Hacking Team Is Hacked - Schneier on Security
https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html
Hacking Team Is Hacked

Someone hacked the cyberweapons arms manufacturer Hacking Team and posted 400 GB of internal company data.

Hacking Team is a pretty sleazy company, selling surveillance software to all sorts of authoritarian governments around the world. Reporters Without Borders calls it one of the enemies of the Internet. Citizen Lab has published many reports about their activities.

It's a huge trove of data, including a spreadsheet listing every government client, when they first bought the surveillance software, and how much money they have paid the company to date. Not surprisingly, the company has been lying about who its customers are.

Chris Soghoian has been going through the data and tweeting about it. More Twitter comments on the data here. Here are articles from Wired and The Guardian. Here's the torrent, if you want to look at the data yourself. (Here's another mirror.) The source code is up on Github.

I expect we'll be sifting through all the data for a while.

Slashdot thread. Hacker News thread.

EDITED TO ADD: The Hacking Team CEO, David Vincenzetti, doesn't like me:

    In another [e-mail], the Hacking Team CEO on 15 May claimed renowned cryptographer Bruce Schneier was "exploiting the Big Brother is Watching You FUD (Fear, Uncertainty and Doubt) phenomenon in order to sell his books, write quite self-promoting essays, give interviews, do consulting etc. and earn his hefty money."

Meanwhile, Hacking Team has told all of its customers to shut down all uses of its software. They are in "full on emergency mode," which is perfectly understandable.

EDITED TO ADD: Hacking Team had no exploits for an un-jail-broken iPhone. Seems like the platform of choice if you want to stay secure.

Tags: breaches, cyberweapons, hacking, malware, privacy, surveillance

Posted on July 6, 2015 at 12:53 PM • 47 Comments

Comments

Anura • July 6, 2015 1:05 PM
I'm kind of hoping that this will spark criminal charges against people within Hacking Team.
I mean, what they are doing is far worse than what the vast majority of hackers do (especially selling to the Sudan, which is aiding genocide). They do supply Western governments, which you would expect to offer them protection, but this is the kind of hack that can completely destroy their business and cause their long-time customers to turn their backs. Of course, I figure at most they will be fined and file for bankruptcy, resulting in no further damage than has already been done.

Joshua Bowman • July 6, 2015 1:11 PM
Oh geez, there's actually one guy who kept a spreadsheet of his personal and corporate passwords, and most of them were some variation on "p4$$w0rd". :facepalm:

alvi • July 6, 2015 1:42 PM
This makes me unbelievably happy. A cursory glance over HT's client list makes for grim reading. To whoever is responsible for this leak, THANK YOU!

brain o'blivion • July 6, 2015 1:45 PM
So Aaron Barr found gainful re-employment? How nice.

Paul Henning • July 6, 2015 2:06 PM
Whoever gets a copy of this, PLEASE make a collection for it and upload it to the Internet Archive. They'll take the data, I imagine. All the old LulzSec releases have vanished from being seeded. Wikileaks hasn't hosted this data sadly, yet. It should live on not just for transparency purposes but for historical reasons, for future generations. In fact, if any of you have the old FucktheFBIFriday releases, please drop them onto IA. Whoever did this hack, THANK YOU. You rule.

Diana • July 6, 2015 2:13 PM
Bruce, you are mentioned by Hacking Team: http://www.forbes.com/sites/thomasbrewster/2015/07/06/us-gov-likes-hacking-team/

Boo • July 6, 2015 3:13 PM
Never read so many garbage passwords in one spot before. I even saw a password for an online bookie that was based on 'password'. Well ... the odds of them surviving this are pretty much nil .... which is great considering their complete lack of care for who they sold their products to. Joking aside .....
this will be a treasure trove for lots of folks. Interesting to see that their iOS stuff relied on devices being jailbroken. All sorts of interesting things to consider: will their customers really stop using HT stuff? How was this hack pulled off? How much new malware will we see doing the rounds based on the publication of their source code? I'd love to see a really concise analysis of all the HT stuff in terms of how to minimize the chances of being hit by such malware (ambitious, I know, for now, considering the sheer expanse of data to analyze) and detecting if you have been hit. Also looking forward to how different vendors will respond ... cue a slew of patches. Now .... there was me wondering what to get for some vacation reading!

albert • July 6, 2015 3:15 PM
Great news! Exposing those who ruin the Internet by hacking. Kudos to those folks. We need more of this. Leak everything, starting with those who profit on misery. Let it all hang out. Funny how the Hacking Team accuses Bruce of exploiting FUD, when that's their entire business model :) I doubt seriously that they have any sort of advanced products; they probably have good sales folks. Really, how smart is the average security technology procurer? ...

