By Jesse Schooff
March 7, 2017
Government is one of the biggest threats to IT Security
A couple of weeks ago, I commented on customs agents searching devices and demanding passwords at border crossings, calling the issue a case of government as an adversary of IT security. I had no idea how prophetic that accusation would be.
Earlier today, Wikileaks published a trove of information acquired from the CIA, focusing on the tools and exploits used by the CIA to hack into people’s computers, phones, televisions, and even their cars. As an IT professional, I am shocked to my core by the scope of the information released.
Worse, the release shows U.S. government and intelligence agencies operating in bad faith with the public, and with technology vendors. To explain why, we’ll need to go back in time a few years.
Hackers, whether they’re criminals or intelligence agents, love discovering software bugs. A bug, leveraged properly, allows a hacker to perform an action which they shouldn’t be allowed to do. Even if that action is itself innocuous, it might lead them to a place where they can do something else they’re not supposed to, and so on; chaining bugs together until the attacker holds more power over a system than they started with is called privilege escalation. A bug the hacker discovered themselves may be known to no one else: not the software vendor, nor the victim. That means there is no patch, and the victim has no defence against it. Such bugs are called zero-day vulnerabilities, because the vendor has had “zero days” to fix them since they were disclosed (i.e. they have not yet been disclosed at all).
It might then seem like a good idea for spies to keep any zero-days that they discover secret, so that they can continue using them to hack their targets’ systems. Even if you have complete trust in your nation’s spy agencies (which, after reading this article, you might not), hoarding zero-days is a bad policy. This is because there’s never any guarantee that you’re the only one to have discovered them. That secret bug you discovered might also have been found independently by enemy nations, or by criminals. By not disclosing the bug to the software vendor (so that they can fix it) you put everyone at risk of being hacked: ordinary citizens, politicians, corporations, even other agencies of your own government – all at risk.
That’s why after the discovery of the disastrous Heartbleed bug in OpenSSL in 2014, the administration of then U.S. President Obama publicly committed to a policy known as the Vulnerabilities Equities Process. Essentially, the idea was that U.S. intel agencies would not be in the business of stockpiling large numbers of zero-days, and that agencies would co-operate to scrutinize how widely any systems affected by a bug were used by the U.S. government itself. Most vulnerabilities would be confidentially reported to tech vendors, who would fix the bugs and push out software updates.
Generally, it’s a good policy. Not allowing government systems to run software with undisclosed bugs is the IT security equivalent of not shooting oneself in the foot.
Unfortunately, it doesn’t seem that U.S. intel has been respecting said policy.
The recent release by Wikileaks shows that the CIA does indeed hoard active vulnerabilities, as well as sharing them with allied agencies (such as Britain’s GCHQ), and purchasing them from hackers. This utterly reckless status-quo places countless innocent citizens and institutions (be they American or otherwise) at risk of being hacked, for the sake of the CIA being able to spy on virtually anyone anywhere, in the name of security.
The details revealed by Wikileaks are deeply concerning. If the CIA controls a cellphone’s operating system, any encrypted messaging app installed on it is rendered useless: the encryption itself isn’t broken, but messages can be read on the device before they are encrypted or after they are decrypted. Malware designed for smart TVs would allow them to be used as covert microphones. There’s even some pie-in-the-sky research about taking control of cars, along with Wikileaks’ speculation on how that could be used for covert assassinations. These are the details that will disturb the public.
But what we should be most outraged at is zero-day hoarding. Not disclosing bugs to vendors means that we’re all more likely to be hacked. Internet scammers in another country wanting to get access to your bank account. Sex criminals looking to steal nude photos. A repressive regime trying to hunt down LGBTQ persons. An enemy nation looking to blackmail someone into silence. There is no shortage of nasty hackers in this world, and the Internet connects us to all of them. Undisclosed zero-days place everyone, EVERYONE, at risk.
Tech security only works to keep us safe when government is an active partner. Until law enforcement and intelligence agencies stop undermining our IT security infrastructure, none of us are truly secure.
Jesse Schooff is a Volunteer Content Creator for OpenMedia. Born in Toronto and raised in Vancouver, Jesse studied music composition at UBC. For the past 13 years he has been the systems administrator and IT help desk for a small Canadian company. He has a lifelong passion for politics and technology, and is a vocal advocate of tech security, digital rights, and the open internet. You can read more of his stuff on his blog at GeekMan.ca