Hacking Team Leak Could Lead to Policies Curtailing Security Research

While the disclosure of Hacking Team's marketing of zero-day flaws has roiled the security community, the reaction of policy makers could have a lasting impact on legitimate security research.

The sensitive documents stolen from offensive-security firm Hacking Team contain few real surprises, but the leaks resulting from the theft could have serious implications for the security industry.

Security and privacy experts knew the company created tools for infecting and monitoring targeted computers using acquired exploits for previously unreported, or "zero-day," vulnerabilities and sold those tools to governments worldwide.

Yet, some of the details were unexpected. Hacking Team's tools could exploit seven zero-day flaws. The firm had mobile surveillance tools more advanced than what many experts had expected. And the company worked—or had worked, as its CEO stresses—with governments that had a history of tracking, imprisoning and killing dissidents.

The full list of Hacking Team's government clients surprised Adriel Desautels, CEO of security firm Netragard, which had acted as a broker, selling information on at least one of the zero-day vulnerabilities to the firm. While he stated in a leaked 2013 email to Hacking Team hosted by WikiLeaks that "we do understand who your customers are both afar and in the U.S. and are comfortable working with you directly," Netragard did not know the full extent of the company's dealings, Desautels told eWEEK.

"After the hack, when we saw Hacking Team's customer list was exposed and I saw who they were working with, at first I was angry, and then I realized that, despite our efforts, we could not control their ethics," he said. "There is no framework in place to control that, and we could not rely on the contracts that we had."

Within days, Netragard decided to exit the business of brokering exploit sales—a minor part of its overall business—until better regulations and laws could guarantee sold exploits went to legitimate authorities.

The decision underscores that the breach of Hacking Team's network, and the resulting leak of sensitive business information, is continuing to have major impacts in the security industry.

The disclosure of seven zero-day vulnerabilities—four in Adobe Flash, two in Windows and one in Internet Explorer, according to vulnerability management firm Bugcrowd's tally—has already enabled commodity attack software sold in underground malware markets to target otherwise protected systems.

"Those exploits were out there, but they were being used in a limited fashion," Kymberlee Price, senior director of researcher operations at Bugcrowd, told eWEEK. "Now, they are being used extensively."

Research has shown that a dramatic spike in usage, sometimes as much as a factor of 100,000, can occur following the public release of an exploit in popular software.

Yet, the ultimate impact may be on the discussion regarding vulnerability disclosure and the sale of exploits for zero-day vulnerabilities. Exploit sales had already become a controversial issue before the outing of Hacking Team's business, but the snapshot of who buys and sells exploits has ratcheted up the debate.

"I think it will have little effect on the underground market, in their ability to sell or trade exploits to others," Adam McNeil, malware intelligence analyst at Malwarebytes Labs, told eWEEK. "I think where it will have an effect is security researchers; these incidents will be used as catalysts in the development of new laws and regulations regarding the research and disclosure of the sales of vulnerabilities."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...