New WikiLeaks information released today indicates that the CIA may have a list of hacking tools designed to circumvent encryption. WikiLeaks released thousands of documents that, if authentic, list a range of software used by the CIA to infiltrate smartphones, computers and even Internet-connected televisions. This latest mass release of privileged information raises at least two questions: How did a breach this big happen to the CIA? Could it happen to me?
The ultimate irony is that it’s entirely possible that WikiLeaks misused encryption to access and reveal the CIA’s misuse of encryption. According to Venafi VP of security strategy, Kevin Bocek, “Because the CIA very likely had security defences similar to the NSA, it’s also quite likely that the CIA breach followed the Snowden breach blueprint.” A likely scenario is that attackers took over CIA machine identities by stealing or forging digital keys and certificates in order to extract data using encrypted communications.
The implications of this breach are extremely serious, if not downright frightening. The misuse of the keys and certificates used in encryption points to a severe breakdown in the protection of machine identities within the CIA. Keys and certificates are critical to privacy and security because they govern (pun intended) both legitimate and illegitimate access to your machines, applications and services. Bocek notes, “The CIA is just the latest in a long series of victims that failed to protect machine identities and it’s led to a devastating breach of national security.”
Bocek goes on to cite precedent for this type of government-supported threat against machine identities. “The most powerful cyber weapons – like Stuxnet – use the power of machine identities to make machines such as Iranian nuclear centrifuge controllers think malware should be trusted. We know this because documents released as part of the HIVE project make it clear that attackers sought to use the power of certificates to authenticate implanted malware.”
Attacks like Stuxnet are particularly effective in circumventing machine identities because they allow attackers to hide their activity inside encrypted traffic. Bocek explains, “Because only trusted machines were able to communicate with headquarters and they had to communicate using encryption, stealing or forging keys and certificates is the linchpin of many high-profile attacks.”
Sadly, the latest WikiLeaks release seems to indicate that the CIA is high on the list of those attackers misusing encryption. “It’s a near certainty that we’ll find many of the CIA hacking tools exposed in this breach also rely on a machine identity attack strategy because it allows attackers to avoid almost every other security control. This attack is a perfect illustration of why protecting the identities of machines should be an urgent and critical security priority for every organization,” concludes Bocek.
Do you have control over the keys and certificates that protect your organization’s machine identities?
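The question above is only answerable if the keys and certificates in an environment are actually inventoried and checked. The following added example (not code from this post or from Venafi) shows the kind of audit a defender would run over a machine-identity inventory: it flags certificates issued by a CA that is not on the organization's approved list, weak RSA keys, expired or soon-to-expire certificates, and the same private key appearing on more than one host (a common sign of a copied or stolen key). The inventory format, the host names, the approved CA names and the fingerprints are all constructed for the example; a real inventory would be exported from a scanner or certificate management system.

```python
"""Audit a machine-identity (key and certificate) inventory for control gaps.

Added example: the inventory rows, approved CA names and fingerprints below are
constructed, not taken from any real environment.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed organizational policy (constructed values).
APPROVED_ISSUERS = {"CN=Corp Internal CA", "CN=Corp TLS Issuing CA"}
MIN_RSA_BITS = 2048
EXPIRY_WARNING_DAYS = 30

# Constructed sample inventory: one row per certificate observed on a host.
# key_fingerprint identifies the public key, so equal values mean the same key.
INVENTORY_CSV = """host,subject,issuer,key_type,key_bits,not_after,key_fingerprint
app01.corp.example,CN=app01.corp.example,CN=Corp TLS Issuing CA,RSA,2048,2026-06-01,aa11
app02.corp.example,CN=app02.corp.example,CN=Corp TLS Issuing CA,RSA,2048,2025-01-15,bb22
app03.corp.example,CN=app03.corp.example,CN=Corp TLS Issuing CA,RSA,2048,2025-03-20,ee55
jump01.corp.example,CN=jump01.corp.example,CN=Unknown Test CA,RSA,2048,2027-01-01,cc33
legacy01.corp.example,CN=legacy01.corp.example,CN=Corp Internal CA,RSA,1024,2026-09-30,dd44
db01.corp.example,CN=db01.corp.example,CN=Corp Internal CA,RSA,2048,2026-12-31,aa11
"""

# Fixed "current time" so the audit result is reproducible.
REFERENCE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)


def parse_inventory(csv_text):
    """Parse the CSV inventory into dicts with typed key size and expiry."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["key_bits"] = int(row["key_bits"])
        row["not_after"] = datetime.strptime(row["not_after"], "%Y-%m-%d").replace(
            tzinfo=timezone.utc
        )
        rows.append(row)
    return rows


def audit_inventory(csv_text, now, approved_issuers=APPROVED_ISSUERS,
                    min_rsa_bits=MIN_RSA_BITS, warning_days=EXPIRY_WARNING_DAYS):
    """Return a list of (host, finding, detail) tuples for every policy violation."""
    rows = parse_inventory(csv_text)
    findings = []

    # Index hosts by key fingerprint to detect the same key living on several hosts.
    hosts_by_key = defaultdict(list)
    for row in rows:
        hosts_by_key[row["key_fingerprint"]].append(row["host"])

    for row in rows:
        host = row["host"]
        if row["issuer"] not in approved_issuers:
            findings.append((host, "unapproved_issuer", row["issuer"]))
        if row["key_type"] == "RSA" and row["key_bits"] < min_rsa_bits:
            findings.append((host, "weak_key", f"RSA-{row['key_bits']}"))
        if row["not_after"] < now:
            findings.append((host, "expired", row["not_after"].date().isoformat()))
        elif row["not_after"] - now <= timedelta(days=warning_days):
            findings.append((host, "expiring_soon", row["not_after"].date().isoformat()))
        peers = sorted(h for h in hosts_by_key[row["key_fingerprint"]] if h != host)
        if peers:
            findings.append((host, "key_reused", ",".join(peers)))
    return findings


def audit_sample():
    """Run the audit over the constructed inventory at the fixed reference time."""
    return audit_inventory(INVENTORY_CSV, REFERENCE_NOW)


if __name__ == "__main__":
    for host, finding, detail in audit_sample():
        print(f"{host:24} {finding:18} {detail}")
```

The `key_reused` check is the one most directly tied to the scenario in the post: a private key that turns up on a host it was never issued to is exactly the artefact a stolen or copied machine identity leaves behind, and it is invisible to controls that only look at whether a certificate chains to a trusted CA.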