WikiLeaks Will Share CIA's Hacking Secrets

WikiLeaks plans to share details about what it says are CIA hacking tools with tech companies so that software fixes can be developed.

But will software companies want it?

The information WikiLeaks plans to share comes from 8,700-plus documents it says were stolen from an internal CIA server. If the data is classified, and it almost certainly is, possessing it would be a crime.

That was underlined by White House press secretary Sean Spicer, who advised tech vendors to consider the legal consequences of receiving documents from WikiLeaks.

“If a program or a piece of information is classified, it remains classified regardless of whether or not it is released into the public venue or not,” he said. “There’s a reason that we have classification levels, and that’s to protect our country and our people.”

However, his comments aren’t sitting well with some legal experts.

“The idea that the government might stand in the way of companies fixing vulnerabilities that have already been disclosed is remarkable, and reckless,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in an email.

Cindy Cohn, an attorney and executive director at the Electronic Frontier Foundation, said using US law to penalise vendors would be a "gross misuse."

US laws about security clearances on classified documents were never designed with software patching in mind, she said.

“It would be really wrong-headed for the government to go after these companies for simply trying to make their technologies more secure,” Cohn said. “It’s exactly the opposite of what the US government should be doing.”

To date, the CIA hasn’t confirmed whether any of the documents published by WikiLeaks are legitimate, but there is widespread belief they are.

The documents published by WikiLeaks contained information on numerous exploits aimed at smartphones, PCs and software from major vendors including Apple, Google and Microsoft, but the source code for the attack tools wasn't published.

WikiLeaks founder Julian Assange said tech vendors would be given “exclusive access” to the tools, so they could learn how to better secure their products.

“WikiLeaks has a lot more information on what has been going on with the (CIA) cyber-weapons program,” Assange said.

And there's another worry: If WikiLeaks managed to get its hands on the data, it could be elsewhere too, increasing the risk that companies and consumers are being watched online.

So the US government should be helping tech vendors patch the vulnerabilities involved in the leak, said John Bambenek, manager of threat systems at Fidelis Cybersecurity.

“Right now, there’s only risk and no reward,” Bambenek said. “We need to fix that risk.”

It's unclear when WikiLeaks plans to begin sharing the information.

Vendors including Microsoft, along with the security firms Avira and Comodo, said that WikiLeaks hasn’t contacted them yet. 

“Our preferred method for anyone with knowledge of security issues, including the CIA or WikiLeaks, is to submit details to us at secure@microsoft.com,” Microsoft said in an email.  

Others, such as antivirus vendor Bitdefender, said they expect WikiLeaks to reach out to them, probably over the following days.

“If WikiLeaks do want to reach out to us, we are always grateful for an opportunity to make our products even better,” the company said in an email.

Computerworld
