Skip to main content
banner image
venafi logo

New WikiLeaks: Can the CIA Circumvent Your Encryption?

New WikiLeaks: Can the CIA Circumvent Your Encryption?

WikiLeaks targets CIA
March 7, 2017 | Scott Carter

New WikiLeaks information released today indicates that the CIA may have a list of hacking tools designed to circumvent encryption. WikiLeaks released thousands of documents that, if authentic, lists a range of software used by the CIA to infiltrate smartphones, computers and even Internet-connected televisions. This latest mass release of privileged information raises at least two questions: How did a breach this big happen to the CIA? Could it happen to me? 

The ultimate irony is that it’s entirely possible that WikiLeaks misused encryption to access and reveal the CIA’s misuse of encryption. According to Venafi VP of security strategy, Kevin Bocek, “Because the CIA very likely had security defences similar to the NSA, it’s also quite likely that the CIA breach followed the Snowden breach blueprint.” A likely scenario is that attackers took over CIA machine identities by stealing or forging digital keys and certificates in order to extract data using encrypted communications.

The implications of this breach are extremely serious, if not downright frightening. The misuse of the keys and certificates used in encryption point to a severe breakdown in the protection of machine identities within the CIA. Keys and certificates are critical to privacy and security because they govern (pun intended) both legitimate and illegitimate access to your machines, applications and services. Bocek notes, “The CIA is just the latest in a long series of victims that failed to protect machine identities and it’s led to a devastating breach of national security.”

Bocek goes on to cite precedent for this type of government supported threat against machine identities. “The most powerful cyber weapons – like Stuxnet – use the power of machine identities to make machines such as Iranian nuclear centrifuge controllers think malware should be trusted. We know this because documents released as part of the HIVE project make it clear that attackers sought to use the power of certificates to authenticate implanted malware.”

Attacks like Stuxnet are particularly effective in circumventing machine identities because they allow attacker to hide their activity inside encrypted traffic. Bocek explains, “Because only trusted machines were able to communicate with headquarters and they had to communicate using encryption, stealing or forging keys and certificates is the lynch pin of many high-profile attacks.”

Sadly, the latest WikiLeaks seems to indicate that the CIA are high on the list of those attackers misusing encryption. “It’s a near certainty that we’ll find many of CIA hacking tools exposed in this breach also rely a machine identity attack strategy because it allows attackers to avoid almost every other security control. This attack is a perfect illustration of why protecting the identities of machines should be an urgent and critical security priority for every organization,” concludes Bocek.

Do you have control over the keys and certificates that protect your organization’s machine identities? 

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Déjà Vu at LinkedIn: Second TLS Certificate Expiry in 2 Years

Déjà Vu at LinkedIn: Second TLS Certificate Expiry in 2 Years

Prepare this presentation and send it to me, once approved you can teach entire team.

Overheard at Machine Identity Protection Global Summit 2019

machine identity protection

Leaders Underscore the Critical Nature of Machine Identity Protection at Inaugural Global Summit

About the author

Scott Carter
Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat