WikiLeaks to help shield tech firms from CIA’s hacking tools
WASHINGTON — WikiLeaks will work with technology companies to help defend them against the CIA’s hacking tools, founder Julian Assange said Thursday. The move sets up a potential conflict between Silicon Valley firms eager to protect their products and an intelligence agency stung by the radical transparency group’s disclosures.
In an online news conference, Assange acknowledged that some companies had asked for more details about the CIA cyberespionage toolkit that he purportedly revealed in a massive disclosure earlier this week.
“We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out,” Assange said. Once tech firms had patched their products, he said, he would release the full data of the hacking tools to the public.
In response to Assange’s news conference, CIA spokeswoman Heather Fritz Horniak said: “As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity. Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”
The CIA has so far declined to comment directly on the authenticity of the leak, but in a statement issued Wednesday it said such releases are damaging because they equip adversaries “with tools and information to do us harm.”
Article continues after this advertisementAssange began his online press conference with a dig at the agency for losing control of its cyberespionage arsenal, saying that all the data had been kept in one place. “This is a historic act of devastating incompetence,” he said, adding that, “WikiLeaks discovered the material as a result of it being passed around.”
Article continues after this advertisementAssange said the technology was nearly impossible to keep under wraps — or under control.
“There’s absolutely nothing to stop a random CIA officer” or even a contractor from using the technology, Assange said. “The technology is designed to be unaccountable, untraceable; it’s designed to remove traces of its activity.”
The CIA wouldn’t confirm Wednesday that the material came from its files, although no one is doubting that it did. The CIA wouldn’t talk about whether there was any investigation underway to figure out how the material ended up on the internet for all to see. And the agency wouldn’t say whether it suspects that a mole lurking inside the CIA secretly spirited the material to WikiLeaks, or whether the CIA could have been the victim of a hack.
The WikiLeaks disclosures were an extraordinary coup for a group that has already rocked American diplomacy with the release of 250,000 State Department cables and embarrassed the Democratic Party with political back-channel chatter and the U.S. military with hundreds of thousands of logs from Iraq and Afghanistan.
The intelligence-related documents describe clandestine methods for bypassing or defeating encryption, antivirus tools and other protective security features for computers, mobile phones and even smart TVs. They include the world’s most popular technology platforms, including Apple’s iPhones and iPads, Google’s Android phones and the Microsoft Windows operating system for desktop computers and laptops.
WikiLeaks has not released the actual hacking tools themselves, some of which were developed by government hackers while others were purchased from outsiders. However, the group is now saying that it will.
If sharing were to occur, it would be an unusual alliance that would give companies like Apple, Google, Microsoft, Samsung and others an opportunity to identify and repair any flaws in their software and devices that were being exploited by U.S. spy agencies and some foreign allies, as described in the material.
Security experts said WikiLeaks was obligated to work privately with technology companies to disclose previously unknown software flaws, known as zero-day vulnerabilities because consumers would have no time to discover how to defend themselves against their use, and with companies that design protection software. WikiLeaks has said the latest files apparently have been circulating among former U.S. government hackers and contractors.
“The clear move is to notify vendors,” said Chris Wysopal, co-founder and chief technology officer of Veracode Inc. “If WikiLeaks has this data then it’s likely others have this data, too. The binaries and source code that contain zero days should be shared with people who build detection and signatures for a living.”
One clear risk is that WikiLeaks revealed enough details to give foreign governments better opportunities to trace any of the sophisticated hacking tools they might discover back to the CIA, damaging the ability to disguise a U.S. government hacker’s involvement. “That’s a huge problem,” said Adriel T. Desautels, the chief executive at Netragard LLC, which formerly sold zero-day exploits to governments and companies. “Our capabilities are now diminished.”
Apple said many of its security vulnerabilities disclosed by WikiLeaks were already fixed. In a statement late Tuesday, it said its initial analysis showed that the latest version of the iOS system software for iPhones and iPads fixed many of those flaws. Apple said it will “continue work to rapidly address any identified vulnerabilities.” –Raphael Satter and Deb Riechmann
* * *
Satter reported from Paris. Associated Press Michael Liedtke in San Francisco contributed to this report.