This is the (so far) 3-part TalkBiz News series on the recent explosive Hacking Team revelations.
Part 1 – “Who Hacks the Hackers?” – July 6
In what may be the scariest story on digital security since the hacking of systems to spy on the international community’s discussions with Iran over it’s nuclear program, a firm called “Hacking Team” has been hacked. In a big way.
The firm sells tools to governments to spy on their citizens, even when they’re using encrypted communications.
According to early reports, these tools allow anyone who has them to break into virtually any mobile device. There seems to be no country the firm won’t sell to, regardless of their record of abuses.
The 400 gigabytes of data stolen from the firm and released to the public includes source code.
Wired has a good summary of the story, at:
They don’t really get into the potential security issues down the road, as the story focuses more on the Snowden-like implications of the disclosure. It’s also difficult to know just how dangerous that source code might be in the wrong hands without knowing exactly what was released.
400 gigs is a lot to go through, and the leak only appears to have happened last evening (Sunday, July 5).
The worst case scenarios are pretty bad. As in, security nightmares for hundreds of millions of people. Depending on what’s in there, we could soon have random hackers gaining access to spy systems installed and operated by governments. Or the digital creeps could use that code to bring botnets and identity theft to a whole new level.
It’s likely we’ll see companies using the code and/or the contacts to expand their industrial espionage systems.
Small-scale tools could easily come out of this, too. It may well be another source for “spy on your spouse/ex/kids/employees” malware.
Given the degree of control over remote devices that are implied in the stories I’ve read so far on it, this is way beyond just tracking locations.
Of course, sunshine doesn’t always mean a burn. As Justice Brandeis remarked, “Sunlight is said to be the best of disinfectants.”
It is possible that security firms like Kaspersky could use that code to find ways to remove or block Hacking Team’s tools, and governments which are responsive to their citizens could face huge backlash against this level of spying. Given the timing, that seems to be the likely goal of the release.
The political fallout is almost guaranteed to be significant. As for the implications for individuals and companies, a lot will depend on that code.
I’ll be keeping an eye on this story, and will update you as more information makes its way out from security analysts and bleary-eyed coders.
This could become very interesting.
Part 2 – “Freaking Team” – July 8
Hacking Team, the company that sells the literal spyware that I mentioned last issue, is freaking out. I suspect their customers are, too.
According to Motherboard, they’re telling all the countries and spy agencies they’ve sold it to that they need to shut the software down, completely.
It also appears the various entities who bought the product, called Galileo, got “watermarked” copies. That could make it possible to tell which agencies were tracking which people or groups.
This has the potential to be more politically and diplomatically explosive than Edward Snowden’s leaked documents.
Digital spying and crippled encryption is among the most important civil rights issues facing people throughout the world right now. Hopefully, this kind of leak will create enough backlash to get things moving back in the right direction for a while.
I can imagine the chaos in some spy circles at the moment. And as far as Hacking Team… As Bruce Schneier put it, “It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads.”
Or, to paraphrase Jerry Lee Lewis, “There’s a whole lotta freaking going on.”
Further bulletins as events warrant.
Part 3 – “More on Hacking Team” – July 15
There’s bad news and good news on the fallout from the release of all those files stolen from surveillance software form Hacking Team.
The bad news: So far, the discoveries include 3 zero day exploits in Adobe’s Flash software, 1 in Windows Internet Explorer, and 1 in the Windows kernel. These were previously unpublished, which means they were exploitable until after these files were stolen and released.
Of those, fixes have been rolled out for all but the 3rd Flash exploit, as of this writing. One assumes that last one will be patched soon. So, update Flash and install any Windows updates that may be waiting. The relevant Windows patch was released July 14th.
The IE bug was nasty. It allowed for remote code execution, which opens vulnerable machines to all sorts of nasty abuses, including drive-by downloading and installation of malware.
The Flash bugs were the last straw for some folks. Firefox and Chrome both changed their default settings to disable the Flash plugins. You have to explicitly change those to make it work without intervention on a case-by-case basis. Alternatively, you can leave it off, and allow individual Flash elements (like videos) to play when you’re confident of the source.
I’ve left it turned off and found very little that I really wanted to see enough to enable it even on a one-time basis. It’s interesting to see how many ads use Flash, though.
The new security chief at Facebook wants Adobe to set a date to kill Flash once and for all. He, like many people in the field of digital security, has gotten tired of the incessant flow of critical vulnerabilities in the software.
I can’t disagree. I’ve had to update Flash for security reasons more than any software I’ve ever used. Well, except for Windows, but that’s a lot more complex than just Flash.
That kind of industry pressure is part of the good news, as is the patching of all those gaps.
More good news comes in the fact that anti-virus/security software companies are said to be modifying their products to detect and remove the Hacking Team code. Nothing definitive yet, but that’s not surprising. Lots of stuff to go through.
Back on the bad news front, it seems HT also developed and sold a BIOS-based root kit. It is said to require physical access to a device to install it, but once it’s there, it stays. You can’t even get rid of it by swapping in a brand new blank hard drive.
You’d have to re-flash the BIOS to remove it. And how many people are going to know that’s an option, much less understand how to do it? (Added: It’s also not uncommon to brick a machine in the process of flashing the bios.)