Hans Gautschi • July 6, 2015 3:45 PM
The Hacking Team are fucking Italian idiots, just like all Italian spaghetti munchers. Today, the Swiss tabloid "Blick" wrote that the Zurich city police (mind you: a local police, not even on county level) purchased for $500k their snooping shit / vaporware. The "Blick" even published their bill. http://tinyurl.com/n9qe8nq Well, let these idiot boys (I mean the Zurich city police) snoop as much as they want. I leave my cell at home, switch it off, & put it in a Faraday bag. When I am on the road, I got a pager and a public phone card.

V • July 6, 2015 3:47 PM
@Bruce At least I'm glad to read you are making 'hefty money'

Hans Gautschi • July 6, 2015 3:50 PM
@Diana. Thanks for the link.
However, we should not believe everything we read. I believe we overestimate those Italian idiots.

Observateur • July 6, 2015 4:24 PM
Anyone know an easy, direct URL where I could just see the full customer list? I haven't come up with it yet, and it may take some time before I could sift through all that stuff. Tnx!

John Laprise • July 6, 2015 4:33 PM
The Motherboard article is even more damning... http://motherboard.vice.com/read/hacking-team-asks-customers-to-stop-using-its-software-after-hack

frank • July 6, 2015 4:44 PM
Seems they have had some nice things to say about you also, Bruce ;)

Omri • July 6, 2015 4:45 PM
So, they sell "tailored access" using 0-days to governments. And they sell pentests and audits to banks. Is it really wise to get your security audit from someone who possesses 0-day exploits and intends to hold on to them? Such an auditor would have ample opportunities to misrepresent his work and his results, and misrepresent the quality of your existing software and hardware environment, at the expense of his competitors.

tyr • July 6, 2015 4:49 PM
I followed up one of the thread links and was regaled with a squabble over the implications of homelessness before it got to some of the meat. Dumping the source is going to haunt the net for quite a while. Security types have been prophesying this for a long time and now it is loosed on IT in general. The side show about the glorious freedom-loving South Koreans paints a dichotomous picture of them, but both sides are ignoring the context of an unresolved war that still haunts the world. I remember when Pak was shot in his own office by the head of the ROK military because he was such a model of democratic leadership. If I was Palantir I'd be minimizing the attack surface since I imagine they have moved to the head of someone's list.
Hans Gautschi • July 6, 2015 4:49 PM
It is all on http://hacking.technology

Hans Gautschi • July 6, 2015 4:53 PM
Stupid Italians: Cannot even compile a correct customer list. Where is Zurich police? http://pastebin.com/MP8zpQ26

BlueLIghtMemory • July 6, 2015 5:18 PM
My compliments and a big thanks to those who hacked the Hacking Team. If you would, or if you could ask those who are able, to hack into the Department of Energy and release all the chemtrail documents to the public. It's about time the lying tongues of government, the intelligence agencies, the military and big corporations be put to silence.

dbm • July 6, 2015 5:23 PM
Only slightly off topic... but you've got to check out this PhD thesis: "Elliptic curve cryptography and security of embedded devices", Vincent Verneuil, 2012 http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCEQFjAA&url=http%3A%2F%2Flfant.math.u-bordeaux1.fr%2Fseminar%2Fslides%2F2012-06-13-Vincent_Verneuil.pdf&ei=pP-aVYu-N8GmsQWY8oLYDQ&usg=AFQjCNEBeiIUbhYGjB6gZyA9hDFNTfQ7ew&bvm=bv.96952980,d.b2w Interesting attacks against ECC, modular arithmetic, and AES (Rijndael). He also provides advice to implementers to provide countermeasures.

