Categories
Security

Ex-CIA engineer Joshua Schulte convicted over massive ‘Vault 7’ leak in 2017

On Wednesday, a jury in New York convicted ex-Central Intelligence Agency engineer Joshua Schulte on all nine charges he faced (as first reported by @InnerCityPress) as a result of the single largest leak in agency history. Dubbed Vault 7, the files and information shared by WikiLeaks in 2017 exposed a trove of tactics and exploits the CIA used to hack its targets’ computers, iPhones or Android phones, and even Samsung smart TVs.

CIA spokesperson Tammy Thorp said in a statement given to The Verge, “Today’s verdict affirms that maintaining the security of our nation’s cyber capabilities is of the utmost importance. It’s critical to the security of the American people, and it’s critical to our advantage against adversaries abroad. As set forth in the trial, unauthorized disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools and information to do us harm.”

Schulte, the subject of a lengthy profile in the New Yorker that described him as “abrasive” and then went into far worse details, was arrested in 2018, initially charged with possession of child pornography, and has been in jail ever since.

The article details Operations Support Branch (OSB), where Schulte worked and reportedly built hacking tools by quickly turning prototypes into actual exploits that could monitor or steal information from the targeted person’s devices. It reports that investigators obtained evidence against Schulte through his own lapses in personal security, like storing passwords on his phone that could be used to access his encrypted storage.

It even goes into the trouble investigators had obtaining the Vault 7 documents — they remained classified despite being leaked and publicly available on the internet, leading FBI officials to download the cache over Wi-Fi at a Starbucks to a freshly purchased laptop that immediately became officially classified, stored in a supervisor’s office, and only accessible with Top Secret clearance.

Additional charges accusing him directly of stealing classified national defense information and sending it to WikiLeaks were filed later. In 2020, the government’s first attempt at prosecuting Schulte ended in a mistrial as a jury convicted him on contempt of court charges as well as lying to FBI investigators but couldn’t agree on the rest.

That spurred the second trial that just ended, where Schulte opted to represent himself. The charges he was convicted on are all specifically related to gathering, stealing, and transmitting classified information and obstruction of justice for lying to investigators about it. He has not yet been sentenced, pending the resolution of the other charges he still faces for possessing and transporting child pornography.

The Associated Press reports prosecutors argued that after feeling ignored and disrespected over his complaints about the work environment, Schulte took revenge on the CIA by stealing and leaking the same exploits he had helped create. In his defense, Schulte argued unsuccessfully that he was being used as a scapegoat for the government’s failure to protect dangerous hacking tools. There is some evidence to support that argument: The Washington Post reported in 2020 that an internal investigation by the CIA’s WikiLeaks Task Force found security in the unit was “woefully lax,” with users sharing admin-level passwords and a lack of controls over access to historical data or the use of removable USB thumb drives, years after the Snowden leaks. Schulte claimed there was no reasonable motive established and that hundreds of people who could have been behind the leaks had access to the information.

In a statement released after the verdict, US Attorney for the Southern District of New York Damian Williams said, “When Schulte began to harbor resentment toward the CIA, he covertly collected those tools and provided them to WikiLeaks, making some of our most critical intelligence tools known to the public – and therefore, our adversaries.” His statement ended by saying, “Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history.”

Repost: Original Source and Author Link


LastPass’ mobile app offers access to your desktop vault without a master password

Password manager LastPass is rolling out a new “passwordless” method to access its desktop vault today.

Previously, users had to type in their master password to unlock the company’s desktop vault (and its stored passwords). Now, they’ll be able to authenticate access via the company’s mobile app. This will include the option to use your phone’s biometric login features, like face and fingerprint unlock.

LastPass is characterizing this as a “passwordless” login, but it’s important to note that your master password isn’t going anywhere anytime soon. LastPass’ chief secure technology officer Chris Hoff says master passwords will still be necessary to register a LastPass account, add new trusted devices, make changes to an account, or to fall back on if a passwordless login attempt fails. But the hope is that this new authentication approach can be a first step toward phasing out the master password entirely, as the industry moves toward passwordless authentication using standards such as FIDO.

“LastPass is excited to be the first solution and only password manager to allow users to securely and effortlessly login, manage their account credentials and get instant access to the accounts used every day — without ever having to enter a password,” said LastPass’ Hoff.

Today’s announcement is focused on desktop LastPass users, who currently aren’t offered any biometric login options as an alternative to typing in their master password. Meanwhile, on mobile, the company’s apps already offer biometric login options including fingerprint and face unlock.

The changes come a little over a year after LastPass made significant changes to its pricing structure, which vastly restricted the usability of its free tier. Last March, it restricted free users to only being able to access their passwords on mobile or desktop — not both. The company behind the service has also gone through changes after previous owner GoTo (then known as LogMeIn) announced plans to spin LastPass out into an independent company late last year.

LastPass’ new passwordless feature is rolling out from today and will be available to all users, regardless of whether they’re on a free or paid tier.

Update June 6th, 10:18AM ET: Updated to confirm that passwordless login will be available to users of the service’s free tier, and that the app can be protected with biometric security.
