Over the past week we saw the dismantling of one of the most reviled companies on the internet: Hacking Team. I’m sure everyone’s already read about their public shaming over the past couple days by having their dirty laundry strewn across the internet in a neatly bundled bit torrent file, but this incident leads me to think about a few other things regarding this week’s Hacking Team revelation.
· Based off these files it really shows how security companies and security professionals aren’t eating their own dog food. The code and emails that were released this past week shows we as security pros sometimes don’t follow the basic rules that we’re supposedly preaching. This is a wakeup call for everyone.
· Why aren’t we all up in arms with the countries who are using this technology in the first place? Is it because it’s easier to go after the little guy instead of taking on a Nation State? Most likely. It’s also sad that we’ve come to expect this now from our governments and that this is just status quo. What's even more revolting is having these government throw their hands up and act as if they had no part in this conspiracy. Is this really all they need to do in order to deflect the heat of this scandal and cry immunity? Seems like it.
· I’d very interested to see what VUPEN is doing internally to protect themselves from a similar compromise. With these vulnerability-for-hire companies making a living off compromising others, it’s more than ironic to watch their businesses crumble by them being the ones popped. I’m sure VUPEN and similar businesses have taken notice and are no battering down the hatches. They’re the ones now have to be worried about becoming prey.
· Obviously, incident response wasn’t a strong suit of Hacking Team. Blasting out what seemed like drunk tweets, purportedly DDoSing sites that had their juicy bit torrent file, telling people the files were laced with malware and threatening jail time is not the way to react to a data breach. It's definitely not the way you want a company to react, but this was most likely due to embarrassment and pride. Either way, don’t do what they did during a data breach.
· Since Hacking Team was in possession of at least two zero-day vulnerabilities, the question must be asked: How do you protect these pesky exploits? If you’re running a bug bounty like Google, Facebook, etc. how are you keeping these zero day vulnerabilities safe and hidden once they’re discovered? It’s very interesting, but if someone was able to determine or compromise the systems these companies are housing this data, they’d have a constant submission of zero-days flowing in for consumption. Not cool, my friend.
Companies aiding governments which are suppressing their citizens and developing tools that have most likely lead to countless captures, arrests or worse, receive no remorse for what happened. We do need to learn from this though, because every moment is a teachable moment, and understand that we need to protect our sensitive data better now. This is not an option and we’re seeing companies, even bad ones like Hacking Team, could have had this crisis reverted (thankfully the news is out) if they followed proper data protection techniques.