Advertisement

WikiLeaks CIA cache: Fool me once

A lot of smoke and misleading claims from the king of controversial data dumps.

Illustration by D. Thomas Magee

This week's poorly conceived distraction from Trump and Putin sittin' in a tree was brought to us by WikiLeaks, which dumped 8,761 documents of the CIA's hacking arsenal online for all to see. The leak factory didn't even bother trying to play coy -- it actually made the "Vault 7" password an anti-CIA JFK quote about destroying the agency.

Hilarity ensued. Well, if you think it's funny when the press parrots WikiLeaks' misleading claims wrapped in PR spin.

What sort of misleading claims? How about the suggestion that the safest encryption apps, Signal and WhatsApp (neither of which actually appear in the document dump), are broken. Or that the CIA bugs everyone's phones. That our government is spying on us through our TVs with the flick of a switch. And that the CIA, which is providing evidence to Congress in the Trump-Russia probe, is part of a conspiracy to damage ... Russia.

When the news hit Tuesday morning, the bigger outlets ran wild, uncritically repeating the WikiLeaks press statement, and reporting on the documents without having them verified. If only being first was better than being correct.

WikiLeaks framed the whole media-attention sideshow as a giant embarrassment for an out-of-control CIA. Breitbart loved it. Especially the bit about how the CIA is trying to frame those completely innocent Russian government hackers. Hey, at least it was a break from WikiLeaks lending support to Trump's ravings that Obama wiretapped him.

By Tuesday afternoon, people were starting to get over the shock of learning that the CIA is a spy agency. A few news outlets started to correct their shit. They might've even felt a bit swindled by having regurgitated that crucial first round of PR from WikiLeaks, casting the dump as some sort of Snowden 2.0. (Snowden, for his part, has done his very best to make it a Snowden 2.0.)

Many in hacking and security weren't taking the bait to begin with. Many hackers were less interested this time by what was in the drop than by who it was from, and why it was being released now.

By now the press has started to sort things out -- but only after the misinformation had spread. But as Zeynep Tufekci writes, this is just a page from the WikiLeaks playbook. This time, she said, "there are widespread claims on social media that these leaked documents show that it was the C.I.A. that hacked the Democratic National Committee, and that it framed Russia for the hack. (The documents in the cache reveal nothing of the sort.)"

In an unusual turn, the CIA made a statement. Intelligence officials told press the agency was aware of a breach leading to this very dump, and is looking at contractors as the likeliest source. A formal criminal probe has been opened.

Thanks to the disinformation, lots of people are concerned about what was in the dump and how it affects their privacy and security. The contents haven't been confirmed by the CIA but it looks like it's shaping up to be the real deal. It mostly contains a lot of attack tools, and lots of clues that CIA operatives love Dr. Who, Nyan Cat, and hoard cheesy memes.

The files consist mostly of notes and documentation on the CIA's hack attack tools -- very specific tools used when the agency focuses on a very specific target. These aren't just hoovering up everyone's data like the lazy old NSA -- this is what a modern Bond's "Q" would use to go after a special someone, or someones.

As in, probably not you.

The attacks focus on operating systems, not on apps themselves. That bit you read about the CIA cracking Signal and WhatsApp was false. What this all shows, interestingly, is that encryption on those apps is tight enough that even the CIA hasn't been able to break them and needs to pop old versions of iOS just to read some ambassador's uncreative sexts.

There is literally no surprise here. The ubiquity of large systems having exploitable bugs, and the implications of this, have been reported on for decades.

Perhaps the nonstop cycle of social-media outrage has given us collective amnesia. What's old is new, and suddenly everyone is shocked to hear that there are 0-days in Windows and Android, and people are taking advantage of exploits. We all jump on a chair and lift our skirts and cry "rat!" because someone, somewhere, hasn't taken our advice about what to do with vulnerabilities.

So what's vulnerable, according to the CIA's hack attack tools circa 2013-2016? That would be Windows (Exchange 7 and 10 especially), OS X El Capitan, some Apple iPhone operating systems, and as we'd expect, a range of Android system exploits. The documents indicate that antivirus products like F-Secure, Bitdefender and Comodo are a pain in the ass to deal with, which makes them look pretty good.

The irony is that the best way to avoid these kinds of attacks is to update your system software when you're supposed to, don't get phished and try not to become a CIA target by, say, committing treason. Oh, and don't stop using reputable encrypted apps. Especially not because some guy with a hard-on for the CIA told the press the apps were compromised.

The docs do reveal that the CIA is well into hacking Internet of Things devices to use for surveillance with its Embedded Development Branch. According to journalists who are actually reading the documents, meeting notes from 2014 show that the CIA's analysts "are looking at self-driving cars, customized consumer hardware, Linux-based embedded systems and whatever else they can get their hands on."

This is to be expected, because spies gotta spy. Of course, because we live in a time when companies are using connected teddy bears to surveil kids and then getting owned by malicious hackers, we should expect spy agencies to roll IoT into their bespoke little government-funded "Q" laboratories.

It should make you uncomfortable -- and angry -- as hell that the CIA can use your smart toaster to spy on you. But, what's really troubling is that it's just piggybacking on data that companies are already collecting. Truth is, the US government isn't the early adopter here; Amazon, Google and Facebook are really the front-line developers of the surveillance state.

Image: REUTERS/Rick Wilking (Samsung TV)