Hacking Team, the (in)famous Italian company that provides offensive intrusion and surveillance software to governments, intelligence and law enforcement agencies around the world, has been hacked.
Here are some of the comments Help Net Security received.
Martin McKeay, Akamai Sr. Security Advocate
Hacking Team appears to have committed two of the classic mistakes in security: using simple passwords and reusing passwords. For a security company that’s this high profile, there’s no excuse for these sins. We don’t know yet how the attackers got into HT’s systems, but given the poor passwords that have been revealed in the documents, it could have been as simple as brute-forcing the passwords on a few systems.
The other major mistake made by HT was not noticing that 400GB of data was leaving their systems. Extrusion detection for an organization that specializes in malware and monitoring should be one of the defenses they concentrate on, because it’s what other people would use to detect their tools. Expecting your tools to be used against you is a basic warfare tenet.
The politics of who is a client of HT should make for some interesting fallout. For an organization that continually stated they didn’t deal with oppressive governments, there’s an amazing number of exactly that type of government in their client list. How other governments react will make for interesting reading.
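The "400GB leaving undetected" point above is, in detection terms, a per-host egress baseline check. The following is an added example written for this page, not code from the original article or from any of the commenters. The flow-summary log format, the hosts, the IP addresses (from documentation ranges) and the thresholds (5x the host's own median daily egress, and at least 10 GiB so that small hosts do not generate noise) are all constructed assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict
from statistics import median

# Alert thresholds. Assumed values for this example; tune them to the environment.
RATIO = 5.0                  # today's egress must exceed 5x the host's own baseline...
ABSOLUTE_MIN = 10 * 1024**3  # ...and be at least 10 GiB, so noisy small hosts stay quiet
MIN_BASELINE_DAYS = 3        # days of history needed before a host is judged at all

# Constructed per-flow summary lines (not real telemetry). One host quietly moves
# ~2 GiB/day and then pushes 400 GB in one evening; one host is steadily busy;
# one laptop spikes 10x but stays far below the absolute floor.
FLOW_LOG = """
2015-06-28T03:10:00Z host=fileserver dst=203.0.113.10 bytes_out=2147483648
2015-06-29T03:10:00Z host=fileserver dst=203.0.113.10 bytes_out=2254857830
2015-06-30T03:10:00Z host=fileserver dst=203.0.113.10 bytes_out=2040109466
2015-07-01T03:10:00Z host=fileserver dst=203.0.113.10 bytes_out=2147483648
2015-07-02T22:15:00Z host=fileserver dst=198.51.100.7 bytes_out=200000000000
2015-07-02T23:40:00Z host=fileserver dst=198.51.100.7 bytes_out=200000000000
2015-06-28T12:00:00Z host=web01 dst=203.0.113.20 bytes_out=53687091200
2015-06-29T12:00:00Z host=web01 dst=203.0.113.20 bytes_out=53687091200
2015-06-30T12:00:00Z host=web01 dst=203.0.113.20 bytes_out=53687091200
2015-07-01T12:00:00Z host=web01 dst=203.0.113.20 bytes_out=53687091200
2015-07-02T12:00:00Z host=web01 dst=203.0.113.20 bytes_out=53687091200
2015-06-28T09:00:00Z host=laptop07 dst=203.0.113.30 bytes_out=104857600
2015-06-29T09:00:00Z host=laptop07 dst=203.0.113.30 bytes_out=104857600
2015-06-30T09:00:00Z host=laptop07 dst=203.0.113.30 bytes_out=104857600
2015-07-01T09:00:00Z host=laptop07 dst=203.0.113.30 bytes_out=1073741824
"""

LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ host=(?P<host>\S+) dst=\S+ bytes_out=(?P<bytes>\d+)$"
)


def daily_egress(log: str) -> dict[str, dict[str, int]]:
    """Sum bytes_out per host per calendar day, skipping lines that do not parse."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # a malformed line should not take the detector down
        totals[m["host"]][m["day"]] += int(m["bytes"])
    return {host: dict(days) for host, days in totals.items()}


def egress_alerts(log: str) -> list[dict]:
    """Flag any host/day whose egress dwarfs that host's own median from earlier days."""
    alerts = []
    for host, per_day in daily_egress(log).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]  # only days strictly before this one
            if len(history) < MIN_BASELINE_DAYS:
                continue
            baseline = median(history)
            today = per_day[day]
            if today >= ABSOLUTE_MIN and today > RATIO * baseline:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes_out": today,
                    "baseline": baseline,
                    "ratio": round(today / baseline, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(FLOW_LOG):
        print(f"{alert['day']} {alert['host']}: {alert['bytes_out']} bytes out, "
              f"{alert['ratio']}x its baseline of {alert['baseline']:.0f}")
```

On the constructed data only the fileserver's final day alerts: web01 is loud but stable, and the laptop's 10x jump is still under the absolute floor. A real deployment would feed this from flow exports or proxy logs and would also key on destination (new external addresses), but the baseline-per-host idea is the core of what "extrusion detection" means here.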
Vladimir Jirasek, CEO at Jirasek Security Consulting & Research Director at CSA UK
As the news and more detail of the hack of the Hacking Team company unfolds, one has to ask who should be better prepared for a cyber attack than a company that is a public enemy of the Internet, a company that sells software to oppressive governments to spy on their citizens.
However, putting moral arguments aside, it is clear that the company has not had good security controls in place. We can deduce it from just looking at the passwords leaked in the stolen material: “HTPassw0rd”, “Passw0rd!81”, “Passw0rd”, “Passw0rd!”, “Pas$w0rd”, “Rite1.!!”. Had Hacking Team followed the 20 Critical Cyber Controls and implemented the Advanced controls in the guidance, the hack might not have happened.
It is also worrying that the first indication of the hack was a tweet from a compromised company account. A company operating in a territory attracting so much public attention should take security monitoring seriously. It is true that only a small percentage of companies spot a cyber attack within days; however, that statistic comes from a large population of various companies.
Can this company recover from the incident? Perhaps yes, but should it?
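As an added example (not part of the article or of any commenter's remarks), the check below shows why the passwords quoted above fail even a basic audit, and why several of them count as the same password reused: once trailing digits and symbols are stripped and the usual "leet" substitutions are undone, "HTPassw0rd", "Passw0rd!81", "Passw0rd", "Passw0rd!" and "Pas$w0rd" all reduce to the word "password", which is the first thing a cracking rule set tries. The minimum length, the tiny wordlist and the account names are assumptions chosen for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Policy minimum length. An assumed value, not one taken from the page.
MIN_LENGTH = 12

# Tiny stand-in for the dictionary a cracker would use (constructed for the example).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "secret", "hacking"}

# Common "leet" substitutions that cracking rule sets undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "7": "t"})

# The passwords quoted on the page.
LEAKED = ["HTPassw0rd", "Passw0rd!81", "Passw0rd", "Passw0rd!", "Pas$w0rd", "Rite1.!!"]


def normalize(password: str) -> str:
    """Reduce a password to the base word a dictionary attack would derive it from.

    Strips leading/trailing non-letters (the 'append 81!' habit), lowercases, and
    undoes leet spelling, so 'Passw0rd!81' and 'Pas$w0rd' both become 'password'.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def dictionary_hits(password: str) -> list[str]:
    """Dictionary words (5+ letters) that survive inside the normalized password."""
    base = normalize(password)
    return sorted(w for w in COMMON_WORDS if len(w) >= 5 and w in base)


def audit(password: str) -> list[str]:
    """Return the policy failures for one password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for word in dictionary_hits(password):
        problems.append(f"mangled dictionary word '{word}'")
    return problems


def find_reuse(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts whose passwords share a normalized base word.

    Catches exact reuse and the 'same word, different suffix' variant, which an
    attacker who has cracked one of them will try against the others anyway.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for account, password in credentials.items():
        groups[normalize(password)].append(account)
    return {base: sorted(accts) for base, accts in groups.items() if len(accts) > 1}


if __name__ == "__main__":
    for pw in LEAKED:
        print(f"{pw!r:16} -> {normalize(pw)!r:12} {audit(pw)}")
    # Hypothetical account-to-password mapping, constructed for the example.
    print(find_reuse({"vpn": "Passw0rd!81", "mail": "Passw0rd", "git": "Pas$w0rd", "twitter": "Rite1.!!"}))
```

Every one of the quoted passwords fails at least one check, and the reuse grouping puts three different "Passw0rd" spellings into one bucket. A real audit would use a full cracking wordlist and the same mangling rules as the cracker, but the normalization step is what turns "these look different" into "these are the same password".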
Brian Honan, CEO of BH Consulting and Special Advisor to Europol Cybercrime Centre
From the information that has been released we can see that a firm that specialises in security software itself did not seem to employ good security practices; over 400GB of data leaving their network undetected would be one such example.
Of particular interest will be how we see Hacking Team react to this breach. Given the type of clients they deal with I would expect regular, concise, and fact-based updates; however, their lack of communications and updates so far has been very poor.
Whatever your views are on the ethics of how Hacking Team conducts its business, I think this breach is an opportune moment for everyone to reflect on how effective their defences are and what preparations they have in place should a major breach occur.
Raj Samani, VP and CTO EMEA at Intel Security
What is particularly interesting in this case is that data is being dumped publicly in a potential attempt to discredit the impacted organization. Typically we would expect to see breach victim data being sold on for profit; however, this and more recent cases have involved organizational data simply being dumped online or being offered for free.
This trend should sharpen focus regarding the potential reputational impact on a firm, particularly where the client base has high expectations regarding the security in place.
Javvad Malik, Security Evangelist at AlienVault
It looks like poor and reused passwords combined with a lack of data exfiltration monitoring has led to HT’s compromise.
The breach appears to be motivated by an agenda to discredit HT. So it will be interesting to see if other companies that operate in this space will step up to try and displace HT from governments that have been exposed. If that happens, it may prove to be a breach from which HT may find it extremely difficult to recover fully.
Trust is a key component in any security offering, and with this breach HT has potentially lost it in the eyes of its customers as well as whatever credibility it had in the eyes of others. Because of this I anticipate HT will try to go after the perpetrators aggressively, but that may be a case of too little too late.
Mark James, Security Specialist at ESET
From their point of view, it’s a very bad situation. The type of software they sell relies on a very high degree of not only secrecy but trust. Unfortunately for them both of those have been compromised overnight: the type of data found included invoices and agreements from governments and organisations they have clearly stated they have no affiliation with. Along with that, source code was found and released for their software, which will cause anyone still using it to quickly get it taken offline or disabled for security reasons. Passwords and personal information were also taken, allowing access to other systems including Twitter and other social networks.
Frode Hommedal, Infosec Lead at Telenor CERT
What I find most interesting with the Hacking Team breach is neither that it happened, nor that the data got leaked. I think this was bound to happen; the Internet is full of people who like to dispense vigilante justice on companies with perceived dubious morals. Rather, I find the potential insight into the gray area of contracted espionage to be of much greater interest.
As the cyber arms race progresses, we see more and more outfits like Hacking Team entering the game. Hacking Team has always claimed they operated within the boundaries of Italian and international law. Regardless of whether they did, we can be sure several of their competitors won’t: the promise of money, regardless of who’s paying, is too big a lure.
I believe security professionals, law enforcers and lawmakers should take this opportunity to learn more about how these companies operate, if for no other reason than that we will soon be fighting them in our networks.
Robin Wood, Freelance Security Consultant
Having seen the quality of the passwords leaked in the dump and the number of services they are spread across, I think it is going to take them a long time to regain control of all their assets, and being able to fully trust them again is going to be difficult.
There is going to have to be some burning of accounts and new set-ups, I reckon. Just trying to generate a list of all compromised sites is going to take a long time, and I doubt it is high priority at the moment, so the hijacking will continue for a while.