Hacking Team : A Lesson for the Future

Hacking Team is an Italian security firm that develops and sells surveillance software to governments around the world.  That all came crashing down earlier this week as the Hacking Team network was compromised with over 400 GB of source code, files, and email freely available to download on torrent sites.  There are several vulnerabilities listed in the files that gave Hacking Team customers access to systems.  Those vulnerabilities are now public for anyone to exploit.  Adobe patched an exploit in Flash earlier today so if you haven’t done so yet you will definitely want to update Flash.  Better yet you should get rid of Flash all together.

We were taken back by the pompous response from the Hacking Team.  Perhaps we shouldn’t be surprised given the company’s unethical business practices.  They make millions by helping some of the most repressive countries in the world spy on their own citizens.  We can only image the tragedies that have resulted from the use of their technology.  Now that everything is public the Hacking Team seems more than happy to blame it all on the ‘work of criminals’, but perhaps they should consider their own role in the story.  I’m sure that will never happen.

Here’s a message Hacking Team CMO, Eric Rabe, posted on their site earlier today:

It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6. HackingTeam’s investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice.

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

We believe this is an extremely dangerous situation.

HackingTeam is evaluating if it is possibile to mitigate the danger. We expect too that anti-virus companies are upgrading their programs to detect the compromised RCS.

The Hacker Team’s technology has resulted in an ‘extremely dangerous situation’ for a long time given their list of clients.  They have been selling surveillance technology to Azerbaijan, Bahrain, Ethiopia, Morocco, Russia, Saudi Arabia, Sudan, and Turkey.  Just to name a few countries who use Hacking Team’s technology to spy on users and perhaps even control their computers.  There are lessons to be learned from the events of the last few days.  First of all no matter how secure you might think you are there are always those smarter and with motivation to access your information and data.  Secondly, once the genie is out of the bottle there is no putting it back in.  We will all have to live with the results of the Hacking Team’s code being made public.