
SoylentNews is people

posted by janrinok on Thursday July 09 2015, @08:24PM   Printer-friendly
from the secure-your-site-better? dept.

Hacking Team has issued a statement confirming that its code and zero-day software vulnerabilities were leaked:

It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6. HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice.

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Adobe has patched a security bug in Flash, and Microsoft is working on a vulnerable kernel driver. Discussed at The Register and Motherboard.

The Intercept has detailed Hacking Team's demonstration to a Bangladesh "death squad," the use of Hacking Team software by the DEA to spy on all Colombian ISPs from the U.S. embassy in Bogota, and more. In one email, CEO David Vincenzetti unwittingly predicts the current fallout while warning employees not to leak the company's secrets: "Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-)" he wrote. "You will be demonized by our dearest friends the activists, and normal people will point their fingers at you."

Privacy International's Deputy Director Eric King has called the leaks "the equivalents of the Edward Snowden leaks for the surveillance industry." Nevertheless, Hacking Team plans to continue its operations. PhineasFisher, a hacker who penetrated Hacking Team's competitor Gamma International last year and leaked 40 GB of internal data, has claimed responsibility for this hack.

  • (Score: 5, Insightful) by zocalo on Thursday July 09 2015, @08:53PM

    by zocalo (302) on Thursday July 09 2015, @08:53PM (#207118)
    They're probably right, these exploits and tools are almost certainly going to be used successfully by criminals, hostile/repressive governments and (gasp!) terrorists. Some of those exploits are almost certainly going to be used successfully against the very organizations and entities many of Hacking Team's customers are supposed to be working on behalf of as well. And yet, despite all that, I'm almost 100% certain that we can assume that the inevitable aftermath will *still* not serve as a wake-up call to the NSA, GCHQ, FBI, etc. that hoarding zero days or deliberately introducing backdoors into security and encryption products is a very bad idea.
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 4, Interesting) by frojack on Thursday July 09 2015, @09:41PM

    by frojack (1554) on Thursday July 09 2015, @09:41PM (#207148) Journal

    But just as likely a LOT of things are going to get fixed, and that is happening already.

    Often, once someone points out a zero-day, devs dig for similar things and find many more.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by zocalo on Friday July 10 2015, @06:49AM

      by zocalo (302) on Friday July 10 2015, @06:49AM (#207309)
      True enough; that pattern occurs all the time when people post zero days to mailing lists like Full Disclosure, Dark Web sites, and other sources of toys for the script kiddies, and this isn't all that different - just on a much larger scale and with a nice front end. The difference is that when this kind of thing happens it's the vendors and end users who are the ones scrambling the most to develop and deploy patches, rather than the hackers scrambling to reverse engineer a patch, develop an exploit and use it before the window of opportunity to do so starts to close. That window will never close all the way, of course; patch availability and patch deployment are not the same thing - people get pwned by bugs that were fixed years ago all the time, and I don't see that changing any time soon - but at least those of us that do patch are in with a fighting chance with a more responsible disclosure approach.
      --
      UNIX? They're not even circumcised! Savages!
  • (Score: 0) by Anonymous Coward on Thursday July 09 2015, @10:07PM

    by Anonymous Coward on Thursday July 09 2015, @10:07PM (#207157)

    The exploits that those agencies use are typically purchased on the black market. They would be bought and used by someone else if not purchased. Now, what would be cool is if an agency would purchase 0-day exploits on the black market, then fix them (if FLOSS), and share them with the public.

    This is all a bit like blaming thieves because the bank has shitty security. If one robber hadn't robbed the bank, then another robber will just walk in through that big hole in the wall and grab things from the vault. The problem isn't that robbers can get into the vault so easily, it's that there's a huge hole in the wall allowing anyone in. In this case the vault is our collective computer systems and the shitty software we run on it has all the holes in it.

    Until the public demands security from its products there will be no supply of secure software. It takes time to create provably secure software, but it is possible since computers have finite word sizes -- every possible input to an individual function can be tested to have the intended results. We don't have to test every input with fuzzing, just the complete range and esp. around edge cases. There is still some room for human error even with rigorous testing, but currently there are very few if any pieces of software that are designed with such rigorous testing frameworks including input fuzzing.

    I once developed some driver code that was small enough I could test every possible input and output and thus verify it was secure. I know it's not impossible to have security, it's just that no one wants to pay for it, and you get what you pay for.
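As an added illustration of the exhaustive-testing argument in the comment above (this is not code from the post or from SoylentNews): with a constructed 8-bit offset/length bounds check on a 200-byte buffer, the whole input space is only 65536 pairs, so every implementation can be compared against the specification and the naive overflowing check is caught on every wrapping pair.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a 200-byte buffer addressed with 8-bit offsets and
 * lengths, so the complete input space is 256 * 256 = 65536 pairs. */
#define BUF_SIZE 200u

/* Naive bounds check: the sum is truncated to 8 bits, so e.g. off=150,
 * len=120 wraps to 14 and is wrongly accepted. */
static int in_bounds_naive(uint8_t off, uint8_t len)
{
    uint8_t end = (uint8_t)(off + len);  /* wraps modulo 256 */
    return end <= BUF_SIZE;
}

/* Hardened check: never form a sum that can overflow; compare in two steps. */
static int in_bounds_safe(uint8_t off, uint8_t len)
{
    if (off > BUF_SIZE)
        return 0;
    return len <= BUF_SIZE - off;
}

/* Oracle: the specification, evaluated in a width that cannot overflow. */
static int in_bounds_spec(uint8_t off, uint8_t len)
{
    return (unsigned)off + (unsigned)len <= BUF_SIZE;
}

/* Exhaustive verification: run one implementation over every possible
 * (off, len) pair and count disagreements with the specification. */
static unsigned count_mismatches(int (*impl)(uint8_t, uint8_t))
{
    unsigned bad = 0;
    for (unsigned off = 0; off < 256; off++)
        for (unsigned len = 0; len < 256; len++)
            if (impl((uint8_t)off, (uint8_t)len) !=
                in_bounds_spec((uint8_t)off, (uint8_t)len))
                bad++;
    return bad;
}

int main(void)
{
    printf("naive: %u mismatches\n", count_mismatches(in_bounds_naive));
    printf("safe:  %u mismatches\n", count_mismatches(in_bounds_safe));
    return 0;
}
```

The naive check disagrees with the specification on exactly the 31155 pairs whose true sum lies in 256..456, i.e. the ones the 8-bit addition wraps back under the limit; the hardened check agrees on all 65536.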

  • (Score: 2) by gidds on Friday July 10 2015, @01:39PM

    by gidds (589) on Friday July 10 2015, @01:39PM (#207426)

    the inevitable aftermath will *still* not serve as a wake-up call to the NSA, GCHQ, FBI, etc. that hoarding zero days or deliberately introducing backdoors into security and encryption products is a very bad idea.

    If the backdoors stay hidden, who benefits?  They do.  If they get released, who suffers?  We do.

    So why should they care?

    It's the old privatise-the-profits-and-socialise-the-risks game, only this time it's above the law.

    --
    [sig redacted]
  • (Score: 2) by DeathMonkey on Friday July 10 2015, @06:52PM

    by DeathMonkey (1380) on Friday July 10 2015, @06:52PM (#207586) Journal

    They're probably right, these exploits and tools are almost certainly going to be used successfully by criminals, hostile/repressive governments
     
    Yeah, we definitely wouldn't want these vulnerabilities to fall into the hands of regimes like Sudan, Ethiopia, and Egypt.