Hacking Team has issued a statement confirming that its code and zero-day software vulnerabilities were leaked:
It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6. HackingTeam's investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice.
Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.
Adobe has patched a security bug in Flash, and Microsoft is working on a vulnerable kernel driver. Discussed at The Register and Motherboard.
The Intercept has detailed Hacking Team's demonstration to a Bangladesh "death squad," the use of Hacking Team software by the DEA to spy on all Colombian ISPs from the U.S. embassy in Bogota, and more. In one email, CEO David Vincenzetti unwittingly predicts the current fallout while warning employees not to leak the company's secrets: "Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-)" he wrote. "You will be demonized by our dearest friends the activists, and normal people will point their fingers at you."
Privacy International's Deputy Director Eric King has called the leaks "the equivalents of the Edward Snowden leaks for the surveillance industry." Nevertheless, Hacking Team plans to continue its operations. PhineasFisher, a hacker who penetrated Hacking Team's competitor Gamma International last year and leaked 40 GB of internal data, has claimed responsibility for this hack.
Related Stories
It is just now being reported on Twitter and by CSO Online that Italian security firm Hacking Team has been compromised by parties unknown.
The attack, which took place during the Women's World Cup, resulted in a Torrent file with over 400GB of internal documents, source code, and email communications being made available to the public. Meanwhile, the attackers have also seized control of Hacking Team's Twitter, defacing it and posting images of the stolen data.
Christopher Soghoian, principal technologist of the ACLU, says that a preliminary analysis of the Torrent's contents suggests that Hacking Team included among their customers nations such as South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia. Hacking Team, which specializes in intrusion and surveillance, has always maintained that they do not do business with oppressive governments.
The tools developed by Hacking Team have been linked to several cases of privacy invasion in the past, by researchers and the media.
n1 writes:
Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
[...] Hacking Team officials have not released any official public statements about the attack yet.
As researchers and others have begun to look through the documents, they have found a number of significant things, aside from the invoices. Among the discoveries is the fact that Hacking Team has a legitimate Apple iOS developer certificate that expires next year. Another researcher found a handful of files that listed the VPS (virtual private server) servers used by Hacking Team, and published a list of the IP addresses for the servers.
The attacker who broke into the computers of Hacking Team has written a narrative of the event, detailing the methods used. The write-up is available on pastebin in English (mirror) and in Spanish (mirror).
In other news about Hacking Team, the Financial Times reports (semi-paywalled) that Italy's ministry of economic development, citing "changed political circumstances" that may be related to Italian-Egyptian relations in the wake of the murder of Giulio Regeni, has revoked the company's licence to export outside the EU.
Related stories:
Italian Security Firm "Hacking Team" Has Been Compromised
Hacking Team Complains That its Leaked Zero-Days Will be Misused
Spanish police have arrested three people they linked to the hacking of Gamma Group and Hacking Team:
Spanish police have arrested three people over a data breach linked to a series of dramatic intrusions at European spy software companies — feeding speculation that the net has closed on an online Robin Hood figure known as Phineas Fisher.
A spokesman with Mossos d'Esquadra, Catalonia's regional police, said a man was arrested Tuesday in Salamanca on suspicion of breaking into the website of the Mossos labor union, hijacking its Twitter feed and leaking the personal data of more than 5,500 officers in May of last year. Another man and a woman were arrested in Barcelona in connection to the same breach, he said. No more arrests are expected, he added, speaking on condition of anonymity in line with force policy.
May's breach was claimed by Phineas Fisher, who first won notoriety in 2014 for publishing data from Britain's Gamma Group — responsible at the time for spyware known as FinFisher. The hacker cemented their reputation by claiming responsibility for a breach at Italy's Hacking Team in 2015 — a spectacular dump which exposed the inner workings of government espionage campaigns — and appearing as a hand puppet in an unusual interview for a 2016 documentary on cybermercenaries.
Also at Motherboard and The Hill.
Previously: Gamma FinFisher Hacked - 40 GB of Code and Docs Available
WikiLeaks Releases German Surveillance Malware
Italian Security Firm "Hacking Team" Has Been Compromised
Hacking Team Complains That its Leaked Zero-Days Will be Misused
Hacking Team Break-in Explained
(Score: 5, Insightful) by MrGuy on Thursday July 09 2015, @08:41PM
So, lemme get this straight.
When YOU could deploy the software against any target you were paid to deploy it against, that was just fine.
