CIA WikiDump re-enforces old security mantras

Despite the efforts of the Assange publicity machine, it's business as usual on the security front, even if the CIA is up to no good.

Now that a little of the hype has disappeared from the release by WikiLeaks of allegedly more than 8,000 internal CIA documents, and the sorts of hacking the American spy agency was up to, what has changed in the world of security?

Unlike the Snowden documents, which fundamentally shook the world of many people with and without an interest in the world of cybers, this cache offers little over and above what should be standard security fare.

First up, the CIA is an intelligence agency -- it hacks stuff. The CIA does what "the Russians" and "the Chinese" do, but they are meant to be on America's side. If they were not in the realm of looking to purchase zero-day vulnerabilities, or work out how to compromise the iPhones of foreign agents within the US, then they wouldn't be doing their job properly.

leaked

Secret CIA files detail tools for hacking iPhones, Android, smart TVs

Thousands of classified "secret" and "top secret" files point to a covert effort by the CIA to develop exploits for vulnerabilities in popular phones for surveillance.

Looking at the idea that the CIA was hacking smart TVs, it was surely doing that, but it was a local attack that involved physical access to the TV.

One of the central tenets of security is, to quote Microsoft: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

The consequences of the CIA being able get someone to load malware onto a TV is summed up nicely by Robert Graham, who said during the week: "If you aren't afraid of the CIA breaking in and installing a listening device, then you shouldn't be afraid of the CIA installing listening software".

Maintaining physical security remains as important this week as it was last week, and all the other weeks before it -- it's crucial to keep information secure.

Despite the claims of WikiLeaks that the CIA can bypass encrypted messaging apps, it was not the apps themselves that were targeted, but the underlying operating systems. The same style of keylogging attacks from spy agencies, organised crime gangs, and marketing organisations that mobile phone users, particularly Android users, have had to live with for years now.

Make no mistake, these hacking techniques are real and the CIA is using them, but there is nothing unique to what is happening here.

When the latest publicity storm from the Ecuadorian embassy in London is combined with some previous misreporting on a backdoor within WhatsApp, regular citizens who do not follow the security industry closely may think encrypted messaging apps have been cracked.

But in amongst all the fuss is a small silver lining: Quite the reverse could be true.

As Open Whisper Systems, the organisation behind Signal, tweeted, it may show how their efforts are being rewarded.

"Ubiquitous e2e [end-to-end] encryption is pushing intelligence agencies from undetectable mass surveillance to expensive, high-risk, targeted attacks," it said.

"The story isn't about Signal or WhatsApp, but to the extent that it is, we see it as confirmation that what we're doing is working."

If there is anything positive to take away from this situation, it is that encryption is possibly doing its job.

For everything else, it should fall under the banner of security as usual.

ZDNet Monday Morning Opener

The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.

Previously on Monday Morning Opener:

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All