
Hacking Team havoc shows even 'security experts' suck at security

Do what we say, not what we do

As they said in the movie ... Mess with the best, die like the rest

Analysis Over the weekend, some 400GB of highly sensitive files belonging to Italian spyware vendor Hacking Team were spread across the internet for everyone to see.

The leaked source code and documents look legitimate, and match what is already known about the secretive firm, which specializes in selling surveillance software to governments around the world. Its spyware exploits security vulnerabilities in victims' computers and phones to install itself and report back their every move. With the source code and exploits now in the wild, vendors can study them and patch the vulnerabilities they depend on, which should keep people safer.

Persons unknown appear to have completely pwned the company, but this shouldn't come as a surprise, since we've seen exactly the same sort of thing before from self-described "security specialists."

Anyone remember HBGary Federal? That firm was a security consultancy set up to win contracts from governments and corporations, again for tracking people online and seeking to influence them, for a fee.

In February 2011 HBGary Federal's CEO Aaron Barr gave an interview ahead of that year's BSides security conference in the US in which he claimed to be tracking members of the Anonymous hacking collective online, and that he was in a position to name names.

That set off warning bells with Anonymous, and some of the group's members made HBGary Federal a target. Whereas the group had mostly limited itself to denial-of-service attacks in the past, this time the team plundered HBGary's servers and stole tens of thousands of emails and documents before putting them online.

The released emails were rather embarrassing, since they showed HBGary Federal was pitching a plan to discredit WikiLeaks and its supporters by manipulating journalists and waging a dirty-tricks campaign against the whistleblowing site.

What should have been a triumphant month for the firm turned into a disaster. Barr's presentation was cancelled (along with a similar one planned for DEF CON), Barr was forced to resign, and the company's reputation was trashed once the extent of the hack became known.

What was especially embarrassing for the firm was that the bulk of the attack was made possible by sloppy security on its part. The initial entry point appears to have been a misconfigured, vulnerable web server, and the intrusion spread as far as it did because Barr and other executives reused the same passwords across multiple accounts, so one cracked credential unlocked email, servers and third-party services alike.

We're still waiting on the details, but it appears very likely that something similar happened to Hacking Team. Given the vast amount of data released about the company, this wasn't just one person getting sloppy, but a security infrastructure that lacked the compartmentalization, access limits and data-protection measures security firms have been telling us for years are essential.

As a result, Hacking Team's reputation is taking as hard a hit as HBGary Federal's did. The Italian firm has long been accused by researchers and civil-liberties groups of selling surveillance software to governments that could be considered dodgy, despite saying publicly that it refuses to deal with repressive regimes.

Instead, the files show the firm signed deals with Kazakhstan, Ethiopia, and Bangladesh, all of which have been identified as human rights abusers. The firm also inked a $1m+ deal with Saudi Arabia, which flogs and imprisons citizens who dare to suggest that everything is less than hunky-dory in the kingdom.

Even the FBI has been buying Hacking Team's software, spending more than $700,000 on the spyware, according to the purloined documents. All of these buyers will now be wondering whether they've backed a losing horse.

The Hacking Team files also include what appear to be passport scans stored unencrypted on the company's servers, evidence that the team had developed tracking code for jailbroken iPhones, and details of internal investigations into misbehavior by its own staff, all of it stored in the clear and available for theft.

The fact is you'll find these kinds of slip-ups in most computer security outfits. A former CEO of one of the biggest security firms admitted to this reporter that he reused passwords on occasion, and even security guru Bruce Schneier admits to making mistakes in locking down his systems, because this kind of stuff is incredibly hard to get right and one slip-up is all it takes.

But if you are a security firm, and breaches like this expose your carelessness, then expect to get hammered for it. The ACLU's Christopher Soghoian might have overstated the case, but it's difficult to see how Hacking Team can regain trust after such an egregious failure. ®
