The sensitive documents stolen from offensive-security firm Hacking Team contain few real surprises, but the leaks resulting from the theft could have serious implications for the security industry.
Security and privacy experts knew the company created tools for infecting and monitoring targeted computers using acquired exploits for previously unreported, or “zero-day,” vulnerabilities and sold those tools to governments worldwide.
Yet, some of the details were unexpected. Hacking Team’s tools could exploit seven zero-day flaws. The firm had mobile surveillance tools more advanced than what many experts had expected. And the company worked—or had worked, as its CEO stresses—with governments that had a history of tracking, imprisoning and killing dissidents.
The full list of Hacking Team’s government clients surprised Adriel Desautels, CEO of security firm Netragard, which had acted as a broker, selling information on at least one of the zero-day vulnerabilities to the firm. While he stated in a leaked 2013 email to Hacking Team hosted by Wikileaks that “we do understand who your customers are both afar and in the U.S. and are comfortable working with you directly,” Netragard did not know the full extent of the company’s dealings, Desautels told eWEEK.
“After the hack, when we saw Hacking Team’s customer list was exposed and I saw who they were working with, at first I was angry, and then I realized that, despite our efforts, we could not control their ethics,” he said. “There is no framework in place to control that, and we could not rely on the contracts that we had.”
Within days, Netragard decided to exit the business of brokering exploit sales—a minor part of its overall business—until better regulations and laws could guarantee sold exploits went to legitimate authorities.
The decision underscores that the breach of Hacking Team’s network, and the resulting leak of sensitive business information, is continuing to have major impacts in the security industry.
The disclosure of seven zero-day vulnerabilities—four in Adobe Flash, two in Windows and one in Internet Explorer, according to vulnerability management firm Bugcrowd’s tally—has already enabled commodity attack software sold in underground malware markets to target otherwise protected systems.
“Those exploits were out there, but they were being used in a limited fashion,” Kymberlee Price, senior director of researcher operations at Bugcrowd, told eWEEK. “Now, they are being used extensively.”
Research has shown that exploitation attempts can spike dramatically, in some cases by a factor of as much as 100,000, after a working exploit for widely used software is published.
Yet, the ultimate impact may be on the discussion regarding vulnerability disclosure and the sale of exploits for zero-day vulnerabilities. Exploit sales had already become a controversial issue before the outing of Hacking Team’s business, but the snapshot of who buys and sells exploits has ratcheted up the debate.
“I think it will have little effect on the underground market, in their ability to sell or trade exploits to others,” Adam McNeil, malware intelligence analyst at Malwarebytes Labs, told eWEEK. “I think where it will have an effect is security researchers; these incidents will be used as catalysts in the development of new laws and regulations regarding the research and disclosure of the sales of vulnerabilities.”
Hacking Team Leak Could Lead to Policies Curtailing Security Research
Already, the signatories of the Wassenaar Arrangement, an international accord by which developed countries control exports of weapons and dual-use technology, have sought to add software exploits and intrusion software to the list of controlled items.
Over the past few months, a request for public comment on the proposed U.S. implementation of those Wassenaar changes spurred debate in the United States. Google, for example, told U.S. officials that the vague wording of the proposed rule could make security research fraught with legal peril.
“We believe that these proposed rules, as currently written, would have a significant negative impact on the open security research community,” Neil Martin, Export Compliance Counsel for Google, said in a statement on July 20. “It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure.”
While the Wassenaar Arrangement should likely be modified to rein in the unrestricted trade in exploit code, the treaty needs to keep any such restrictions extremely narrow, Netragard’s Desautels said.
“The Wassenaar treaty is too broad and far-reaching, and effectively makes it impossible to own a zero-day and disclose a zero-day,” he said. “You are going to disarm legitimate researchers and you are going to prevent them from doing that legitimate research, but you are not going to impact the bad guys.”
Dealing with fast-changing political alliances is also very difficult. Leaked emails show that Hacking Team did sell surveillance software to countries considered to have poor human-rights records, such as Ethiopia, Sudan and Russia. Yet the company has argued that it rejected business from other countries that intended to use the software for purposes other than fighting crime, and that when a current client misused the technology, it ended the business relationship.
“Ignored is the fact that, as the company’s thinking about public policy developed and as situations changed in these three countries, Hacking Team of its own volition ended these business relationships,” David Vincenzetti, CEO of Hacking Team, stated in a letter published in the International Business Times.
Any regulations controlling exploit sales need to take into account the ever-changing political climate, Malwarebytes’ McNeil agreed.
“It would be a large task to place on a company beforehand to say, ‘Okay, it is your responsibility to ensure that the country you are selling this to is not going to use it for nefarious reasons,'” he said.
What will be least impacted is nations’ ability to spy or monitor criminals and other targets, researchers said. While Hacking Team has argued that criminals and terrorists gain breathing room because of the breach, security researchers believe that legitimate law enforcement groups and intelligence agencies will quickly find new products to help them retain their ability to spy on targets and investigate criminals.
“While the exposure of Hacking Team will temporarily disrupt the surveillance operations of their customers, these customers will find new sources for exploits and malware,” Bugcrowd’s Price said. “If Hacking Team ceases to exist, the employees will find new jobs doing the same work for the same customers.”