back to article If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security

The CIA was so focused on developing whizzbang exploit code, it left any thought of basic computer security principles on the kitchen counter before dashing off to work each morning. That oversight led to the super-agency inadvertently spilling its hacking tools ultimately into the hands of WikiLeaks, which duly disclosed …

  1. redpawn

    Congress did so reasonably

    HA, HA, HA. If an organization is large enough and not monitored, rules will be broken, but how they ended up using my password is beyond me as I was told it was safe to use.

    1. seven of five

      Re: Congress did so reasonably

      Well, they obviously stole it from you, being spies and all that.

  2. jake Silver badge

    Numpties, the lot of 'em.

    The first clue is the term "Cyber" used as part of an organizational name by so-called security experts. In my experience, using that term in this context is proof of cluelessness.

    What a fucking waste of my tax dollars ...

    1. Povl H. Pedersen

      Re: Numpties, the lot of 'em.

      They used Cyber because Super was already taken, and Cyber sounds a bit more middle eastern.

    2. The Man Who Fell To Earth Silver badge
      FAIL

      Re: Numpties, the lot of 'em.

      It's like the word "Science". Any field that has the word explicitly in it's name isn't one.

      1. Dr_N
        Unhappy

        Re: Numpties, the lot of 'em.

        Rocket Science isn't real? You've ruined my day.

        1. Tim99 Silver badge
          Happy

          Re: Numpties, the lot of 'em.

          It’s usually described as mathematics, physics, chemistry, engineering...

        2. jake Silver badge

          Re: Numpties, the lot of 'em.

          The term Rocket Science has been depreciated. The new term is Rocket Surgery.

          1. Glen 1

            Re: Numpties, the lot of 'em.

            The word "depreciated" has been deprecated.

      2. Toe Knee

        Re: Numpties, the lot of 'em.

        So they’re the IT version of countries with the words “Democratic” and “Republic” In their names?

        1. Spanners Silver badge
          Meh

          Re: Numpties, the lot of 'em.

          As a child, I spent time in a country whose name translates to "Socialist Peoples XXXXXX Arab Republic". In the best tradition, the only true(ish) word was the one that I have crossed out.

          The rest of us are not too great at this either. How united is the USA or the UK for example?

          1. Wellyboot Silver badge

            Re: Numpties, the lot of 'em.

            The US or UK are only truly united internally when some unlucky country drops a war in our lap.

            Other than that, like many countries we're an awkward bunch to try and govern.

            1. jake Silver badge

              Re: Numpties, the lot of 'em.

              See: Cats, herding.

              1. CrazyOldCatMan Silver badge

                Re: Numpties, the lot of 'em.

                See: Cats, herding.

                Pah! Trivial.

                Getting end-users too do things properly - *that's* impossible.

            2. Trigonoceps occipitalis

              Re: Numpties, the lot of 'em.

              The clue is in the name "Kingdom". HM the Queen is head of state for all parts of the UK - hence United Kingdom. As for the rest, yes, cats and herding.

    3. Halfmad

      Re: Numpties, the lot of 'em.

      Honestly these days among higher-ups using "Cyber" is the only way to get funding. If you say Infosec, they aren't interested, say Cyber and the table is raised an inch by their collective excitement..

      1. Yet Another Anonymous coward Silver badge

        Re: Numpties, the lot of 'em.

        Wait for the DoD's new CyberForce

        1. Snowy Silver badge
          Joke

          Re: Numpties, the lot of 'em.

          Stepping it up another notch CyberSecurityForce

        2. teknopaul

          Re: Numpties, the lot of 'em.

          Any one want to join my setting up the CyberSpace Force. I suspect we can secure a decent budget for playing war games and flight simulations in cyber space.

          1. Mr Sceptical
            Mushroom

            Re: Numpties, the lot of 'em.

            First dibs on playing war games with the real satellite battle stations.

            Now where's the button marked Project Thor?

  3. Anonymous Coward
    Devil

    Don't Panic

    If they get their back door they promise they'll take better care of the keys. Maybe attach a Tile to them so they know where they have gone.

    1. The Central Scrutinizer

      Re: Don't Panic

      It sounds like they back doored themselves.

      1. Anonymous Coward
        Anonymous Coward

        Re: Don't Panic

        >It sounds like they back doored themselves.

        As in ''They fucked themselves in the arse''?

    2. Mr Sceptical
      Facepalm

      Re: Don't Panic

      I think you're supposed to leave keys under the doormat? Or flowerpot?

  4. vtcodger Silver badge

    Documentation?

