolutionized most industries over the past few decades, and that has in turn changed how spy organizations collect data from those industries. Thirty years ago, sensitive information typically took the form of physical documents, or spoken conversations, so spycraft focused on extracting documents from a secure location, or listening to conversations in room thought to be private. Today, most data stored digitally, and can be retrieved from anywhere the internet is available. Spies are taking advantage of that.

The lines have blurred between cybercrime and spycraft

According to Kalember, it’s “absolutely to be expected” that the CIA would move with the times. “If the information that you’re looking for exists in somebody’s email account, of course your tactics are going to move to spear-phishing them,” he explained.

Tactics like phishing might seem underhanded, in the reserve of criminals, but they’re used by spies because they’re effective. “There are only so many ways that you can get something to run on a system,” explained Maude. Indeed, if the CIA were to debut an unprecedented and highly effective method of snooping, it’s almost certain that criminal entities would be able to reverse-engineer it for their own usage.

“We’re in an environment where, particularly with the revelations from the Yahoo attack, the lines have blurred between cybercriminal tradecraft and spycraft,” said Kalember. “There’s one ecosystem of tools that has a big overlap.”

Intelligence operatives and cybercriminals are using the same tools for very similar purposes, even if their targets and their end goals might be very different. The practicalities of surveillance don’t change depending on the individual’s moral or ethical alignment, so there should be little shock when it emerges that the CIA is interested in a Samsung TV’s capacity to listen to conversations. In fact, exploits like that found in Samsung TV’s are of more interest to spies than to criminals. It’s not an exploit that offers immediate financial gain, but it does provide an excellent way to listen in on private conversations.

wikileaks cia hacking tools leak aerial view of headquarters langley  virginia
Aerial view of the CIA headquarters

“When we look at the CIA leaks, when we look at cybercriminal forums and the malware that I’ve looked at, the difference between a cybercriminal and an intelligence analyst is literally who pays their paycheck,” said Maude. “They all have a very similar mindset, they’re all trying to do the same thing.”

This melting pot allows operatives to disguise their actions, letting their work blend in with the similar tactics employed by criminals and other intelligence agencies. Attribution, or lack thereof, means that re-using tools developed by others doesn’t just save time — it’s a safer option all round.

Author unknown

“It’s well known within security circles that attribution looks great in reports and press conferences, but in reality, there’s very little value in attributing threats,” said Maude. “The value is in defending against them.”

The NSA has broad capabilities to gather up lots of different types of communications that are, by and large, unencrypted

Most surveillance is intended to be surreptitious, but even when an attempt is discovered, it can be very difficult to accurately trace it to its source. The CIA takes advantage of this fact by utilizing tools and techniques developed by others. By implementing someone else’s work — or better yet, a patchwork of others’ work — the agency can prompt questions about who’s responsible for its espionage.

“Attribution is something that has been a controversial subject in the private sector,” said Kalember. When security researchers are examining attacks, they can look at the tools that are used, and often where information was sent, to get an idea of who was responsible.

Delving further into the malware, it’s possible to get even great insight into its authors. The language used for text strings might provide a clue. The time of day that code was compiled might hint at their geographical location. Researchers might even look at debug paths to figure out which language pack the developer’s operating system was using.

Unfortuantely, these clues are easy to forge. “All of those things are well-known techniques that researchers can use to try and do attribution,” explained Kalember. “We’ve recently seen both cyber-criminal groups and nation state groups intentionally mess with those methods of attribution to create the classic false ‘flag type’ of scenario.”

vault 7 is an insight into world of cyber espionage slack imgs

He gave an example of the practice related to the malware known as Lazarus, which is thought to have originated in North Korea. Russian language strings were found in the code, but they didn’t make any sense to Russian speakers. It’s possible that this was a half-hearted attempt at misdirection, or perhaps even a double-bluff. The Vault 7 papers demonstrated that the CIA is actively engaging in this methodology to deceive those trying to track malware back to it.

