The IT Nerd

Wikileaks did another dump of CIA hacking info late last week. This time the info relates “Marble” which is part of a secret anti-forensic Marble Framework. In short, it basically is an obfuscator used to hide the true source of CIA malware so that blame for a hack can be shifted to anyone. This was part of source code files that were made public. Now that this is public, people who investigate hacks could in theory would be able to use this to confirm or deny that the CIA was behind a hack that was previously attributed to say the North Koreans, Russians, or Chinese. Wikileaks claims that this was in use as recently as 2016, but no proof has been provided on that front.

I for one will be waiting to see if a forensics company can confirm if this is legit or not. I suspect those answers will come shortly.

Wikileaks had the chance to become a bit of a hero by standing by its pledge to release details of the various CIA hacking techniques that it acquired. But it seems to have have decided that blackmailing the tech industry is far more important. Here are the details from Motherboard:

Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security “zero days” and other surveillance methods in the possession of the Central Intelligence Agency… Wikileaks’ demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard’s sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.

Now, if Wikileaks is asking for a 90 day deadline to force these companies to fix these issues in a timely manner, that would be in line with responsible disclosure efforts like Project Zero. Thus there would be nothing to see here. However if there’s more to it, that will not inspire confidence.

Of course the cynic in me also sees this as some sort of litmus test. As in, they’re trying to see who’s potentially in bed with the CIA, or the Kremlin, or anyone else. After all, if you are a tech company and you have a bug out there that’s part of this dump, you’d think that you want to fix it ASAP. Unless you’re working with those who are spying on their citizens, or others, or both.

Other than the above reasons, I struggle to see a good faith reason for WikiLeaks to require agreement to any terms before they tell tech companies about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with. Perhaps it would be simpler for them to say “here’s the bugs we found in the documents that we got. Prove to us that they’re fixed or going to be fixed in 90 days or we go public with them” and leave it at that. The mystery over whatever else they want isn’t helpful IMHO.

One of the things that I have said is that it’s not good that the WikiLeaks dump of the CIA’s hacking tools could give the bad guys a head start in terms of using these exploits to do really bad things. WikiLeaks seems to have thought of this and Julian Assange said that he’ll give first crack at seeing these exploits to the likes of Apple and Google via a press conference streamed on Periscope on Thursday that I watched.

My thoughts on this are that this is good. However, those who I will call the forces of evil don’t need the actual exploits to cause problems for the rest of us. That’s because just reading the documents and seeing what’s in them can give someone enough ideas to reverse engineer whatever the CIA did. That’s bad.

What’s worse is that even if WikiLeaks does this, it doesn’t mean that you’ll get a fix for whatever exploits the CIA has. For example, Android users have to deal with the fragmentation of that platform due to how many companies make Android phones and how many cell carriers tweak them for their networks. That means that it takes forever to get fixes out to users. If they ever appear at all. Users of iOS don’t have this problem as Apple pushes OS updates to every iDevice from 1 Infinite Loop. But they along with users of other platforms may be faced with the fact that some of the exploits that the CIA use aren’t easily or quickly fixable. Add to that the nightmare that is potentially out there for makers of IoT gear who have to rely on users to update their gear (which for the most part they don’t), which of course assumes that these companies actually will provide updates as many don’t, and you have a major problem that’s brewing.

I for one will be watching closely to see how this plays out. It may not be pretty.

If you’re an iOS user who is worried about your security due to the WikiLeaks dump of CIA hacking tools, you have less reason to worry. Apple said in a statement provided to TechCrunch that most of the vulnerabilities detailed in the dump have been patched:

Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.

So, what that says to me is that if you’re running iOS 10.2.1, you’re mostly protected. It also implies that the upcoming iOS 10.3 which is in beta now will likely have some more fixes in that. That’s great for iOS users. But one has to wonder what the state of affairs is for macOS users or watchOS users. I’d love to see a statement from Apple on that because while this is a good first step, they need to do more.

Oh, I have a message for Google, Microsoft, Samsung and those who make smart TVs and IoT devices. The universe would love to see a statement that tells the world what your state of affairs is and how you’re going to protect your users.

Yesterday, WikiLeaks dropped a bombshell about the CIA’s abilities in terms of hacking everything from phones to smart TVs. So, is this a story about those abilities? That’s what it’s become, but it shouldn’t be. Instead here’s the real story. Actually, there’s two things that you need to pay attention to:

1. What this data dump shows is that the CIA found bugs in everything from smart TVs to your iPhone and didn’t inform the people who made those products about those bugs in the interest of exploiting them for their own purposes. Thus, they put users of those products at risk from criminals who if they didn’t know anything about these bugs before, they do now and are exploiting them as I type this. And to be frank, I am much more worried about the criminals than the spies as the latter has some degree of oversight. Apple, Google, and everyone else who makes a IoT device or a smart phone will fix bugs that are brought to their attention as they don’t have an interest in making devices that are insecure. But they weren’t given that opportunity. Now, I do understand that the CIA among other intelligence agencies have a job to do. But I don’t think that job should be done at the expense of the safety of the public at large. That I believe needs to change.
2. People are concerned because supposedly secure apps like Signal and WhatsApp are insecure. That isn’t true though. From what I can tell, they were able to pwn the phone and intercept things before they were encrypted. Thus the apps are fine but the OS of your smart phone may not be. So the discussion needs to change to hardening the phones operating systems so that this cannot happen. You as a user have a role to play in that by always applying updates to not only the phone’s OS, but to the apps that you use. That way, you mitigate, but not eliminate, the chance that this could be a risk to you. Having said that, this is a clear signal to the Apple and Googles of the world that they need to up their game as well.

Keep in mind that we’re going to be revisiting this in the future as this is the first of many data dumps that are to come from WikiLeaks. Plus everyone from casual observers, hackers, to software companies, governments, and terrorist organizations are looking at this data dump as we speak and will be looking at future ones as well. Either way, we’ll have more to discuss and we will have to look beneath the surface to find out what is the real story is as that’s what we really should be focusing on.