Wikileaks releases a new dump from the CIA – hacking tools – Vault 7
I’m losing track of all the leaks that have happened at US government agencies. It seems that yet another load of information has been shared to Wikileaks. This batch of data supposedly carries hacking tools. It seems there is a lot of policy and procedure documents including checklists for secure development.
Wikileaks Vault 7 — A link to the information dump. Caution: some of the information is classified (if this applies to you then you will know that already). Some of the information also been redacted for now.
Scheier’s comments — Bruce and the commenters often provide interesting thoughts and insight.
One interesting thing that Bruce pointed out:
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.
Tradecraft Do’s and Don’ts
One interesting document shows something that looks like a checklist of Do’s and Don’ts for writing code which is resistant to forensics.
Development Tradecraft DOs and DON’Ts
Checklists are a good thing from an operational security perspective. Working a formulaic and procedural way will reduce the likelihood of making mistakes (think Secure Development Life Cycle (SDCL)). Which is what I’d expect from a well funded government agency.
Further commentary
Obvious this dump is attracting comments from most security experts:
- Brian Krebs – WikiLeaks Dumps Docs on CIA’s Hacking Tools (8 Mar 2017)
- He picked out an interesting exchange between CIA employees about code obfuscation (re: Equation Group)
- Graham Cluley – Dahua security camera owners urged to update firmware after vulnerability found (8 Mar 2017)
- Bruce Schneier (again) – More on the CIA Document Leak (8 Mar 2017)
Updated 8th March 2017.