    Uncle Sam's snoops lost control of at least 180GB of hacking tools and documentation

    Documentation? The CIA documented their tools? The irresponsible fools. If they'd followed standard industry practices and documented nothing except a few preliminary concepts that were discarded about three weeks into the project, Wikileaks would still be trying to figure out what the 180GB mess does. And How it does it.

  5. Mark192

    Developing the tools was done by the workers and done well.

    Developing and ensuring security policies are followed is management grade stuff...

    1. sabroni Silver badge

      Too right! That's why they're paid so much, because they're supposed to take responsibility.

  6. Anonymous Coward
    Anonymous Coward

    There's a dangerous assumption here.

    Sorry to stir the pot a bit here, but the ability to BREAK things does not automatically imply an ability to make things better as well - the skillsets are not identical.

    The failure is IMHO organisational rather than personal: there should have been someone in charge of ensuring safe practices and security. Sure, they could then use their in-house skills to shake the structure to see if it was solid, but hacking is a point skill, defence is a general, must-cover-all-the-bases process that is less exciting but FAR more exacting to perform.

    Breaking in is a weakest-link idea - one vulnerability and you're in, so you collect data on zero day problems, and see if there's a way you can make code operate out of spec/bounds. Defence is a multi-layer proposition that is process, systems, patching and putting as many layers between you and the outside world as practicality and budget allows.

    This is IMHO a leadership failure.

    1. Anonymous Coward Silver badge
      Paris Hilton

      Re: There's a dangerous assumption here.

      In an organisation where everyone probably thinks that passwords are trivial to crack or bypass, they're not going to put any effort into devising strong password practices. What's the point in having a strong password that nobody can remember when the users would be able to bypass it anyway.

      A bit like in Windows 98 when you could just press 'cancel' on the login screen and get to the desktop...

    2. not.known@this.address

      Re: There's a dangerous assumption here.

      <quote>

      Sorry to stir the pot a bit here, but the ability to BREAK things does not automatically imply an ability to make things better as well - the skillsets are not identical.

      <end_quote>

      Mrs Known can definitely attest to this. In my case, the 'D' in 'DIY' is for 'Destroy'...

    3. phuzz Silver badge

      Re: There's a dangerous assumption here.

      It sounds like they weren't using the same security tools as the rest of the CIA's network, so my assumption would be a bunch of people who thought they were so elite that they didn't need to follow the rules.

      In my experience in civvy life, it's usually the marketing department that consider themselves too 'special' to obey the rules.

    4. Claptrap314 Silver badge

      Re: There's a dangerous assumption here.

      We expect blue collar workers to raise safety issues. You sound like you are excusing people who should be classified "elite". Neither has my job title nor my job description ever had a hint of "security" in it. That doesn't mean that I don't consider it part of by ethical duty to pay a LOT of attention to the issue as an IC. For a group that size, even if they were purely focused on offensive, it is mind-blowing that there was NO ONE willing to sound the alarm inside loud enough to get any of these matters fixed.

      Of course, this was a culture issue, and culture is the responsibility of management & senior ICs. But of all the places to expect that EVERYONE knows that security isn't something you blindly entrust other people to take care of for you, surely this is the place?

      "Unfortunately, it is now clear that exempting the intelligence community from baseline federal security requirements was a mistake." Indeed. And what a tragic fact.

  7. Blofeld's Cat
    FAIL

    Er ...

    "... the intelligence agency was trusted to shore up its computers and networks to a level higher than what's expected of the federal government as a whole."

    I suspect they had already done that - given the lamentable state of security in most government departments worldwide.

  8. DJV Silver badge

    123ABCdef

    Well, that's certainly far more secure than the code on my luggage!

    1. Boothy

      Re: 123ABCdef

      Stick a dot/period in the middle (other characters are available), and most web sites would consider this a strong password!

      As a bit of fun, I did a quick duckduckgo search for password strength checkers, and went through the first few with that password, and then added a dot in the middle. The first two checkers I used all went from weak/instant discovery, to strong/discovery in years after adding a single dot/period!

      Only the third one I tried (@ my1login) actually noticed the character sequences, stating medium strength (with the dot), but also said only 2 days to crack, rather than years (it was ~3 seconds to crack for the original no dot version on the same site).

      But that same site also considered correcthorsebatterystaple Very strong, and 65 years to crack, but with the first two sites stating weak and instant, with one even quoting xkcd, so go figure :-)

      1. Someone Else Silver badge

        Re: 123ABCdef

        But that same site also considered correcthorsebatterystaple Very strong, and 65 years to crack, but with the first two sites stating weak and instant, with one even quoting xkcd, so go figure :-)

        So don't keep us in suspenders, which xkcd panel did it reference?