When someone ELSE can deploy the software against any target of THEIR choice, it's a "major threat"?
The "major threat" has existed since you wrote the software, not since you lost control of it.
(Score: 0) by Anonymous Coward on Thursday July 09 2015, @08:50PM
No kidding.
The *RESPONSIBLE* thing to do would have been to report the vulns. Instead they built a business around it of breaking into other people's computers. If they found the bug someone else could too. Finding this sort of bug just takes time and a bit of knowledge. There is no 'secret' sauce to it.
I do not feel sorry for them.
(Score: 4, Informative) by takyon on Thursday July 09 2015, @08:55PM
Or money:
NSA purchased zero-day exploits from French security firm Vupen [zdnet.com]
NSA Contracted With Zero-Day Vendor Vupen: NSA likely used French exploit service to keep tabs on the competition and run "deniable cyber ops," says cyber-weapon critic. [darkreading.com]
New Dark-Web Market Is Selling Zero-Day Exploits to Hackers [wired.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Interesting) by frojack on Thursday July 09 2015, @09:39PM
It reminds me of the Spy vs Spy comic books.
This is JUST as LIKELY to be industrial espionage between competitors as any single hacker exploit.
No, you are mistaken. I've always had this sig.
(Score: 2) by SlimmPickens on Friday July 10 2015, @07:06AM
I don't think they would erode their customer base like that.
(Score: 2) by captain normal on Friday July 10 2015, @02:57PM
One person's bug is another's "trade secret". I just love that these hackers got hacked.
"Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan
(Score: 1, Insightful) by Anonymous Coward on Thursday July 09 2015, @09:20PM
When YOU could deploy the software against any target you were paid to deploy it against, that was just fine.
When someone ELSE can deploy the software against any target of THEIR choice, it's a "major threat"?
But WE are the good guys! Everything WE do is righteous!
'It is difficult to get a man to understand something, when his salary depends on his not understanding it.'
--Upton Sinclair
(Score: 3, Funny) by Anonymous Coward on Thursday July 09 2015, @09:53PM
The "major threat" has existed since you wrote the software, not since you lost control of it.
No, the real major threat was born when Flash Player was rolled out...
(Score: -1, Flamebait) by Anonymous Coward on Friday July 10 2015, @02:00AM
The real threat was born when Windows was rolled out.
(Score: 2) by bob_super on Friday July 10 2015, @05:45PM
The NRA would like a chat with you.
In a discreet corner of the desert.
BYOShovel.
(Score: 2) by DeathMonkey on Friday July 10 2015, @06:48PM
It's WAY worse than that, a little FTFY Friday!
When oppressive regimes, including Sudan, Ethiopia, and Egypt could deploy the software against any target, that was just fine.
(Score: 5, Insightful) by zocalo on Thursday July 09 2015, @08:53PM
UNIX? They're not even circumcised! Savages!
(Score: 4, Interesting) by frojack on Thursday July 09 2015, @09:41PM
But just as likely a LOT of things are going to get fixed, and that is happening already.
Often once someone points out a zeroday, Devs dig for similar things and find many more.
No, you are mistaken. I've always had this sig.
(Score: 2) by zocalo on Friday July 10 2015, @06:49AM
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Thursday July 09 2015, @10:07PM
The exploits that those agencies use are typically purchased on the black market. They would be bought and used by someone else if not purchased. Now, what would be cool is if an agency would purchase 0-day exploits on the black market, then fix them (if FLOSS), and share them with the public.
This is all a bit like blaming thieves because the bank has shitty security. If one robber hadn't robbed the bank, then another robber will just walk in through that big hole in the wall and grab things from the vault. The problem isn't that robbers can get into the vault so easily, it's that there's a huge hole in the wall allowing anyone in. In this case the vault is our collective computer systems and the shitty software we run on it has all the holes in it.
Until the public demands security from its products there will be no supply of secure software. It takes time to create provably secure software, but it is possible since computers have finite word sizes -- every possible input to an individual function can be tested to have the intended results. We don't have to test every input with fuzzing, just the complete range and esp. around edge cases. There is still some room for human error even with rigorous testing but currently there are very few if any pieces of software that are designed with such rigorous testing frameworks including input fuzzing.
I once developed some driver code that was small enough I could test every possible input and output and thus verify it was secure. I know it's not impossible to have security, it's just that no one wants to pay for it, and you get what you pay for.
