When Hacking Team suffered an embarrassing and public compromise, they became a statistic. Like hundreds of other companies over the last few years, they had sensitive information compromised and exposed to the public. So what's next for Hacking Team, and what lessons can be learned?
When Hacking Team suffered an embarrassing and public compromise, they became a statistic. Like hundreds of other companies over the last few years, they had sensitive information compromised and exposed to the public.
But this case was different. Hacking Team is universally hated among privacy advocates, so when the company's files were leaked to the public it became a feeding frenzy. Their secrets were exposed, and many researchers were enjoying a bit of schadenfreude at their expense.
The leaked cache of files, 400GB in total, contained a number of newsworthy items, including questionable business dealings, an eye opening look at the market value of exploits and how they're used, and details on vulnerabilities in Adobe Flash, iOS, and Internet Explorer – complete with working exploit code.
Salted Hash recently spoke to with Ian Amit from ZeroFox about the Hacking Team incident, discussing possible lessons that could be learned by other organizations (if any), and the interesting fact that Hacking Team's methodologies relied heavily on social engineering.
Most of the Hacking Team fallout is behind us, given that Microsoft and Adobe have issued patches for the leaked vulnerabilities. So what's next, where can Hacking Team go from here in your opinion?
IA: I believe that while most of the technical elements of the Hacking Team hack is behind us, we are still left to deal with the bulk of the issue here.
That is, the practice and behavior of a player of this magnitude in the industry, and the political, diplomatic, and ethical implications of the breach.
From an intelligence analysis perspective, the emails allow us a unique understanding of the inner workings of one of the more intricate industries out there. [The emails gave us] methods of communications, sales tactics, channels to questionable clients, M&As, supporting clients in their field operations, overcoming sales restrictions, and probably a lot more.
The combination of outward facing emails (to clients/partners) and internal ones (corroborating facts, discussions on relationships with partners/customers, etc...) are a treasure trove.
Talk about your observations during the Hacking Team story, there were a number of social engineering vectors in the company's methodology, what are your thoughts?
IA: One of the first things that everyone was looking for in the breach were 0-days and the technical infrastructure employed by the spying tools.
However, when looking into the specifics of the attack vectors and through the sales and support materials, it is apparent that albeit the existence of an 0-day here and there, most of the attack vectors rely on one form or another of social engineering and infections through eliciting the target to click on a link or open an application/file.
Observing developer files related to the analysis of Facebook and Twitter page structure and their workings also leaves a strong indication that these were often used to elicit interactions with malicious content.
What are some lessons that organizations can take from the Hacking Team incident?
IA: There are several lessons that organizations should take away from this:
Encryption isn't a magic solution
Albeit some customers/partners insistence on using PGP encrypted communications, all the emails that Hacking Team stored on its servers were decrypted. This is a major violation of how encryption should be used (i.e. access to the plaintext should only be allowed in the presence of the decryption key).
Asset mapping and threat modeling
Through the incident, a multitude of statements were made by both Hacking Team representatives as well as other organizations affected by the breach. A lot of these statements turned out to be false or misleading, as more data was analyzed and correlated.
The initial assumptions of these representatives seem as were made under the guise that a lot of the historical facts, or that certain assets were not exposed. If those organizations had conducted a proper asset mapping and have a threat model in place, they would have realized the exact extent of the breach and would have been able to apply mitigating actions.
Statements such as "we have never done, nor never will have any business relations with country X", which then falls into pieces when emails, files, and invoiced reveal the exact opposite, can be detrimental to a company's (and a person's) reliability.
The same goes for statements such as "the source code is old and cannot be used to build a working product", to later be crushed with multiple demos of how the entire product (multiple agents, proxies, and backend servers) are built and ran.
Large organizations have a lot of work on their hands, analyzing the existence of their own and any of their partners/suppliers mentions in the email communications. Understanding that your subsidiaries in certain countries were doing business with HT has major implications on your global operations.
The same goes for anyone in your supply chain (clients, partners, suppliers) as these almost immediately expose your organization to inadvertent leaks for which a full analysis of what exactly was discussed between the third parties and HT were.
Clients of Hacking Team (not necessarily all government entities...) find that their most sensitive information is fully exposed to the public. From what kinds of products are installed in their infrastructure, to their apparent security posture based on a penetration test report.
These were all un-encrypted, and some clients had data that went back years (showing changes in security posture over time - an even more valuable insight to potential attackers).
A "simple" graph map analysis of the email communications over the years will reveal a daunting picture of "who's talking to whom and about what."
Performing a frequency analysis of edge communications (emails sent from/to), overlaid with the top keywords mentioned through those conversations, will in turn unravel a lot of the business practices employed by HT (and in turn the rest of the "lawful interception" players) in order to increase their market share, and potentially reach to clients that are supposedly restricted by law.
There is a demanding market out there for what Hacking Team offers, and they're not the only company doing this type of work. Does this hack change anything, will there be a void to fill or do you think Hacking Team will recover, and things will go back to how they were?
IA: The void for the lawful interception market will undoubtedly be filled quickly.
After both Gamma, and now Hacking Team getting breached to the extent of essentially losing this line of business, the rest of the players (NSO, Elbit, IAI, Nice, Verint, etc...) are surely picking up the pieces left (with the nice help of a full inventory of who was sold what).
Additionally, other, smaller players are surely tempted to jump into this and fill the void. Especially after realizing the low maturity of the solutions offered. Technically, both the Gamma and Hacking Team breach revealed that we're not talking about very complex tools - sometimes to the extent of reusing existing bypass techniques such as Themida to 'protect' the spy software from detection.
All that's left is the chutzpa to reach out to the market and hawk your goods.