
Vault 7: Plans to expose firms that do not patch flaws

Some organisations, such as the Mozilla Foundation, have received information from WikiLeaks so that they can fix vulnerabilities in their products that were recorded in Vault 7, the CIA document dump released a fortnight ago.

WikiLeaks publisher Julian Assange said Google and some other companies had yet to respond, apart from confirming that the offer had been made.

Assange held a press conference overnight on 10 March to offer to share unpublished data from Vault 7 with technology companies to enable them to fix vulnerabilities detailed therein.

During that conference, he also said that once the remaining material — which he said was a very large amount — had been vetted and critical details redacted, it would be released to the public.

In a statement issued on Friday, Assange said the companies that had been contacted had not agreed with, disagreed with or questioned what he termed WikiLeaks' standard industry disclosure plan.

The standard disclosure time for a vulnerability is 90 days after the person/company responsible for patching the software is given full details of the vulnerability.

Assange said most of the companies who were lagging behind in agreeing to the disclosure plan and receiving information about vulnerabilities from WikiLeaks, "have conflicts of interest due to their classified work for US government agencies".

Many multinational technology companies in the US have big contracts with government agencies and departments. For example, Microsoft recently cut a deal with the Pentagon for Windows 10 installations.

Linux companies are also part of this mix: Red Hat Linux has contracts for its enterprise Linux with the NSA, which runs some of its spying software on the platform.

Even newspaper companies have ties of this nature: the owner of the Washington Post, Jeff Bezos, who is better known as the boss of Amazon, has a US$600 million contract to supply cloud services to the CIA.

Assange said, in practice, associations such as these limited tech industry staff from fixing security holes based on information that had been leaked from the CIA.

"Should such companies choose to not secure their users against CIA or NSA attacks, users may prefer organisations such as Mozilla or European companies that prioritise their users over government contracts," he said.

"Should these companies continue to drag their feet, we will create a league table comparing responsiveness and government entanglements so users can decide for themselves."

Cisco on Friday announced that 318 of its router models were at risk of a remote attack through a vulnerability detailed in the Vault 7 documents.




Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.