The “Snowden Stopper”: WikiLeaks Exposes CIA Tool To Hunt Down Whistleblowers


Written by Alexa Erickson

In March, WikiLeaks began its new series called Vault 7, involving leaks on the U.S. Central Intelligence Agency. According to WikiLeaks, “it is the largest ever publication of confidential documents on the agency.”

The first installment, called “Year Zero,” revealed 8,761 documents and files from an isolated, high-security network within the CIA’s Center for Cyber Intelligence in Langley, Virginia.

According to the organization:

“Year Zero” introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of “zero day” weaponized exploits against a wide range of U.S. and European company products, including Apple’s iPhone, Google’s Android and Microsoft’s Windows and even Samsung TVs, which are turned into covert microphones.

The latest installment of the Vault 7 series was released in April, presenting a user manual describing a CIA project called “Scribbles,” or “Snowden Stopper.” The piece of software is thought to permit the embedding of “web beacon” tags in documents “likely to be stolen.” Such tags are said to collect information regarding an end user of a document, then give the information back to the beacon’s creator without detection.

The documentation says, “the Scribbles document watermarking tool has been successfully tested on […] Microsoft Office 2013 (on Windows 8.1 x64), documents from Office versions 97-2016 (Office 95 documents will not work!) [and d]ocuments that are not locked forms, encrypted, or password-protected.”

According to Dr. Martin McHugh, Information Technology Programme Chair at Dublin Institute of Technology, the Scribbles tool can be used for good and evil. “Methods of tracking have historically been developed for our protection but have evolved to become used to track us without our knowledge,” he said. “Web beacons typically go unnoticed. A tiny file is loaded as part of a webpage. Once this file is accessed, it records unique information about you, such as your IP address and sends this back to the creator of the beacon.”

This limitation to Microsoft Office documents poses several issues, since the Scribbles user guide notes the tool only works with Microsoft Office products. If end users open the documents in other programs, like OpenOffice or LibreOffice, they’ll be able to see the CIA’s watermarks; the cover is then blown and the tool becomes meaningless.

The documentation therefore advises:

If the targeted end-user opens them up in a different application, such as OpenOffice or LibreOffice, the watermark images and URLs may be visible to the end-user. For this reason, always make sure that the host names and URL components are logically consistent with the original content. If you are concerned that the targeted end-user may open these documents in a non-Microsoft Office application, please take some test documents and evaluate them in the likely application before deploying them.
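A defender's check for the kind of remote-image beacon described above, as an added example that is not from the Scribbles guide or the original article: it lists remote http(s) content referenced by an Office Open XML package (.docx/.xlsx/.pptx) without opening the file in Office. It assumes the beacon appears as an external relationship in the package; the sample document and its URL are constructed, and legacy binary formats (.doc) are out of scope.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def find_remote_loads(data: bytes):
    """List (rels part, relationship kind, URL) for remote content the package references."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not an OOXML (ZIP) package; legacy binary formats need another parser")
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            # For untrusted files, a hardened XML parser is a sensible swap here.
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % REL):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                url = rel.get("Target", "")
                if rel.get("TargetMode") != "External" or kind == "hyperlink":
                    continue  # embedded part, or a link fetched only on click
                if urlparse(url).scheme.lower() in ("http", "https"):
                    hits.append((part, kind, url))
    return hits

def build_sample() -> bytes:
    """Constructed test package: one embedded image, one remote image, one hyperlink."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s/image" Target="media/image1.png"/>'
        '<Relationship Id="rId2" Type="%s/image" TargetMode="External"'
        ' Target="http://beacon.example.invalid/logo.png?id=CONSTRUCTED"/>'
        '<Relationship Id="rId3" Type="%s/hyperlink" TargetMode="External"'
        ' Target="https://example.com/"/>'
        '</Relationships>' % (REL, OFFICE_REL, OFFICE_REL, OFFICE_REL)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, url in find_remote_loads(build_sample()):
        print(f"{part}: remote {kind} -> {url}")
```

Only the remote image is reported for the sample: the embedded image has no external target, and the hyperlink is skipped because it is fetched only when a user clicks it.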

The number of flaws noted in the guide makes the hacking tool worrisome. If you plan on stealing, say, government documents, there’s a whole lot of opportunity to get caught if you use the wrong application. And if you do use Microsoft Word, there’s concern that failing to close the program entirely once finished will result in the program not properly cleaning up the resources. So… is it worth it?

Originally posted @ Collective Evolution

