WikiLeaks: A Twist on Old Methods for a New Breach

March 16, 2017 | Eva Hanscom

Last week, WikiLeaks released thousands of documents that allegedly exposed the hacking tools the CIA used to bypass encryption methods. Security experts are still reeling from these revelations. But one question remains: how could such a vast amount of confidential information be leaked without the spy agency noticing?

According to a report from The Wall Street Journal, the FBI officials currently investigating the leak have identified independent contractors as the potential sources. If this is true, the perpetrators likely followed the same disclosure methods as another former contractor: Edward Snowden.

In November 2013, Venafi issued an analysis indicating that Edward Snowden used the NSA's own cryptographic keys and digital certificates to steal the agency's classified data. Roughly two years after our announcement, a leaked NSA memo confirmed that a highly privileged digital certificate was used in the compromise. Unfortunately, the latest leak from the CIA indicates we are still misusing the power of keys, certificates and encryption.

“Every organization’s security posture is heavily influenced by their partners, and this is especially true for the Federal government,” says Kevin Bocek, Venafi VP of security strategy. “We saw with Edward Snowden how the use of encryption and digital certificates was turned against the NSA.”

Encryption is a powerful instrument when used properly; however, bad actors and agencies can use the tool maliciously. We expose ourselves to great risks when we utilize formidable security tools without support or awareness. As Bocek explains,

“The government is pushing to encrypt everything and authenticate every machine. However, there was no guidance given on how to protect this incredibly powerful technology that is still today classified as a munition.” 

As we learn more about the exposure and methods of the CIA’s hacking tools, we must continue to strengthen our keys and certificates in positive ways. At the end of the day, encryption must not be broken or exposed, but reinforced and protected.

“Encouraging the use of powerful technology like encryption without guidance is akin to offering up F-16s with no training. Because there is no oversight focused on how encryption is secured, it’s entirely likely that we’ll see more government agency breaches like this one in the future,” concludes Bocek.

Do you have stronger key and certificate security than the CIA?

 

About the author

Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.
