It is just now being reported on Twitter and by CSO Online that Italian security firm Hacking Team has been compromised by parties unknown.
The attack, which took place during the Women's World Cup, resulted in a Torrent file with over 400GB of of internal documents, source code, and email communications being made available to the public. Meanwhile, the attackers have also seized control of Hacking Team's Twitter, defacing it and posting images of the stolen data.
Christopher Soghoian, principal technologist of the ACLU, says that a preliminary analyst of the Torrent's contents suggests that Hacking Team included among their customers nations such as South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia. Hacking Team, which specializes in intrusion and surveillance, has always maintained that they do not do business with oppressive governments.
The tools developed by Hacking Team have been linked to several cases of privacy invasion in the past, by researches and the media.
n1 writes:
Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
[...] Hacking Team officials have not released any official public statements about the attack yet.
As researchers and others have begun to look through the documents, they have found a number of significant things, aside from the invoices. Among the discoveries is the fact that Hacking Team has a legitimate Apple iOS developer certificate that expires next year. Another researcher found a handful of files that listed the VPS (virtual private server) servers used by Hacking Team, and published a list of the IP addresses for the servers.
(Score: 2, Touché) by Anonymous Coward on Monday July 06 2015, @05:42PM
I guess they didn't use their own products, which is bad, or they did use their products and got hacked anyway, which is worse. Based on their client list of oppressive regimes they got what they deserved.
(Score: 5, Insightful) by MrGuy on Monday July 06 2015, @05:59PM
You misunderstand their products.
Hacking Team sells intrusion products - products that exploit weaknesses and introduce backdoors on targeted machines to enable surveillance. This is materially different from selling products/being experts in the field of PREVENTING companies from hacking your OWN machines. The fields are related, but they differ significantly - one is offense and the other is defense.
To have a successful hacking product, you need knowledge of only a small number (as little as one) exploitable problems as a way in. Your main expertise needs to be in making benign-looking exploit tools that can run on the target machine and enable surveillance without alerting the user, so that you can stay undetected for a long time. To protect a company, you need to know ALL the possible exploits that can be used to find a way in to your machines.
(Score: 5, Funny) by The Archon V2.0 on Monday July 06 2015, @06:53PM
And for further proof that you don't need to have good security to build intrusion tools, the managing director thinks "passw0rd" is a password that should be used.
Repeatedly.
Across multiple systems.
http://www.computing.co.uk/ctg/news/2416369/hacking-team-md-used-passw0rd-as-password-for-every-system [computing.co.uk]
(Score: 2) by edIII on Tuesday July 07 2015, @12:01AM
I've always thought the best password was just a single space. I mean seriously, who would ever think you would be that stupid right? ;)
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Tuesday July 07 2015, @12:24AM
I do understand their products. And if they did they would have patched or otherwise mitigated those know (to them) vulnerabilities. If they can penetrate their own networks with their own products then they are foolish.
(Score: 2) by JNCF on Monday July 06 2015, @07:45PM
Based on their client list of oppressive regimes they got what they deserved.
'Chickens coming home to roost,' as The Man said.