It’s hard to even know where to begin with the Hacking Team breach. Perhaps the basic facts: here we have a security organisation building offensive exploits and surveillance tools, sold primarily to governments around the world, which now has 400-odd gigabytes of its internal data dumped on the public web. Some more contentious facts: the exploits were allegedly sold to nation states with “questionable” human rights histories and may have been used in ways most of us would consider unconscionable. Allegedly. Well, it was “allegedly”, and this is where the whole thing starts to unravel.
There are a lot of different angles to this breach, and clearly one of the most obvious is how on earth the people who are meant to be the experts in this space got so comprehensively owned. One clue may be the lack of fundamental security practices, for example the use of the password “P4ssword” by one of their security engineers, Chris. Shortly after the breach, and after Chris’ questionable password choice had circulated, his Twitter account was taken over. That may be coincidental. Maybe…
One of the major upsides of this breach will almost certainly be a more secure technology world. Well actually, it may be one which is more exploited in the immediate term as their treasure trove of hacker goodies is plundered by evildoers, but we’re already seeing software vendors embracing the opportunity to strengthen their products based on what’s been exposed by the breach. This will ultimately be a good thing.
Of course another angle (and this could be an upside or a downside depending on your perspective) is that there’s now going to be a heap of transparency as to which nation states were using Hacking Team’s products and in what ways. It could be an upside insofar as it will hold some dystopian nations to account, but their products were also used by plenty of other law enforcement agencies in ways that most of us would consider reasonable. As much as we’d like to see a bunch of these “rogue” nations held to account, we can’t escape the fact that the breach will also adversely impact “the good guys”, for want of a better term.
One upside of exposing the inner workings of an organisation like this is that we get more insight into which security defences actually work well. For example, they really dislike Tor, and there’s some very interesting info in the dump about how much of a challenge it posed to them. Another interesting outcome of all this was that they had no exploits for non-jailbroken iPhones. That’s genuinely useful info for those deciding which mobile platform to choose. Oh – and before jumping on the “yeah but the NSA has back-doored them anyway” bandwagon, the US government has been very vocal about its dislike for how effective Apple devices are becoming at keeping the owner’s things private.
But perhaps the biggest impact of the whole episode is that this breach is going to seriously degrade the effectiveness of the tools they’ve built, to the point where they’ll become near useless. I’ve already mentioned how software vendors will be actively patching the vulnerabilities Hacking Team’s products targeted. Antivirus companies were trawling through the source code as soon as it hit the airwaves and will be pushing new detection signatures within days at most. Targets of the products will update their devices, and the effectiveness of the software their overseers paid so handsomely for will rapidly approach zero. In fact, Hacking Team is already advising customers to stop using their tools. That’s a very significant outcome of this event.
A lot more news will unfold over the coming days and weeks. We’ll learn more about who their customers were (I think it’s safe to say “were” rather than “are”), how they were using the tools against their targets and indeed what sort of vulnerabilities they were exploiting. In terms of security news, this breach will be the gift that keeps on giving for some time to come yet.