What Vault 7 Means for You

 

The CIA lost control of all its cyber weapons last year. It is the largest arsenal in the world, and it included viruses, Trojans, and malware used to control and disable electronic devices. It is so large that it utilized more code than what is used to run Facebook. Assange called it a “historic act of devastating incompetence.” The CIA also didn’t warn the public that the arsenal was out of its control. During today’s press conference, Assange pointed out that they are not defending us from what they created.

Everything with a mic and a camera is remotely controllable. There are weaponized exploits for iPhones, Android, Windows, and Samsung TVs. For example, “Weeping Angel” infects smart TVs with a fake off mode, so the TV appears to be off, but it is recording everything in the room. Even vehicle control systems can be infected, then used for assassinations. For smartphones and iPads, the geolocation, audio, and texts are accessible and the phone’s camera can be activated on demand. All encrypted apps are useless because the attacker is controlling the phone itself.

Once a weapon is loose, it can be duplicated by anyone and spread through pirating. The material is now being sold on the black market. Once built and released, it cannot be controlled. Numerous people have it now, so it will spread everywhere if it hasn’t already. Gray hats can use it to start their own hacking-for-hire companies. We are fortunate that WikiLeaks got it because now tech companies have a chance to take countermeasures. WikiLeaks didn’t publish the weapons themselves, just their descriptions. WikiLeaks will work with manufacturers first to disarm them. Then they will publish additional details, so the redactions in Vault 7 are only there for a limited time.

These weapons can be used to attack journalists and their sources. For example, The New York Times tip line is based on the Signal protocol. It is a good encryption system for phones, but if you control the phone itself, then encryption doesn’t matter. If either the source or the journalist is infected, then the infection will bypass the protection of the encryption. The New York Times tip line has one phone that all the tips go to. If it is infected, then the numbers of the callers and the messages exchanged are viewable. WikiLeaks sources are not affected because their systems have a specialized cryptology.

The mainstream media squandered their questions to Assange by trying to divert attention to Russia or by asking him about legalities, rather than using a tiny bit of insight and realizing that this might have serious ramifications for their profession.

  • CNN asked if using the weapons on overseas targets is legal. Assange said that it is “problematic” that CNN chose to ask a question in defense of the CIA.
  • ABC asked if Assange had ever been paid by the Russian government or Russia Today. He said no, but he found it interesting that that was their question, given the implications for journalists and their sources. He said they are trying to divert from this epic publication to something else.
  • Fox asked something useful. They wanted to know the approximate time frame that tech companies will need to fix the problems. Some small issues might take 2-3 days, but the larger problems that involve critical code will take longer. Android and Samsung users must be aware that they need to pull updates. He said that it is up to journalists to pressure companies to address the problems.

Completely automated systems have been developed to attack and infest other systems. It’s no longer one person attacking one person or system online. It’s systems attacking systems. Individuals have cause for concern because of the automation of the attacks. If you know someone who knows someone who works for a target, then you might also be on the radar. The practical problem for people is not government spying, but that the tools are now in the hands of the bad guys to do the same things.

These weapons were created to be untraceable or to throw off attribution in forensic reviews. They can leave behind fingerprints of any group they want. The CIA also has rules on how to write malware so that it isn’t traceable in forensic review. If fingerprints are left behind, then it is probably intentional.

Proximal attacks are needed for “air gap” networks. These systems are often used by police departments because they are kept off the internet to prevent hacks. These types of systems are infected by something as simple as plugging in a USB drive or putting a CD into a computer while someone from the CIA is giving a presentation. They can pop in a video or presentation, but while it is running, it is ransacking the system’s data.

The CIA is potentially causing billions of dollars in damage to U.S. companies. The government promised to tell tech companies when it found weaknesses. Instead, it chose not to tell them and to exploit the vulnerabilities. To a foreign purchaser, it might not be a jump to think that U.S. tech companies and the government are colluding. That means that our exports may be viewed as untrustworthy or that we are unable to produce goods that are not vulnerable to attacks.

During the press conference, someone asked if Vault 7 shed light on the surveillance of Trump and his team. Assange stated that they were using an app called Confide, which is like Snapchat, but it is encrypted. He then went on to state that attack sites can be set up by third parties who configure them, then hire out someone else to push the button to avoid legal problems. This was said in his response to what happened with Trump and his team being under surveillance, so it sounds as though outside channels might have been used.

As companies work to fix this, consumers must check for updates from manufacturers and antivirus companies, then install them. We are likely to see many updates in the coming days, so do not put them off until later. If you get a notice that an update is available, install it immediately even if it means that you are momentarily inconvenienced by restarting your computer. Android and Samsung users will need to pull updates as soon as possible.
