Wikileaks shows there's no such thing as a top secret hack

11 March 2017 by Steve Blum

Not the latest version.

The Central Intelligence Agency’s guide to hacking is getting bad reviews from the tech community. Published earlier this week on Wikileaks, the thousands of files of internal documentation maintained by the CIA’s Engineering Development Group are mostly cookbooks assembled from openly available material, plus mundane advice on how not to get caught.

A story by Sean Gallagher at Ars Technica steps through some of it and concludes it amounts to an outdated “Malware 101” textbook…

It’s not clear how closely tool developers at the CIA followed the tradecraft advice in the leaked document—in part because they realized how dated some of the advice was. Back in 2013, two users of the system said so in the comments area: “A lot of the basic tradecraft suggestions on that page seem flawed,” wrote one. Another followed, “Honestly, that stuff is probably already dated…”

Four years later, some of the recommendations have become even more stale. That’s largely because of the advances made in malware detection and security tools, including those built into many operating systems. But it’s also because the tradecraft used by everyday malware authors without the benefit of state sponsorship has surpassed these sorts of tradecraft suggestions.

One of the takeaways from the Wikileaks dump should come as no surprise: the CIA is an avid collector of zero-day exploits, code that takes advantage of bugs in applications, operating systems and hardware that the rightful owners don’t know about yet. Plenty of others will, though. Apparently, the CIA buys at least some of these exploits from the grey and black marketeers that openly sell them. Even a flaw discovered by the CIA’s own team isn’t exactly a secret – nothing stops anyone else with the necessary, and far from rare, skills from finding the same bug independently.

Spying is the CIA’s job. But the reason for doing it is to protect the U.S. Feeding the market for exploits, and hoarding the underlying flaws instead of reporting them so they can be fixed, makes us all less secure.