Wikileaks published a cache of documents and information from what appears to be a wiki from the Central Intelligence Agency (CIA).
This week, we discuss the details of the leak (as of 11Mar 2017), and how damaging it is to blue teamers.
To help us, we asked Mr. Dave Kennedy (@hackingDave) to sit down with us and discuss what he found, and his opinions of the data that was leaked. Mr. Kennedy is always a great interview, and his insights are now regularly seen on Fox Business News, CNN, and MSNBC.
Dave isn't one to rest on his laurels. For many of you, you know him as the co-organizer of #derbycon, as well as a board member of #ISC2. We ask him about initiatives going on with ISC2, and how you (whether or not you're a ISC2 cert holder). You can help with various committees and helping to improve the certification landscape. We talk about how to get involved.
We finish up asking about the latest updates to DerbyCon, as well as the dates of tickets, and we talk about our CTF for a free ticket to DerbyCon.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-009-dave_kennedy_vault7_isc2_derbycon_update.mp3
Youtube: https://www.youtube.com/watch?v=lqXGGg7-BlM
iTunes: https://itunes.apple.com/us/podcast/2017-009-dave-kennedy-talks-abotu-cias-vault7-isc2/id799131292?i=1000382638971&mt=2
#Bsides #London is accepting Call for Papers (#CFP) starting 14 Febuary 2017, as well as a Call for Workshops. Tickets are sold out currently, but will be other chances for tickets. Follow @bsidesLondon for more information. You can find out more information at https://www.securitybsides.org.uk/
CFP closes 27 march 2017
------
HITB announcement:
“Tickets are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here: http://conference.hitb.org/hitbsecconf2017ams/
---------
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#RSS: http://www.brakeingsecurity.com/rss
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
SoundCloud: https://www.soundcloud.com/bryan-brake
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
--show notes--
http://www.bbc.com/news/world-us-canada-10758578
WL: “CIA ‘hoarded’ vulnerabilities or ‘cyber-weapons’
Should they not have tools that allow them to infiltrate systems of ‘bad’ people?
Promises to share information with manufacturers
BrBr- Manufacturers and devs are the reason the CIA has ‘cyber-weapons’
Shit code, poor software design/architecture
Security wonks aren’t without blame here either
http://www.bbc.com/news/technology-39218393 -RAND report
Report suggested stockpiling is ‘good’
“On the other hand, publicly disclosing a vulnerability that isn't known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability, while still keeping an inventory of vulnerabilities of which only it is aware of in reserve.”
Encryption does still work, in many cases… as it appears they are having to intercept the data before it makes it into secure messaging systems…
http://abcnews.go.com/Technology/wireStory/cia-wikileaks-dump-tells-us-encryption-works-46045668
(somewhat relevant? Not sure if you want to touch on https://twitter.com/bradheath/status/837846963471122432/photo/1)
Wikileaks - more harm than good?
Guess that depends on what side you’re on
What side is Assange on? (his own side?)
Media creates FUD because they don’t understand
Secure messaging apps busted (fud inferred by WL)
In fact, data is circumvented before encryption is applied.
Some of the docs make you wonder about the need for ‘over-classification’
Vulnerabilities uncovered
Samsung Smart TVs “Fake-Off”
Tools to exfil data off of iDevices
BrBr- Cellbrite has sold that for years to the FBI
CIA appears to only have up to iOS 9 (according to docs released)
Car hacking tech
Sandbox detection (notices mouse clicks or the lack of them)
Reported by eEye: https://wikileaks.org/ciav7p1/cms/page_2621847.html
Technique: Process Hollowing: https://wikileaks.org/ciav7p1/cms/page_3375167.html
Not new: https://attack.mitre.org/wiki/Technique/T1093
**anything Mr. Kennedy feels is important to mention**
What can blue teamers do to protect themselves?
Take an accounting of ‘smart devices’ in your workplace
Educate users on not bringing smart devices to work
And at home (if they are remote)
Alexa,
Restrict smart devices in sensitive areas
SCIFs, conference rooms, even in ‘open workplace’ areas
Segment possibly affected systems from the internet
Keep proper inventories of software used in your environment
Modify IR exercises to allow for this type of scenario?
Reduce ‘smart’ devices
Grab that drill and modify the TV in the conference room
Cover the cameras on TV
Is that too paranoid?
Don’t setup networking on smart devices or use cloud services on ‘smart’ devices
Remind devs that unpatched or crap code can become the next ‘cyber-weapon’ ;)
