Hacking the Hacking Team
April 18, 2016 9:20 PM   Subscribe

Phineas Fisher Hacks Back! Last year, an Italian company best known for selling surveillance software to governments was hacked. Phineas Fisher gives an overview of how he gained access to the Hacking Team's network.
posted by zabuni (12 comments total) 18 users marked this as a favorite
That ghostbin link is a pretty good read of actual operational security. It would be overkill for general use, but it's surprisingly straightforward: have a TrueCrypt partition on your computer running an OS that works nicely through Tor; use Tor to shed connections to your actual IP; don't work through Tor, go through Tor to set up anonymous hosts that can be used safely without Tor slowing it all down or risking an attack on Tor identifying you.

Interesting bit that comes out of that read, though: it's really hard to get a truly anonymous host set up. Either you hack someone else and use them as a launching pad; or you use bitcoin to provision a host. But using bitcoin isn't itself anonymizing, in the same way that Tor might not be: internally it's all encrypted, but at some point it has to touch the real world to be useful, and that always creates vulnerabilities. The only guaranteed way to use bitcoin anonymously is to mine your own, which is pretty much impossible these days as a means of generating working capital.
posted by fatbird at 10:04 PM on April 18, 2016 [1 favorite]

Oh right: other question that raised for me was about TrueCrypt. You can still get it, and various audits of the code have failed to turn up any serious issues, and now we know that it's dead because the guy who wrote it is in jail for a very long time. So is it still considered the best-in-breed for what it does?
posted by fatbird at 10:09 PM on April 18, 2016

I liked the conclusion about what "ethical hacking" really should be...

Hacking guides often end with a disclaimer: this information is for educational purposes only, be an ethical hacker, don't attack systems you don't have permission to, etc. I'll say the same, but with a more rebellious conception of "ethical" hacking. Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking. However, most people that call themselves "ethical hackers" just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked.

Hacking Team saw themselves as part of a long line of inspired Italian design. I see Vincenzetti, his company, his cronies in the police, Carabinieri, and government, as part of a long tradition of Italian fascism. I'd like to dedicate this guide to the victims of the raid on the Armando Diaz school, and to all those who have had their blood spilled by Italian fascists.
posted by anarch at 10:20 PM on April 18, 2016 [3 favorites]

Reading the document it is clear that Phineas Fisher is very skilled. However, after reviewing his description of his attack and the Hacking Team infrastructure documents, what struck me was how quickly Hacking Team could have detected his presence in their network and stopped him cold if they'd had a classic DMZ network, bastion host, and an IDS monitoring the DMZ. Is that sort of set up out of style nowadays?

Maybe modern IT security professionals assume that a dedicated attacker can always get a foothold on the local network, and design their network security accordingly (the setup I describe above is useless against spear phishing)? But if Hacking Team was assuming that, I can't figure out why they weren't proactively scanning their local network for security policy violations (if they had been they'd have noticed the iSCSI devices that were improperly placed in the low-security subnet) or why they weren't running an IDS with rules sufficient to detect his scanning and other activities on their local network. The only thing I can think of is that they didn't insist that their security researchers use a dedicated sandbox/testbed network when experimenting with network scan/intrusion tools, so if they had an IDS configured to alarm on such activity it would have produced too many false alarms to be useful.

Perhaps I'm missing something, but frankly the entire thing strikes me as Hacking Team placed too much faith in their own skills to recognize an attack and as such did not put into place the kind of defenses I think would be normal practice in a professionally run IT security business.
posted by RichardP at 11:06 PM on April 18, 2016 [3 favorites]

"The cobbler's children are always ill-shod" comes to mind.

It's easy to think of Hacking Team as a security company, and thus criticize their security. However, if you think of them as just another ~40 person software company, having a dedicated person watching networking logs, IDS alerts, etc security is probably not a position they've hired. Additionally, some of their bugs (i.e. the backdoor sql injection) indicate that their programmers might not be the most security conscious. If I were guessing, I'd speculate that their shop was split into two-ish teams: one would do the exploit/rootkit development and one would write the collection infrastructure. The exploit dev side of things is likely very security savvy, while the collection infrastructure people are probably "normal" programmers. Obviously, they should have considered security more their line of business, but I'd be surprised if many software companies that size had full time security personnel.

As for TrueCrypt, be aware that it's vulnerable to evil-maid style attacks because most places you use it wont have a trusted bootchain. This is one of the reasons people recommend BitLocker over it (with the obvious caveat: the trust model implications of MS potentially having your keys). Veracrypt and CipherShed are TrueCrypt forks, neither of which I'm in a position to judge on in terms of quality. If you move away from Windows, there are different options...

Also, I would be hesitant to state that Paul Le Roux is the definitive TC author... The authors of TC are somewhat like Satoshi Nakamoto in that every few years there's another news story claiming to reveal The One True Author, and none seem to have any staying power.
posted by yeahwhatever at 12:31 AM on April 19, 2016 [2 favorites]

<---- lol great sysadmin
posted by ardgedee at 4:52 AM on April 19, 2016 [3 favorites]

I note that the initial foothold was a zero-day on an embedded device. Yay, IoT!
posted by Devonian at 5:47 AM on April 19, 2016 [3 favorites]

Having read through the Pastebin doc - a fascinating read indeed - I think another lesson is that the lone hacker has another advantage, in that it is far easier to secure yourself and your systems if there's nobody else to worry about. A lot of the vulnerabilities he exploited were the sort of shortcuts and oversights you're going to get when you're supporting or a part of a team of people who need shared resources and - worse - have the skills and need to spin up their own services and tools.

I've been guilty of that, when I was the network/security tech journo within a larger organisation. I had a really good relationship with our sysadmin, ops and infosec people: I got forgiven a lot of things in return for being a resource for them in various ways (and we shared many of the same hackerish genes, which helped), but if there'd been a lot of people like me and not many straights I can see that a culture could develop where an aura of self-perceived superiority led to delusions of not needing basic discipline.

You need a sysadmin who's not afraid to do the alpha dog bit, and I can see how that might not work too well in hacker machismoland unless you really do have the wherewithal to back it up.
posted by Devonian at 6:24 AM on April 19, 2016

Today's Tradecraft Tuesday show is starting soon (12PM EST):

Hacking Team Breach Overview
Find out how an Italian offensive security firm Hacking Team was compromised by 0-day exploits and data exfiltration.
posted by snuffleupagus at 8:28 AM on April 19, 2016

« Older New World Magischola   |   How to Blow $9 Billion in 6 Months Newer »

This thread has been archived and is closed to new comments