Jonathan Wilson • July 6, 2015 5:46 PM
I wonder how hard it's going to be for the entities concerned to revoke the various private signing keys etc. that appear to be in this dump...

kevinjl • July 6, 2015 6:05 PM
@V I think it is a disgrace that he makes that "hefty money" from selling books as opposed to selling spy software. OK, admittedly some of their customers have unpleasant reputations for torturing and killing dissidents, but compared to writing books it's obvious who is in the right. I wonder who got the job of phoning up those customers and telling them that their contract info is out in the open and also the software sold to them had watermarks. I have dealt with some pissed off clients in the past but never ones who have their own death squads.
rgaff • July 6, 2015 6:20 PM
@ kevinjl said, "I have dealt with some pissed off clients in the past but never ones who have their own death squads." ^^^ THIS! To former "Hacking Team" employees: stop polishing resumes, consider going into hiding instead, considering your own angry former client list!

Spaceman Spiff • July 6, 2015 6:35 PM
I loved this quote from a Hacking Team staff member: Christian Pozzi, one of the firm's employees, tweeted to say that the documents contained false lies about the services the company offers. Note the double negative "false lies". So, is he saying that the company is lying and that the documents contain the real truth?

Hans Gautschi • July 6, 2015 6:35 PM
The question is: What conclusion are we - as individuals - drawing from that incident? (Let me add: apart from the fact that the Zurich police always have been corrupt; check out Chillis on Google.) Sorry, only in French. http://tinyurl.com/ps3ecye

mb • July 6, 2015 7:37 PM
Isn't that just genuine good news? It put a smile on my face and it's not going to go away for a while.

Nick P • July 6, 2015 7:50 PM
@ Bruce You mean an iPhone is a safe bet against the Italian Hacking Team. NSA slides mocked iPhone and its users as among the easiest to compromise. So it's not clear-cut. There's also phones such as Cryptophone and those using hypervisors to reduce attack surface.

tyr • July 6, 2015 7:51 PM
Angelina did it !! http://www.hopesandfears.com/hopes/future/technology/214663-hackers-watching-hackers-the-movie

Dirk Praet • July 6, 2015 8:03 PM
I enabled the "submit and check certificates for non-public DNS names and signed by non-standard root CA's" option in the SSL Observatory advanced options of the HTTPS Everywhere add-on when I read in one of the documents that this was causing serious problems for some of their exploits injecting bogus certificates. I hope the usual suspects will make good use of the document trove to publish CVEs and updated AV, IDS and YARA signatures.
Too bad @PwnieAwards nominations were closed last week. @HackingTeam would undoubtedly have won first prize in the category "Epic Fail". And props to @GammaGroupPR for pwning the cr*p out of these scumbags.

rgaff • July 6, 2015 8:04 PM
@Spaceman Spiff He claimed that the dump contained a virus... But he didn't mention that the virus it contained was actually the one that his company wrote and had been downloading onto all of our computers for years.... and that it is in source code format, so that we can make our systems resilient to it...

Pseudonymous Coward • July 6, 2015 8:07 PM
Most of those junk passwords were for accounts that the user probably didn't place a high value on. There were noticeable exceptions, but I use variations on Passw0rd for accounts I don't care about; if somebody starts impersonating me in letters to the New York Times, it's not a big deal, unlike accounts that involve money or privacy. And using obvious weak passwords reduces the likelihood that I'll use a variation on my better passwords when I'm setting up an account like that (so the NYT may get NYT-passw0rd, but won't get NYT-r34l-S3kr17-Passwoid when my bank has BofA-r34l-S3kr17-Passwoid.)

me • July 6, 2015 8:23 PM
So people are starting to pull out working zero days from the archive. I've seen talk of a working Flash 0day that supports Windows and OSX. If you still have Flash on your systems, this should give you some incentive to uninstall it. On browsers that have it bundled (e.g. Chrome), at least activate click-to-play. Stay safe.

me • July 6, 2015 8:28 PM
Re: iPhone security - Appelbaum has said repeatedly NSA/GCHQ are doing hot-mic on iPhones and that they both rely on the same bug. I believe him. Hopefully the story will get done and the docs released.