(Score: 2) by gidds on Friday July 10 2015, @01:39PM
If the backdoors stay hidden, who benefits? They do. If they get released, who suffers? We do.
So why should they care?
It's the old privatise-the-profits-and-socialise-the-risks game, only this time it's above the law.
[sig redacted]
(Score: 2) by DeathMonkey on Friday July 10 2015, @06:52PM
They're probably right, these exploits and tools are almost certainly going to be used successfully by criminals, hostile/repressive governments
Yeah, we definitely wouldn't want these vulnerabilities to fall into the hands of regimes like Sudan, Ethiopia, and Egypt.
(Score: 2) by cosurgi on Thursday July 09 2015, @08:55PM
Does anybody know where to download the leaked material?
Were there any vulnerabilities in debian? (linux kernel included)
#
#\ @ ? [adom.de] Colonize Mars [kozicki.pl]
#
(Score: 4, Informative) by Anonymous Coward on Thursday July 09 2015, @09:50PM
magnet:?xt=urn:btih:51603bff88e0a1b3bad3962614978929c9d26955&dn=Hacked%20Team&tr=udp%3A%2F%2Fcoppersurfer.tk%3A6969%2Fannounce&tr=udp%3A%2F%2F9.rarbg.me%3A2710%2Fannounce&tr=http%3A%2F%2Fmgtracker.org%3A2710%2Fannounce&tr=http%3A%2F%2Fbt.careland.com.cn%3A6969%2Fannounce&tr=udp%3A%2F%2Fopen.demonii.com%3A1337&tr=udp%3A%2F%2Fexodus.desync.com%3A6969&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.pomf.se&tr=udp%3A%2F%2Ftracker.blackunicorn.xyz%3A6969
the most interesting parts are the sauce code. mmm, sauce.
(Score: 2) by FatPhil on Thursday July 09 2015, @10:47PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Friday July 10 2015, @12:23AM
There are bits of it on github and here (and its parent hierarchy): http://ht.transparencytoolkit.org/c.pozzi/Truecrypt%20Volume/Login.txt [transparencytoolkit.org]
(Score: 0) by Anonymous Coward on Friday July 10 2015, @12:32AM
Found this in my history. I think it's the linux specific code, tools, etc.: https://github.com/hackedteam/core-linux [github.com]
(Score: 5, Touché) by FatPhil on Friday July 10 2015, @04:26AM
To view a .txt file?!?!? Modern internet, please die.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by bob_super on Friday July 10 2015, @05:48PM
> [transparencytoolkit.org]
You wanted transparency, right?
(Score: 3, Funny) by Adamsjas on Friday July 10 2015, @12:17AM
And this is all safe to download on windows right?
(Score: 0) by Anonymous Coward on Friday July 10 2015, @06:02AM
windoze is unsafe at any speed
(Score: 5, Touché) by The Archon V2.0 on Thursday July 09 2015, @08:58PM
>Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.
Yes, yes, we read your list of customers already. But what's your opinion now that everyone else can deploy this technology too?
(Score: 5, Insightful) by vux984 on Thursday July 09 2015, @10:22PM
Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.
Yes, yes, we read your list of customers already.
Indeed!
But what's your opinion now that everyone else can deploy this technology too?
It's clear what their opinion is: They are pissed that they are not being paid for it.
(Score: 3, Insightful) by DECbot on Friday July 10 2015, @12:13AM
I could imagine Hacking Team (1) claims copyright over the zero-days in question, (2) files suit against the hackers using the exploits, demanding payment for every use and potential use of the lost zero-days, (3) files injunctions against the parties attempting to patch the vulnerabilities. Look at it this way. If I had government sponsorships, a team of bat-shit-crazy-hookers-&-blow lawyers, and had just lost my business product/model, well, suing the shit out of everybody would make a lot of sense.
cats~$ sudo chown -R us /home/base
(Score: 2) by frojack on Friday July 10 2015, @12:22AM
I'm sure there is a DMCA case in there somewhere....
No, you are mistaken. I've always had this sig.
(Score: 2) by etherscythe on Tuesday July 14 2015, @05:55PM
Two of them, probably. I expect that the exploits were discovered in a manner which violated the DMCA, in addition to the obvious.
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 2) by Joe Desertrat on Friday July 10 2015, @02:38AM
Look at it this way. If I had government sponsorships, a team of bat-shit-crazy-hookers-&-blow lawyers, and had just lost my business product/model, well, suing the shit out of everybody would make a lot of sense.
