Hacking Team Leak Could Lead to Policies Curtailing Security Research
While the disclosure of Hacking Team's marketing of zero-day flaws has roiled the security community, the reaction of policy makers could have a lasting impact on legitimate security research.

The sensitive documents stolen from offensive-security firm Hacking Team contain few real surprises, but the leaks resulting from the theft could have serious implications for the security industry. Security and privacy experts already knew the company built tools for infecting and monitoring targeted computers using acquired exploits for previously unreported, or "zero-day," vulnerabilities, and that it sold those tools to governments worldwide.

Yet some of the details were unexpected. Hacking Team's tools could exploit seven zero-day flaws. The firm had mobile surveillance tools more advanced than many experts had expected. And the company worked (or had worked, as its CEO stresses) with governments that had a history of tracking, imprisoning and killing dissidents.

The full list of Hacking Team's government clients surprised Adriel Desautels, CEO of security firm Netragard, which had acted as a broker, selling information on at least one of the zero-day vulnerabilities to the firm. While he stated in a leaked 2013 email to Hacking Team, hosted by Wikileaks, that "we do understand who your customers are both afar and in the U.S. and are comfortable working with you directly," Netragard did not know the full extent of the company's dealings, Desautels told eWEEK.
"After the hack, when we saw Hacking Team's customer list was exposed and I saw who they were working with, at first I was angry, and then I realized that, despite our efforts, we could not control their ethics," he said. "There is no framework in place to control that, and we could not rely on the contracts that we had."