Vault 7, Year Zero part 2.
We’ve so far had a total of five releases from Wikileaks under the name of “Vault 7” and although it’s all pretty much just documentation, one can still work out the innards and their impact. Most of it is old hacks and technologies, but some were still current – as we saw when the likes of Microsoft and Apple quickly released large patches in order to fix some of the most serious bugs that our “protectors” in The Five Eyes were using on a daily basis to penetrate target computers in order to extract whatever information they were after.
Getting hold of electronic information isn’t as easy as it used to be and today even total amateurs can easily secure a computer to make it virtually impossible to hack, or otherwise compromise. Standard encryption software can create hard enough encryption that even the NSA can’t crack and that’s a big problem for the intelligence community. They pretty much survive on breaking in between the layers and gaining access on user level and therefore bypassing the hard encryption.
I fully understand the need for these agencies to gain access to some information in order to stop certain shady terrorist organisations from carrying out their activities, and this I’m sure most people agree with – even the die-hard anti-NSA/CIA/GCHQ/etc people. What I don’t agree with is their wideband “read everything just in case” philosophy, in case they find anything by pure luck, or by crawling everything they get their hands on. I’m also not happy with these organisations using severe vulnerabilities to penetrate people’s computers without reporting them to the vendors, because if these agencies can find these vulnerabilities, the bad people can also find them because let’s face it – they are often better at what they do than these agencies… (or worse, they are on the payroll of these agencies, which is exactly why we have these leaks today: the agencies have employed shady people who copied all they could get their hands on just for fun, and for bragging rights…)
I’d like to have a system where the vendors could work with the agencies in order to secure information and data regarding criminals and terrorists, but our agencies have shown again, and again, that they are too greedy and that their version of pro-activity is to read everybody’s emails, listen in on everybody’s phone calls and read everybody’s text messages. Not because they need it today but because they might need it tomorrow. By collecting all this information they also know who’s been talking to whom, and with a bit of clever database programming you can easily profile someone’s personal network with a click of a button and thus create relationships between people in order to predict who’s working with whom. Sadly, in reality this methodology produces way too many false positives, and a single innocent contact can create false terrorists in a mere second… This is unacceptable and also the reason why Edward Snowden decided to spill the beans.
Vault 7 so far?
The releases in Vault 7 so far have been Dark Matter, Marble Framework, Grasshopper, Hive and now most recently Weeping Angel.
Dark Matter: Various CIA projects that infect Apple firmware. Notable projects were Sonic Screwdriver (executing code whilst booting), DarkSeaSkies (EFI firmware implant consisting of DarkMatter, SeaPea and NightSkies), Triton, Dark Mallet and DerStarke. NightSkies is designed to be physically installed during manufacturing, so the CIA had managed to put agents in Apple somewhere to do this…
Marble Framework: An anti-forensic framework to hide malware by obfuscation in order to avoid detection by antivirus software. Worth noting that Marble is designed not just for English but also for Russian, Korean, Chinese, Arabic and Farsi.
Grasshopper: A framework for Windows where various modules can be selected and executed on target computers in order to collect various types of information. A lot of the code that makes up these modules was stolen malware from various hacker groups. Carberp has been identified as one.
Hive: A generic back-end infrastructure for CIA’s various tools/hacks to collect data over HTTPS and also able to send commands to the hacked devices.
Weeping Angel: Vulnerability in Samsung F-series TVs that turns them into remote-controllable spy stations by recording sound.
Scribbles: An anti-leak digital watermark tool that collects, and stores, personal data inside the document in order to catch whistleblowers who steal documents from the CIA. Only for Microsoft Office. Full source code release.
NSA hack by Shadowbrokers
At the same time as someone managed to copy most, if not everything, at the CIA, Shadowbroker hacked the NSA and stole all of their hacking tools. The difference is that those who leaked the CIA material to Wikileaks did it to stop it by making it public. Shadowbroker did it to make money and they taunted the NSA in the media by offering these tools for money. As time passed they released small parts of their NSA hack, and they indicated what tools they had. Eventually they started to release larger chunks and I don’t think anyone actually paid them for these tools – but somehow Microsoft managed to patch all the vulnerabilities in the last chunk they released – the one they were asking all the money for, and Shadowbroker wrote that they never got any money from it and that they would now release it all and go into hiding. Some think they got a fair bit of bitcoin, some think they didn’t, but Microsoft managed to get hold of all the vulnerabilities and it’s more or less for sure that the NSA didn’t tell them… Makes you think…?
The last Shadowbroker dump was really powerful, whereas the previous one was more for older versions of Solaris. This one was mostly targeting Microsoft Windows, and with tools like EternalBlue and EternalChampion you could easily attack a Windows computer, or server, install a backdoor, inject malicious code that allowed remote access and control and then remove the backdoor in order to erase all traces of the intrusion. I downloaded and decrypted the dump and it worked like a charm! Luckily Microsoft pushed out a big patch a few weeks prior to the release so most people were safe, but I still suspect Microsoft, or someone close to them, made a “donation” to Shadowbroker. Why else would they be able to patch the vulnerabilities when we know the NSA didn’t tell them, although they had a bit more than 90 days to do so?
The NSA tools were mainly written in Python and even had a Java UI for ease of use. It’s well written stuff. Not something they’d just cobbled together – this was written as a proper framework with various modules that could be loaded on the fly, depending on the target and what you wanted to do. I’ve seen enough corporate code in my days to recognise it and this was corporate code. Years in the making… I’m sure the NSA have begun making new tools already, and they surely have other vulnerabilities that are yet to be discovered, but these tools were the real deal and it must’ve been a real blow to their operation to have them stolen and later put up for sale to the highest bidder…
Panic, future and what’s next?
We need our intelligence community and we need government players who can gather information in order to stop terrorists from attacking their targets. But we can’t allow them to roam totally free, listening to all of our private conversations! That is not the correct way of doing intelligence! By allowing severe bugs to exist for years without telling the vendors, they are responsible for other factions discovering the very same bugs, which they use for malicious activities rather than national security. Not acceptable.
In the aftermath of the CIA and NSA leaks politicians are yet again showing their incompetence by, yet again, trying to ban private encryption… sigh. How on earth are you going to do that to begin with??? It’s so fundamentally stupid that I don’t even know where to begin – and these people are elected to run our countries??? Holy crap…
I’m using non-RSA certified encryption on my computers, and to encrypt and sign my private emails, and no intelligence player in the world can decrypt that. Not even in my lifetime! Because I’m not a shady person I’m not of their interest. Intelligence used to be about collecting information about shady people and shady organisations. That’s real intelligence. Not parsing everything on telecom trunks and internet fibres hoping you find something by parsing keywords…
Perhaps these leaks will force our intelligence community to start working with real intelligence again, though I doubt this, because it’s much easier to make a few clicks on a computer than to do actual intelligence work, and all the intelligence agencies have become comfortable doing this. They know they break the law. They just don’t care. They think they can get away with everything under the banner of “terror”, and this is why we’ve had so many high-profile whistleblowers over the last few years…
The more or less rolling releases from Vault 7 are very exciting to read for those of us who are one way or another connected to the intelligence community, but I both wish, and I don’t, that Wikileaks could’ve released all the code as well and not just the Confluence wiki documentation. But the people who are behind Wikileaks are responsible people who are there to inform the world – not to give them dangerous code, so this is best for everyone. Wikileaks have contacted all affected vendors in order to fix all the vulnerabilities, and when that’s all done and verified they might release the code after all? The CIA code isn’t as nice and “corporate” as the NSA code from what I’ve seen so far, and that also tells me quite a lot. That the CIA have employed a lot of shady people, and that’s why we have these leaks as well. Pretty stupid if you ask me 😉
Use Open Source software. Use Open Source encryption standards. This way it’s going to be very hard for these agencies to steal your data. I don’t care if I’m only doing legal things, my privacy is important to me and because I don’t know who’s in charge tomorrow or what they are going to do with my data, I won’t allow them to have it either! OpenPGP is a great start, and with 4096-bit keys and SHA-512 your security goes a long way. 😉
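The 4096-bit key / SHA-512 advice above is easy to state and easy to get subtly wrong, because GnuPG's digest choice is governed by preferences rather than by the key itself. The script below is an added example, not code from the post: it writes a gpg.conf that pins SHA-512, generates a 4096-bit RSA key pair unattended, signs and encrypts a message, and then reads back from GnuPG's machine-readable status output which key size and hash algorithm were actually used. It assumes GnuPG 2.x is installed as `gpg` and `gpgconf`; the identity "Alice Example" and the message text are constructed placeholders, and everything runs in a throwaway GNUPGHOME so the real keyring is never touched.

```shell
#!/bin/sh
# Added example (not the post's own code): enforce and verify "4096-bit RSA, SHA-512"
# with GnuPG 2.x. Runs entirely inside a temporary GNUPGHOME.
set -e

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
UID_EMAIL="alice@example.invalid"   # constructed placeholder identity
MESSAGE="hello, signed and encrypted" # constructed sample message

# Stop the agent started for this home and remove the directory when the script ends.
trap 'gpgconf --kill all >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT

# gpg.conf: use SHA-512 for our own signatures and certifications, and advertise
# SHA-512/AES-256 first so correspondents pick them when writing to us.
write_gpg_conf() {
    cat > "$GNUPGHOME/gpg.conf" <<'EOF'
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Unattended key generation: 4096-bit RSA signing key plus a 4096-bit RSA encryption subkey.
# %no-protection keeps the example non-interactive; a real key gets a passphrase.
generate_key() {
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: Alice Example
Name-Email: $UID_EMAIL
Expire-Date: 1y
%commit
EOF
}

# Bit length of the primary key, read from the colon-separated "pub:" record (field 3).
primary_key_bits() {
    gpg --list-keys --with-colons "$UID_EMAIL" 2>/dev/null | awk -F: '$1 == "pub" { print $3; exit }'
}

# Sign and encrypt $1 to ourselves, writing ASCII armour (mail-safe) to $2.
sign_and_encrypt() {
    gpg --batch --yes --quiet --armor --trust-model always \
        --local-user "$UID_EMAIL" --recipient "$UID_EMAIL" \
        --sign --encrypt --output "$2" "$1"
}

# Decrypt $1 to $2 and return the hash algorithm id from the VALIDSIG status line
# (OpenPGP ids: 8 = SHA-256, 10 = SHA-512). Checking the status output, not the
# config, is what proves SHA-512 was really used for the signature.
decrypt_and_verify() {
    gpg --batch --yes --quiet --status-file "$GNUPGHOME/status" --output "$2" --decrypt "$1"
    awk '$2 == "VALIDSIG" { print $10; exit }' "$GNUPGHOME/status"
}

# End-to-end run; key generation is skipped if a key for the identity already exists.
run_demo() {
    write_gpg_conf
    [ -n "$(primary_key_bits)" ] || generate_key
    printf '%s\n' "$MESSAGE" > "$GNUPGHOME/msg.txt"
    sign_and_encrypt "$GNUPGHOME/msg.txt" "$GNUPGHOME/msg.asc"
    echo "primary key bits: $(primary_key_bits)"
    echo "signature hash algorithm id: $(decrypt_and_verify "$GNUPGHOME/msg.asc" "$GNUPGHOME/msg.out")"
    cat "$GNUPGHOME/msg.out"
}

command -v gpg >/dev/null 2>&1 && run_demo
```

Two things worth noticing when you adapt this: `personal-digest-preferences` only controls the digests GnuPG uses for signatures you make, while `default-preference-list` is baked into the key's self-signature and tells other people's software what to use when encrypting to you, so both lines matter. And the `VALIDSIG` status line is the reliable place to confirm what actually happened; the output of `gpg --verify` is meant for humans and should not be parsed by scripts.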
And unless it’s already blatantly obvious, Richard Stallman was right…