        1. Claptrap314 Silver badge

          Re: 123ABCdef

          Time spent on the Register forums before being exposed as not a techie--30 minutes.

          1. jake Silver badge

            Re: 123ABCdef

            Someone Else has been an ElReg commentard since 2009.

            Not everyone reads xkcd religiously, regardless of technical ability.

            1. Claptrap314 Silver badge

              Re: 123ABCdef

              No, but if you have to have someone send you to LMDDGTFY, you're obviously gormless.

        2. Mike 16

          Re: Which xkcd?

          You mean you don't have the editor extension that does a search of the text archive for xkcd and return the appropriate URL for the cartoon you dimly remember? Back in the day, I used it often, mostly when composing email replies. (my MUA paid attention to $EDITOR)

          I suddenly occurs to me that the "prison joke" (or variants like the "antarctic research station joke") about everybody telling jokes by number, because the all knew them. may have been started by a time-traveller after getting one too many of https://xkcd.com/936/

          I guess I don't tell it right...

      2. Brewster's Angle Grinder Silver badge

        The entropic decrease of entropy

        We're confusing two different things - statistical randomness and predictability. We really want passwords that are unpredictable but we use statistical randomness as a proxy since it's all but impossible to know whether a string of bits is predictable.

        This is deep philosophical water. But if our dictionary of predictable strings constantly expands then the likelihood of password being predicted increases with time. So "entropy" (randomness) of passwords decreases over time until we hit a tipping point when the dictionary becomes unmanageably big. At which point we have to remove the least likely passwords - for predictable values of "least likely".

        1. Claptrap314 Silver badge

          Re: The entropic decrease of entropy

          I agree with you supposition, but not its consequent. Our memory is also increasing, and our hashing algorithms are good enough that we don't really have to worry too much about the size of the dictionary.

  9. cb7

    I wonder if they came up with any Linux exploits?

    1. phuzz Silver badge
      Linux

      Yes. For example there's "Facedancer21" to attack things like routers and APs using an embedded Linux. They also seem to have developed Linux versions of some multiplatform tools (eg).

      There's probably much more, but it's difficult to find without spending days trawling through the documents.

  10. Anonymous Coward
    Anonymous Coward

    Why did they need an exemption?

    If the assumption was that they would have gone beyond the basic requirements then why did they need an exemption from them - you only need it if you're *not* going to at least meet them.

    1. Claptrap314 Silver badge

      Re: Why did they need an exemption?

      For the same reason that the teacher doesn't usually take the exams themselves. There was probably either an understanding or else an explicit requirement for the CIA to help HS develop the requirements.

  11. vtcodger Silver badge

    Seriously

    Seriously -- when I last worked with classified material back around 1990, the CIA breach would probably have been impossible. Their computers would have been in a secure, probably EM shielded, "vault" connected to the outside world through some sort one way firewall that didn't allow ANY information out. Only IN. And yes that was (more or less) possible back then. So it doesn't surprise me that CIA workflows evolved that were oriented toward getting some work done occasionally rather than toward securing information. And yes, DARPANET was around back then. I even used it a few times. But only from computers outside the "vault". The local security lady would have organized a firing squad if anyone had connected a PC with information classified at any level to a phone line.

    Trouble is that the modern internet doesn't seem very compatible with the concept of secure vaults. I don't know how the problem of preventing information from leaking out of secure facilities while still allowing information in and while getting a bit of work done from time to time has been solved. Badly it would seem. However, it seems to me to be a VERY difficult problem. Pragmatically there may not be a solution. To the extent I've thought about it, I think that trying to secure massive amounts of data accessible from anywhere in the universe with encryption and convoluted authentication schemes is unlikely to work very well. It's probably better to cut the amount of information that needs to be secured to an absolute minimum and to keep that information off public media to the greatest extent possible. It'll still leak a bit I think. But maybe not so much.

    1. Joe W Silver badge
      Joke

      Re: Seriously

      But back in the mesolithic period you talk about, 180GB of data would have been much more difficult to move around on physical media than today....

      (that said: yeah, had to read some classified (well, really low classification, but still) stuff way back when, mostly on micro fiche[1], a couple of those might have been easier to transport, but they were checked for completeness when you went back to the front desk).

      [1] which puts me into the palaeolithic, I guess....