The network-savvy will find it scary that Hacking Team, in conjunction with the Italian government, also used a BGP hijack to recover access to some of the targets they lost when their spammer-friendly hosting service went down.
That’s dangerous in all sorts of ways.
The political issues involved in having the kind of surreptitious access to someone’s computers that this stuff allows are serious. Those are fodder for a later discussion, though. They boil down to how far you trust a given government.
On a more practical note, you need to stay aware of these things as you go through your digital routines. This software allows tracking someone through pretty much any sort of security. As an example, the FBI wanted to use it to identify someone through a TOR connection, and were told that, with certain conditions being met, they could do so. (One hopes they had a warrant for that…)
And these kinds of exploits allow for planting files on remote machines. Yep, just like in the movies, where the target’s computer is seeded with phony evidence, and all traces of the real source eliminated.
Can you say phr4m3d?
Governments aren’t the only ones who might want to use this kind of “feature.” If you operate a WordPress site, you know, as you’ve probably had hackers drop files on your server without permission already. Or if you’ve ever had a computer infected with malware.
The worst is the stuff that turns your machine into a torrent node. You have no clue what kind of illegal trash might be getting routed through your system when that happens, and you may well be legally responsible for all of it.
An interesting aspect of this story is the degree to which these folks rely on social engineering to get their software onto the targets’ machines. The approaches range from blunt tactics like crude spams to more long-term trust development through fake personas.
In the end, though, it seems to most productive methods involved exploiting the end user, rather than just technological weaknesses.
Apparently, their customer in Azerbaijan had a hard time wrapping his head around that concept. 😉
On the good news front, it seems each governmental customer got a copy of the software that was traceable to them. So, with the spreadsheets in the released file dump and a copy of the software, you can see a lot about who’s tracking whom.
Well, that’s not good news if you’re a legitimate LEO going after a genuine terrorist. It is if you’re a reporter or political activist who’s being tracked by a government hostile to free speech or dissent, though.
Now, let’s shift gears for a minute. We’ve been talking about governments having this kind of ability. What about private entities?
What if someone could track every move you make, listen in to all of your phone conversations and much of the chatter in your home or office, and turn on your webcam or the camera on your phone any time they wanted?
Let’s call the main “secret agents” in this trend Siri, Cortana, Alexa, and … Google.
No, I’m not suggesting that Apple, Microsoft, Amazon, or Google are eavesdropping on everything you say. Just that they could. Those voice-activated helper apps have to be listening all the time to know when to activate, after all.
And they’re only one good hack away from being hijacked by not-so-benevolent critters. A much more serious concern, I think.
Some of the apps that are available for phones and tablets can do all of what I just described and much more. And I don’t give them anywhere near the benefit of the doubt I’d give Apple or Amazon. Some of them are pure malware in games’ clothing.
Look at the permissions before you install anything. And, if you’re using an Android system, install DCentral1 and check the permissions of apps you’ve already installed.
If you use Apple products and only download from the iTunes store you’re probably okay, as far as that end of things goes.
Android is a whole other kettle of fish.
Back to the Hacking Team stuff.
The really good news is that this has helped push more attention to the use of digital espionage by governments. Hitting at the same time as the push by various western spy agencies to cripple encryption, this may help make folks more aware of just how widespread data surveillance has become.
The UK is on the verge of simply criminalizing the use of strong encryption by private citizens. Prime Minister Cameron seems to have no clue the damage his policies would do to legitimate businesses and individuals.
The US agencies are taking a more nuanced tack. They’re trying to get the various services involved to leave them back doors and access to encryption keys. Same damage potential as the Cameron approach, just less clumsy.
These folks should look into the encryption wars of the 90s. This fight has already been done, and the “no secrets” crowd lost. And that’s back when there were a whole lot fewer people involved, and a lot less at stake.
And it’s not just the Good Guys who’re watching.
To give you a hint of the kinds of problems all this digital tracking can create without you knowing, consider…
“An Apple a Day Keeps No-one Away”
According to Virgin Radio Toronto, your iPhone may be a serious threat to your safety and privacy. Nifty feature called “Frequent locations” that most people don’t know about.
They give the following instructions to find it:
“Go to Settings, Privacy, and Location Services. Then go to System Services and find the Frequent Locations menu. There, you will see your home address and basically anywhere you’ve been recently, from malls to restaurants to your friends’ houses.”
Click on one of those items. It shows your home address, when you arrived at the specific location, and how long you stayed. And, if you use some geo-tracking systems on your phone, the person holding it could even tell how you travelled to get there.
For some folks this won’t matter. For others, it might be a huge deal. And some of us object purely on the principle of the thing.
If you don’t want anyone being able to see your every move just by getting hold of your phone, here’s how you fix that.
Under the frequent locations menu, clear the history and just turn the option off.
Another landmine in the digital terrain avoided.
I may get into some of the reasons law-abiding people should care about this in an upcoming issue. In the mean time, just be more aware of what’s going on with your portable devices, eh?
And don’t make public posts on Facebook announcing when you’re going to be on vacation away from home.
This series originally appeared in TalkBiz News. To subscribe (it’s free) visit http://talkbiz.com