-
@Frank if the first 1% can be thought of as a trailer to promote the full release then it will be up for a Razzie.
What has been released is designed to grab headlines and excite the public. It is nothing new and is not exclusive to the CIA (as is being made out).
None of this is 'Eye in the Sky' security fantasies or tinfoil hat material. It is commonsense security stuff.
I don't see how it's big news about the Samsung TVs. Basically just work on the premise that anyone that wants to access anything electronic can do so, whether it is a games console, a webcam, a smart TV, a cable strung from your house to a junction, etc. etc.
There's a reason why sensitive information is handled only on secure systems electronically, and physically it is handled within secure environments and SCIFs.
Want to know where classified material is handled? Look for the metallic mesh curtains, to stop anything electronic being accessed simply from long range.
It's a known game. It is as funny as hell in areas like Canberra where embassies are grouped together within line of sight. You can sit in the tea room of the NZ High Comm and talk shit in full knowledge that the Chinese across the road probably have a listening device tuned right at you from across the road. The Aussies even have a spurious DFAT 'training centre' on the hill above the Chinese (and PNG/Canada/NZ/UK).
I think it's hilarious how many people think these releases are shocking as they are probably reading all about them on a Huawei device.
-
A lot of what's front page news on this came out at least 2 or 3 years ago. E.g. your TV might listen to you; CNET flagged that over 2 years ago (link)
https://www.cnet.com/uk/news/samsungs-warning-our-smart-tvs-record-your-living-room-chatter/
and - even better, it's in the fricking Samsung agreement you get with your TV -
"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."
The Guardian highlighted it 4 years ago -
It (LG) conceded that the system also collected filenames of attached USB disks, which it said was "part of a new feature being readied to search for data from the internet (metadata) relating to the program being watched".
-
@gollum
Seems different: your link detailed information leaking out of the software feature Voice Recognition, which can be turned on and off...
"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."
and here is the CIA hacking malware:
https://www.forbes.com/sites/thomasbrewster/2017/03/07/cia-wikileaks-samsung-smart-tv-hack-security/#40c877a64bcd
Weeping Angel runs just like a normal TV app, not unlike YouTube, but in the background, capturing audio but not video. It can, however, also recover the Wi-Fi keys the TV uses to later hack the target's Wi-Fi network, and access any usernames and passwords stored on the TV browser, explained Matthew Hickey, a security researcher and co-founder of Hacker House, a project to encourage youngsters to get into cybersecurity. There was also a feature dubbed "Fake Off" where the TV would continue recording even when shut down.
Hickey, who reviewed the CIA notes on the project, said it appeared the malware would infiltrate the TV via a USB key, as the notes on Wikileaks indicated USB install methods were disabled in a specific firmware. He said, however, that there's still a chance the CIA has remote infection techniques.
He noted that the attacks would likely be limited, in that the CIA would have to be nearby to harvest the stolen data. "Effectively they install an application onto your TV through USB, they go away on their spying business and come back with a Wi-Fi hotspot later on. When the TV sees the CIA Wi-Fi, it uploads all of the captured audio it has recorded of people around the TV, even when they thought it was off."
-
How is that not literally this -
"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."
Included in the full Samsung agreement given to everyone who buys their TV. Don't even need a spook to sneak into your house & stick a USB in & upload the software; Samsung openly built it in. And then told you they built it in. And then told you they might give it to 3rd parties.
The example you've quoted is actually nowhere near as easy as the reality of what has been on smart TV (openly) for 2-3 years.
-
Anything on the internet can be hacked. I went to a presentation from the head of security of a large corporation and it's pretty scary stuff TBH.
Target got hacked via their Air Con units a while back, compromising basically all of their customer data nearly sinking the company for good.
Another example is a company (Barbie?) thought it would be cool to put cameras in their dolls so parents could record their kids. Next thing weirdos have hacked them and are watching their kids.
Companies are producing smart TVs, smart fridges, smart anything really. And in the rush to get these to the market security is very much an afterthought. Just because you can put something on the internet, doesn't mean you should.
As to countries hacking each other, there is literally a fucking massive cyber war going on every second of every day that nobody really knows or cares about. I've seen a global map that showed hacking attempts and it was ridiculous, with the States leading the way, but basically every single country was trying to hack the shit out of each other.
-
I worked as an anti-hacking developer for credit card companies and banks in London.
So much ignorance and disinformation around this Wikileaks stuff.
Bottom line is that hacking sucks donkey balls. But is harder than most people realise. If they want to hack you as a citizen, they will. But it has to be worth their while. Unless you make it easy for them.
P.S. Assange is a dishonest twunt. Loathe him with a passion. He is just a pawn.
