WikiLeaks founder pledged to help patch bugs outlined in CIA leaks, but many in the tech world say leaks aren't that troubling and worry instead about Russia ties
WikiLeaks founder Julian Assange's pledge to help Silicon Valley technology companies patch the bugs outlined in leaked CIA files has been met with skepticism from the security community.
Assange said he would contact technology companies to privately supply technological details of the hacking techniques and security vulnerabilities that were redacted from the cache of classified documents released to the public.
"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," Assange said in a news conference streamed from the Ecuadorian embassy in London, where he has claimed diplomatic asylum since 2012.
But members of the security community have rejected Assange's hyperbole around the CIA files, collectively nicknamed Vault 7, which he described as "exceptional from a political, legal and forensic perspective".
Ryan Kalember, SVP of Cybersecurity Strategy at Proofpoint, disagreed.
"There's nothing earth-shattering," he said, pointing out that many of the operating systems mentioned in the documents are quite old and have already been updated.
"It seems like the CIA was doing the same stuff cybersecurity researchers do, which is compile listings of vulnerabilities and to continue efforts to figure out which ones are being exploited in the wild and which ones could be."
It's not clear at this phase how many, if any, of the vulnerabilities are genuine zero-days: those that are still not known to vendors, named after the number of days they have to fix them.
Kalember said that the so-called Weeping Angel hack, which utilizes malware to spy on Samsung smart TVs, has been shown at security meetings for a couple of years and requires physical access to the device.
"The CIA should be embarrassed that they lost control of this cache, but they should also be embarrassed if this is their level of technical sophistication," said another security researcher, who did not want to be named. "What they have is pretty unimpressive."
Both said that the vulnerabilities detailed in the documents are likely to have already been patched by the companies. Apple and Google have both publicly stated this is the case.
There could be more to come, however: Assange has emphasized that the data cache released on Tuesday is only a portion of the total leaked information WikiLeaks holds.
"The fact that Julian Assange is offering to selectively disclose vulnerability information to affected companies is better than disclosing it to all and sundry, but it depends on the veracity, accuracy and currency of that information," said BullGuard CEO Paul Lipman.
"I don't believe WikiLeaks is the first stop for tech companies looking to solve vulnerabilities," he added.
How do the CIA files compare with the revelations contained in the NSA leaks from whistleblower Edward Snowden?
"It's apples and oranges," said Kalember. "The Snowden leaks were not only technically interesting but contained a lot of novel stuff that was not known at all."
He said that with Vault 7, he and other members of the cybersecurity community have spent a lot of time chuckling about funny things on the CIA's intranet (like this collection of emoticons) rather than debating anything interesting from a tech perspective.
Some researchers were skeptical of WikiLeaks' motives, pointing to apparent ties between the whistleblowing organization and Russia, despite Assange's denial.
"Everything they have done over the last few months indicates they are operating as a front for a different leaker [Russia]," said Kalember.
He said that the possible Russian ties, as well as WikiLeaks' track record of publishing identifying information about people (known as doxxing), including millions of women in Turkey, and threats to make an online database of all verified users on Twitter, have diminished confidence in the organization.
"No one in the information security community actually trusts him and his motives," he said.
At the press conference, Assange attempted to counter accusations that he or WikiLeaks had ties to Russian intelligence agencies, describing his operation as a neutral, digital Switzerland.
WikiLeaks' promotion of the CIA files has placed emphasis on a group at the agency called Umbrage, which collects a library of attack techniques produced in other states including, the press release stated, the Russian Federation.
"With Umbrage and related projects the CIA cannot only increase its total number of assault types but also misdirect attribution by leaving behind the fingerprints of the groups that the two attack techniques were stolen from," WikiLeaks said.
This could be interpreted as an attempt by WikiLeaks to undermine the attribution of the DNC hack to the Russians, something that the united nations security community almost unanimously agrees on.
"They place a lot of emphasis on the fact that the CIA could be using malware to achieve its ends and leave roads that point to people in different directions. Everybody does this, but it's not going to genuinely undermine proper attribution," he said.