The Shadowy World of Cybersecurity Mercenaries

While the dangerous breadth of modern state surveillance has been rightfully exposed by whistleblowers like Edward Snowden, many of the forces that allow this underhanded Internet spying have gone remarkably unnoticed. In fact, an unexplored world of private sellers surreptitiously collaborates with intelligence agencies to help maintain their expansive snooping apparatuses. These security agents for our digital panopticon receive virtually no scrutiny thanks to their privileged, yet nuanced, relationships with powerful groups (and subsequent lack of mainstream-media coverage). But this month, the shadowy world of mercenary exploit sales finally had its huge Snowden moment.

In early July, an activist hacker known as "PhineasFisher" effortlessly infiltrated the systems of a notorious Italian zero-day exploit seller, called "Hacking Team." ("Zero day" refers to security vulnerabilities that are unknown to vendors, which "exploit sellers" often make available to the highest bidder.) PhineasFisher dumped 400 Gigabytes of documentation online for the world to browse. The trove confirmed what many in the security community had long suspected, including bombshell revelations that Hacking Team maintained business relationships with almost 40 different governments including the United States and Russia, sold spyware to brutal dictatorial regimes, and sold products that directly targeted journalists, software developers, and activists for surveillance and monitoring.

The transparency imposed on the rogue Hacking Team was incredibly valuable on its own; in fact, one of the company's own vendors has called it a "blessing in disguise" to shed light on the industry and begin a discussion of zero-day sales reform. But the Hacking Team hack also provides important lessons about the broader security ecosystem and the thinning line between private and public entities as we adapt to the age of hacking without borders.

The Hacking Team was typical of an above-ground business operating legally in the exploit market. Like Germany's Trovicor, France's Amesys, the UK's BlueCoat, and previous PhineasFisher target Gamma International, Hacking Team profits by selling exploits of popular computer software to powerful groups under the guise of "cybersecurity." When firms offer to look for and report any vulnerabilities so the firm that hired them can patch up and improve their software, this can be a wholly legitimate and beneficial trade. Often, however, these groups merely sell governments different ways to spy on or manipulate political enemies and even innocent citizens.

Indeed, the difference between these kinds of groups and the more stereotypical, hoodie-wearing, lone wolf hacker-for-hire is often one of style rather than ethical substance. Both of these groups make money by discovering or purchasing unknown computer bugs and selling them to governments, political parties, or even terrorist groups for a healthy mark-up.

Zero-day vulnerabilities are incredibly useful to parties wishing to unknowingly manipulate other people online. They are a bit like having a monopoly on a secret entrance to a popular computer program that only you know about. Zero-days can be exploited to remotely inserted malware or spyware that will activate anytime a user sends an online payment or updates iOS or runs Adobe Flash Player. (Incidentally, it might be a good idea to uninstall Flash for now, since we now know Hacking Team sold not one but two Flash exploits.) Other times, exploit merchants use vulnerabilities that are already known and target people running older, unpatched versions of popular software instead. This type of exploit service constituted the bulk of Hacking Team's portfolio.

The trade in software exploits to further government surveillance is troubling enough from a privacy perspective. Activist groups such as the Electronic Frontier Foundation (EFF) and Reporters Without Borders have long criticized such practices for violating human rights and expanding the global net of digital surveillance.

But there are grave security implications as well. Selfishly hoarding zero-day vulnerabilities intentionally ensures that the Internet will remain systemically insecure. Going a further step and exploiting any kind of vulnerability for political surveillance or oppression could potentially introduce catastrophic weaknesses beyond the scope that the initial exploiters ever anticipated. A responsible netizen finds a zero-day and reports it to the public so that we can all be more secure. An unscrupulous sociopath sells it to Ethiopia for $1 million to crack down on U.S. journalists and wreck huge parts of the Internet in the process.

Security researchers pored through the Hacking Team document-dump on Wikileaks to determine which software vulnerabilities Hacking Team was selling so they could warn the public about which products needed to be updated or uninstalled. They have found three zero-days so far: the two Flash bugs and another for the Windows kernel. While those who practice good cyber hygiene will be able to inoculate themselves against these revealed exploits, the vast majority of less sophisticated Internet users may still be vulnerable to attack as prepackaged "exploit kits" of all three bugs are being sold to newbie hackers.

It is clear that "security" was far from the top priority for Hacking Team because their own security sucked. Hacking Team was not a sophisticated cybercastle whose alligator-filled moat nonetheless failed, it was an inflatable bounce-house with a paperclip lock. Their password was "P4ssword"—when it wasn't "wolverine," "universe," or "Pssw0rd," that is. In the middle of a sensitive email exchange with an outside associate, Hacking Team COO Giancarlo Russo suddenly remembers to ask, "Do you have PGP [email encryption] by the way? We really do need to encrypt these emails." This one moment of late foresight is far outweighed by the firm's incomprehensive encryption and poor user operational security.

By not-so-secretly stockpiling destructive exploits and engaging in ample public boasting, Hacking Team was more or less begging to be attacked. Their one-stop-shop arsenal of poorly-protected cyberweapons proved too tempting a target for rival hackers. Really, Hacking Team CEO David Vincenzetti should have known better. A veteran of the anti-authoritarian, pro-privacy Cypherpunk hacking movement, Vincenzetti cut his radical teeth developing a "file tampering detector" that would identify and repel intruders like Hacking Team from computer systems in 1992.

But Vincenzetti has changed quite a bit since the days when he participated in the same listservs as Wikileaks founder Julian Assange and EFF co-founder John Gilmore. His security chops have certainly suffered. Despite being an early promoter of email-encryption software, emails show that Hacking Team hardly used PGP at all.

More fundamentally, the "freedom hacker turned government tool" angle of the Hacking Team story reveals the unfortunate incentive structure presented to the tiny elite of hackers capable of building—or breaking—the global surveillance network that tracks our every online move. They can choose to fight or expose the system, risking media demonization, foreign asylum, and even lifelong prison sentences for the heinous crime of defending our freedoms online. Or they can sell out and enjoy fat retirements as cyberweapons dealers of choice for the world's repressive states. Either way, this episode is an important reminder that the enemies of an open Internet are not limited to the state.