Cybersecurity Professionals Suck at Practising What They Preach

Cybersecurity professionals are in a great position to leak sensitive and confidential information. Although most of the profession abides by an excellent moral and ethical stance, the assumption that "the cybersecurity industry is secure" is categorically untrue.

First Published 7th July 2022

Cybersecurity Professionals Suck at Practising What They Preach

Joshua Schulte holding an in-person Meet & Greet session with his fans at a U.S. District Court in New York.

5 min read  |  Reflare Research Team

Julian in the news

In June 2022, the Home Secretary of the UK, Priti Patel, made the decision to extradite Julian Assange to the US. Assange has been in jail in the UK since 2019 after the then Ecuadorian president Moreno revoked his citizenship and withdrew his asylum status. In the US, Assange will face a potential 175-year prison sentence.

So what did he do exactly to warrant such a lengthy prison sentence?

Well, for those unfamiliar with Julian Assange, he was the founder of WikiLeaks, the non-profit organisation famous for publishing news leaks and classified materials. Some of the leaks WikiLeaks published included US diplomatic cables, classified documents related to the Afghanistan and Iraq wars, Hillary Clinton's personal emails, and CIA hacking tools.

Because of his role as the leader of Wikileaks, Assange has been fighting against attempts to extradite him to the United States since at least 2010. And there is sufficient evidence and good reason for him to resist such extradition. Bradley Manning (now known as Chelsea Manning), a former United States Army soldier who shared with WikiLeaks 750,000 documents, many classified in nature, was sentenced in August 2013 to 35 years in prison. Although Assange faces a significantly greater prison term, it is worth noting that Manning was released from prison in 2017 after receiving a commutation from the former US President, Barrack Obama.

Now, here is something very interesting. While every news agency on the planet was busy reporting about the UK Home Secretary's decision to extradite Assange, a new trial against a lesser-known leaker also began earlier that very same month.

Joshua not in the news

Joshua Schulte may not have a public profile as established as Chelsea Manning or Edward Snowden. Still, while Manning exposed to the whole world the things that happened in Iraq and Afghanistan, Schulte brought us knowledge about one of the most elite hacking groups on the planet (he was the man that brought us Vault 7). Additionally, Schulte is the reason why engineers today have access to Ghidra –  one of the best reverse engineering tools – for free. Schulte’s story is so deep, it would make for a reasonably compelling Netflix production. But regardless, if you were ever curious about what a government-backed hacker looks like, Schulte is it.

Schulte, according to reports, was a member of the Operations Support Branch (O.S.B) of the US Central Intelligence Agency (CIA). O.S.B. is an elite hacker unit of the organisation specialising in the creation of cyberweapons to be used in physical access operations against foreign targets. These are the type of operations that take place when remote hacking (e.g. over the internet) is not possible and physical access to the devices is required to accomplish the mission.

At O.S.B., Schulte worked on various projects with fancy names such as Wild Turkey, McNugget, and Brutal Kangaroo. However, after a fight with his co-worker at the office escalated, Schulte found himself out of favour and soon resigned – but not before copying hundreds of tools which he then shared with Wikileaks.

Leaking secrets is easy

But how could he have done that? Something as elite as the CIA hacking unit must surely have some super-strict protocols when it comes to data leak prevention, especially after Manning and Snowden fiascos, right?

Well, according to the New Yorker, clearly not.

O.S.B. might be the elite CIA hacking unit that hires the best of the best, but we now also learned that they are also pretty horrible at securing their own systems and work environment. Systems and files are protected with weak passwords such as “123ABCdef”, and sensitive details are shared on Post-it notes. As a case-in-point, Schulte was able to restore his access to a project after his access was revoked by his boss.

However, none of this surprises us. Many of us have been in the industry long enough to know that cybersecurity professionals are some of the worst people when it comes to practising what they preach. They also tend to have a massive ego to make things worse and many of them are delusional enough to think they are unlikely to get attacked due to their “expert” status. Cybersecurity professionals are by no means immune to cognitive dissidence.

Not the first, and probably not the last

Over the years, we have seen plenty of cybersecurity experts and organisations fall victim to hackers. In 2011, the cybersecurity company HBGary was hacked by the Anonymous group that they claimed to have infiltrated. This resulted in the resignation of the CEO, Aaron Barr and HBGary itself was sold to ManTech international a year later. NSA had around 50 terabytes of sensitive data and tools leaked around the same time as the CIA incident by a group called The Shadow Brokers (TSB).  Recently, top cybersecurity companies such as FireEye and Okta too have been victims of successful cyber-attacks.

To cyber threat actors, cybersecurity companies and professionals are no different from any other targets. In fact, in January 2021, Google Threat Analysis Group published a report about a sophisticated social engineering campaign targeting cybersecurity researchers.

In summary, cybersecurity is hard, even for cybersecurity companies. Being a cybersecurity company or cybersecurity professional does not make it less likely to become a target. If organisations such as the CIA and NSA can be hacked, other organisations too can be breached. Mindfulness, diligence, and common sense can go a long way to mitigating possible security breaches - whether we are working in cybersecurity or not.

To stay up-to-speed on the very latest trends and analysis in cybersecurity leaks and whatnot, subscribe to Reflare's research newsletter.

Additionally, you should explore some of our related articles listed to learn more.

Subscribe by email