Hacking Team has issued a statement confirming that its code and zero-day software vulnerabilities were leaked:
It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6. HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice.
Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.
Adobe has patched a security bug in flash, and Microsoft is working on a vulnerable kernel driver. Discussed at The Register and Motherboard.
The Intercept has detailed Hacking Team's demonstration to a Bangladesh "death squad," the use of Hacking Team software by the DEA to spy on all Colombian ISPs from the U.S. embassy in Bogota, and more. In one email, CEO David Vincenzetti unwittingly predicts the current fallout while warning employees not to leak the company's secrets: "Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-)" he wrote. "You will be demonized by our dearest friends the activists, and normal people will point their fingers at you."
Privacy International's Deputy Director Eric King has called the leaks "the equivalents of the Edward Snowden leaks for the surveillance industry." Nevertheless, Hacking Team plans to continue its operations. PhineasFisher, a hacker who penetrated Hacking Team's competitor Gamma International last year and leaked 40 GB of internal data, has claimed responsibility for this hack.
(Score: 5, Insightful) by zocalo on Thursday July 09 2015, @08:53PM
UNIX? They're not even circumcised! Savages!
(Score: 4, Interesting) by frojack on Thursday July 09 2015, @09:41PM
But just as likely a LOT of things are going to get fixed, and that is happening already.
Often once someone points out a zeroday, Devs dig for similar things and find many more.
No, you are mistaken. I've always had this sig.
(Score: 2) by zocalo on Friday July 10 2015, @06:49AM
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Thursday July 09 2015, @10:07PM
The exploits that those agencies use are typically purchased on the black market. They would be bought and used by someone else if not purchased. Now, what would be cool is if an agency would purchase 0-day exploits on the black market, then fix them (if FLOSS), and share them with the public.
This is all a bit like blaming thieves because the bank has shitty security. If one robber hadn't robbed the bank, then another robber will just walk in through that big hole in the wall and grab things from the vault. The problem isn't that robbers can get into the vault so easily, it's that there's a huge hole in the wall allowing anyone in. In this case the vault is our collective computer systems and the shitty software we run on it has all the holes in it.
Until the public demands security from its products there will be no supply of secure software. It takes time to create provably secure software, but it is possible since computers have finite word sizes -- every possible input to an individual function can be tested to have the intended results. We don't have to test every Input with fuzzing just the complete range and esp. around edge cases. There is still some room for human error even with rigorous testing but currently there are very few if any pieces of software that are designed with such rigorous testing frameworks including input fuzzing.
I once developed some driver code that was small enough I could test every possible input and output and thus verify it was secure. I know it's not impossible to have security, it's just that no one wants to pay for it, and you get what you pay for.
(Score: 2) by gidds on Friday July 10 2015, @01:39PM
If the backdoors stay hidden, who benefits? They do. If they get released, who suffers? We do.
So why should they care?
It's the old privatise-the-profits-and-socialise-the-risks game, only this time it's above the law.
[sig redacted]
(Score: 2) by DeathMonkey on Friday July 10 2015, @06:52PM
They're probably right, these exploits and tools are almost certainly going to be used successfully by criminals, hostile/repressive governments
Yeah, we definitely wouldn't want these vulnerabilities to fall into the hands of regimes like Sudan, Ethiopia, and Egypt.