      1. John Brown (no body) Silver badge

        Re: Seriously

        "[1] which puts me into the palaeolithic, I guess...."

        Depends. There's still lots of archived material only available on microfiche (if you're lucky and don't have to go back to the original hand-written records). People doing historical research, for example, especially those doing family history research. (Huge amounts have been transcribed into computer searchable data of recent years, but in no way can you do everything sat at your desk with a PC and an internet connection!)

    2. jake Silver badge

      Re: Seriously

      "And yes, DARPANET was around back then."

      In 1990? The Internet (whatever that is!) was working so well by then that we tore down what was left of the Darpanet in 1990 because it was superfluous. Even UUCP outlasted the Darpanet.

      "Trouble is that the modern internet doesn't seem very compatible with the concept of secure vaults."

      The Internet is, by it's very nature, not secure and not securable. TCP/IP was built to share information, not to block the sharing of information.

  12. Anonymous Coward
    Anonymous Coward

    John Le Carré was there earlier

    A key plot element in The Russia House is incompetent CIA security.

    1. Anonymous Coward
      Anonymous Coward

      Re: John Le Carré was there earlier

      Is that why they are nicknamed Clowns In Action?

    2. jake Silver badge

      Re: John Le Carré was there earlier

      Given the shear numbers of fictional books, I would be absolutely flabbergasted if at least a few of them didn't appear to predict (parts of) the future.

      Coincedence, by any other name, is still just alignments of random points.

  13. Eatondave

    But useradmin is boring

    Fairly typical situation (which equally translates to the commercial sector), all the focus is on the sexy stuff with scant attention paid to the boring routine security practices. Cue much wringing or hands, statements that we will do better, maybe a few dismissals of junior staff and then a quiet return to BAU.

    1. John Brown (no body) Silver badge

      Re: But useradmin is boring

      "Lessons will be learned" :-)

  14. Anonymous Coward
    Anonymous Coward

    Doesn't really surprise me that much.

    My current client is a large US corporation, and I'm helping them do some work (I'm a filthy contractor :-) ) which involves a lot of system discovery for one of their customers (part of a modernization programme). My client hosts their customers systems in a very locked down private cloud,

    As such I needed to be given access to a certain tool, that could only be accessed when inside the secure private cloud. OK, fair enough.

    Ok, so how do I get in? "You need your existing VPN to corporate, then a new VPN account to the private cloud, then a cloud account to get on to a jump box, and then an account for the actual tool.". Ok, fine, I go through the process to get all this sorted out, which took about two weeks of forms and emails, and getting the right approval, and I finally get all the info I need, and so have a go logging in for the first time....

    1. From company provided laptop, VPN into corporate network. Needs a single sign on account (existing corp account), and also uses multi-factor. Done.

    2. Now VPN to the private cloud, needs a new account, and this also uses multi-factor. So far so good.

    3. Now I need to Remote Desktop to a Windows server, with another new and separate account, no multi-factor this time. Hmm, ok.

    4. Launch Chrome (as it seems no other browser works properly with the tool set, which is web based), hmm.

    5. Log in, ok, what's the account...

    User: admin, password redacted, but was a simple English word, with some basic character replacement (i.e. i to 1, o to 0 etc).

    WTF! You were so close!

    I raised this as an issue, but nope, don't care, not going to change it!

    I logged in, as an ADMIN! I noticed there was even a settings section to add new users, and could be hooked into AD etc! But seems no one could be bothered to set it up, so everyone is an admin!

    1. Someone Else Silver badge

      Sounds like somebody got bored with the whole process and was distracted at the end by something shiny and sparkly....

  15. not.known@this.address
    Black Helicopters

    It's all a double-blind - and we fell for it!

    Everyone assumes the CIA are a bunch of incompetent numpties with no idea of security because of Wikileaks letting all their whizzy toys out of the cupboards, but what if it's all not-quite-fake news and just their old out-of-date stuff that's nowhere near as good as the stuff they still have hidden, but we're not looking for because we [i]know[/i] they're numpties?

    Wait, who is General Failure and why is he reading my hard drive?

    1. Mike 16

      Re: It's all a double-blind - and we fell for it!

      So, you are saying that the CIA is run by the writers of "Columbo"?

      https://www.imdb.com/title/tt1466074/

  16. Anonymous Coward
    Anonymous Coward

    coincidence?

    I find it strange that a very similar password was used to decrypt malware pre-installed in the government assistance Lifeline phones.

    b = new char[] { 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102 };

    Coincidence?

    /s

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like