When a notorious hacking firm with a rather dubious reputation is themselves the victim of a thorough hack, what happens with their dirty laundry? More to the point, what is appropriate with their dirty laundry?
Hacking Team is an Italian security company that develops and sells surveillance and malware tools, in many cases to governments and law enforcement organizations. While the company claims to sell only to "ethical" governments, there has long been evidence of their tools being used by questionable, if not outright oppressive, regimes.
Sunday evening my Twitter timeline lit up with reports that Hacking Team had themselves been the subject of a severe hack, with 400 gigabytes of company data stolen and shared publicly on the Internet. This data included company email, contracts, customer lists, passwords, malware exploits, and source code for their surveillance products.
The released data may have included much more.
Over the next 24 hours, "amateur investigators" around the globe downloaded and dug through the breach data and began to share things they found. The earliest revelations included lists of internal company passwords - passwords to database and server administration accounts, passwords of a nature that one would expect an "elite security firm" to know better. Passwords such as "Passw0rd!", "wolverine", and "HT2015". While every password can eventually be broken or stolen, every security consultant worth her salt knows the basic rules: long, unique, random passwords are far less likely to be cracked.
As the day progressed though, the revelations became more disturbing.
It should come as no surprise that government organizations such as the US Federal Bureau of Investigations and Drug Enforcement Agency would buy commercial cyber espionage tools. More interesting though are reports that Hacking Team - while stating on the record that they did not do so - did business with nations embargoed by the European Union (of which Italy is a member).
The divulged source code included what appears to be yet another Flash Player exploit, apparently useful against even the most current version of Flash Player. If you have not done so already, make your browser plugins "click to play." It truly is negligible inconvenience and provides a good layer of safety.
Worse though was a snapshot of source code, possibly taken out of context either by a novice programmer or by one that knew but intended to mislead (though possibly portrayed accurately).
An image circulating yesterday showed programming code that suggested a Hacking Team malware product actually planted child pornography. I can think of no legitimate reasons to do this, but can think of a few quite nefarious reasons. The most obvious would be setting up extortion/blackmail schemes.
An individual that reviewed the rest of the code says it is actually looking for, not planting, these files, and that the piece of code in question is likely a test routine used to demonstrate it to a potential customer. For reasons I will explain momentarily, I have not downloaded or reviewed the code myself.
#HackingTeam dump brings up the question of ethical/legal concerns for using hacked data as evidence in academic & policy journal pieces
— Drew Herrick (@DrewHerrick) July 6, 2015
This leads directly into my purpose in writing today. Downloading and commenting on data from major breaches has become something of a sport for amateur investigators (a term I use intentionally). I am not qualified to speak of the legality of accessing formerly-private data that has been made public. Personally I see it as similar to rummaging through a found purse or wallet: possibly acceptable to identify the owner, but ethically questionable otherwise.
I am however qualified to speak a word of caution to would-be armchair investigators.
Hackers with malicious intent managed to break into Hacking Team's network and exfiltrate an enormous amount of information. How they got in is not yet clear, but if they could compromise a professional security company, are you certain they could not also compromise you or your company?
Malicious hackers are also known to use newsworthy events as bait to trap new victims. They are experts at search engine optimization, in which they use various tricks to make their links appear at the top of Google or Bing search results. Can you be sure the "400GB Hacker Team Torrent" you are about to download is the real thing and not a fake bundle of malware?
Finally, and most importantly, you cannot know in full what the breach data contains before downloading it. Certain types of information (in particular, child pornography images or videos) are illegal to even possess if one is not an authorized law enforcement officer investigating a crime - and even in those cases, the investigators prefer to deal with file hashes (uniquely identifying markers) rather than the actual files. Given the suggestion that this firm plants contraband material, it raises suspicion that the breach data could contain the same. Sure, that suggestion may be completely misleading, but do you want to risk it? I don't.
Professional investigators have a legitimate reason to peruse this data. There will be some involved in investigating the crime that took place (breaking into and stealing data from Hacking Team). There may well be national or international investigations into the business practices Hacking Team engaged in. Malware and security businesses worldwide have a distinct interest in reverse-engineering the exploits and malware code Hacking Team developed, they they can in turn add protection to their respective security software.
Aside from those purposes (by individuals trained in safe handling of suspected-malicious content), I urge caution.
I'd be very careful Cybersecurity companies on downloading breach data files on your corporate network. #HackingTeam
— Marcus J. Carey (@marcusjcarey) July 6, 2015
Update 7 July: The Flash Player exploit from the breach has been added to at least one crimeware kit, and is actively being used to deliver cryptolocker ransomware to FULLY PATCHED Windows PCs. A patch is expected on Wednesday; in the meantime, the only effective protection is to either remove Flash from your PC, or set the plugin to "click-to-play". If you require the Flash Player, I strongly suggest setting your browsers to ask before running Flash content.