“There was a big part of the Vault 7 leaks that focused on this program called UMBRAGE, where the CIA was pointing out the broad ecosystem of tools that were available for use,” said Kalember. “They appeared to be mostly trying to save themselves time, which a lot of people involved in this line of work do, by re-using things that were already there.”

UMBRAGE demonstrates how the CIA is monitoring trends to maintain its effectiveness in terms of espionage and surveillance. The program allows the agency to operate more quickly, and with less chance of being discovered — a huge boon to its endeavors. However, the Vault 7 papers also demonstrate how the organization has been forced to change its tactics to reassure those critical of its attitude towards privacy.

From Fishing Net to Fishing Rod

In 2013, Edward Snowden leaked a cavalcade of documents that unveiled various global surveillance initiatives being operated by the NSA and other intelligence agencies. The Vault 7 papers demonstrate how the Snowden leaks changed best practices for espionage.

“If you look at the Snowden leaks, the NSA has broad capabilities to gather up lots of different types of communications that were — by and large — unencrypted,” said Kalember. “That meant that without really being known to anybody, there was a tremendous amount of interesting information that they would have had access to, and they wouldn’t have had to take any risks to get access to any individual’s information that happened to be swept up in that.”

haven edward snowden vault7

Put simply, the NSA was utilizing a widespread lack of encryption to cast a wide net and collect data. This low-risk strategy would pay off if and when a person of interest’s communications were intercepted, along with masses of useless chatter.

“Since the Snowden leaks we’ve really talked up the need for end-to-end encryption, and this has been rolled out on a massive scale, from chat apps to websites, SSL, all these different things that are out there,” said Maude. This makes widespread data collection far less relevant.

“What we’re seeing is that intelligence agencies are working around end-to-end encryption by going straight to the endpoint,” he added. “Because obviously that’s where the user is typing, encrypting, and decrypting the communication, so that’s where they can access them unencrypted.”

The Snowden leaks spearheaded an industry-spanning initiative to standardize end-to-end encryption. Now, surveillance requires a more precise approach, where the focus is on specific targets. That means accessing the endpoint, the device where the user is inputting or storing their communications.

Nothing digital is ever 100 percent secure

“The CIA’s Vault 7 leaks, by contrast to the Snowden leaks, describe almost entirely targeted attacks that have to be launched against specific individuals or their devices,” said Kalember. “They probably, in most cases, involve taking slightly greater risks of being caught and identified, and they’re much harder to do in purely clandestine terms, because it’s not being done upstream from where all the communications are occurring, it’s being done at the level of the individual and the device.”

This can be tracked directly to the Snowden leaks, via its status as a public service announcement regarding unencrypted communications. “The big thing that changed, that kind of precipitated this whole shift, was the rise of end-to-end encryption,” added Kalember.

What does this mean for the average person? It’s less likely that your communications are being intercepted now than it was a few years back.

The CIA and I

At the end of the day, worrying about the CIA spying on you as an individual is a waste of energy. If the agency has a reason to snoop on you, they have the tools to do so. It’s very difficult to avoid that fact, unless you plan to go entirely off the grid. Which, for most people, isn’t practical.

In a way, if you’re worried about the security of your data, the information included in the leak should be reassuring. With international espionage agencies and top cybercriminals using the same ecosystem of tools, there are fewer forms of attack to be concerned with. Practicing good security habits should protect you against the biggest threats, and some of the precautions you can take are simpler than you might expect.

A recent report on Windows vulnerabilities published by Avecto found that 94 percent of vulnerabilities could be mitigated by removing admin rights, a statistic that could help enterprise users keep their fleet of systems secure. Meanwhile, personal users can reduce their changes of being breached simply by looking out for phishing techniques.

“The thing with security is that nothing digitally is ever 100 percent secure, but you know there are measures you can take that make your security much better,” said Maude. “What the CIA leak shows us is that the measures you can take to defend yourself against cybercriminals using common ransomware tools are broadly the same measures you can take to defend against the CIA implanting something on your system.”

