The technology industry was rocked earlier this month when whistle-blowing site, WikiLeaks, published what it called the Vault 7 Year Zero archive. Leaving many Americans stunned with loads of questions unanswered.
The leak amounts to a cache of nearly 9,000 confidential documents allegedly obtained from within the US Central Intelligence Agency (CIA), detailing hoarded vulnerabilities and deliberately-crafted attacks against a wide range of commercial software and hardware. Some of the attacks would appear to be in contravention of US regulations on the sharing of security vulnerabilities discovered by intelligence agencies with vendors and manufacturers.
"There is an extreme proliferation risk in the development of cyber 'weapons,'" WikiLeaks editor Julian Assange claimed in his announcement of the release. "Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of 'Year Zero' goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."
For businesses, though, the political, legal, and forensic aspects of the Vault 7 Year Zero archive must take a back seat to a far more pressing issue: the immediate and direct effect its release is likely to have on their infrastructure, consumer confidence, and product offerings.
Vault 7 Year Zero itself consists of nearly 9,000 confidential documents that WikiLeaks claims have been provided by a former government contractor directly from the CIA. The documents themselves are confidential, many rated at the highest levels of secrecy available to the agency. They document a wealth of programs designed to provide the CIA with backdoor access to technological platforms from desktop PCs and smartphones to smart TV sets.
Among the most notable of the archive's releases are documents detailing:
- How to infect the Extensible Firmware Interface (EFI) of any modern desktop, laptop, or server with malware which is invisible to the host operating system
- How to inject code into secure shell (SSH) processes running on Apple's MacOS X platform, a tool dubbed Weeping Angel which allows for selected models of Samsung smart TVs to be placed into a 'fake off' mode in which the microphone is actively recording and transmitting nearby conversations
- Tools which record all keystrokes entered into Windows systems
- A program designed to find a means of taking remote control of automated vehicles' navigation and steering systems.
A program dubbed 'Fine Dining' is detailed within the archive, and makes for sobering reading. According to a module tool list allegedly leaked from the CIA's Operational Support Branch (OSB), 'Fine Dining' includes the ability to make use of DLL hijacking vulnerabilities in commercial software ranging from the Chrome Portable web browser and Notepad++ text editor to security tools from Sophos, Kaspersky, ClamAV, SanDisk, and McAfee. It uses the very tools developed to protect systems in order to inject a malicious payload.
Initially, there was little to corroborate the provenance of the Year Zero archive. The CIA, naturally, has neither confirmed nor denied the legitimacy of the files. The technology industry, however, has provided all the verification required: many of the companies named within the leaked documents have stepped forward to confirm that the exploits and vulnerabilities detailed are genuine. Although, some have claimed that they are outdated with the majority having been independently discovered and fixed before the archive was publicly made available.
For the US government, that's a problem. It may be unsurprising that a national security agency would be developing ways around the security systems built into modern technology. This was contained in the documents detailing the hoarding of so-called 'zero-day exploits' . These are methods of attack which target previously unknown vulnerabilities about which the manufacturer has not been made aware. This type of behavior would appear to fly in the face of the Vulnerabilities Equities Process, introduced in 2010 and which requires all government agencies to alert manufacturers to any and all security vulnerabilities discovered in their products.
Meanwhile, WikiLeaks has promised that more is to follow. According to Assange, the Year Zero archive represents less than one percent of the total documents the site has received from its anonymous source. This means that even as manufacturers work to plug the previously-unknown vulnerabilities detailed in the Year Zero archive, they can expect more to appear in the Year One, Year Two, and subsequent releases.
The Business Impact
The impact of the release is severe, and is likely to continue to upset businesses for quite some time to come. The immediate impact is obvious: a loss of confidence in those companies named within the Year Zero archive, with customers wondering whether their privacy can be assured and investors wondering if their money is safe. This will soon spread out into a loss of confidence in general: even companies not directly named in the release will likely make use of hardware or software named within in the development of their products or infrastructure, and the idea that the CIA's alleged activities are limited only to those named so far is staggeringly unlikely.
Some industry experts have counselled against panic. "Whether the alleged cyber weapons exist or not is largely immaterial at a time when I assume most people believe they do," explains Lee Munson, security researcher at Comparitech.com. "What the Vault 7 leaks should do, however, is confirm that, while taking a nothing to hide, nothing to fear approach is hopelessly out of date, most citizens should not be any more concerned about surveillance today than they were yesterday. While exploits across a range of devices and the ability to turn on cameras and microphones is a touch chilling, they’re nothing new, and anyone with real concerns should already be going about their business with those possibilities in mind."
Others have argued it should act as a wake-up call not only for the CIA but for businesses in general. "It's too easy for data to be stolen, even - allegedly - within the CIA's Center for Cyber Intelligence," claims Brian Vecci, a technical evangelist at Varonis. "According to WikiLeaks, this treasure trove of files was given to them by a former US government contractor. The CIA is not immune to issues affecting many organisations: too much access with too little oversight and detective controls. A recent Forrester study found that 59 percent of organisations do not restrict access to files on a need-to-know basis."
There are, of course, steps a business can take to protect itself from the ongoing fallout of the Year Zero release, as well as from the impending impact of future Vault 7 releases.
The first is as simple as it is obvious: check the released details against any software or hardware platforms currently in use in order to highlight potential areas of concern for deeper analysis.
The second: ensure you have a robust patching policy in place.
With the named companies working to develop and release patches for the security vulnerabilities detailed within the Year Zero archive, updates will be arriving thick and fast in the coming weeks. These updates need to be tested and deployed as quickly as possible. As the Year Zero archive is now publicly available it's a safe bet that organizations and individuals with baser concerns than the CIA will be looking to exploit the vulnerabilities for their own ends.
The third step goes considerably deeper: protect corporate data, including so-called 'toxic data.'
"Files that were once useful in their operations are suddenly lethal to those same operations. We call this toxic data, anything that is useful and valuable to an organisation but once stolen and made public turns toxic to its bottom line and reputation," explains Vecci. "All you have to do is look at Sony, Mossack Fonseca and the DNC to see the effects of this toxic data conversion. Organizations need to get a grip on where their information assets are, who is using them and who is responsible for them. There are just too many unknowns right now. They need to put all that data lying around in the right place, restrict access to it and monitor and analyse who is using it," he concludes.
Fourth, businesses need to consider a complete top-down review of their infrastructure and policies currently in place - something which could have prevented the documents in the Year Zero archive from having been ever made public.
"US government computer systems, policies, and procedures are largely outdated in today’s hostile world of connected technologies. The moment anything with either external connectivity or mobility - e.g. a USB memory stick - gets near such systems, the game is over," argues Mike Ahmadi, global director of critical systems security at Synopsis. "The software running on legacy government computer systems is so fraught with vulnerabilities that any level of access creates the potential for a security breach."
As well as locking down data against abuse and theft, businesses should look at streamlining their systems, reducing their attack surface, and ensuring the adequate security measures are in place to keep private data private. "The alleged cyber spying tools all appear to have one thing in common," explains Munson. "The need to acquire information over the wire. That means, for now at least, we can assume that messaging systems with strong end-to-end encryption are beyond the reaches of the security services; a win for everyone who is truly concerned about protecting their privacy today."
One thing is certain: no business with any form of technology near its infrastructure should be ignoring the lessons or the impact of the Year Zero leak.