Theft of top-secret CIA hacking tools was result of “woefully lax” security

Thom Kidd

"The stolen data includes everything from the CIA collaboration and communication platform known as Confluence and from a source code repository known as Stash."

Just curious whether that's the same Confluence platform that is available from Atlassian? If so, my company uses it too.. it's not just a CIA platform, but a commercially available product.

edited to include link to product page
"The stolen data includes everything from the CIA collaboration and communication platform known as Confluence and from a source code repository known as Stash."

Just curious whether that's the same Confluence platform that is available from Atlassian? If so, my company uses it too.. it's not just a CIA platform, but a commercially available product.

edited to include link to product page

A look at the CIA’s internal dank meme division - Ars Technica - 9 March 2017

"And of course there are the usual workplace shenanigans. The CIA's Engineering Development Group piloted the use of a number of commercial tools for managing development in 2013, and adopted Atlassian's Confluence for project documentation. That also meant giving every developer who used the system a home page. Some developers never added content to their personal pages, but one decided to hunt down those who left editing rights open on their "home page" and deface them with images—including animated GIFs from the anime series Trigun."

Love and-u peace-u!

lazarus0000

Hhhmmmm

Yet another episode of not locking up behind you. This from the same crowd of people who swear (PINKY PROMISE, even) that if we give them a back door to encryption, they'll never, never, not once, EVER lose control of them or allow them to fall into the "wrong" hands.

As if they are the right hands....

Palm to face....

hyland

"The stolen data includes everything from the CIA collaboration and communication platform known as Confluence and from a source code repository known as Stash."

Just curious whether that's the same Confluence platform that is available from Atlassian? If so, my company uses it too.. it's not just a CIA platform, but a commercially available product.

edited to include link to product page

I think Stash refers to Atlassian's Bitbucket product as well. See: https://confluence.atlassian.com/bamboo ... 57906.html

jhodge

Information Security is difficult, expensive, and inconvenient. Being the CIA doesn't change that.

In some ways, being the CIA probably makes it harder. Just like even top authors still need proofreaders, even the best IT team needs independent assessments and audits, and I doubt that the CIA is able to allow a truly independent/outside team to examine their systems.

Not to mention the challenge in any organization to persuade people to follow proper procedure every single time with no shortcuts no matter what. It's essentially impossible, but one error in the right (wrong?) place can seriously compromise the security of an entire system.

I'm never surprised when an entity is compromised - I assume that anyone targeted by a motivated and resourced opponent will be. The current state of the art is to compartmentalize to limit the damage, have monitoring systems to detect indicators of compromise, and a well trained team to respond.
"Most of our sensitive cyber weapons were not compartmentalized, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,"

Even the part time English teaching assistant job I got in University is not that lax with USB drive and data shares. Hell, even for a part timer like me, they provide an email address that they control and terminate the moment I leave the job. What even is this?

Thom Kidd

...users shared systems administrator-level passwords...
Okay that’s an impressive level of woefully lax.

Hey, at least they didn't go "full lazy" and hardcode the same backdoor admin account and password for everyone to use. That would be staggeringly lax. Wait.. do we know they didn't do that?
Information Security is difficult, expensive, and inconvenient. Being the CIA doesn't change that.

In some ways, being the CIA probably makes it harder. Just like even top authors still need proofreaders, even the best IT team needs independent assessments and audits, and I doubt that the CIA is able to allow a truly independent/outside team to examine their systems.

Not to mention the challenge in any organization to persuade people to follow proper procedure every single time with no shortcuts no matter what. It's essentially impossible, but one error in the right (wrong?) place can seriously compromise the security of an entire system.

I'm never surprised when an entity is compromised - I assume that anyone targeted by a motivated and resourced opponent will be. The current state of the art is to compartmentalize to limit the damage, have monitoring systems to detect indicators of compromise, and a well trained team to respond.
While factually true, look at the facts we know. This wasn't someone penetrating security systems and actively working through protocols. This was the digital equivalent (and perhaps actual case) of walking out the door with the data, thanks to lax and nearly nonexistent protection measures.

It looks to me like a textbook case of "it can't happen here." And then it happened there.

Security *is* hard. But this... this wasn't even security.

jhodge

Information Security is difficult, expensive, and inconvenient. Being the CIA doesn't change that.

