I got an email earlier this week with the subject heading, “Hacking Team Hacked.” I wasn’t quite sure what that was all about, so I did a little Web snooping. The Hacking Team, I learned, is an Italian company that, according to eSecurity Planet:
… provides hacking tools (or, as the company puts it, "effective, easy-to-use offensive technology") to governments worldwide.
The hackers released 400GB of files and then hijacked the Hacking Team’s Twitter account to brag about it. According to CNET, the files included lists of clients, allegedly including the United States, and software code secrets. This surveillance software is meant to take over someone’s computer and is supposed to sniff out potential terrorists and the like. Various articles report that there have been concerns of the company selling their software to countries with known human rights violations and that have an unfriendly relationship with journalists. Did that play a role in this hack? It wouldn’t surprise me.
This particular hack has so many facets. For instance, the surveillance angle and what governments will do to spy on citizens and/or each other. As Tim Erlin, Tripwire’s director of IT Security and Risk Strategy, said to me in an email:
While it’s tempting to focus on the potential for scandal spread throughout this data, the details disclosed also provide insight into a previously difficult to characterize economy around custom exploit development. From the data revealed, it appears that government and law enforcement agencies around the world are willing to spend millions of dollars for the type of services that Hacking Team provides.
Or we can focus on how this relates to the business world. After all, Craig Young, computer security researcher for Tripwire, told me, surveillance software isn’t just for government:
These tools could be used by a private corporation to monitor employees. For example, a company concerned about employees stealing trade secrets may pre-load employee computing devices with monitoring software. It could also be the case that some companies would like to glean information from competitors. In some cases, the software may also be used to gain intelligence on customers like a bank validating whether funds are coming from an illegal enterprise. The worst case would be private corporations using this type of software to gain marketing intel by spying on the customers and the general public.
And then there is this. Even companies that specialize in hacking aren’t immune from the same stupid mistakes that have led to so many high-profile and small organization attacks. According to CNET:
Some on Twitter noted the very poor passwords apparently used on Hacker Team's systems, including variations on the word "password," such as "passw0rd," spelled with a zero instead of the letter o (Normal Internet users aren't much better, but hackers and security experts are expected to be more cautious).
So, we’ve got likely hacktivism, lazy password systems, nations paying a lot of money to be able to cyber-spy, and hints that this could spill over to private enterprise. Even Hollywood can’t make up stuff like this.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba