The Shadowy World of Cybersecurity Mercenaries

The Hacking Team sold many governments, including ours, products to directly target journalists, software developers, and activists for surveillance.

While the dangerous breadth of modern state surveillance has been rightfully exposed by whistleblowers like Edward Snowden, many of the forces that allow this underhanded Internet spying have gone remarkably unnoticed. In fact, an unexplored world of private sellers surreptitiously collaborates with intelligence agencies to help maintain their expansive snooping apparatuses. These security agents for our digital panopticon receive virtually no scrutiny thanks to their privileged, yet nuanced, relationships with powerful groups (and subsequent lack of mainstream-media coverage). But this month, the shadowy world of mercenary exploit sales finally had its huge Snowden moment.

In early July, an activist hacker known as "PhineasFisher" effortlessly infiltrated the systems of a notorious Italian zero-day exploit seller, called "Hacking Team." ("Zero day" refers to security vulnerabilities that are unknown to vendors, which "exploit sellers" often make available to the highest bidder.) PhineasFisher dumped 400 gigabytes of documentation online for the world to browse. The trove confirmed what many in the security community had long suspected, including bombshell revelations that Hacking Team maintained business relationships with almost 40 different governments including the United States and Russia, sold spyware to brutal dictatorial regimes, and sold products that directly targeted journalists, software developers, and activists for surveillance and monitoring.

The transparency imposed on the rogue Hacking Team was incredibly valuable on its own; in fact, one of the company's own vendors has called it a "blessing in disguise" to shed light on the industry and begin a discussion of zero-day sales reform. But the Hacking Team hack also provides important lessons about the broader security ecosystem and the thinning line between private and public entities as we adapt to the age of hacking without borders.

The Hacking Team was typical of an above-ground business operating legally in the exploit market. Like Germany's Trovicor, France's Amesys, the UK's BlueCoat, and previous PhineasFisher target Gamma International, Hacking Team profited by selling exploits of popular computer software to powerful groups under the guise of "cybersecurity." When firms offer to look for and report vulnerabilities so that the company that hired them can patch and improve its software, this can be a wholly legitimate and beneficial trade. Often, however, these groups merely sell governments new ways to spy on or manipulate political enemies and even innocent citizens.

Indeed, the difference between these kinds of groups and the more stereotypical, hoodie-wearing, lone wolf hacker-for-hire is often one of style rather than ethical substance. Both of these groups make money by discovering or purchasing unknown computer bugs and selling them to governments, political parties, or even terrorist groups for a healthy mark-up.

Zero-day vulnerabilities are incredibly useful to parties wishing to manipulate other people online without their knowledge. They are a bit like having a monopoly on a secret entrance to a popular computer program that only you know about. Zero-days can be exploited to remotely insert malware or spyware that activates whenever a user sends an online payment, updates iOS, or runs Adobe Flash Player. (Incidentally, it might be a good idea to uninstall Flash for now, since we now know Hacking Team sold not one but two Flash exploits.) Other times, exploit merchants use vulnerabilities that are already known and instead target people running older, unpatched versions of popular software. This type of exploit service constituted the bulk of Hacking Team's portfolio.

The trade in software exploits to further government surveillance is troubling enough from a privacy perspective. Activist groups such as the Electronic Frontier Foundation (EFF) and Reporters Without Borders have long criticized such practices for violating human rights and expanding the global net of digital surveillance.

But there are grave security implications as well. Selfishly hoarding zero-day vulnerabilities intentionally ensures that the Internet will remain systemically insecure. Going a further step and exploiting any kind of vulnerability for political surveillance or oppression could potentially introduce catastrophic weaknesses beyond the scope that the initial exploiters ever anticipated. A responsible netizen finds a zero-day and reports it to the public so that we can all be more secure. An unscrupulous sociopath sells it to Ethiopia for $1 million to crack down on U.S. journalists and wreck huge parts of the Internet in the process.

Security researchers pored through the Hacking Team document dump on Wikileaks to determine which software vulnerabilities Hacking Team was selling so they could warn the public about which products needed to be updated or uninstalled. They have found three zero-days so far: the two Flash bugs and another for the Windows kernel. While those who practice good cyber hygiene will be able to inoculate themselves against these revealed exploits, the vast majority of less sophisticated Internet users may still be vulnerable to attack, as prepackaged "exploit kits" of all three bugs are being sold to newbie hackers.