In some ways, being the CIA probably makes it harder. Just like even top authors still need proofreaders, even the best IT team needs independent assessments and audits, and I doubt that the CIA is able to allow a truly independent/outside team to examine their systems.

Not to mention the challenge in any organization to persuade people to follow proper procedure every single time with no shortcuts no matter what. It's essentially impossible, but one error in the right (wrong?) place can seriously compromise the security of an entire system.

I'm never surprised when an entity is compromised - I assume that anyone targeted by a motivated and resourced opponent will be. The current state of the art is to compartmentalize to limit the damage, have monitoring systems to detect indicators of compromise, and a well trained team to respond.
While factually true, look at the facts we know. This wasn't someone penetrating security systems and actively working through protocols. This was the digital equivalent (and perhaps actual case) of walking out the door with the data, thanks to lax and nearly nonexistent protection measures.

It looks to me like a textbook case of "it can't happen here." And then it happened there.

Security *is* hard. But this... this wasn't even security.

This looks like an insider threat and probably a least privilege failure. If the CIA has gone all agile-matrix management-cross functional team happy like the rest of the world, they probably have quite a few technical staff with very broad access.

I’m not making excuses for them, just pointing out that security is hard in modern environments. Go back to VMS with a well defined MAC (mandatory access control) scheme and this would have been impossible. Good luck getting anyone to live with those limitations.
Information Security is difficult, expensive, and inconvenient. Being the CIA doesn't change that.

In some ways, being the CIA probably makes it harder. Just like even top authors still need proofreaders, even the best IT team needs independent assessments and audits, and I doubt that the CIA is able to allow a truly independent/outside team to examine their systems.

Not to mention the challenge in any organization to persuade people to follow proper procedure every single time with no shortcuts no matter what. It's essentially impossible, but one error in the right (wrong?) place can seriously compromise the security of an entire system.

I'm never surprised when an entity is compromised - I assume that anyone targeted by a motivated and resourced opponent will be. The current state of the art is to compartmentalize to limit the damage, have monitoring systems to detect indicators of compromise, and a well trained team to respond.
While factually true, look at the facts we know. This wasn't someone penetrating security systems and actively working through protocols. This was the digital equivalent (and perhaps actual case) of walking out the door with the data, thanks to lax and nearly nonexistent protection measures.

It looks to me like a textbook case of "it can't happen here." And then it happened there.

Security *is* hard. But this... this wasn't even security.

This looks like an insider threat and probably a least privilege failure. If the CIA has gone all agile-matrix management-cross functional team happy like the rest of the world, they probably have quite a few technical staff with very broad access.

I’m not making excuses for them, just pointing out that security is hard in modern environments. Go back to VMS with a well defined MAC (mandatory access control) scheme and this would have been impossible. Good luck getting anyone to live with those limitations.
There's overbearing, and then there's this:
"Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely," the report continued. "Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security."
Sharing admin passwords... That takes me back to what I said: this wasn't security at all.

Fearknot

...users shared systems administrator-level passwords...
Okay that’s an impressive level of woefully lax.

That's just a matter of being realistic: This was the computer system of the CIA's hacking team. If you restrict any of them, obviously they'll spend all their time trying to crack the system, and then prove their success by playing pranks. By simply giving everyone the sysadmin password, that challenge is gone, so they can all concentrate on their real job (hacking others).
If there's a silver lining in the report, it's this: the task force assessed with moderate confidence that WikiLeaks never obtained final versions of hacking tools and source code that were housed in the so-called Gold folder.

"The Gold folder was better protected," the report said. "WikiLeaks so far has released data in Stash despite the availability of newer, easier to exploit versions of tools in Gold."


1) Do they have the Gold folder?
2) Is the Gold folder inferior to the things located outside it?

Hydrargyrum

"The stolen data includes everything from the CIA collaboration and communication platform known as Confluence and from a source code repository known as Stash."

Just curious whether that's the same Confluence platform that is available from Atlassian? If so, my company uses it too.. it's not just a CIA platform, but a commercially available product.

edited to include link to product page

Atlassian also has a Git-based source control server product called Stash. I doubt that’s a coincidence.

Hydrargyrum

"Most of our sensitive cyber weapons were not compartmentalized, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,"

Even the part time English teaching assistant job I got in University is not that lax with USB drive and data shares. Hell, even for a part timer like me, they provide an email address that they control and terminate the moment I leave the job. What even is this?