-
@gollum Samsung hasn't put software in their TV to implement a fake off mode, which is one of the exploits revealed.
This is worth a read: https://www.theregister.co.uk/2017/03/08/cia_exploit_list_in_full/?page=1
Gives a summary of the exploits (some are a few years old, but real). In short, if you have an Android phone it's pretty easy to spy on you.
Snowden thinks the info is real, for what that's worth.
-
@Baron-Silas-Greenback said in Wikileaks CIA releases.......:
I worked as an anti-hacking developer for credit card companies and banks in London.
So much ignorance and disinformation around this Wikileaks stuff.
Bottom line is that hacking sucks donkey balls. But is harder than most people realise. If they want to hack you as a citizen, they will. But it has to be worth their while. Unless you make it easy for them.
P.S. Assange is a dishonest twunt. Loathe him with a passion. He is just a pawn.
Yeah, something like 80% of hacking occurs due to human error, e.g. people clicking on a dodgy link, putting a dodgy USB drive into their PC. It's pretty difficult to hack without some form of user interaction. The Target hack was due to a person being duped into plugging in a device, otherwise the hackers had nothing. The biggest threat to corporations is its own users.
And as you say, there's a very low probability that a single person is being hacked unless they are a person of interest. Hackers doing it to make money target corporations. Government agencies target people believed to be a threat. Joe Public is not worth the effort for anyone.
The headline that the CIA could watch you through your new smart TV generates some good clicks but is not what is happening in reality.
-
I went to a presentation recently, where a company had been hacked and the people that hacked them offered to unlock it for $800 NZD (they had a call centre you call to arrange).
They contacted their insurer, who spent about $15k unlocking their servers and 'blocking the hole'.
Your credit card data can be sold for $50USD...
Hackers will often target smaller organisations that can give them a backdoor into a large one.
While there are revenge attacks, most are driven by greed.
-
@taniwharugby yeah the Target hack was done by hacking the air conditioning vendor, who then planted the malware on Target's network. Crazy stuff.
There's hacking software you can purchase that gives a guaranteed return on investment. It's big business nowadays.
I never allow companies to save my credit card details for that reason.
-
The value for a lot of information is dropping, so hackers are stealing more data or finding other information to sell.
We have been seeing a lot of info around Cyber Risk.
-
@Kirwan said in Wikileaks CIA releases.......:
Snowden thinks the info is real, for what that's worth.
Snowden is horribly over-hyped; he was a very low level, not very competent no-one who exploited appalling security. He's now painting himself as an expert - and compared to most he certainly is. But he was not some high level in the know US intelligence genius. I quite like the stuff he does on the Intercept, but it's not like he was privy to top level - or even mid level meetings.
The big issue I have with all of the "The CIA are tracking you!" stuff is as @dogmeat says, most of the time it's not Tom Cruise floating down past lasers & putting in a USB stick that self destructs, it's someone opening spam, or getting an email that says "Hi! its Microsoft we need to direct access your PC!" & being too stupid to realise. Or even in Snowden's case where he literally just said to guys with security clearance "can I have your password". And they let him.
While in day to day life Facebook listens to us (and tells us it is doing so) via our phones, as does Google (which again, tells us), Amazon's Fire TV boxes don't have an off switch, and so on & so on. People willingly, enthusiastically give away far more information to Google, Garmin, Fitbit, Amazon, Apple etc every day than any spy agency could ever wish for. Just the other day people had to be told to maybe not stick their boarding passes on fricking Instagram -
https://blog.kaspersky.com/dont-post-boarding-pass-online/10495/
The panic over the deep state tracking us amazes me; the deep state is not tracking you, everyone you digitally wank into (FB, Snap, Google etc) IS tracking you & 100% already has enough information to destroy your life, info you freely - gleefully - gave them. They aren't going to. But you have given them everything they need to do so. And for at least 50% of the population all it would take to get you to hand all of that to a 16 year old "hacker" would be a mocked up email from Facebook_Important@hotmail.com
-
The boarding pass thing is funny. I can't believe how many people I see telling all and sundry they are away from their house for a while etc.
The other good one is the use of your normal email address as your Apple or Google ID. All someone has to do is use the email address you freely hand out and crack your probably weak password and they can track your whereabouts because you probably also have location tracking on.
All those people concerned about their Samsung TV are carrying and allowing a personal tracking device on their person.
-
Yeah, the huge celebrity photo leak (The Fappening) wasn't amazing hacking, it was a guy digitally watching celebs till he could guess their email address & then just trying out obvious passwords till he got it right. That was all it took. Read Scarlett Johansson's tweets for a week, see she bleats on about her dog "Scruffy", login to her iCloud using a password of scruffy, Ilovescruffy, scruffy123 till you are in.