d33t • July 6, 2015 8:47 PM
"Hacking Team" ... souls who hop miniature, hobby trains (fished out of MIT dumpsters .. cool tunnels I bet)?
This story kind of reminds me of "teamloosh" or other criminal type goofballs doing stupid stuff that adds to the sentencing of decent people when caught in modern day (21st century) civil disobedience actions. Hack, Hacker, Hacking ... needs to be re-re-re-purposed. Also, setting weak passwords for stuff you know will get (has been) owned can be a good strategy.

gordo • July 6, 2015 9:45 PM
Someone Just Leaked The Price List for Cyberwar
Patrick Tucker | Defense One | July 6, 2015

    [T]he hack brought to light the company's price list, a blue book for surveillance and malware products. It's a first-of-its-kind window into the going rate of cyberwar and espionage capabilities. Of the many offenses the company seems to have committed, price gouging seems to be one.

http://www.defenseone.com/technology/2015/07/someone-just-leaked-price-list-cyberwar/117043/

Hayu • July 6, 2015 9:59 PM
Has anyone started downloading the torrent? A 24 MB .torrent file is pretty huge and when I try to load it into Deluge it's marked as invalid. I get 26183ae8f24e798a15d77dd3476f5ed9 as the md5sum for the .torrent file.

haha • July 6, 2015 10:28 PM
Couldn't have happened to a nicer bunch of folks. /s They should get in touch with Sony and ask for some advice on how to secure their networks!

Nick P • July 6, 2015 11:35 PM
@ Hayu Working fine for others. Try it with a client other than Deluge. Preferably, a major BitTorrent client with lots of usage, community, and so on. The only problem I had with it is that they leaked so much stuff that mine could barely scroll and just loading it kicked the fan into high gear. I just closed it for the sake of the old computer haha...

Fred Foreman • July 7, 2015 12:03 AM
Sounds like Five Eyes scored one on the mafioso.

packrat • July 7, 2015 12:29 AM
Honest question here, having not followed this story much.
This supposed "source code" of Hacking Team's that everyone's worried about, is there any indication that it's more than just a rebranded Metasploit framework? From what little I've read, they don't sound competent enough to come up with anything original.

Diddily Darn • July 7, 2015 12:44 AM
So... sorry for the dumb question, but what does this mean for the average computer/internet user not living in one of the 3rd world countries? Reinstall Mint, wipe Android, burn Windows Phone?

Ste • July 7, 2015 1:17 AM
In a sane world, these dumb fucks would go to jail for their misdeeds. Human scum, willing and boasting instruments of repression. In reality, they will receive protection from the western political sphere, walk off scot-free and receive carte blanche to continue. Law enforcement, also in the west, has become too addicted to the tools and ideology of repression. Yet one must never give up hope. I hear about lawsuits being prepared. Meanwhile let's analyze that torrent and give 'em hell.

Lolek2 • July 7, 2015 1:46 AM
Confidential Bitstamp Incident Report covered by Slovenian Zine (Slo-Tech.com): http://pdfsr.com/pdf/270137312-bitstamp-incident-report-2-20-15.pdf

P4ssword • July 7, 2015 1:59 AM
Good job, the scum will experience for themselves the benefits of exposure.

rgaff • July 7, 2015 2:33 AM
"What goes around comes around" as the old saying goes... in this case, trying to promote and profit from generally weak computer security throughout the industry means eventually you will be the victim right behind all of your own victims... It's like a law of nature. Seriously though, all "Hacking Team" former employees really should stop polishing their resumes and think about going into hiding, given their angry former clients are the worst repressive regimes with death squads and things for their dissidents... This is a life and death matter, not a joke. It's not just weak security that's gone around, it's literally death that's gone around...
look out for THAT coming back too! I'm not trying to threaten (I am not personally a dictator of a repressive regime), just trying to warn, and save lives.

Fiddle Faddle • July 7, 2015 2:46 AM
"EDITED TO ADD: Hacking Team had no exploits for an un-jail-broken iPhone. Seems like the platform of choice if you want to stay secure." I LOL'ed.

Thomas • July 7, 2015 3:39 AM
> EDITED TO ADD: Hacking Team had no exploits for an un-jail-broken iPhone. Seems like the platform of choice if you want to stay secure.

I'm using a dumb-phone. Switching back from a "smart"-phone was less traumatic than I thought it would be, and I love the battery life. I know it's still insecure, but at least there's much less temptation/opportunity to put anything interesting on it.