Is There A Positive Aspect To CIA Spying?

The latest release from WikiLeaks detailing how the CIA has allegedly stockpiled a plethora of tools to hack a variety of everyday devices, from phones, to televisions to cars, is a stark reminder about the fragile state of Internet security. 

The US government has amassed extraordinary hacking powers largely in secret, and this leak might just force us to grapple with whether we are comfortable with that.

The most widely reported aspect of the purported leak is the allegation that the CIA has myriad ways to hack popular smartphones like iPhone and Android devices, and that the agency could be allowing its hackers to take control of internet connected televisions and covertly listen in on conversations in people’s living rooms. 

This type of attack has been the worry of many privacy advocates for years, as more and more televisions and other household devices, collectively known as the Internet of Things, are increasingly connected to the Internet while always “listening”.

There was never a doubt that the US and other government around the world would quickly move to leverage the ability to exploit these features, as more and more consumer electronics companies have made them standard in all sorts of household items. 

The former Director of National Intelligence James Clapper even made clear in testimony to Congress last year. But just how often governments have exploited this type of technology is still largely unknown.

While many of the headlines accompanying these documents will send a shiver down the spine of readers, there is some good news in the WikiLeaks documents. 

Contrary to some early reports suggesting that the CIA can “defeat” popular end-to-end encrypted messaging apps like Signal and WhatsApp, the WikiLeaks release is further evidence that encryption does work to protect people’s privacy.

The documents do purport to show is that the CIA has a host of exploits to attack the operating systems of popular mobile devices like iPhones and Androids, a deeply worrying prospect, to be sure, but to “defeat” secure messaging apps, government hackers essentially have to gain access to your phone itself before they can read your messages. 

So if you’re using an app like Signal, the content of those communications are at least still likely protected from their vast surveillance nets that otherwise indiscriminately capture billions text messages and emails per day.

This is encouraging news. The Snowden revelations were so offensive to so many people because the government was secretly using mass surveillance to spy on hundreds of millions of people at once, the vast majority of them innocent. 

With countless users switching over to end-to-end communications in recent years, it means intelligence agencies like the CIA must target individuals one by one, which, in turn, means the cost for each surveillance target goes up, and forces them to prioritise a much smaller number of people.

Still, the amount of smartphone vulnerabilities and exploits detailed in these documents was shocking even to experts. “It certainly seems that in the CIA toolkit there were more zero-day exploits”, an exploitable vulnerability in software not known to the manufacturer, “than we’d estimated,” Jason Healey, a director at the Atlantic Council think tank, told Wired Magazine. He added: “If the CIA has this many, we would expect the NSA to have several times more.”

As Edward Snowden himself tweeted recently: “Why is this dangerous? Because until closed, any hacker can use the security hole the CIA left open to break into any iPhone in the world.” He called it “reckless beyond words.”

For years, civil society groups have been calling on US intelligence agencies to disclose these vulnerabilities to tech companies instead of hoarding them in secret. Intelligence agencies should help make the everyday devices we rely on safer, rather than less secure. 

The government has claimed that they run the vulnerabilities they know about through an interagency “equity process” to determine whether they should disclose and help fix them. But the surprising amounts of exploits in the WikiLeaks release suggests this process is either woefully inadequate or largely only exists on paper.

Undoubtedly, there will be a heated debate over WikiLeaks and the value of having these documents in the public record for the days and weeks to come, as any publication by WikiLeaks inevitably does. 

But whether Trump administration officials like it or not, the hacking powers of our government is a vital topic that needs much more public debate, and this latest release may end up fueling it.

But in the mean-time, perhaps you might download Signal.

Guardian:

 Assange Says CIA Lost Control Of Its Cyber Weapon Documents:

CIA leak 'absolutely' an 'inside job':           Signal: The Snowden-Approved Crypto App Comes to Android

 

 

« A Common Language For Sharing Intelligence On Cybersecurity Threats
New Malware Hides In Memory »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Lloyd's

Lloyd's

As an insurance market, Lloyd’s can provide access to more than 65 expert cyber risk insurers in one place.

XBOSoft

XBOSoft

XBOSoft is a software QA and testing company. We cover the entire QA and testing life cycle including software and application security.

Lockton

Lockton

Lockton is the world’s largest privately owned insurance brokerage firm. Commercial services include Cyber Risk insurance.

SentinelOne

SentinelOne

SentinelOne is a pioneer in delivering autonomous security for the endpoint, datacenter and cloud environments to help organizations secure their assets with speed and simplicity.

AFCON Control & Automation

AFCON Control & Automation

AFCON is a leading global provider of software solutions and services for the smart management of Control & Automation systems in the age of Digital Transformation.

US Cyber Range

US Cyber Range

US Cyber Range is a scalable, cloud-hosted infrastructure providing students with virtual environments for realistic, hands-on cybersecurity labs and exercises.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

Secureframe

Secureframe

Companies from startups to enterprises use Secureframe to automate SOC 2 and ISO 27001 compliance, complete audits, and continuously monitor their security.

Secuna Software Technologies

Secuna Software Technologies

Secuna is the most trusted Cybersecurity Testing Platform in the Philippines. Our pool of vetted security researchers will find and ethically report security vulnerabilities in your product.

Advent One

Advent One

Advent One are recognised for solving intricate dilemmas, not only making technology work but building foundations that customers can grow upon in an effective and secure way.

Banyax

Banyax

Banyax provides 24×7 real-time Cyber Defense Center Services using the latest technology tools to provide state-of-the-art defense.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

Advanced IT

Advanced IT

Reliable managed IT Security & support services that will help you take your business operations to the next level without breaking the bank!

Clear Ridge Defense

Clear Ridge Defense

Clear Ridge was founded in April 2015 with the mission and vision to support Joint, Service Cyber Components, and commercial clients in specialized cyber support.

Minsait Cyber

Minsait Cyber

Minsait Cyber (formerly SIA Group) is the Indra Group's cybersecurity company, a leader in Spain and Portugal in terms of both revenue and expert talent, with more than 2,000 specialists.

Maze

Maze

At Maze, we’re dedicated to changing how security teams understand and act on vulnerabilities — especially in cloud and application environments.