
WikiLeaks: A Twist on Old Methods for a New Breach

March 16, 2017 | Emil Hanscom

Last week, WikiLeaks released thousands of documents that allegedly exposed the hacking tools the CIA used to bypass encryption methods. Security experts are still reeling from these revelations. But one question remains: how could such a vast amount of confidential information be leaked without the spy agency noticing?

According to a report from The Wall Street Journal, FBI officials currently investigating the leak have identified independent contractors as the potential sources. If this is true, the perpetrators likely followed the same disclosure methods as another former contractor: Edward Snowden.

In November 2013, Venafi issued an analysis indicating that Edward Snowden used the NSA's own cryptographic keys and digital certificates to steal the agency's classified data. Roughly two years after our announcement, a leaked NSA memo confirmed that a highly privileged digital certificate was used in the compromise. Unfortunately, the latest leak from the CIA indicates we are still misusing the power of keys, certificates and encryption.

“Every organization’s security posture is heavily influenced by their partners, and this is especially true for the Federal government,” says Kevin Bocek, Venafi VP of security strategy. “We saw with Edward Snowden how the use of encryption and digital certificates was turned against the NSA.”

Encryption is a powerful instrument when used properly; however, bad actors and agencies can use the tool maliciously. We expose ourselves to great risks when we utilize formidable security tools without support or awareness. As Bocek explains,

“The government is pushing to encrypt everything and authenticate every machine. However, there was no guidance given on how to protect this incredibly powerful technology that is still today classified as a munition.” 

As we learn more about the exposure and methods of the CIA’s hacking tools, we must continue to strengthen our keys and certificates in positive ways. At the end of the day, encryption must not be broken or exposed, but reinforced and protected.

“Encouraging the use of powerful technology like encryption without guidance is akin to offering up F-16s with no training. Because there is no oversight focused on how encryption is secured, it’s entirely likely that we’ll see more government agency breaches like this one in the future,” concludes Bocek.

Do you have stronger key and certificate security than the CIA?


About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
