ida-cracked-files-sostituire agli originali.rar
July 6, 2015 7:16 AM

Italian surveillance software vendor Hacking Team were hacked, with 400GB of data dumped. According to leaked invoices, Hacking Team sold offensive software to countries including South Korea, Sudan, Kazakhstan, Saudi Arabia, Oman, Lebanon, Mongolia, Ethiopia, Egypt, and Luxembourg. There are initial indications that Hacking Team had pretty poor operational security, for example, using the password Ht2015!.

Reporters Without Borders listed Hacking Team on their Enemies of the Internet index.

Christian Pozzi from Hacking Team claimed the dump contained a virus, and that Hacking Team simply provide custom software solutions tailored to our customers' needs.

A GitHub repository of Hacking Team code has been created.
posted by These Premises Are Alarmed (43 comments total) 27 users marked this as a favorite
 
So, those responsible for hacking the people who have just been hacked, have been hacked?
posted by Strange Interlude at 7:20 AM on July 6, 2015 [28 favorites]


Christian Pozzi from Hacking Team claimed the dump contained a virus

Not gonna work, guys.

Wonder how long the GitHub repo will last.
posted by Leon at 7:45 AM on July 6, 2015 [1 favorite]


Worth noting that multiple US agencies, including the Department of Defense and the DEA, are also listed as customers of Hacking Team malware in the dumped documents.
posted by mediareport at 7:46 AM on July 6, 2015 [6 favorites]


Ah, tailored access solutions. So much nicer than illegal hacking.

I'll tell my mate Fingers Magee. He always thought of himself as a pretty good safe cracker, but he'll be delighted to rebrand as a bespoke tailored access solutions provider.
posted by Devonian at 8:03 AM on July 6, 2015 [20 favorites]


It could be the same person that was behind last year's FinFisher hack.
posted by antonymous at 8:27 AM on July 6, 2015


Also, Pozzi noted that the dump was made of fire, and that the floor around it was made of lava.
posted by 1adam12 at 8:29 AM on July 6, 2015 [15 favorites]


Worth noting that multiple US agencies, including the Department of Defense and the DEA, are also listed as customers of Hacking Team malware in the dumped documents.

With the inordinate amounts of money those agencies spend, I'm continually amazed that they ever source software anywhere other than internally.
posted by feckless fecal fear mongering at 8:32 AM on July 6, 2015 [3 favorites]


Jacob Appelbaum has been linking to 0days in the Hacking Team dump via Twitter. Expect OS + Flash patches shortly...
posted by pharm at 8:38 AM on July 6, 2015 [3 favorites]


Worth noting that multiple US agencies, including the Department of Defense and the DEA, are also listed as customers of Hacking Team malware in the dumped documents.

0 days! Come get your 0days!

Makes sense to know a priori what might be in the wild.
posted by ocschwar at 8:48 AM on July 6, 2015


I'm reading this and thinking about it. And I don't think I like the world we made. Can we start making a nicer one?
posted by Annika Cicada at 9:04 AM on July 6, 2015 [3 favorites]


for example, using the password Ht2015!.


Jesus, what did they change it to? "guest"?
posted by TheWhiteSkull at 9:38 AM on July 6, 2015 [3 favorites]


H@ck!ngT3am - They're super leet, after all.
posted by kmz at 9:47 AM on July 6, 2015 [1 favorite]


More than 25 years ago, I worked in an investment bank, and you weren't allowed to choose your own passwords! Instead a generator gave you lists of pronounceable, random passwords, and you chose from the list. My favorite one was "oxyfobe".

Hard to believe that a quarter of a century later, people have learned nothing...
posted by lupus_yonderboy at 9:58 AM on July 6, 2015 [1 favorite]
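The kind of generator described in the comment above, as an added example (my own code, not the bank's generator): pronounceable candidates are built from consonant-vowel syllables drawn from the OS CSPRNG, and the entropy of each candidate is computed from the public pattern rather than guessed. The alphabet, the syllable shape and the list size are my assumptions.

```python
"""Pronounceable random passwords plus the entropy each one carries.

Added illustration, not the generator from the comment; the alphabet and
the consonant+vowel syllable shape are assumptions made for the example.
"""
import math
import secrets

CONSONANTS = "bcdfghjklmnprstvwxz"   # 19 letters; q and y left out for readability
VOWELS = "aeiou"                     # 5 letters
SYLLABLES = 4                        # 8 characters, the length of "oxyfobe"-style words


def pronounceable(n_syllables=SYLLABLES):
    """Consonant-vowel pairs chosen with secrets.choice (CSPRNG), never random.choice."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(n_syllables))


def is_pronounceable(pw):
    """True if pw follows the generator's pattern exactly (used as a policy check)."""
    if not pw or len(pw) % 2:
        return False
    return all(c in (CONSONANTS if i % 2 == 0 else VOWELS) for i, c in enumerate(pw))


def entropy_bits(n_syllables=SYLLABLES):
    """log2 of the number of distinct outputs.  The pattern is public, so the
    per-position choices are all an attacker has to enumerate."""
    return n_syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def candidate_list(count=8, n_syllables=SYLLABLES):
    """The list a user picks from.  Letting the user choose by taste costs at
    most log2(count) bits of min-entropy, since any one word appears in the
    list with probability at most count/N."""
    return [pronounceable(n_syllables) for _ in range(count)]


if __name__ == "__main__":
    for word in candidate_list():
        print(word)
    print("bits per candidate: %.1f (minus at most %.1f for the choice)"
          % (entropy_bits(), math.log2(8)))
```

Four syllables from this alphabet give about 26 bits before the user's choice, which is why such schemes were paired with lockout and rate limiting rather than relied on alone.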


"Jacob Appelbaum has been linking to 0days in the Hacking Team dump via Twitter."

Can someone explain what that means?

Meaning, I understand twitter, and the dump, and the concept of zero day exploits...but does that statement mean that Hacking Team was using zero day exploits as part of their software package? Or someone is listing zero-day exploits of Hacking Team's software?
posted by das_2099 at 10:09 AM on July 6, 2015


Hard to believe that a quarter of a century later, people have learned nothing...

Hacking Team made millions because they knew differently. Then their hubris got the better of them and made them forget. No worries, though, because the Internet just reminded them.
posted by Revvy at 10:14 AM on July 6, 2015 [1 favorite]


0day exploits are exploits that aren't known about by the general security community and are unpatched. So the dump contains exploits that HT had and used in its software.
posted by I-baLL at 10:15 AM on July 6, 2015


But does that statement mean that Hacking Team was using zero day exploits as part of their software package?

Yes. They sell software packages that exploit 0day vulns to allow their customers to spy on people.
posted by alby at 10:36 AM on July 6, 2015 [1 favorite]


Team was using zero day exploits as part of their software package? Or someone is listing zero-day exploits of Hacking Team's software?

Both actually, but ioerror was listing presumed 0-days that were used as an initial infection mechanism. Most of the things in the dump appear to be n-day. People have identified trivial SQLi in their control software so far...

It's also been confirmed as the same guy as who was behind last year's Gamma Group hack (FinFisher).

What I think is interesting is their client list includes a lot of banks. Maybe I missed the memo, but why are banks buying this stuff? Also, if you want to raise a stink, the FBI and DEA are also on the client list. Way to support small Italian business guys.
posted by yeahwhatever at 10:39 AM on July 6, 2015 [3 favorites]
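What "trivial SQLi in their control software" typically looks like, as an added example (my own code, not anything from the dump): a console login whose query is assembled with string formatting, beside the parameterised version. The table, column names, hashing scheme and the operator account are constructed for the illustration.

```python
"""A console login with a trivial SQL injection, next to the fixed version.

Added example; schema, names and hashing are constructed for illustration and
are not taken from any Hacking Team code.
"""
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"   # a real deployment stores a per-user salt


def pw_hash(password):
    """Slow, salted hash; 20k PBKDF2 rounds keeps the demo quick."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000).hex()


def make_db():
    """In-memory console database with one operator account (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE operators (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO operators VALUES (?, ?)", ("admin", pw_hash("Ht2015!")))
    return db


def login_vulnerable(db, name, password):
    """The query is built by string formatting, so whatever the client sends
    as 'name' is parsed as SQL.  name = "admin' --" turns the rest of the
    WHERE clause into a comment and the password is never checked."""
    sql = ("SELECT 1 FROM operators WHERE name = '%s' AND pw_hash = '%s'"
           % (name, pw_hash(password)))
    return db.execute(sql).fetchone() is not None


def login_fixed(db, name, password):
    """Bound parameter for the name; the hash comparison happens in Python,
    in constant time, instead of inside the query text."""
    row = db.execute("SELECT pw_hash FROM operators WHERE name = ?",
                     (name,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass payload:", login_vulnerable(db, "admin' --", "wrong"))
    print("fixed, same payload:      ", login_fixed(db, "admin' --", "wrong"))
```

The bypass needs no knowledge of the schema beyond the login form itself, which is what makes this class of bug "trivial": one quote and a comment marker.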


why are banks buying this stuff?

Banks are probably trying to stay ahead of exploits before they go wild. That could be interpreted as either bounty hunting or extortion, I guess, depending on how hard the sell was.
posted by rh at 11:40 AM on July 6, 2015


I view that as unlikely. There are dedicated vulnerability feeds for that from a variety of sources.

Monitoring employees seems likely the most obvious, but I'm surprised that there aren't other solutions for that.
posted by yeahwhatever at 12:00 PM on July 6, 2015


The thing about "Ht2015!" and "Passw0rd" is...don't these people read XKCD? If not, why not? Don't they like to laugh? Does working with Sudan mean your humor is...unconventional?
posted by rhizome at 12:06 PM on July 6, 2015 [4 favorites]


I believe (but can't confirm) that the banks were using Hacking Team's pentesting services, not the surveillance services.
posted by antonymous at 12:11 PM on July 6, 2015 [4 favorites]


why are banks buying this stuff?

Financial espionage? Insider trading? Those are the first things that spring to mind.
posted by Anticipation Of A New Lover's Arrival, The at 12:15 PM on July 6, 2015 [1 favorite]


According to Motherboard the company has backdoors in their software that allows them to shut it down remotely and stuff. So now I guess the entire Internet has those backdoors too. Mamma mia!
posted by RobotVoodooPower at 1:08 PM on July 6, 2015 [2 favorites]


Financial espionage? Insider trading? Those are the first things that spring to mind.

Bear in mind that PCI compliance added a pentest requirement in 2008. Even if the clients aren't regulated by PCI somehow, I imagine other regulators have since published similar requirements.
posted by pwnguin at 1:27 PM on July 6, 2015 [1 favorite]


And it looks like the FBI had 15 seats of this thing. We haven't heard a lot yet about the FBI's use of malware, even if in this post-Snowden era we can more easily assume everyone is a bad actor. It would be interesting to compare their usage of the software with their granted warrants.
posted by RobotVoodooPower at 1:28 PM on July 6, 2015 [1 favorite]


Hacking Team simply provide custom software solutions tailored to our customers' needs

BTW, "individually tailored solutions" is doublespeak for "hacking", and it's also the FBI's preferred term.
posted by RobotVoodooPower at 1:35 PM on July 6, 2015 [1 favorite]


Also this Intercept article has some additional detail, like emails where the DEA discusses purchasing the software for use in foreign countries where they have more legal wiggle room.
posted by RobotVoodooPower at 1:49 PM on July 6, 2015 [1 favorite]


Bear in mind that PCI compliance added a pentest requirement in 2008. Even if the clients aren't regulated by PCI somehow, I imagine other regulators have since published similar requirements.

Getting a pentest from a company that possesses 0days and intends to retain them seems like a really bad idea.

The pentesting company will have all sorts of opportunities to misrepresent their work, and misrepresent the performance of your existing deployed security products and policies.
posted by ocschwar at 2:30 PM on July 6, 2015 [2 favorites]


Other interesting things to come out of this: it's looking like they had code to create/drop child porn on devices. There is speculation that this was used by their client to incriminate people. However, before people run crazy with this idea, this is still pretty speculative. HT has claimed it's testing code... Link to Twitter (SFW)

There's also speculation that this was timed to impact the discussion surrounding the Wassenaar Arrangement. I'm not sure how much I buy that, but it will complicate those talks.

(also what's up with the title? A version of IDA that someone else cracked from years and years ago doesn't seem super relevant)
posted by yeahwhatever at 3:20 PM on July 6, 2015 [1 favorite]


(also what's up with the title? A version of IDA that someone else cracked from years and years ago doesn't seem super relevant)

It was just a funny detail that in the data dump they found pirated software Hacking Team was presumably using in their business.
posted by p3on at 8:32 PM on July 6, 2015 [1 favorite]


Revelations about the Secret World Of Computer Spying have been pretty consistent: they're not very good at what they do. Take the NSA's spying, for instance. Their capabilities are huge, but that's because they have a correspondingly-huge budget backed by the power of secret subpoenas. Their own security is laughable - they're still not sure what Snowden took! - and their programs have been both ineffective, in that they don't seem to have solved any problems, and strategically unwise, in that they have angered several major US allies.

This company's efforts are much the same: bad internal security, combined with deliberate attacks on other people's security. In a rational world they'd be treated as the criminals they are, and governments would work on closing zero-day exploits rather than paying shady firms to exploit them.
posted by Joe in Australia at 11:42 PM on July 6, 2015 [2 favorites]


"Revelations about the Secret World Of Computer Spying have been pretty consistent: they're not very good at what they do"

Uhm, I'm not sure how that's your takeaway on all this. Successfully spying on everything isn't "very good at what they do"?

To me, it seems that the takeaway lesson is that while they're good at what they do, they fail massively at defending themselves. Hell, the NSA is so good at offense and so bad at defense that they got backdoored algorithms implemented as a federal standard thus weakening the US government's security.
posted by I-baLL at 12:28 AM on July 7, 2015


The way the NSA backdoored the NIST random number generator was pretty neat, at least from the point of view of the NSA themselves: The random number generator they (probably) backdoored is based on an elliptic curve, which relies on the difficulty of the discrete logarithm problem for its security - if you don't already know the points on the curve, it's extremely difficult to work backwards from the output to find the input. What the NSA did was to find initial values for the curve that were generated by points that they already knew (or knew how to find, which is much the same thing) whilst convincing everyone else that those points were chosen randomly.

You can only uncover the internal state of the random number generator (and therefore predict its output once you have enough data) if you know those points; If you don't know the points, then the random number generator is impossible to predict. This meant that for everyone outside the NSA, any secure communication that relied on Dual_EC_DRBG was completely secure - unless you know the points, you can't predict the output. But for the NSA, anyone using it was doing the mathematical equivalent of their half of a Diffie-Hellman secure key exchange with them & as a result the NSA can access the internal state of your random number generator & break your encryption.

The NSA must have thought this was a genius idea - they could tap the communications of anyone using this algorithm without weakening the security of their target’s communication with anyone else. What could possibly go wrong?

Well, what could go wrong is that it turns out that the NSA’s internal security is about as effective as wet tissue paper & it seems quite likely that every other major state-level security agency on the planet has managed to get access to those curve points themselves thanks to either hacking the NSA directly or by subverting well placed insiders.

Such hubris. Much decrypt. Thanks NSA!
posted by pharm at 1:44 AM on July 7, 2015 [9 favorites]
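The mechanism the comment above describes, as an added worked example (my own toy implementation, not NIST's specification and not anything from the thread or the dump): a Dual_EC-style generator whose two published points P and Q are related by a secret scalar d with P = d*Q, and the state-recovery attack that relationship enables (the Shumow and Ferguson observation). Assumptions made for brevity: secp256k1 is used instead of the P-256 curve of the real standard, because its prime is 3 mod 4 (square roots are a single exponentiation) and every point has prime order; only 6 high bits are dropped from each output instead of the standard's 16, so the brute force over the missing bits runs in a second or two of pure Python; d is drawn at random at import time to stand in for the constant only the designer knows. Python 3.8+ is required for `pow(x, -1, p)`.

```python
"""Toy Dual_EC_DRBG with a trapdoored (P, Q) pair and the state-recovery attack.

Added illustration, not from NIST, the thread or any product.  Assumptions:
secp256k1 instead of P-256; 6 truncated bits instead of 16; a random d
standing in for the designer's secret.  Needs Python 3.8+ (pow(x, -1, p)).
"""
import secrets

PRIME = (1 << 256) - (1 << 32) - 977   # secp256k1 field prime, = 3 (mod 4)
A, B = 0, 7                              # curve: y^2 = x^3 + 7
BITS, TRUNC = 256, 6                     # output width, high bits discarded
MASK = (1 << (BITS - TRUNC)) - 1


def point_add(p1, p2):
    """Affine addition on the curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % PRIME == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME


def scalar_mul(k, pt):
    """Double-and-add; k acts modulo the (prime) order of the point."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """A point with x-coordinate x (either sign of y), or None if none exists."""
    rhs = (x * x * x + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)   # square root, valid as PRIME = 3 (mod 4)
    return (x, y) if y * y % PRIME == rhs else None


# Published constants.  Whoever generated them also chose d and set P = d*Q;
# to everyone else they are simply two points on the curve.
Q = next(pt for pt in map(lift_x, range(1, 100)) if pt is not None)
D_SECRET = secrets.randbelow(1 << 255) | (1 << 254)   # the trapdoor scalar
P = scalar_mul(D_SECRET, Q)


class DualEC:
    """Each call: s <- x(s*P), r <- x(s*Q), publish r minus its top TRUNC bits."""

    def __init__(self, seed):
        self.s = seed % PRIME or 1

    def next_output(self):
        self.s = scalar_mul(self.s, P)[0]
        r = scalar_mul(self.s, Q)[0]
        return r & MASK


def trapdoor_predict(out1, out2, d):
    """From two consecutive outputs and d, return the third output.

    Each completion of out1's dropped bits that lies on the curve lifts to
    R = +-(s*Q); then d*R = s*d*Q = s*P, whose x-coordinate is the generator's
    next state.  out2 only serves to discard wrong completions.
    """
    for hi in range(1 << TRUNC):
        r = (hi << (BITS - TRUNC)) | out1
        if r >= PRIME:
            break
        R = lift_x(r)
        if R is None:
            continue
        sp = scalar_mul(d, R)
        if sp is None:
            continue
        s_next = sp[0]
        if scalar_mul(s_next, Q)[0] & MASK != out2:
            continue
        s_after = scalar_mul(s_next, P)[0]
        return scalar_mul(s_after, Q)[0] & MASK
    return None


def demo():
    """Run a generator from a seed the attacker never sees; return (predicted, actual)."""
    gen = DualEC(secrets.randbelow(PRIME))
    out1, out2, out3 = (gen.next_output() for _ in range(3))
    return trapdoor_predict(out1, out2, D_SECRET), out3


if __name__ == "__main__":
    predicted, actual = demo()
    print("trapdoor prediction correct:", predicted == actual)
```

Without d, an observer holding the same two outputs faces the elliptic-curve discrete logarithm on a 256-bit curve; with d, two outputs and a 64-way brute force over the dropped bits give the entire future of the stream. That asymmetry is exactly the "half of a Diffie-Hellman exchange" the comment describes, and it is also why the secret d is only as safe as the organisation holding it.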


Uhm, I'm not sure how that's your takeaway on all this. Successfully spying on everything isn't "very good at what they do"?

We don't actually know how good their spying is, either. Why would you presume that their process for searching data is any better than their process for monitoring and recording internal operations? But assuming that they actually are capable of doing everything they claim, they've still failed:

Espionage isn't an aim in itself; it's one of the tools of state. The NSA's subversion of private infrastructure has made the USA weaker, and revelations exposed by its lax security have offended the USA's allies. Espionage is always risky, but the NSA apparently assumed that its actions would never be revealed. They were foolhardy and did not balance the risks and benefits of their operations. That's what I mean by not being very good: their job is to be an organ of the state, not a hidden empire with its own priorities. Nonetheless, that's how they've behaved.
posted by Joe in Australia at 2:45 AM on July 7, 2015 [3 favorites]


In order to reach the judgment that "they're not very good at what they do" I think you have to know what it is they're trying to do. Starting from some assumed value of "what they're supposed to be doing" is akin to building your argument on quicksand.
posted by Nerd of the North at 7:06 AM on July 7, 2015 [1 favorite]


So far, it appears they have only sold their "tailored access" to governments, and the list of governments indicates they paid at least some attention to their critics. Note the absence of Belarus from their client list.

So, given they're based in Italy, what criteria should they be using when they sell their product?
posted by ocschwar at 8:03 AM on July 7, 2015


Canada is also absent from their client list. What is it you are suggesting about Canada?
posted by Bovine Love at 8:25 AM on July 7, 2015


Canada is also absent from their client list. What is it you are suggesting about Canada?

That as a 5-Eyes member, everything they might need from HT, they get from the US?

I'm mostly suggesting that while the disclosures are certainly not reflecting well on HT (Saudi? Oman?), they're not as damning as one might expect. They do pick their customers. And we can honestly discuss how they should pick them.
posted by ocschwar at 8:34 AM on July 7, 2015


Or perhaps Belarus just wasn't interested in buying. It is hard to determine if they were picking, or failing. I'll admit, the list could be worse, but it is pretty bad.
posted by Bovine Love at 10:31 AM on July 7, 2015 [1 favorite]


https://firstlook.org/theintercept/2015/07/08/hacking-team-emails-exposed-death-squad-uk-spying/

They pitched to Belarus.

Consider my comments backpedaled.
posted by ocschwar at 7:09 PM on July 9, 2015