And then for good measure try her Amazon, iTunes, Facebook & Instagram accounts too because they are probably all the same fricking password.
-
@gollum said in Wikileaks CIA releases.......:
Yeah, the huge celebrity photo leak (The Fappening) wasn't amazing hacking, it was a guy digitally watching celebs till he could guess their email address & then just trying out obvious passwords till he got it right. That was all it took. Read Scarlett Johansson's tweets for a week, see she bleats on about her dog "Scruffy", login to her iCloud using a password of scruffy, Ilovescruffy, scruffy123 till you are in.
And then for good measure try her Amazon, iTunes, Facebook & Instagram accounts too because they are probably all the same fricking password.
We all do owe the man a debt of gratitude as well. Guessing that Kate Upton's password was 'spoodgeonmyback' was genius.
-
But members of the security community have dismissed Assange’s hyperbole around the CIA files – collectively nicknamed “Vault 7” – which he described as “exceptional from a political, legal and forensic perspective”. Ryan Kalember, SVP of Cybersecurity Strategy at Proofpoint, disagreed. “There’s nothing earth-shattering,” he said, pointing out that many of the operating systems mentioned in the documents are quite old and have already been updated.
“It seems like the CIA was doing the same stuff cybersecurity researchers do, which is compile lists of vulnerabilities and try to figure out which ones are being exploited in the wild and which ones could be.” It’s not clear at this point how many, if any, of the vulnerabilities are genuine “zero-days” – those not yet known to vendors, named after the number of days they have to fix them.
Kalember said that the so-called Weeping Angel hack, which uses malware to spy on Samsung smart TVs, has been shown at security conferences for a couple of years and requires physical access to the device.
“The CIA should be embarrassed that they lost control of this cache, but they should also be embarrassed if this is their level of technical sophistication,” said another security researcher, who did not want to be named. “What they have is pretty unimpressive.” Both said that the vulnerabilities detailed in the documents are likely to have already been patched by the companies. Apple and Google have both publicly stated this is the case.
There could be more to come, however: Assange has emphasized that the data trove released on Tuesday is only a portion of the total leaked information WikiLeaks holds. “The fact that Julian Assange is offering to selectively disclose vulnerability information to affected companies is better than revealing it to all and sundry, but it depends on the veracity, accuracy and currency of that information,” said BullGuard CEO Paul Lipman.
“I don’t think WikiLeaks is the first stop for tech companies looking to solve vulnerabilities,” he added. How do the CIA files compare to the revelations contained in the NSA leaks from whistleblower Edward Snowden? “It’s apples and oranges,” said Kalember. “The Snowden leaks were not only technically interesting but contained a lot of novel stuff that was not known at all.”
He said that with Vault 7, he and other members of the cybersecurity community have spent a lot of time “laughing about funny things on the CIA’s intranet” (like this collection of emoticons) rather than “debating anything interesting from a tech perspective”.
Some researchers were skeptical of WikiLeaks’ motives, pointing to apparent ties between the whistleblowing organization and Russia – despite Assange’s denial. “Everything they have done over the last few months suggests they are operating as a front for a different leaker [Russia],” said Kalember. He said that the possible Russian ties as well as WikiLeaks’ track record of publishing identifying information about people (known as ‘doxxing’) – including millions of women in Turkey – and threats to make an online database of all verified users on Twitter – has diminished confidence in the organization.
“No-one in the information security community really trusts him and his motives,” he said. At the press conference, Assange attempted to counter accusations that he or WikiLeaks had ties to Russian intelligence agencies, describing his operation as “a neutral, digital Switzerland”. The WikiLeaks’ promotion of the CIA files has placed emphasis on a group at the agency called Umbrage, which collects a library of attack techniques produced in other states including, the press release stated, the Russian Federation.
“With Umbrage and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the ‘fingerprints’ of the groups that the attack techniques were stolen from,” WikiLeaks said. This could be interpreted as an attempt by WikiLeaks to undermine the attribution of the DNC hack to the Russians – something that the international security community almost unanimously agrees on.
“They place a lot of emphasis on the fact that the CIA could be using malware to achieve its ends and leave trails that point to people in different directions. Everybody does this, but it’s not going to genuinely undermine proper attribution,” he said. That hasn’t stopped conservative media figures from embracing the conspiracy theory, amplified by a flood of Twitter bots spouting memes and a similar narrative.
“I think at this point Assange is effectively acting in the service of the Russian government, whether intentionally or not,” said Kalember.
-
The biggest disappointment I have with Assange is that he has totally destroyed any shred of belief I had in the Hollywood version of the USA govt machine. He should have been assassinated years ago..
Wikileaks CIA releases.......