It's another sign, in bright, screaming yellow letters 1000 feet high, illuminated with billion watt lamps and blaring klaxons of the accelerating decline of America, not completely, but mostly the fault of the boomers (it's all happening on their watch so....).

Nah. If you read Legacy of Ashes: The History of the CIA, it’s pretty clear that this isn’t representative of a decline. It’s pretty much the standard level of competence and effectiveness of the CIA for most of its history.
It doesn't really matter in the long run, or even in the medium-to short run. The USAian TLAs don't have a lock on smart programmers. If one bunch of cowboys can write this stuff, so can some other bunch of cowboys.

The problem is that it's darn hard to write an app, or an OS, that works as intended. It's 100X harder to write one (not to mention designing the silicon) that blocks every imaginable thing that you DON'T want to have happen.

My bet is that it's kind of like P = NP. There is fundamentally no way to create a 100% secure system if you want ever to load any file onto it or connect it to any other machine.

This doesn't excuse the CIA from failing to plan for remedial operations when (not if) their tools get into the wild.

el_oscuro

"The stolen data includes everything from the CIA collaboration and communication platform known as Confluence and from a source code repository known as Stash."

Just curious whether that's the same Confluence platform that is available from Atlassian? If so, my company uses it too.. it's not just a CIA platform, but a commercially available product.

edited to include link to product page
We have that too. It is tied to our Active Directory accounts. Mostly used for documentation, technotes, SOPs, and such.

el_oscuro

...users shared systems administrator-level passwords...
Okay that’s an impressive level of woefully lax.

Hey, at least they didn't go "full lazy" and hardcode the same backdoor admin account and password for everyone to use. That would be staggeringly lax. Wait.. do we know they didn't do that?
I have seen shit like that in every network I have looked at. Got DBA on a production database once when they had scott/tiger enabled. Logged in, queried ALL_USERS to get a username list and tried them all with the username as the password. Got full DBA. Demoed it right in front of the production DBA, and not a care in the world.

karolus

If there's a silver lining in the report, it's this: the task force assessed with moderate confidence that WikiLeaks never obtained final versions of hacking tools and source code that were housed in the so-called Gold folder.

"The Gold folder was better protected," the report said. "WikiLeaks so far has released data in Stash despite the availability of newer, easier to exploit versions of tools in Gold."


1) Do they have the Gold folder?
2) Is the Gold folder inferior to the things located outside it?

Rumor has it, another Atlassian tool is used to manage that—SourceTree. Makes the corporate accounts/troubleshooting SOOO much easier to manage.

/duck

althaz

"The stolen data includes everything from the CIA collaboration and communication platform known as Confluence and from a source code repository known as Stash."

Just curious whether that's the same Confluence platform that is available from Atlassian? If so, my company uses it too.. it's not just a CIA platform, but a commercially available product.

edited to include link to product page
We use both confluence and stash at my organisation (although we're migrating off Stash atm) also.

mrrawl

I once worked in a financial services department that consisted of 50 people. We had to go past a security officer and swipe through two more locked doors to get to our cubicles. You were supposed to lock your computer if you left your desk.

If you didn't lock your computer there was a 99% chance I was going to send a random email from YOUR computer to a manager asking if they've ever been in a book club, know how to hacky sack or something else random and innocuous.

jamiekitson

34 terabytes of data, a staggering amount that's roughly the equivalent of a 2.2 billion-page document.
Oh come on, don't underestimate your audience. We know what 34 terabytes means. But what does _a 2.2 billion-page document_ mean? Compressed? Uncompressed? Raw text, Word document, PDF? What font size and line spacing?

ps, and what's with using bb code instead of markdown?
If you didn't lock your computer there was a 99% chance I was going to send a random email from YOUR computer to a manager asking if they've ever been in a book club, know how to hacky sack or something else random and innocuous.

On a previous job, the tradition was to send a message to the entire department promising to bring cake the next day.

Deleted member 543677

If you didn't lock your computer there was a 99% chance I was going to send a random email from YOUR computer to a manager asking if they've ever been in a book club, know how to hacky sack or something else random and innocuous.

On a previous job, the tradition was to send a message to the entire department promising to bring cake the next day.
I did an internship where it was croissants instead of cake, and on slack instead of emails, same idea though.