The Vault 7 papers aren’t a call for panic, unless you’re an individual that the CIA might already be interested in investigating. If knowing that the CIA can listen to your conversations through your TV scares you, then it probably doesn’t help to hear that career criminals who make a living through extortion and blackmail have access to the same tools.

Fortunately, the same defenses work just as well against both parties. When matters of online security hit the headlines, the takeaway is usually the same; be vigilant and be prepared, and you’ll most likely be ok.

Computing

Arm’s future CPU designs may finally catch up with Intel in laptops by 2020

Arm publicly revealed its CPU road map for the first time, covering designs to be released through 2020. Typically disclosed under an NDA, Arm revealed its plans to show how its CPU designs will advance the always-on laptop.
Wearables

Is this proof Google plans to launch a Pixel Watch soon?

From its Pixel smartphones to Google Home, the Google brand is quickly becoming synonymous with high-quality consumer hardware. This year, it looks like Google may branch out a little further by creating its first smartwatch.
Cars

Porsche goes rallying, and it’s not with the model you’re thinking of

Porsche channeled its racing heritage to turn the 718 Cayman, not the Cayenne, into a rally car. The GT4-spec model was built as a fully functional concept, and it will participate in its first rally during August.
Computing

Apple preps production of updated MacBook Air for a 2018 launch

To reach its rumored launch timeline of later this year for its low-cost notebook, Apple is expected to begin production of its updated MacBook Air soon. The sub-$1,000 laptop could launch as early as September or October.
Computing

These 30 apps are absolutely essential for Mac lovers

There are literally hundreds of thousands of great software programs compatible with MacOS, but which should you download? Look no further than our list of the best Mac apps you can find for the latest MacOS and how they can help out your…
Computing

Apple’s rumored entry-level MacBook may appear in September starting at $1,200

Apple may reveal new products in September including an entry-level 13-inch MacBook based on Intel’s seventh-generation processors. Apple originally intended these units to rely on Intel’s now-delayed 10nm “Cannon Lake” processors.
Computing

With Q#, Microsoft is throwing programmers the keys to quantum

Quantum computers aren’t yet practical, but Microsoft has already developed a programming language for them. Q# works inside Visual Studio, just like most other languages, and could offer a gateway into the weird world of quantum physics.
Mobile

AirDrop makes sending files to Apple devices easy -- here's how

Want to send files or photos to your friends when you're standing directly beside them? Instead of texting or emailing, why not learn how to use AirDrop? Here's everything you need to know about using AirDrop on both iOS and MacOS.
Deals

Stay safe on the web and save up to $70 with McAfee Total Protection

If you don't have some sort of protection on your phone, tablet, or computer, you're basically leaving the door open for anyone looking to do some cyber burgling. Protect yourself for a year with McAfee Total Protection for just $30.
Computing

PDF to JPG conversion is quick and easy using these simple methods

Converting file formats can be an absolute pain, but it doesn't have to be. We've put together a comprehensive guide on how to convert a PDF to JPG, no matter which operating system you're running.
Product Review

Recent production woes make the Eve V a worse buy than it once was

Our Eve V review looks at a crowdsourced detachable tablet that checks some boxes for its backers. Its delay in making it to the market holds it back in some areas, and Eve Technology is an unknown quantity.
Computing

Here's how to convert an MP4 to an MP3 file with online and offline tools

Sometimes you just want the audio without the video. In this guide, we'll show you how to convert an MP4 to an MP3 using web-based software and dedicated programs for both Windows and MacOS.
Computing

Crypto-intrigued? Here's how to buy Bitcoin for the first time

Is it time to purchase your first Bitcoin investment? If you're ready to get involved in the cryptocurrency, we'll walk you through how to pick an exchange, how to choose the right wallet, and how to buy Bitcoin the safe way!
Product Review

Dell's classic 4K P2715Q monitor still holds up today

The Dell P2715Q might not be the most modern of 4K displays, but its IPS panel, extensive connectivity, and easily adjusted stand make it more than competitive with the newest crop of screens.