Vault 7: Plans to expose firms that do not patch flaws

Some organisations, such as the Mozilla Foundation, have received information from WikiLeaks to help them fix vulnerabilities in their products that were recorded in Vault 7, the CIA document dump made a fortnight ago.

WikiLeaks publisher Julian Assange said Google and some other companies had yet to respond, apart from confirming that the offer had been made.

Assange held a press conference overnight on 10 March to offer to share unpublished data from Vault 7 with technology companies to enable them to fix vulnerabilities detailed therein.

During that conference, he also said that once the remaining material — which he said was a very large amount — had been vetted and critical details redacted, it would be released to the public.

In a statement issued on Friday, Assange said the companies that had been contacted had not agreed to, disagreed with or questioned what he termed WikiLeaks' standard industry disclosure plan.

The standard disclosure time for a vulnerability is 90 days after the person/company responsible for patching the software is given full details of the vulnerability.

Assange said most of the companies who were lagging behind in agreeing to the disclosure plan and receiving information about vulnerabilities from WikiLeaks, "have conflicts of interest due to their classified work for US government agencies".

Many multinational technology companies in the US have big contracts with government agencies and departments. For example, Microsoft recently cut a deal with the Pentagon for Windows 10 installations.

Linux companies are also part of this mix: Red Hat Linux has contracts for its enterprise Linux with the NSA, which runs some of its spying software on the platform.

Even newspaper companies have ties of this nature: the owner of the Washington Post, Jeff Bezos, who is better known as the boss of Amazon, has a US$600 million contract to supply cloud services to the CIA.

Assange said that, in practice, associations such as these limited the ability of tech industry staff to fix security holes based on information that had been leaked from the CIA.

"Should such companies choose to not secure their users against CIA or NSA attacks, users may prefer organisations such as Mozilla or European companies that prioritise their users over government contracts," he said.

"Should these companies continue to drag their feet, we will create a league table comparing responsiveness and government entanglements so users can decide for themselves."

Cisco on Friday announced that 318 of its router models were at risk of a remote attack through a vulnerability detailed in the Vault 7 documents.

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
