CIA Dirty Laundry Aired

Joshua Schulte, the CIA employee standing trial for leaking the Wikileaks Vault 7 CIA hacking tools, maintains his innocence. And during the trial, a lot of shoddy security and sysadmin practices are coming out:

All this raises a question, though: just how bad is the CIA’s security that it wasn’t able to keep Schulte out, even accounting for the fact that he is a hacking and computer specialist? And the answer is: absolutely terrible.

The password for the Confluence virtual machine that held all the hacking tools that were stolen and leaked? That’ll be 123ABCdef. And the root login for the main DevLAN server? mysweetsummer.

It actually gets worse than that. Those passwords were shared by the entire team and posted on the group’s intranet. IRC chats published during the trial even revealed team members talking about how terrible their infosec practices were, and joked that CIA internal security would go nuts if they knew. Their justification? The intranet was restricted to members of the Operational Support Branch (OSB): the elite programming unit that makes the CIA’s hacking tools.

The jury reached no verdict on the serious charges: he was convicted of contempt of court and of lying to the FBI, and a mistrial was declared on everything else.

Posted on March 10, 2020 at 6:18 AM • 33 Comments

Comments

Don • March 10, 2020 7:29 AM

Watched “The Report” last night (Prime Video, sorry, don’t recall) which is about the US Senate investigation into the CIA’s use of “Enhanced Interrogation Techniques” which their own internal studies showed were not effective at all. Seems that torture isn’t effective to get any truth.

It isn’t a huge action film, but as the Senate investigation team works through CIA documents, emails, and memos, the descriptions of acts are shown.

An embarrassing time for many to be in the CIA, over the last few decades. If you work for the govt and are specifically told that your elected boss cannot know what you are doing, then perhaps that’s a really bad idea to be doing it. Duh.

Rj Brown • March 10, 2020 7:31 AM

So that’s what security in depth means in the place where the real experts work? I guess they figured that since everybody knows the rules for passwords, then all the password cracking programs would only try passwords that met those rules (so the cracking would run faster, since it wouldn’t waste time on passwords that it knew would never be used) so they would actually be more secure by breaking those rules! 😉

Sheilagh Wong • March 10, 2020 7:32 AM

When Wikileaks first published government data the argument was made that they were endangering military personnel around the world. The truth is that Wikileaks is actually protecting military personnel from bureaucratic incompetence and negligence.

JonKnowsNothing • March 10, 2020 8:29 AM

@Vesselin Bontchev

re: Is this what passes for justice in the USA?

The process is LAW, which is not the same as JUSTICE. US Prosecutors can and do try cases over and over and over, if they have the backing of their superiors.

If someone is found Not Guilty, prosecutors can and do find “other charges”. Which is one reason prosecutors do not put all the charges on the table. This way they can re-try the case on a different basis.

Grand Juries are a method used to test the strength of cases and help focus the prosecution’s assertions. Such indictments basically mean: go give it a try and see what you get.

Many prosecutors only get promotions if they get convictions and others are elected based on their conviction rate, so they concentrate on getting convictions.

There are a few get-out-of-jail-free cards. Some countries don’t have any.

MarkH • March 10, 2020 8:35 AM

@Vesselin Bontchev:

In U.S. jury trials, criminal verdicts generally require that the jury reach a unanimous decision.

Failure of the jury to agree, is not regarded as either a ‘yes’ or a ‘no’.

When this happens, the prosecutor(s) may at their discretion request another trial.

If I remember correctly, the judge can sometimes decline this request, but usually grants a new trial when asked.

The implications of this system for justice are probably rather complex.

I heard on my radio that Schulte is also facing child pornography charges, to be tried separately … so probably his “goose is cooked” anyway.

JonKnowsNothing • March 10, 2020 8:46 AM

@Don

re:

An embarrassing time for many to be in the CIA

I think they are enjoying it all.

They are odd-ducks to be sure considering what they do to pay the rent, buy food, make car payments and put the kiddos through college.

I think maybe it’s their attempt at recruiting? Folks do like “reclamation projects” like Y2K+++ and fixing the CIA broken systems is surely a big challenge.

They have a profile problem at the moment but give them a few weeks or months and it will fade into the background while they keep-on-truckin’ with their programs.

I don’t think the loss of their zero-days is that big a deal, there are a lot more of them out there and it doesn’t impact their renditions or black sites at all. They’ve hushed-up the Anne Sacoolas hit and run in the UK too. They are expertos at hushing things up.

Maybe they are happy in a way, getting rid of all that old junk code. Lots of corporate programmers would be happy to dump some of their old codebases.

ht tps://en.wikipedia.org/wiki/Death_of_Harry_Dunn

Harry Dunn was a 19 year old British man who died following a road traffic collision, on 27 August 2019. He was riding his motorcycle near Croughton, Northamptonshire in the United Kingdom, near the exit to RAF Croughton, when it collided with a car travelling in the opposite direction. The car, a Volvo XC90, was said to have been driven by Anne Sacoolas, a CIA operative and the wife of a US government employee working at the United States Air Force listening station at RAF Croughton. Sacoolas admitted that she had been driving the car on the wrong side of the road

(url fractured to prevent autorun)

Curious • March 10, 2020 10:22 AM

I can’t help but wonder: Is it possible that USA government (and others I guess) would maybe benefit in ways, from an intended dissemination of its internal hacking tools to the rest of the world?

It could be like, some kind of plausible deniability: “Yes, it could have been us hacking you, but adversaries are using our internal hacking tools as well, we are so sorry?”

I guess, even in a world with an acclaimed need for computer security, and with people maybe yelling out “national security!” as a sort of imperative, I am willing to bet that anyone with shady intentions in an organization will benefit from merely betting on using or maintaining their initiative alone, regardless of conventional wisdom that might warrant such poster ideas like security, or even law and order.

uh, Mike • March 10, 2020 10:49 AM

Banks are the best at security, by far and away.
The military is next, depending on the effectiveness of an air gap.
The rest of the government may as well just publish the damn server. It would make people more careful about what they put in it.

Clive Robinson • March 10, 2020 11:08 AM

@ Bruce, ALL,

And during the trial, a lot of shoddy security and sysadmin practices are coming out.

What do you expect?

They consider themselves an elite unit within an elite organization, which of course means they believe that rules do not apply to them, because in their minds “They are Exceptional”.

It’s what happens where people get into a Walter Mitty mindset due to lack of reality in their lives for various reasons. Just one being “highly compartmentalized”, another being the feeling of power that you know things others do not, and then there are the silly games about being “read in”. But at the end of the day most sensible people eventually realise the real secret behind “state secrecy” is that it is all about “the hiding of failure” from oversight.

Sometimes however as this group has found out “reality comes a knocking with teeth” that rip away the shabby pretence and group think to reveal, –just as with the vain Emperor of fiction– that there is no substance to what they have mentally clothed themselves with, and their failings are laid bare to public scrutiny and ridicule…

The trouble of course is that it’s highly unlikely any of them in that group will ever actually be called or held to account…

AmICrazy • March 10, 2020 11:31 AM

@ uh, Mike

Banks are the best at security, by far and away.

My bank changed my password to a combination of letters from my name & numbers from my SSN. They will not allow me to change my password to something more secure until I agree to their new terms of service, which is geared toward ensuring any financial problems are entirely my liability. And preventing me from taking them to court; mandatory arbitration, they pick the arbitrator… And dictating what I can spend my money on. There’s morality constraints, defined as whatever they say it is today. No gambling. No cryptocurrencies. I’m not allowed to pay off my mortgage. (I get the impression I’m the first person to ever read their EULA.)

My bank feels this is secure as they phone me whenever my account is accessed online. My phone service was compromised last year, voicemails deleted, the greeting changed. One of the features that phone web interface offers is forwarding calls to another number.

I have now transferred most of my money out of my bank into someplace hopefully more secure. (I’m switching banks.)

Banks are only interested in protecting themselves. As long as they can blame somebody else, they’re good.

Most of their so-called “security” is trivially circumvented. And this is without even touching upon malware or banking trojans. It’s script-kiddie level obstacles.

Ross Snider • March 10, 2020 11:47 AM

On the scale of things, that’s hardly dirty laundry for the CIA.

I’m actually not surprised at all by the information security practices of the group, having seen and heard similar stories from many managed environments and organizations. I think this says more about how the CIA behaves and is limited similarly to other well funded organizations, and says more about how our information security ecosystem makes it difficult to control information.

Who? • March 10, 2020 1:15 PM

@ Uh, Mike

Banks are the best at security, by far and away.

No way. My bank (ING) blocked my account two months ago because I have no cell phone. The only way I will have to recover control of this account will be buying one of those surveillance devices from Google or Apple and sending a copy of my national identification card by plain email. There is no way I will buy a cell phone and, obviously, I will not send a copy of such a sensitive identification card by email. No pgp(1), no https (nor even a POODLE-friendly SSL one!), just plain smtp.

They did a sickly interpretation of the PSD2 moving anything to a broken “app” running on these surveillance devices manufactured by corporations whose business model is violating the privacy of their own customers. Guess what? The ING app requires full access to the cell phone storage, the GPS, the camera and the microphone.

Bank security is a joke.

name.withheld.for.obvious.reasons • March 10, 2020 3:05 PM

@ Sheilagh Wong

When Wikileaks first published government data the argument was made that they were endangering military personnel around the world.

I would argue, “How does going to war, illegally, fit in a “National Security” context when the premise to do so is based on lies?”

Didn’t this false war do more damage and put many more people in jeopardy than ANYTHING Wikileaks did?

Thinking Monkey • March 10, 2020 3:10 PM

@JonKnowsNothing

Yes, it is for what passes for justice. When a guilty person is let go because of the prosecution not wanting to spend valuable resources on trial after trial, it’s a travesty, but you can imagine the chagrin of a person who is actually being falsely accused and after years in jail waiting for trial, paying lawyers massive amounts of money then FINALLY getting to court only to find out you’ve been cleared of the charges but the prosecution has drummed something else up to charge you with.

Case close to home: An Alabama man was sentenced to death in the 1980’s for capital murder (murder during the commission of a robbery, I believe). A recent Supreme Court ruling (that a juvenile can be tried as an adult but it’s not optional, they HAVE to be tried as an adult if the prosecution chooses that route) is setting him free. However, the prosecution had charges ready so that this murderer may be “set free”, but will never see the light of day except behind a razor-wire fence.

And WHAT IF Schulte really didn’t steal that material? To see how one’s opinion is swayed, depending what side of the case you choose to be on, imagine it was you on trial for this. If guilty hopefully justice will be served, if not, I’ll cheer when he goes free.

lurker • March 10, 2020 4:23 PM

Set a thief to catch a thief; and make sure your silverware is safer than just under lock and key.

But if CIA is really such an awful place to work that they can only hire psychopaths, then mightn’t it be better to just close it down?

Grima S • March 10, 2020 4:53 PM

@name.withheld.for.obvious.reasons re: PW entropy. Nope. Obviously the original password selected was 123ABCDEF, which was forced to be changed to 123ABCdef to satisfy some mundane “3 kinds of characters” system rule.

@Vesselin Bontchev re: Emptywheel – Any particular reason for choosing as your source a statist thug sympathizer who is clearly rooting for the kleptocracy to prevail?

In general, assuming that the defense is permitted to introduce those weak passwords as evidence (wouldn’t surprise me at all if DOJ declared them to be “highly classified confidential information” in their own right), why would even a stupid juror vote to convict? The set of people who could have accessed that information and passed it on would seem to be quite large…

Grima S • March 10, 2020 5:02 PM

@Who re: banking infosec – I don’t know where you are or what options you have, but I choose to deal only with banks that have HQ physically nearby. The one I currently use has passably adequate practices, including a reasonable 2FA procedure, and if something similar to what you experienced had happened to me, I would have been camped on the CEO’s doorstep in short order. That failing, I’d have been parading on their front walk with a sign highlighting their inadequacies. The “old days” when all business was local did have certain advantages…

Jon • March 10, 2020 9:56 PM

Bank security is very good for the bankers.

For the customers, however, their overarching goal is “Shift the liability somewhere else” and that’s much cheaper than actual security. J.

name.withhheld.for.obvious.reasons • March 10, 2020 11:34 PM

@Grima S

The original post, now gone, made the example of the first password probably set prior to any stored password history (say the last ten passwords).

So, when the first password 987654321 was used the entropic length of 9 bytes was in force. As their passwords grew more complex, say 123ABCDE, still 9 bytes, two linear ASCII sets, they were forced to move to smaller sequential pairs as over time the password function increased its complexity requirements.

My argument is that the length, the 9 bytes, was probably all the entropy that was available to be hashed over the entire history of the associated account.

mitgggeld • March 11, 2020 7:04 AM

@name.w* @Grima S
“The original post now gone…”
Did you “gone” your post or did someone else? Security by obscurity. Ain’t gonna work on a security blog.

Givon Zirkind • March 11, 2020 7:35 AM

  1. How come CIA internal security did not know? Did they never do an audit?

  2. From this we learn, you can trust no one.

  3. Vetting is like obscurity security.

  4. As an American, who the hell is minding the store?!

jbmartin6 • March 11, 2020 9:07 AM

The lesson here is that password discipline is unlikely to be effective across the whole of an organization and needs to be supplemented with something(s) else. Among other things, I like the idea of having the red team hunt shared and guessable passwords and automatically logging in and resetting them as they are found.
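
Tying together the two passwords named in the post, Grima S’s remark about the “3 kinds of characters” rule and jbmartin6’s suggestion that a red team hunt shared and guessable passwords, here is an added example of such a hunt. It is my own illustration, not code from the original post, the trial record or any CIA tooling: the credential inventory, the salts, the mini-wordlist, the guess list, the hash choice, the per-token bit costs and the 40-bit threshold are all constructed. Two constructed DevLAN accounts share a password so the reuse check has something to find.

```python
"""Hunt for guessable and shared passwords in a credential inventory.

Added example for this thread, not code from the original post, the trial
record or any CIA tooling. The inventory, salts, wordlist, guess list, hash
choice, per-token bit costs and the 40-bit threshold are all constructed.
"""
import hashlib
import math
from collections import defaultdict

# Constructed mini-dictionary; a real audit uses a full wordlist.
WORDS = {"my", "sweet", "summer", "password", "welcome", "secret",
         "admin", "root", "dev", "lan"}
# Constructed guess list seeded with the two plaintexts named in the post.
GUESSES = ["123ABCdef", "mysweetsummer", "password", "Password1", "welcome1"]

def _h(salt, pw):
    """Salted SHA-256, stand-in for whatever hash the audited systems store."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

# Constructed inventory: (host, account, salt, digest). Two DevLAN accounts
# deliberately share a password so the reuse check has something to find.
INVENTORY = [
    ("confluence-vm", "admin",  "s1", _h("s1", "123ABCdef")),
    ("devlan",        "root",   "s2", _h("s2", "mysweetsummer")),
    ("devlan",        "build",  "s3", _h("s3", "mysweetsummer")),
    ("jenkins",       "deploy", "s4", _h("s4", "Xq7!vR2#pLm9")),
]

def _classes(pw):
    # (pool size, present?) for digits, lower, upper, punctuation
    return ((10, any(c.isdigit() for c in pw)), (26, any(c.islower() for c in pw)),
            (26, any(c.isupper() for c in pw)), (32, any(not c.isalnum() for c in pw)))

def passes_composition_policy(pw, min_len=8, min_classes=3):
    """The usual 'N characters, 3 of 4 classes' rule that 123ABCdef satisfies."""
    return len(pw) >= min_len and sum(p for _, p in _classes(pw)) >= min_classes

def naive_bits(pw):
    """What a composition rule implicitly credits: len * log2(pool)."""
    pool = sum(size for size, present in _classes(pw) if present)
    return len(pw) * math.log2(pool) if pool else 0.0

def _seq_run(pw, i):
    """Length of the run of consecutive codepoints (up or down) starting at i."""
    if i + 1 >= len(pw) or abs(ord(pw[i + 1]) - ord(pw[i])) != 1:
        return 1
    step, n = ord(pw[i + 1]) - ord(pw[i]), 2
    while i + n < len(pw) and ord(pw[i + n]) - ord(pw[i + n - 1]) == step:
        n += 1
    return n

def tokenize(pw):
    """Greedy split into dictionary words, runs such as 123 / ABC / 987654321,
    and leftover single characters."""
    tokens, i, low = [], 0, pw.lower()
    while i < len(pw):
        word = max((w for w in WORDS if low.startswith(w, i)), key=len, default=None)
        if word:
            tokens.append(("word", pw[i:i + len(word)]))
            i += len(word)
        elif (n := _seq_run(pw, i)) >= 3:
            tokens.append(("seq", pw[i:i + n]))
            i += n
        else:
            tokens.append(("char", pw[i]))
            i += 1
    return tokens

def estimated_bits(pw):
    """Pattern-aware estimate: a word costs log2(|WORDS|), a run costs a start
    character plus a length choice, only leftover characters get full credit."""
    bits = 0.0
    for kind, text in tokenize(pw):
        if kind == "word":
            bits += math.log2(len(WORDS))
        elif kind == "seq":
            bits += math.log2(62) + math.log2(8)
        else:
            bits += math.log2(10 if text.isdigit() else 26 if text.isalpha() else 32)
    return bits

def audit(inventory, guesses, weak_bits=40.0):
    """Crack each record against the guess list, then report what a red team
    hunting bad passwords wants: guessable accounts, accounts that share a
    password, and accounts whose password passes policy yet scores weak."""
    cracked = {}
    for host, account, salt, digest in inventory:
        for guess in guesses:
            if _h(salt, guess) == digest:
                cracked[(host, account)] = guess
                break
    by_pw = defaultdict(list)
    for who, pw in cracked.items():
        by_pw[pw].append(who)
    return {
        "guessable": sorted(cracked),
        "shared": sorted(sorted(v) for v in by_pw.values() if len(v) > 1),
        "policy_passed_but_weak": sorted(
            who for who, pw in cracked.items()
            if passes_composition_policy(pw) and estimated_bits(pw) < weak_bits),
    }
```

On the constructed inventory, 123ABCdef passes the composition rule while the pattern-aware estimate credits it with under 30 bits (three sequential runs) against a naive figure of about 54, and mysweetsummer tokenizes into three dictionary words and turns up on two accounts at once. The point for a practitioner is that the composition check alone reports nothing wrong with the first and cannot see the sharing at all; cracking against a seeded guess list and grouping the recovered plaintexts finds both.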

Grima S • March 11, 2020 9:37 AM

@name.withhheld.for.obvious.reasons re: pw entropy – my reply was a tongue-in-cheek explanation based on the IQ common denominator on display by CIA…

@mittgeld re: post airbrushing – this is far from the first time a legitimately infosec-related post critical of a US sigint organization has been disappeared from this blog. Makes for interesting speculation about the true interests, loyalties, and ambitions of those with moderation rights…

mitgggeld • March 11, 2020 10:07 AM

@Grima S @name.w*
I wouldn’t jump to conclusions. I’m sure it is complicated. And under the circumstances, our host does better than most.

mitgggeld • March 11, 2020 10:57 AM

@Grima S @name.*
See, eg: httt
psssttt://www.schneier.com/blog/archives/2020/03/more_on_crypto_.html#c6807311ttt

I (mis?)read that as a veiled something-or-other. I didn’t see the deleted post in either case. I’m sure I’m guilty of jumping to conclusions too. No context -> no meaning.

JonKnowsNothing • March 11, 2020 11:45 AM

@Givon Zirkind
re question 4:

who the hell is minding the store?!

The people in charge of the CIA are the folks that think Torture and Enhanced Interrogation works, that renditions are lawful, that black sites are just APNs in other countries. Their mindset hasn’t changed since the Inquisition and maybe for some centuries before that.

The current head of the CIA, is noted for destroying @200+ video surveillance tapes detailing the hundreds of hours of torture/enhanced interrogation sessions of people still residing involuntarily in our Cuban foothold.

She got a get-out-of-jail free card for doing it.

Since, they didn’t have the ability to trace her logs, and she put up her hand during the investigation and said “I did it … but I just followed orders…well, yes I did know that I wasn’t supposed to do it … but my boss insisted…”

That’s the person running the show, that’s the person who has the employee lists, that’s the person running all the National Security Programs under the CIA Authority.

What did you expect?

ht tps://en.wikipedia.org/wiki/Assessor%27s_parcel_number

An assessor’s parcel number, or APN, is a number assigned to parcels of real property by the tax assessor of a particular jurisdiction for purposes of identification and record-keeping.

(url fractured to prevent autorun)

Tom • March 15, 2020 9:43 AM

Remember Trans World Airlines (TWA)?
The top level password for TWA’s reservations system (IBM PARS) in early 70s was 1234TW. That was the Customer Engineer’s password. Pretty much the keys to the kingdom.

c0m5 • March 15, 2020 4:21 PM

@JonKnowsNothing, @Don

> The people in charge of the CIA are the folks that think Torture and Enhanced Interrogation works

Analysing the efficiency of intelligence operations is definitely a good thing, but the question here isn’t whether the interrogations that involve torture work or not. The problem is that doing this is gravely immoral and this is why it shouldn’t be done at all, period.

Even if it were efficient and provided useful intelligence, it shouldn’t be done.
