Recapped: A quick roundup of developments since Hacking Team was hacked

One week later, here's a recap of the latest developments to come out of the Hacking Team incident

[Image: Hacking Team hacked logo. Credit: Steve Ragan / Twitter]

It's been more than a week, and each day something new has emerged from the 400GB cache of files taken from Hacking Team, an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.

Since breaking the Hacking Team story last week, Salted Hash has followed the developments during the aftermath, including several from the emails published by WikiLeaks.

Here's a brief recap of those items.

The leaks are now obsolete, Hacking Team says:

On July 6 Hacking Team issued a statement that said in part:

"...Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so..."

Now, one week later, the company says things got better:

"...While it is true that the criminals exposed some of our source code to Internet users, it is also true that by now the exposed system elements are obsolete because of universal ability to detect these system elements. Today we believe it is extremely unlikely that this obsolete code can be used to surveil cell phones, mobile devices or computer communications..."

They promise to deliver a new system later this year, which is a total replacement for the existing Galileo platform.

Flash collection:

Hacking Team had access to at least three zero-day exploits that targeted unknown vulnerabilities in Adobe's Flash Player.

Last week, researchers discovered the first exploit for Flash, and it was immediately incorporated into the Neutrino and Angler exploit kits. Adobe patched the vulnerability being targeted within 24 hours of notification, but later in the week, two additional exploits were discovered.

Symantec and Hacking Team:

On Twitter, a researcher discovered that Symantec issued an enterprise code-signing certificate to Hacking Team, proving that the malware developers knew the power of signing code, and went to the largest anti-malware firm on the planet to make it happen.

The Australian government was in talks with Hacking Team:

Emails published by WikiLeaks show that the Australian Federal Police, NT Police, NSW Police, ASIO, and Victoria's IBAC were all talking to Hacking Team in order to obtain demos, or get quotes for services. ABC News has more.

BGP Hacking in Italy:

OpenDNS reported on Sunday that Hacking Team helped the Raggruppamento Operativo Speciale (ROS) – the Special Operations Group of the Italian National Military Police – gain control over servers at Santrex in 2013 by hijacking BGP. The details of the campaign appeared in emails archived by WikiLeaks.

From their post:

"The WikiLeaks documents show how ROS worked with the Italian network operator AS31034 (aka Aruba S.p.A) to get the prefix announced in BGP and bring up a new “Anonymizer” server with the IP address 46.166.163.175. ROS also was hoping that other Italian ISPs wouldn’t filter that hijacked announcement..."

Marco d’Itri, an Italian researcher, is credited with discovering the ROS details.

Change in Cyprus:

After documents in the Hacking Team cache showed that the Cyprus Intelligence Service (KYP) purchased services from the surveillance company, the head of the KYP, Andreas Pentaras, resigned. The actions of the KYP, it was argued, violated the country's privacy laws.

“In light of the revelations that surfaced with regards to use of a specific tracking system by the Cyprus Intelligence Service and in order to protect the integrity of the department, the head of the service Mr. Andreas Pentaras has today handed in his resignation which in turn was accepted by the President of the Republic,” Government Spokesman Nicos Christodoulides said in a statement.

A breakdown of the Hacking Team RATs:

Bromium Labs has published a solid write-up on the source code published along with the Hacking Team cache. The post covers what platforms can be targeted, the types of information that the malware is looking for, etc. It's worth a read if you want more details on the code.

Jailbroken or not, iPhones can be targeted:

Lookout Labs has posted details from the Hacking Team cache that they believe are proof that non-jailbroken iPhones can be targeted.

"When it comes to iOS, public reports to-date have claimed that the Hacking Team spyware can only infect jailbroken iOS devices. In an effort to educate iOS users about the potential risks, we did some additional research and determined this is not the case."

The reason is that Hacking Team, until Apple revoked it, possessed a legitimate Apple enterprise certificate. Thus, apps that were signed with it could be installed on iOS.

32,000 email addresses added to "Have I been pwned?":

Finally, researcher Troy Hunt has stated that 32,000 emails have been added to the "Have I been pwned?" database.

The HIBP database allows people to check and see if their email address has been compromised during a given data breach. For example, when I search for one of my alternate addresses, it shows that this single address was exposed during the Adobe breach, and the Hack Forums breach.

"What I decided to do was just load the email addresses that appear in the PSTs. This may be a sender or a recipient or even a mention of the email in the body or in an address book, but they’re all just from the PSTs. Of the 32k addresses in there, some of them are completely inconsequential; password reset links, support queues, spam etc.

"But the vast majority are of consequence and the question of establishing context was solved once Wikileaks published the PSTs. They’re all now searchable which means that given a single email address that appears in HIBP against the Hacking Team breach, a Wikileaks search can establish the context."
