CIA Did Not Have Multi-Factor Authentication Controls for All Users as Recently as August 2016

I know I keep harping on the disclosures about the intelligence community’s security practices disclosed in the House Intelligence Report on Edward Snowden. But they go some way to explain why people keep walking out of spy agencies with those agencies’ hacking tools.

Over three years after the Snowden leaks, multiple Intelligence Inspector General Reports show, agencies still hadn’t plugged holes identified in response to Snowden’s leaks. When the CIA did an audit mandated by 2015’s CISA bill, for example, it revealed that “CIA has not yet implemented multi-factor authentication controls such as a physical token for general or privileged users of the Agency’s enterprise or mission systems.”

As I understand it, this had something to do with multi-factor use on devices used by multiple persons. So it may not have been as bad as this sounds (and — again, as I understand it, the problem has since been fixed).

Nevertheless, the CIA is whining about how evil Wikileaks is for publishing documents that (per Wikileaks, anyway) CIA stored with inadequate protection.

The American public should be deeply troubled by any Wikileaks disclosure designed to damage the Intelligence Community’s ability to protect America against terrorists and other adversaries. Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.

Sorry. I mean, Americans can be pissed that its premier intelligence agency got pwned.

But Americans should also be pissed that CIA is storing powerful weapons in a way such that they can easily be leaked. We wouldn’t excuse this with CIA’s anthrax stash. We should not give the Agency a pass here.

19 replies
  1. lefty665 says:

    Anthrax was clearly not purloined by fall guy Bruce Ivins. Do we have any assurance it was stored securely?

    CIA apparently did not classify most of these tools, so they did not consider them sensitive. Congress might reasonably be interested in that.

        • Ron says:

          agree, authentication or no, the seeming idiocy of TS cleared staff + contractors and total lack of security does not instill any idea of confidence in US govt’s ability to either protect/keep their IC exploits secure, much less their weaponization of various diseases/germs/bacteria. Even though the anthrax false flag after 911 has been totally discredited, at least in regard to it being terrorist delivered, and actually govt agencies creating chaos, the anthrax came from a govt lab… how secure can these facilities be? Not very it would appear…

  2. JGarbo says:

    Is this latest “leak” another “limited hang out” or are these folks really just too dumb to leave unsupervised?

  3. Tom in AZ says:

    Another question is should we be OK with the CIA building an ‘off the books’ NSA style capacity, with no oversight as to who it was used against?

  4. scribe says:

    I’m gonna bet that some of the passwords on the CIA system were “password” or, like in the TV commercial, “IHateMyJob1”.
    And that they were written on a little slip of post-it note taped to the associated machine’s keyboard.

  5. rg says:

    Can’t help but wonder how CIA knows that Wikileaks “designed” its disclosure to damage their ability to protect against terrorists. Wallowing in self pity.

  6. PG says:

    Do I understand this correctly?  Not only is the CIA unable to secure the agency’s own property/weapons, but beyond that, the tools/weapons they develop and use to hack devices, including cars, are left behind (so to speak) after they are used and then others can find and use them?  And they are violating their agreement to share the vulnerabilities they discover with US tech companies?  Is “protecting Americans…” is actually part of their mandate?

  7. martin says:

    As the WL dump of docs shows CIA’s hack of *devices* such as smart TVs, phones and cars, given Trumps outrage over *leaks* from White House, and given it’s been reported Trump *loves* watching TehVeh, I’m wondering how many *smart TVs/phones* are scattered around the various floors and rooms of the WH. Could it be…er… naw, the CIA wouldn’t do that now would they? I mean, even though Trump has a beef with the IC, notwithstanding his stupid appearance at Langley where he..well, you know. I’m sure the professionalism of the CIA would never lower it’s standards in a vindictive manner, right? Insert two rolling eyes smiley here.
    note to self : Immediately take two anti-conspiracy pills and two shots of 100prf BrainFart. Sleep it off.
    Meanwhile*thinking*: hmmmm, more than 24hrs since WL dump… @realDonaldTrump *crickets*
    *mind churning* nah..STFU you moron. Drink!

  8. martin says:

    hmmm, hey lefty, are you normally up till 3am? Just curious.  Most nights I have to get up around that time and turn off the TV, which my wife leaves on when she falls asleep. Then..I’m awake. fuk. 3am sucks.

  9. martin says:

    hmmmm, also wondering why comments on the Hal Martin post are closed.. after only 4 comments?????

  10. martin says:

    O/T Since that comment section is closed, just wanted to point out something per this:


    “So yes, it is shocking that a contractor managed to walk out the door with 75% of NSA’s hacking tools, whatever that means.”

    Not NSA,  but the Senate staffer who worked at Langley during the time the Senate *Torture* report was being drafted, has described what he went through to *remove* CIA files from the compromised computer that was supposedly “isolated” from CIA’s network. Amazing.

  11. Joanne Leon says:

    Given that the hacking tools are worth a lot of money on the open/black market, you would think they would secure them better. I don’t know how things work in their development environments, but in my experience it’s not uncommon for multiple people to use the same logins when working in test and sandbox development environments, especially when different logins are set up with different permissions, etc., when you have to test different scenarios (simulating various user accounts with different permissions, variou devices, various operating systems, etc.) Also some automated testing software would have to use a variety of user accounts. Things are so complex and they just keep getting more complex.

    • Bardi says:

      Joanne Leon,

      I believe most, if not all those “tools” were obsolete several years ago.

      I see quite a few that I quit using a while ago.

      • John Casper says:

        Bardi, thank you.

        “A former senior official at the National Security Agency told NBC News that may be exaggerated.
        “But I also think there is a pile of stuff in here that looks like the real deal. I imagine the toolset is in the hundreds,” he said.”
        Still, he said, “it’s not the whole wad. Not the stuff that I would say is ‘Level 10 crown jewels.'”

        This source doesn’t go as far, but is headed in the same direction.

        Rhetorical, unless you want to respond, what’s 500mg of obsolete hacking tools doing on a top secret network?

  12. greengiant says:

    Preceeding emptywheel post covered this.    if …  software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet.

    So at least one employee or contractor just copied the tool kit and other information,  presumably the tool kit was common to some number of users.

Comments are closed.