WikiLeaks offers help for tech companies with CIA software holes

WikiLeaks founder Julian Assange on Thursday said that his organization is willing to share information with tech companies about product vulnerabilities from the “Vault 7” CIA data published on Tuesday.

“After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that fixes can be developed and pushed out, so that people can be secure,” Assange said in a live-streamed press conference from the Ecuadorian Embassy in London, where Assange has resided since 2012. He also emphasized that Tuesday’s data trove comprises only a portion of the total leaked information the organization holds and that more will come.

That leaked CIA cache, which currently includes almost 9,000 documents, contains information about CIA offensive hacking operations including details about malware, viruses, trojans, and undisclosed zero-day vulnerabilities that the agency allegedly uses for digital intelligence-gathering. Targeted devices include not just computers and smartphones, but also internet-connected TVs and network servers.

“This is a historic act of devastating incompetence to have created such an arsenal and stored it all in one place and not secure it,” Assange said.

Crucially, WikiLeaks also says it has access to—but withheld and redacted—source code, which would show specifically how these attacks work, enabling opportunistic bad actors to apply them as well. It’s that code that WikiLeaks says it will share with tech companies, so that they can see specifically where the holes are and more efficiently patch them.

Meanwhile, some companies have already noted that they had patched certain vulnerabilities listed in the dump in the immediate wake of the Vault 7 release. Apple said that it had already discovered and patched “many” of the 14 iOS bugs described in the documents and that it is working to “rapidly address” the rest. A Microsoft spokesperson told CNBC on Wednesday that, “We are aware of the report and we are looking into it.” The Linux Foundation said that as an open source project, it has the vetting and ability to add software updates quickly and assist other open source software.

Assange did not explain why WikiLeaks didn’t disclose these vulnerabilities to software vendors prior to or concurrent with making even the neutered versions publicly available on Tuesday. It also remains to be seen if and when WikiLeaks will follow through on this morning’s promise.

There’s also the question of how much time companies will have to patch those holes. Assange indicated that he plans to drop more documents; if that includes source code, the gap between initial disclosure and public consumption will be critical. Once the code is public, anyone will be able to deploy the attacks.

It’s important to note, too, that patching these vulnerabilities won’t act as a panacea. To receive protection, consumers will need to download the software updates companies release, a process which can be challenging on Internet of Things devices like smart TVs and, crucially, the large population of Android devices running legacy versions of the operating system, or versions that are altered and don’t receive updates directly from Google.

And while WikiLeaks sharing information with companies will be an important first step, security experts are taking a wait-and-see approach.

If WikiLeaks does what Assange says it will, though, and in a responsible way, it would be a welcome moment of restraint for an organization that has historically shown little interest in it.