The pin hole in blackout glass – spies, zero day exploits and exploding toilets
For the last month I have been following the Vault 7 releases. For those who are unaware of what it is, Vault 7 is a vast trove of internal documents describing the hacking tools and vulnerability exploits used by the CIA, some of them developed with or borrowed from partner agencies such as the NSA and GCHQ.
The source of this material is currently unconfirmed, but it has been distributed by WikiLeaks – an organisation notorious for obtaining and circulating secret government information from around the world. WikiLeaks’ tagline is ‘we open governments’ – and Vault 7 clearly plays into this ambition.
The first Vault 7 instalment, code-named Year Zero, is the largest ever publication of highly confidential documents from the US Central Intelligence Agency (CIA). What makes it so interesting and shocking is that this level of competency and mass of tooling would normally be expected only from the US National Security Agency (NSA), which is known for building targeted hacking and vulnerability tools. To give an idea of the scale, WikiLeaks claims that by 2016 the CIA’s hacking division had produced more code than is used to run Facebook.
The 7,818 documents that comprise Year Zero cover the period from 2013 to 2016, and include targeted exploits and implants for Samsung smart TVs, iPhones, Android devices, Cisco routers and switches, plus many more. Where this takes a swift dark turn is the fact that the CIA hoarded many Zero Day vulnerabilities in systems many of us use every day.
That should send your spy senses tingling, in true James Bond-style!
During the Obama administration the U.S. government committed, through its Vulnerabilities Equities Process, to disclosing Zero Day vulnerabilities to vendors by default rather than keeping and exploiting them, unless there was an overriding national security reason. The Vault 7 documents suggest the CIA did not do so, and as a result many holes in widely used systems remained unpatched for years. And if the CIA can find and exploit a security vulnerability, there is very little to stop a criminal or hostile hacking outfit from doing the same.
Time to pack up and head off to your secret bunker? Maybe not quite yet…
Many, but not all, of the security vulnerabilities released as part of Vault 7 had already been patched, or were patched soon after the release. And the chances of you or me being targeted by the NSA, CIA or GCHQ are extremely slim – unless you really are James Bond (!), or behave in an appropriately suspicious or clandestine manner.
All of the common ways of protecting yourself and your organisation still apply.
Keeping systems patched remains paramount – Patch Tuesday should never be missed! Every organisation should run currently supported, fully patched versions of firmware and software, on hardware that still receives firmware updates from its vendor.
You should also sign up to services such as the FortiGuard Threat Intelligence Brief a weekly email highlighting the latest security issues and trends.
Use 2FA (two factor authentication) wherever possible – a password (something you know) combined with a one-time code from a device you hold (something you have), a code that changes every time you use it, is far superior to a password on its own.
Be wary of email attachments, even from people you know – a compromised or spoofed sender looks exactly like the real one. In order to mitigate the threat of malware entering your company via email, ensure that you have a complete anti-virus and sandboxing solution in front of your mailboxes.
Always use a firewall, and not just in the workplace. The rise of IoT means it is already possible to hack all sorts of household appliances and objects, including your toilet (the consequences of which I won’t go into detail about, but you get the gist).
The choice of firewalls available is huge, but as a bare minimum you should at least set up the firewall included in your home router. It won’t feature the next-generation capabilities (application awareness, intrusion prevention, sandboxing) needed to fully protect your digital assets, but it is better than nothing.
If an unfiltered connection is like a clear pane of glass, letting you view the outside world and the outside world see in (albeit from a distance), a correctly configured firewall is like a blacked-out pane which only allows you to see out: connections you start go out, only their replies come back in, and everything else is dropped. Your priority is not to allow pin holes to appear in that glass – every port forward and every ‘temporary’ allow rule that nobody removes is one.
Stay updated and drive security policy management with solutions such as those provided by Tufin. Complexity drives mistakes and circumvention – keep it simple, use best practice methods, review the rule base regularly for holes and dead rules, and use the GUI if available.
Oh, and don’t have nightmares: all of the above will help to ensure you don’t get caught in the crypts and catacombs of the Vault 7 releases, or of anything else for that matter.