
WikiLeaks' disclosure of CIA hacks comes with requirements

WikiLeaks reportedly made demands of vendors at risk from the Vault 7 CIA hacks, but without knowing what the requirements are, experts are unsure how to react.

WikiLeaks promised it would share details of the CIA hacks found in the Vault 7 documents with affected vendors, but the outlet also has mysterious demands it wants met before disclosing vulnerability information.

When WikiLeaks first claimed it would work with the software vendors to patch the vulnerabilities found in the CIA hacks, experts were wary of whether WikiLeaks could follow through on its promises. WikiLeaks has reportedly made contact with companies to begin the responsible disclosure process, but also reportedly has certain demands it wants met before sharing information.

According to Motherboard, multiple sources claimed WikiLeaks contacted Apple, Google, Microsoft and other companies referenced in the Vault 7 documents and asked those companies "to sign off on a series of conditions before being able to receive the actual technical details to deploy patches."

A Microsoft spokesperson confirmed contact was made by WikiLeaks and Microsoft has "followed up, treating them as [it] would any other finder." As of this post, neither Apple nor Google responded to requests for similar confirmation.

Experts debate WikiLeaks demands

While the details of WikiLeaks' demands remain unknown, one alleged requirement, according to Motherboard, would be a 90-day patch deadline to remediate any vulnerabilities found in the Vault 7 CIA hacks.

Chris Eng, vice president of research at Veracode, said a strict 90-day deadline "may sound reasonable on the surface, [but] it fails to account for the complexity of the vulnerability."

"A common fallacy is that if the bug is easy to exploit it must be easy to fix," Eng told SearchSecurity. "Only the vendor is in a position to evaluate and recommend a remediation timeframe. What's reasonable is that the vendor maintains an open line of communication with the finder."

Igor Baikalov, chief scientist at Securonix, said a 90-day deadline "is a reasonable and widely accepted practice," noting this is standard policy for Google's Project Zero.

"If Apple and Google products are truly secure from the CIA hacks obtained by WikiLeaks, then there would be no harm for these companies to meet WikiLeaks' requirements, as far as we know them," Baikalov told SearchSecurity. "Or have they already obtained the details directly from the CIA? In either case, it seems that WikiLeaks' ploy to stress government ties of the companies as the reason for delayed response worked."

Chris Carlson, vice president of product management at Qualys, also said companies may be wary of WikiLeaks because the outlet may be more interested in impairing the government's offensive cyber capabilities than in helping vendors.

"WikiLeaks might be using threat of embarrassment as leverage over vendors to release security patches if it has proof that there is collusion between vendors and the U.S. government," Carlson told SearchSecurity. "While enterprises will benefit from zero-day vulnerability disclosure and vendors releasing security patches, it's hard to believe that WikiLeaks really cares about enterprise users. More likely, WikiLeaks is trying to impair nation states that are using and benefiting from these zero days by forcing vendors to acknowledge and release security patches."

Chris Sullivan, CISO and CTO at Core Security, said vendors may not have time to delay patching the vulnerabilities found in the CIA hacks.

"We will not wait indefinitely for the vendor [when disclosing flaws] because adversaries may have found the same vulnerability and could be using it undetected. If the vendor is uncooperative, we will release our security advisory anyway. In that way at least defenders know what [indicators of compromise] to look for and can implement compensating controls," Sullivan told SearchSecurity. "If WikiLeaks' demands are along these lines, then they are behaving responsively. If they are getting ready to extort the vendor then I suspect they will lose a lot of credibility and trust."

Next Steps

Learn about the confusion caused by the leak of the Vault 7 CIA hacks.

Find out why both WikiLeaks and the CIA have come under fire about responsible vulnerability disclosure.

Get info on why Cisco extended its responsible disclosure deadline to 90 days.

Join the conversation

2 comments
Wikileaks may have finally opened up people's eyes to what is really going on in our world. Everybody thinks our government is out for us, and they use terrorism as their excuse to spy on us. It's all garbage; it's all about control. The NSA, FBI and the CIA are all the same. Wake up people, save our country now or it's over. Also, a safe search engine that doesn't track you, a good old-fashioned private search engine: Lookseek.com. Have an awesome day.