The Italian company Hacking Team suffered a major security breach earlier this week. Hacking Team provides offensive cyber security capabilities, mainly to governments and law enforcement. The web is already full of analysis and stories about this case. I summarize here some of the most important and interesting points.
What was leaked
It seems that pretty much everything was leaked. There is a 400 GB torrent on the p2p network that contains Hacking Team’s internal data: customers (including total revenues), source code, emails, and so on. Some of the data is already out on the web:
- GitHub repository of Hacking Team source code: http://github.com/hackedteam
- Emails have been uploaded to Wikileaks, which provides a handy search functionality: https://wikileaks.org/hackingteam/emails/
- The current English Wikipedia page of Hacking Team lists some customer data, including revenues: http://en.wikipedia.org/wiki/Hacking_Team
Important findings
So far, the whole 400 GB data dump has probably not been reviewed completely and accurately. However, some major findings and disclosures have already been made.
- A Flash zero-day vulnerability was found (CVE-2015-5119). Adobe’s advisory: https://helpx.adobe.com/security/products/flash-player/apsa15-03.html (patched on 8 July).
- Another Flash zero-day (CVE-2015-5122); advisory: https://helpx.adobe.com/security/products/flash-player/apsa15-04.html. As of this writing, the vulnerability remains unpatched.
- Hacking Team did NOT have exploits for iPhones that were not jailbroken.
- Hacking Team was using poor passwords; more at https://grahamcluley.com/2015/07/hacking-team-strong-passwords/
- Hacking Team was selling exploits to some countries with human rights issues (including Sudan and Saudi Arabia).
- Detailed attack methodologies were discovered (not only the exploits, but how they are applied against the targets). A descriptive write-up at Cybereason: http://www.cybereason.com/hacking-team-hacked-team-leak-unleashes-flame-like-capabilities-into-the-wild/
- It turned out that Hacking Team has a backdoor in their surveillance products. Hence, they are able to access the information that their customers (governments) are watching. This raises some questions about things such as responsibility and ethics.
Some thoughts of mine
From a government’s and law enforcement agencies’ point of view: is it responsible and safe to use the products of a foreign, privately held company for surveillance of citizens, even if the surveillance itself is legal? If a foreign “hacking company” had a backdoor into the Finnish government’s surveillance data, I would not be comfortable with that.
Exploit and surveillance tool markets are one topic of debate. This is a complicated issue: should producing, selling and exporting “cyber weapons” be regulated the same way as firearms and other “real weapons”?
I have a quite skeptical and suspicious approach to companies or individuals who are selling zero-day exploits on the web and exploiting them before warning the manufacturer or developers. There are no international regulations or policies for producing and selling “cyber weapons”, which is how I think Hacking Team’s products could be categorized.
To be honest, I don’t think that Hacking Team will survive this breach. Moreover, I expect that the credibility and trustworthiness of information security companies will be a topic of many debates in the near future. Hence, maintaining a good reputation and taking care of internal security will be vital for all companies and organizations in the security field.