Cybersecurity Professionals Suck at Practising What They Preach
by Reflare Research Team on Jul 7, 2022 7:37:00 PM
Cybersecurity professionals are in a great position to leak sensitive and confidential information. Although most of the profession abides by an excellent moral and ethical stance, the assumption that "the cybersecurity industry is secure" is categorically untrue.
First Published 7th July 2022
James from the Blue Team clicked on every email to ensure their antivirus still worked.
Julian in the news
In June 2022, the Home Secretary of the UK, Priti Patel, made the decision to extradite Julian Assange to the US. Assange has been in jail in the UK since 2019 after the then Ecuadorian president Moreno revoked his citizenship and withdrew his asylum status. In the US, Assange will face a potential 175-year prison sentence.
So what did he do exactly to warrant such a lengthy prison sentence?
Well, for those unfamiliar with Julian Assange, he was the founder of WikiLeaks, the non-profit organisation famous for publishing news leaks and classified materials. Some of the leaks WikiLeaks published included US diplomatic cables, classified documents related to the Afghanistan and Iraq wars, Hillary Clinton's personal emails, and CIA hacking tools.
Because of his role as the leader of WikiLeaks, Assange has been fighting against attempts to extradite him to the United States since at least 2010. And there is sufficient evidence and good reason for him to resist such extradition. Bradley Manning (now known as Chelsea Manning), a former United States Army soldier who shared 750,000 documents with WikiLeaks, many classified in nature, was sentenced in August 2013 to 35 years in prison. Although Assange faces a significantly greater prison term, it is worth noting that Manning was released from prison in 2017 after receiving a commutation from the former US President, Barack Obama.
Now, here is something very interesting. While every news agency on the planet was busy reporting about the UK Home Secretary's decision to extradite Assange, a new trial against a lesser-known leaker also began earlier that very same month.
Joshua not in the news
Joshua Schulte may not have a public profile as established as Chelsea Manning or Edward Snowden. Still, while Manning exposed to the whole world the things that happened in Iraq and Afghanistan, Schulte brought us knowledge about one of the most elite hacking groups on the planet (he was the man who brought us Vault 7). Additionally, Schulte is the reason why engineers today have access to Ghidra – one of the best reverse engineering tools – for free. Schulte’s story is so deep, it would make for a reasonably compelling Netflix production. But regardless, if you were ever curious about what a government-backed hacker looks like, Schulte is it.
Schulte, according to reports, was a member of the Operations Support Branch (O.S.B.) of the US Central Intelligence Agency (CIA). O.S.B. is an elite hacker unit of the organisation specialising in the creation of cyberweapons to be used in physical access operations against foreign targets. These are the type of operations that take place when remote hacking (e.g. over the internet) is not possible and physical access to the devices is required to accomplish the mission.
At O.S.B., Schulte worked on various projects with fancy names such as Wild Turkey, McNugget, and Brutal Kangaroo. However, after a fight with a co-worker at the office escalated, Schulte found himself out of favour and soon resigned – but not before copying hundreds of tools, which he then shared with WikiLeaks.
Leaking secrets is easy
But how could he have done that? Something as elite as the CIA hacking unit must surely have some super-strict protocols when it comes to data leak prevention, especially after the Manning and Snowden fiascos, right?
Well, according to the New Yorker, clearly not.
O.S.B. might be the elite CIA hacking unit that hires the best of the best, but we have now also learned that they are pretty horrible at securing their own systems and work environment. Systems and files were protected with weak passwords such as “123ABCdef”, and sensitive details were shared on Post-it notes. As a case in point, Schulte was able to restore his access to a project after his access had been revoked by his boss.
However, none of this surprises us. Many of us have been in the industry long enough to know that cybersecurity professionals are some of the worst people when it comes to practising what they preach. To make things worse, they also tend to have massive egos, and many of them are delusional enough to think they are unlikely to be attacked because of their “expert” status. Cybersecurity professionals are by no means immune to cognitive dissonance.
Not the first, and probably not the last
Over the years, we have seen plenty of cybersecurity experts and organisations fall victim to hackers. In 2011, the cybersecurity company HBGary was hacked by the Anonymous group that it claimed to have infiltrated. This resulted in the resignation of the CEO, Aaron Barr, and HBGary itself was sold to ManTech International a year later. Around the same time as the CIA incident, the NSA had around 50 terabytes of sensitive data and tools leaked by a group called The Shadow Brokers (TSB). More recently, top cybersecurity companies such as FireEye and Okta have also been victims of successful cyber-attacks.
To cyber threat actors, cybersecurity companies and professionals are no different from any other targets. In fact, in January 2021, Google's Threat Analysis Group published a report about a sophisticated social engineering campaign targeting cybersecurity researchers.
In summary, cybersecurity is hard, even for cybersecurity companies. Being a cybersecurity company or cybersecurity professional does not make you any less likely to become a target. If organisations such as the CIA and NSA can be hacked, other organisations can be breached too. Mindfulness, diligence, and common sense can go a long way towards mitigating possible security breaches, whether or not we work in cybersecurity.
To stay up-to-speed on the very latest trends and analysis in cybersecurity leaks and whatnot, subscribe to Reflare's research newsletter.