Hacking Team, an Italian company that sells hacking tools to the FBI and DEA, as well as less friendly governments such as Sudan, was hacked this week. The hackers stole about 400 gigabytes of internal emails, financial documents, source code and other goodies. The hackers quickly published the stolen data, presumably to embarrass the company.
For example, the leaked documents indicate that the FBI spent almost a million dollars buying tools to hack into people’s phones. Whether they obtain a warrant before using them is not clear. What is clear is that this is not your father’s FBI. Hacking into suspects’ phones to get information is the new FBI.
Also included in the dump was source code to their remote access tools and hard-coded IP addresses for their command and control servers (which I assume have now been changed, but if a company has logs, it could see which devices had been talking to those servers and crush and shred those devices).
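The retrospective log check described above, as an added example that is not part of the original post: it parses firewall-style log lines, compares every destination address against a list of indicator addresses or ranges, and reports which internal hosts talked to them. The indicator addresses below are documentation-range placeholders, not the leaked Hacking Team addresses, and the log lines and their format are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators (RFC 5737 documentation ranges). In a real check these
# would be the C2 addresses taken from the leaked source, which this post does not list.
C2_INDICATORS = [
    "203.0.113.10",      # single host; becomes a /32 network below
    "198.51.100.0/24",   # a whole range, in case the operator rotated within a block
]

# Constructed sample log lines in a simple key=value firewall format (not real data).
SAMPLE_LOG = """\
2015-07-06T03:14:07Z ACCEPT src=10.1.2.33 dst=203.0.113.10 dport=443 proto=tcp
2015-07-06T03:14:09Z ACCEPT src=10.1.2.33 dst=93.184.216.34 dport=80 proto=tcp
2015-07-06T04:02:51Z ACCEPT src=10.1.5.7 dst=198.51.100.77 dport=443 proto=tcp
2015-07-07T11:40:12Z DENY src=10.1.9.4 dst=203.0.113.10 dport=8443 proto=tcp
malformed line that the parser should skip rather than crash on
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DENY)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def load_indicators(entries):
    """Turn indicator strings into ip_network objects so hosts and ranges match alike."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything the regex rejects."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_c2_contacts(log_text, indicators):
    """Map each internal source host to the (timestamp, destination, action) events
    in which it contacted an indicator address. Denied attempts are kept too: a
    blocked connection still shows the host tried to reach the server."""
    nets = load_indicators(indicators)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in net for net in nets):
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["action"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_c2_contacts(SAMPLE_LOG, C2_INDICATORS).items():
        print(host, events)
```

The point of the ip_network comparison is that a single leaked address and a whole range are handled the same way, so the indicator list can be extended without changing the matching code. Only hosts that appear in the output need the "crush and shred" treatment; the rest of the fleet is cleared by the same pass.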
One file listed current and inactive clients.
The leak also included zero day – previously unknown – Flash exploits, for which Adobe, yet again, released an emergency patch this week. I have lost track of how many patches Adobe has had to make to Flash this year.
Also leaked were the root passwords to all of their production servers. Whether the hackers imaged those servers before releasing that information is unknown, but could be useful to further embarrass the company.
What is interesting is that there were enough details in the leaked documents that exploit tool kits – several of them – were using the leaked Flash exploit within 2 days of its release. That is way faster than Adobe could release a patch and companies could deploy it.
Privacy advocates were quite pleased with the treasure trove of information about methods and techniques that are now public and therefore way less useful.
As part of Hacking Team’s damage control effort, once they got control of their Twitter account back, they told people that they should not open Christian Pozzi’s (one of HT’s security engineers) Firefox password file that was snared in the breach because it contained a virus. Highly unlikely that it did, but likely containable if it did. Another reason why the convenience of storing your password file in the cloud may not be worth it.
How were they hacked? No one has officially said, but some information that was disclosed in the breach could give a clue:
- The userid and password to their MySQL database were root and Ht2015. That seems secure. Not!
- Other server passwords revealed include Fuzzing1.!, P4ssword and HTPassw0rd. Apparently, even hackers don’t read the news. At least they did not use 123456.
- One administrator password was Kittens.
- License fees for their software were in the $40k to $250k per module per customer, so unless the FBI got a big discount, their million bucks didn’t buy them much.
- Apparently, their biggest customer is Mexico, followed by Italy.
- A maintenance contract with Barclays Bank for $18,000 Euros. The legality of Barclays using this is cloudy. They do not have any governmental immunity from hacking laws. They should expect a knock on the door from law enforcement any time now.
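Why the passwords listed above are weak even though most of them would pass a "mixed case, digit and symbol" complexity rule, as an added example that is not from the post or from Hacking Team: the checker below lowercases a candidate, strips trailing digits and punctuation, undoes common leet substitutions, and then compares the remaining core against a small dictionary and against the organisation's own name. The dictionary here is a constructed stand-in for a real breached-password list, and the organisation token "ht" is an assumption taken from the company initials visible in the leaked passwords.

```python
import re

# Common character-for-letter substitutions that add nothing against a cracker.
LEET_MAP = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed mini-dictionary; a real deployment would load a large breached-password list.
WEAK_WORDS = {"password", "kittens", "fuzzing", "qwerty", "letmein", "welcome"}


def normalize(pw):
    """Reduce a password to the word a cracker's rule set would derive it from:
    lowercase, strip leading/trailing non-letters (years, '1.!', etc.), then undo leet."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET_MAP)


def check_password(pw, org_tokens=("ht",), min_len=12):
    """Return a list of reasons the password is weak; an empty list means it passed.
    org_tokens are lowercase strings the organisation is known by (assumed here)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    if not core:
        reasons.append("contains no letters once digits and punctuation are removed")
        return reasons
    if core in WEAK_WORDS:
        reasons.append(f"dictionary word after normalisation: {core!r}")
    for tok in org_tokens:
        if core == tok:
            reasons.append(f"organisation name alone: {tok!r}")
        elif core.startswith(tok) and core[len(tok):] in WEAK_WORDS:
            reasons.append(
                f"organisation name plus dictionary word: {tok!r} + {core[len(tok):]!r}"
            )
    return reasons


if __name__ == "__main__":
    # The leaked values from the post, plus one passphrase that survives the checks.
    for candidate in ["Ht2015", "Fuzzing1.!", "P4ssword", "HTPassw0rd", "Kittens",
                      "123456", "wandering-glacier-teacup-47x"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:32} {'; '.join(verdict)}")
```

Every one of the leaked values collapses to a dictionary word or to the company initials once the decoration is stripped, which is exactly the transformation a cracking rule set applies first. The length check is listed separately because a long random passphrase passes all the other tests on its own, and that is the property worth enforcing.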
In any case, some would say that their being hacked is good; others would say it is bad, but it certainly gives us a view into the governmental use of hacking that we did not have before.
Information for this post came from Dark Reading.
For more details on how the breach happened, see information at SC Magazine.