Flaws are more troubling than surveillance
We shouldn’t be surprised that organisations like the CIA are using technology to monitor people of interest to them, but the weaknesses they knowingly leave behind are a big concern.
This week, along with other students at the SANS Cyber Retraining Academy, I completed two capture the flag challenges. I worked as part of a team to probe a network and find weaknesses in both Windows and Linux systems that allowed for data to be extracted.
At the same time, news was breaking about compromises of a different kind. Documents published by WikiLeaks purported to detail an arsenal of malware and exploits used by the CIA to access computers, mobile devices, and even smart TVs – often to gain control of their cameras and microphones to listen in on their owners’ conversations.
First off, should we be surprised by this? In short, the answer is no. Following the Snowden revelations a few years ago, it was clear that governments and intelligence agencies work on these kinds of exploits. As I wrote last week: If I’m able to take a screenshot on a flawed system after just a few weeks’ training, one can only wonder what the world’s top hackers can do.
In fact, as one commenter on the Washington Post’s report pointed out, this could actually be a step in a positive direction. These kinds of attacks target individuals, and may mark a move away from the mass data analysis that came to light following Snowden’s leaks.
What is more worrying is that the CIA chooses to keep these zero-day vulnerabilities secret rather than disclosing them to manufacturers and developers like Apple and Microsoft. Much like the encryption backdoors detailed in the UK’s Snooper’s Charter, these flaws are not government-only – if they remain unpatched they can be used by malicious actors, too.
The solutions to the capture the flag exercises I completed this week centred around poor encryption, vulnerable software and other weaknesses that let our team slip through the cracks to access data on – and ultimately take control of – the target computers.
If our governments and their agencies deliberately keep defences weak, they could be leaving the door open to people much more dangerous than a bunch of cyber security students.