It is clear that "security" was far from the top priority for Hacking Team, because their own security sucked. Hacking Team was not a sophisticated cybercastle whose alligator-filled moat nonetheless failed; it was an inflatable bounce-house with a paperclip lock. Their password was "P4ssword"—when it wasn't "wolverine," "universe," or "Pssw0rd," that is. In the middle of a sensitive email exchange with an outside associate, Hacking Team COO Giancarlo Russo suddenly remembers to ask, "Do you have PGP [email encryption] by the way? We really do need to encrypt these emails." This one moment of late foresight is far outweighed by the firm's spotty use of encryption and poor operational security among its users.

By not-so-secretly stockpiling destructive exploits and engaging in ample public boasting, Hacking Team was more or less begging to be attacked. Their one-stop-shop arsenal of poorly-protected cyberweapons proved too tempting a target for rival hackers. Really, Hacking Team CEO David Vincenzetti should have known better. A veteran of the anti-authoritarian, pro-privacy Cypherpunk hacking movement, Vincenzetti cut his radical teeth developing a "file tampering detector" that would identify and repel intruders like Hacking Team from computer systems in 1992.

But Vincenzetti has changed quite a bit since the days when he participated in the same listservs as Wikileaks founder Julian Assange and EFF co-founder John Gilmore. His security chops have certainly suffered. Despite being an early promoter of email-encryption software, emails show that Hacking Team hardly used PGP at all.

More fundamentally, the "freedom hacker turned government tool" angle of the Hacking Team story reveals the unfortunate incentive structure presented to the tiny elite of hackers capable of building—or breaking—the global surveillance network that tracks our every online move. They can choose to fight or expose the system, risking media demonization, foreign asylum, and even lifelong prison sentences for the heinous crime of defending our freedoms online. Or they can sell out and enjoy fat retirements as cyberweapons dealers of choice for the world's repressive states. Either way, this episode is an important reminder that the enemies of an open Internet are not limited to the state. 

  1. Their password was “P4ssword”—when it wasn’t “wolverine,” “universe,” or “Pssw0rd,” that is.

    This is just… babytown frolics.

    1. What’s important is that you posted the first comment and got home safely.

    2. You forgot “gandalf”.

      1. You know who else caused explosions over the Shire?

  2. Their password was “P4ssword”—when it wasn’t “wolverine,” “universe,” or “Pssw0rd,” that is.

    Sounds like somebody’s qualified to be director of the Office of Personnel Management.

  3. 1234 is a vast improvement. It’s what I use for my luggage.

    1. In libraries you deal with a lot of people who need email addresses but are in no state to ever remember their password. I learned quickly that they actually relied on me to remember this data for them.

      As a consequence, there are probably hundreds of people out there with a password of aaaa1111!!!! – this is viewed as an EXTREMELY strong password by gmail, yahoo, etc.

      Too bad all of these people combined don’t have any information worth stealing (and that I’m not a thief).

      1. It’s considered strong because it has letters, numbers, and special characters.
        If I run software to try all the alphabet characters on an 8 character password, the amount of possible passwords is 26 to the 8th power. If you add numerals, the equation is 36 to the 8th. If you add special characters, I don’t remember the number. Also, if you add capitals, the number is 62 to the 8th just for alphanumeric characters.
        It could take years to run that many possibilities through randomly.
        There are other tools, such as rainbow charts, lists of most common words, etc.

  4. “Their password was “P4ssword”—when it wasn’t “wolverine,” “universe,” or “Pssw0rd,” that is.”

    Could be worse: the mainframe password could have been “guest.”

    1. username: admin
      password: admin

    2. …the mainframe password could have been “guest.”

      I ALREADY MADE A REFERENCE TO THAT.

  5. Well, we can toss out the notion that bureaucratic software development incompetence would save us.

  7. (Incidentally, it might be a good idea to uninstall Flash for now, since we now know Hacking Team sold not one but two Flash exploits.)

    Unnecessary. Install “NoScript” (which you should do anyway) and set Flash to be “ask before activation”. (This can be done directly within Firefox, also, but you get more granularity of control with NoScript.) Then you can still watch YouTube, but don’t have to worry about some random website activating Flash and installing a trojan on your computer.

    Incidentally, this also eliminates autoplay videos…

  8. They can choose to fight or expose the system, risking media demonization, foreign asylum, and even lifelong prison sentences for the heinous crime of defending our freedoms online. Or they can sell out and enjoy fat retirements as cyberweapons dealers of choice for the world’s repressive states.

    It’s not just that. Lots of even pure white hats have gotten in trouble because a company didn’t want its vulnerabilities revealed, but refused to fix them. And then when they announced the insecurity, so people could A.) know there was a risk, and B.) put pressure on the company to fix it, they ended up getting sued or charged with malicious cracking.

  9. Everything I’ve read says their software was crap, script kiddie level stuff.

    1. Why do you hatez the script kiddies? Oh, won’t somebody think of the script kiddies?
