Without the proper security in place, even the hackers can get hacked, and that is exactly what happened to the Hacking Team, an Italian group of cyber mercenaries who sold advanced hacking tools to the highest bidder regardless of how they would be used. The Hacking Team was exposed by rival hackers, who revealed shocking information when they dumped virtually all the group’s tools and communications online for all to see.
Even though the dangerous world of modern state surveillance has justly been exposed by whistleblowers such as Edward Snowden, the majority of forces that allow this wrongful type of internet spying have somehow managed to go unnoticed. In fact, it is a world that has yet to be explored. This morally and legally questionable world consists of private sellers secretly collaborating with intelligence agencies in order to assist in the maintenance of their wide range of methods for spying. These security agencies rarely receive any type of scrutiny due to their privileged relationships with influential groups that generally lack any type of mainstream media coverage. However, this month, the dark world of sordid exploit sales at last had its Snowden moment.
In early July, an activist hacker known as “PhineasFisher” was able to infiltrate the systems of the Italian company.
PhineasFisher was able to dump 400 gigabytes of information online for the world to see. The trove confirmed what had long been suspected and brought shocking revelations: the Hacking Team held business relationships with several different governments, including Russia and the United States, sold spyware to ruthless dictatorial regimes, and sold items directly targeting software developers, journalists, and activists for monitoring and surveillance.
The Hacking Team hack provides significant lessons concerning the vast security ecosystem as well as the diminishing line between public and private entities as we adapt to an age of hacking without borders.
Hacking Team is able to profit by selling exploits for popular computer software to important groups under the guise of “cybersecurity.”
When a firm offers to locate and report any vulnerabilities so that they can be patched or improved, this can generally be both a legitimate and beneficial trade. Unfortunately, these groups just sell government entities different ways to either spy on or manipulate innocent citizens and political enemies.
Indeed, there is a difference between these types of groups and the stereotypical hacker-for-hire who dresses in hoodies and is more often an individual of style than of ethical substance. Both groups have the ability to make money by purchasing or locating computer bugs that have yet to be discovered and then selling them to terrorist groups, political parties and governments at a significant price increase.
The trade in software exploits that feeds additional government surveillance is scary enough as far as privacy is concerned. The Electronic Frontier Foundation (EFF) and Reporters Without Borders, both activist groups, have criticized these practices for violating human rights as well as expanding the worldwide net of digital surveillance.
For $1 million, a ruthless sociopath sells it to Ethiopia in an effort to wreak havoc on significant portions of the Internet as well as crack down on journalists in the U.S.
Security researchers scoured the Hacking Team's data dump on WikiLeaks in an attempt to determine what software vulnerabilities the group was trying to sell, so that the public could be warned about which products were in need of updates or needed to be uninstalled. Individuals who keep good cyber hygiene will be able to keep themselves safe from such exploits, but the majority of individuals who are less savvy Internet users will likely remain vulnerable to attacks that are sold as “exploit kits”.
It is obvious that “security” was not the most important thing to the Hacking Team, as their own security was insufficient. Hacking Team lacked sophistication in their own cybercastle, as their password was simply “P4ssword.”
During a sensitive email discussion with an associate, Giancarlo Russo, COO of Hacking Team, asks, "Do you have PGP [email encryption] by the way? We really do need to encrypt these emails."
Hacking Team was essentially asking to be attacked by not-so-secretly hoarding lethal exploits and participating in significant bragging. Their one-stop shop of cyberweapons, lacking sufficient protection, proved too tempting even for competing hackers. The CEO of Hacking Team, David Vincenzetti, should have been better prepared. In 1992, Vincenzetti was responsible for the development of a “file tampering detector” that was able to repel and identify intruders, just like the Hacking Team, from computer systems.
Despite his early support of email-encryption software, Hacking Team’s emails show PGP was hardly used at all.
The Hacking Team’s angle of "freedom hacker turned government tool" reveals the disastrous incentive structure given to the small group of elite hackers who are able to build or break the surveillance network that tracks all of our online activities. They can decide to fight or expose the system, running the risk of foreign asylum, media demonization or spending the rest of their lives in prison for the brutal crime of defending our online freedoms. Or they can choose to sell out and enjoy large retirements as dealers of cyberweapons for the repressive states of the world.
Either way, this is a crucial reminder that the open Internet’s enemies are not limited to just the state.