
posted by cmn32480 on Wednesday April 27 2016, @10:32AM   Printer-friendly
from the playing-with-fire-might-get-you-burned dept.

The attacker who broke into the computers of Hacking Team has written a narrative of the event, detailing the methods used. The write-up is available on pastebin in English (mirror) and in Spanish. (mirror).

Coverage:

In other news about Hacking Team, the Financial Times reports (semi-paywalled) that Italy's ministry of economic development, citing "changed political circumstances" that may be related to Italian-Egyptian relations in the wake of the murder of Giulio Regeni, has revoked the company's licence to export outside the EU.

Related stories:
Italian Security Firm "Hacking Team" Has Been Compromised
Hacking Team Complains That its Leaked Zero-Days Will be Misused



Related Stories

Italian Security Firm "Hacking Team" Has Been Compromised 20 comments

Inquisitr has this story.

It is just now being reported on Twitter and by CSO Online that Italian security firm Hacking Team has been compromised by parties unknown.

The attack, which took place during the Women's World Cup, resulted in a Torrent file with over 400GB of internal documents, source code, and email communications being made available to the public. Meanwhile, the attackers have also seized control of Hacking Team's Twitter, defacing it and posting images of the stolen data.

Christopher Soghoian, principal technologist of the ACLU, says that a preliminary analysis of the Torrent's contents suggests that Hacking Team included among their customers nations such as South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia. Hacking Team, which specializes in intrusion and surveillance, has always maintained that they do not do business with oppressive governments.

The tools developed by Hacking Team have been linked to several cases of privacy invasion in the past, by researchers and the media.

n1 writes:

As reported by Threatpost:

Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.

[...] Hacking Team officials have not released any official public statements about the attack yet.

As researchers and others have begun to look through the documents, they have found a number of significant things, aside from the invoices. Among the discoveries is the fact that Hacking Team has a legitimate Apple iOS developer certificate that expires next year. Another researcher found a handful of files that listed the VPS (virtual private server) servers used by Hacking Team, and published a list of the IP addresses for the servers.



Breaking News: Hacking Team Complains That its Leaked Zero-Days Will be Misused 47 comments

Hacking Team has issued a statement confirming that its code and zero-day software vulnerabilities were leaked:

It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6. HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice.

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Adobe has patched a security bug in Flash, and Microsoft is working on a vulnerable kernel driver. Discussed at The Register and Motherboard.

The Intercept has detailed Hacking Team's demonstration to a Bangladesh "death squad," the use of Hacking Team software by the DEA to spy on all Colombian ISPs from the U.S. embassy in Bogota, and more. In one email, CEO David Vincenzetti unwittingly predicts the current fallout while warning employees not to leak the company's secrets: "Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-)" he wrote. "You will be demonized by our dearest friends the activists, and normal people will point their fingers at you."

Privacy International's Deputy Director Eric King has called the leaks "the equivalents of the Edward Snowden leaks for the surveillance industry." Nevertheless, Hacking Team plans to continue its operations. PhineasFisher, a hacker who penetrated Hacking Team's competitor Gamma International last year and leaked 40 GB of internal data, has claimed responsibility for this hack.



Spanish Police Arrest Suspected Hackers of Spyware Vendors 8 comments

Spanish police have arrested three people they linked to the hacking of Gamma Group and Hacking Team:

Spanish police have arrested three people over a data breach linked to a series of dramatic intrusions at European spy software companies — feeding speculation that the net has closed on an online Robin Hood figure known as Phineas Fisher.

A spokesman with Mossos d'Esquadra, Catalonia's regional police, said a man was arrested Tuesday in Salamanca on suspicion of breaking into the website of the Mossos labor union, hijacking its Twitter feed and leaking the personal data of more than 5,500 officers in May of last year. Another man and a woman were arrested in Barcelona in connection to the same breach, he said. No more arrests are expected, he added, speaking on condition of anonymity in line with force policy.

May's breach was claimed by Phineas Fisher, who first won notoriety in 2014 for publishing data from Britain's Gamma Group, responsible at the time for spyware known as FinFisher. The hacker cemented their reputation by claiming responsibility for a breach at Italy's Hacking Team in 2015, a spectacular dump which exposed the inner workings of government espionage campaigns, and by appearing as a hand puppet in an unusual interview for a 2016 documentary on cybermercenaries.

Also at Motherboard and The Hill.

Previously: Gamma FinFisher Hacked - 40 GB of Code and Docs Available
WikiLeaks Releases German Surveillance Malware
Italian Security Firm "Hacking Team" Has Been Compromised
Hacking Team Complains That its Leaked Zero-Days Will be Misused
Hacking Team Break-in Explained



  • (Score: 3, Interesting) by Webweasel (567) on Wednesday April 27 2016, @02:05PM (#337937)

    I have sent out the link to the sysadmins here at work.

    Rather pleased to see the stuff I have been screaming about, MongoDB and LinkedIn as security risks, is actually flagged in the writeup.

    Been laughing hearing the reactions from the less skilled staff, they have NO CLUE whatsoever. This document has scared a few people.

    Interesting though, it really shows that no matter how hard you try to secure your network, two things will always let you down:

    0 days (I'm guessing he found an exploit in an edge device like a Big IP F5?)
    Lazy Admins. P@ssword as the main domain admin password.

    Ultimately it seems like Hacking Team did a solid job overall protecting themselves, but no matter how hard you try, no network is perfect.

    --
    Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
    • (Score: 3, Interesting) by jcross (4009) on Wednesday April 27 2016, @02:36PM (#337949)

      I read this a couple of days ago and was amazed at how easy it was for the author to own everything once he infected their unnamed embedded network device. My impression was that Hacking Team was not doing a great job protecting themselves, given how much of their infrastructure was based on Windows software. I mean, I was surprised by how many passwords were apparently stored in the clear or unsalted (iirc the author did not guess those bad passwords, he just read them out of a file). I mean I knew Windows security was bad, but not that bad. These guys had no excuse for not knowing, though, because they made their nut exploiting holes in Windows. Did they seriously think they were immune?

    • (Score: 2) by maxwell demon (1608) on Wednesday April 27 2016, @02:43PM (#337953)

      P@ssword as the main domain admin password.

      Wow. Just wow. And those are admins? Well, I guess their password security checking tool said it's very secure, as it contains uppercase, lowercase and special characters. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
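As an added illustration of the point made in the comment above (example code written for this page, not part of the comment or of the attacker's writeup): a character-class "complexity" checker passes "P@ssword", because it only counts upper-case, lower-case and symbol characters, while a policy that first undoes common substitutions and compares the result against a blocklist of base words rejects it. Every name here (SAMPLES, WEAK_BASES, LEET, composition_check, normalize, policy_check, compare) is chosen for the example, the sample passwords and the toy blocklist are constructed, and a real deployment would check against a large breached-password corpus rather than a hand-written set.

```python
import re

# Constructed sample passwords for the example (not taken from the leak).
# "P@ssword" and "P4ssword" are the two spellings quoted in this thread.
SAMPLES = [
    "P@ssword",
    "P4ssword",
    "Passw0rd123!",
    "Admin2016",
    "correct horse battery staple",
    "xK9#mQ2vL!pR7z",
]

# Constructed toy blocklist of base words. In practice this would be a large
# breached-password list, not a hand-written set (assumption for the example).
WEAK_BASES = {"password", "admin", "welcome", "qwerty", "letmein"}

# Keyboard substitutions that composition rules reward but that add no real entropy.
LEET = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})


def composition_check(pw: str) -> bool:
    """The classic character-class rule: at least 8 characters with an upper-case
    letter, a lower-case letter and a digit or symbol. 'P@ssword' satisfies all of it."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[^A-Za-z]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word an attacker would try first:
    lower-case it, strip leading/trailing digits and symbols, then undo leet
    substitutions. 'Passw0rd123!' -> 'password', 'Admin2016' -> 'admin'."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def policy_check(pw: str, min_len: int = 12) -> str:
    """Blocklist-first policy: returns 'ok' or the reason for rejection.
    The blocklist is consulted before the length floor so that 'P@ssword' is
    reported as a dictionary word rather than merely as too short."""
    base = normalize(pw)
    if base in WEAK_BASES:
        return f"rejected: normalizes to blocklisted word '{base}'"
    if len(pw) < min_len:
        return f"rejected: shorter than {min_len} characters"
    return "ok"


def compare(samples=SAMPLES) -> dict:
    """Run both checks over the samples.
    Returns {password: (composition_ok, policy_verdict)}."""
    return {pw: (composition_check(pw), policy_check(pw)) for pw in samples}


if __name__ == "__main__":
    for pw, (comp, verdict) in compare().items():
        status = "pass" if comp else "fail"
        print(f"{pw!r:32} composition={status:4}  policy={verdict}")
```

Running the block shows the two checks disagreeing in both directions: the composition rule accepts "P@ssword", "P4ssword", "Passw0rd123!" and "Admin2016" and rejects the long all-lower-case passphrase, while the normalize-and-blocklist policy does the opposite. The leet table and the strip-trailing-digits step are deliberately simple; the point is that any composition rule can be satisfied by a dictionary word plus a predictable decoration, so a policy has to look at what the password normalizes to, not at which character classes it contains.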
    • (Score: 3, Insightful) by bitstream (6144) on Wednesday April 27 2016, @02:48PM (#337962)

      There is no point in bothering with the less skilled or clueless population reserve. They will always be surprised and not learn.

      However I think the unknown 0-day vulnerability is the hardest to tackle. Much software is really complex and it's hard to weed out all bugs. I'm sure the VPN box had a decent password but when the software was bad, it didn't matter. It does however show that it's unsustainable with these hard-to-update boxes that lack documentation to go FOSS and still are complex and critical. I suspect IoT will make a lot of people suffer really hard.

    • (Score: 2) by butthurt (6141) on Thursday April 28 2016, @12:57AM (#338230)

      According to the attacker, the choice of "P4ssword" as a password wasn't a factor in the penetration:

      Many have made fun of Christian Pozzi's weak passwords [...] I included them in the leak as a false clue [...] The reality is that mimikatz and keyloggers view all passwords equally.

      Mimikatz is capable of [offensive-security.com] "dumping hashes and clear text credentials straight from memory."

  • (Score: 4, Informative) by bitstream (6144) on Wednesday April 27 2016, @02:56PM (#337965)

    Some things to learn:
      * Watch out for unknown 0-day, especially with those embedded boxes that can't be updated.
      * Use good passwords.
      * Avoid Microsoft, and their clientele. They are like bad news for security. And don't run email attachments.
      * Full disk encryption, use it.
      * Virtual machine for all anonymity networking.
      * Don't interact with anonymity networks from any IP associated with identity.
      * Be thoughtful of your traffic pattern.
      * Firmware in BIOS, USB, Harddisk etc. They can all be infection vectors.

  • (Score: 0) by Anonymous Coward on Wednesday April 27 2016, @03:19PM (#337973)

    The expropriators were expropriated