That IS the business model for too many people/organizations (Donald Trump anyone?). Start a business, start suing, hope to cash in and run before...
(Score: 0) by Anonymous Coward on Friday July 10 2015, @03:00AM
Chuck a free trade agreement in there and you're golden.
(Score: 2) by jimshatt on Thursday July 09 2015, @10:22PM
(Score: 5, Insightful) by tibman on Thursday July 09 2015, @09:07PM
Now those zero-days will be patched and the world will be more secure. Could have happened sooner if the holes weren't being exploited. But there isn't as much profit in that.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by GoonDu on Friday July 10 2015, @01:43AM
Problem is, how many more of these kinds are there? And how deep does the rabbit hole go? I mean, they could be just the tip of the iceberg. I'm sure Russia or even other state agencies have more sophisticated tools than these. If anything, it serves as another good public awareness article; however, it's not exactly a big step in software security.
(Score: 3, Funny) by No Respect on Thursday July 09 2015, @09:42PM
So "due to the acts of criminals" they will be unable to control which other criminals have access to their software. Nice.
(Score: 3, Insightful) by takyon on Thursday July 09 2015, @09:54PM
Not accurate. Hacking Team have too much money and government backing to be considered criminals, no matter what they did 🗽
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by penguinoid on Thursday July 09 2015, @09:55PM
You'll be mildly in more danger of cyberattacks for a little while, followed by being safer as these vulnerabilities are patched.
RIP Slashdot. Killed by greedy bastards.
(Score: 5, Interesting) by DarkMorph on Thursday July 09 2015, @10:26PM
Actually, no. It is in fact the exact opposite. It would have continued to be misused had it remained under their control, but now the information is free and the flaws that made the exploits possible can readily be fixed. I'd say the "criminals" used the information the best way possible for the benefit of everyone globally. To misuse it would be to have taken the information but keep it secret and misuse it like the group it was taken from rather than set up torrents and spread the knowledge as quickly as possible.
(Score: 2) by MichaelDavidCrawford on Thursday July 09 2015, @10:41PM
... smallest violin playing "My Heart Bleeds".
The Hacking Team's real problem is that now know what all those zero-days really are so they can be patched.
Maybe I'll submit some resumes today.
Yes I Have No Bananas. [gofundme.com]
(Score: 0, Troll) by Anonymous Coward on Friday July 10 2015, @11:38AM
What is a "zero-day"? Oh. OH!
You meant a "technology"! Yeah, it's an important distinction. A zero-day is something villains use to get access to your computer in order to mess up your My Documents folder! HackingTeam isn't a bunch of thugs. They use technology to help governments cyber-spy on the cyber-bad-guys. Learn some terms MDC, sheesh.
(Score: 3, Insightful) by Snotnose on Thursday July 09 2015, @11:56PM
Anyone doubt the NSA/CIA/FBI/whatever already knew about these exploits, and withheld them so they could use them against us?
Maybe I'm wearing rose colored contacts, but if these TLAs would focus on protecting us instead of spying on us we'd all be a lot safer.
When the dust settled America realized it was saved by a porn star.
(Score: 4, Insightful) by zocalo on Friday July 10 2015, @07:05AM
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Friday July 10 2015, @07:59PM
Seriously, they're not the MPhIAA, RIcoAA, etc, and have no legal protection, so why can't they be sued by their victims?
(Score: 2, Interesting) by purple_cobra on Saturday July 11 2015, @01:19PM
These people are arms dealers and have dealings with some very dodgy governments/agencies, hence they should be prosecuted as such. The release of this information should make investigation a little easier, even if it isn't itself admissible in court.
(Score: 2) by Yog-Yogguth on Monday July 13 2015, @09:15PM
Amnesty International comes to mind as someone who ought to be interested in doing that, maybe PEN, ACLU, EFF, and others too. If the systems of the world actually worked in favor of humanity/all common people like they're “sold” as then the UN and the EHRC etc. should have jumped at it.
Another issue is how long the people who worked at “Hacking Team” and their families should expect to be alive since /they backdoored the backdoors/ which they sold to people who might want physical revenge on them when they realize they've been had. It's exactly the same as how any mafia would make very clear examples of people playing them for fools.
I wonder if that thought has ever even crossed the mind of the “Hacking Team”.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))