Hacking Team Hacked, Attackers Grab 400GB of Internal Data

Several readers sent word that notorious surveillance company Hacking Team has itself been hacked. Attackers made off with 400GB worth of emails, documents, and source code. The company is known for providing interception tools to government and law enforcement agencies. According to the leaked files, Hacking Team has customers in Egypt, South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, Mongolia, Russia, Germany, Sudan, and the United States — to name a few. It has been labeled an enemy of the internet by Reporters Without Borders. "Clients have had their passwords exposed as well, as several documents related to contracts and configurations have been circulating online." Nobody knows yet who perpetrated the hack.
  • by Anonymous Coward on Monday July 06, 2015 @09:01AM (#50053199)

    Someone started uploading all the HackingTeam source code to GitHub: https://github.com/hackedteam?... [github.com]
    There are also some signing keys for kernel drivers in here.

    That's a bad day for Hacking Team and a good day for everyone else.

    • >> https://github.com/hackedteam/... [github.com]
      >> https://github.com/hackedteam/... [github.com]

      ndisk, eh? With a couple of components to collect, report and transmit?

      This thing kind of looks like the kit used in Shamoon, Sony, Icefog/Korea, etc.

    • Brilliant, people can start translating the comments in the source code from Italian [github.com] to English! Would be even funnier if people started filing issues and fixing bugs in their code.

      But more to the point, will this help bona fide security researchers with their work on fighting exploits on all platforms or is there not much of interest there? Any experts on the matter?

      • by johanw ( 1001493 ) on Monday July 06, 2015 @09:35AM (#50053495)

        Some 0-day leaks were found too, so I think MS will be quick to patch them.

      • >> people can start translating the comments in the source code from Italian to English!

        Really, you can't follow the code without English comments?

        >> will this help bona fide security researchers with their work on fighting exploits on all platforms?

        It gives us a couple more signatures to look for. I'm really getting sick of the "fake driver" vector though; it's 2015 and still trivial to get Windows platforms to cough up anything you'd want. As long as AV vendors ignore things like this (e.g.,

        • by Anonymous Coward

          >> people can start translating the comments in the source code from Italian to English!

          Really, you can't follow the code without English comments?

          Surely if it needed comments in the first place then it implies that the code isn't easy to follow, even for the original author.

          • Re: (Score:1, Troll)

            >> Surely if it needed comments in the first place then it implies that the code isn't easy to follow

            (facepalm)

        • by jimbolauski ( 882977 ) on Monday July 06, 2015 @10:06AM (#50053799) Journal

          Really, you can't follow the code without English comments?

          I pray you don't write any software that other people have to use. Most companies will flat out reject code if it has not been properly documented.

          • Really, you can't follow the code without English comments?

            I pray you don't write any software that other people have to use. Most companies will flat out reject code if it has not been properly documented.

            Maybe you should have watched all the "be professional programmer" webinars.

        • by dunkelfalke ( 91624 ) on Monday July 06, 2015 @10:14AM (#50053859)

          Comments aren't there for following the code - even a code monkey like me can do that. They are to explain the reasoning behind the code.

          • They are to explain the reasoning behind the code.

            This is a huge purpose for comments. Also, maybe I can interpret the code perfectly well without comments. How well can I depend on everyone else who is modifying the code to be able to interpret it properly?

            Well-documented code helps protect it from the introduction of bugs by later contributors.

            • They are to explain the reasoning behind the code.

              This is a huge purpose for comments. Also, maybe I can interpret the code perfectly well without comments. How well can I depend on everyone else who is modifying the code to be able to interpret it properly?

              Well-documented code helps protect it from the introduction of bugs by later contributors.

              Imagine comments like "Manager asked me to implement this to make it easier for to target " Not so interesting wrt the code, very useful though for anyone interested in the meta game.

              I bet there's all kinds of incriminating stuff in there of no interest to programmers.

        • >> people can start translating the comments in the source code from Italian to English!

          Really, you can't follow the code without English comments?

          >> will this help bona fide security researchers with their work on fighting exploits on all platforms?

          It gives us a couple more signatures to look for. I'm really getting sick of the "fake driver" vector though; it's 2015 and still trivial to get Windows platforms to cough up anything you'd want. As long as AV vendors ignore things like this (e.g., https://www.google.com/webhp?s... [google.com]) it will continue to be easy for nearly anyone to write their own "advanced persistent threat."

          Comments often contain all kinds of juicy info. It's not about following the code; it's about getting insights into all kinds of non-code related things.

      • Brilliant, people can start translating the comments in the source code from Italian [github.com] to English!

        Comments in Italian is actually a blessing for English speaking coders. Dijkstra's dictum was: "Never debug the comments. Always debug the code". (I could not find the reference, if he did not say it, someone equally great said it, because it is certainly not my original idea. ) Often comments are redundant, insanely stupid, misleading or obsolete. The only useful comments I find in my own code are along the lines of: "Yes, this function searches through the entire edge list, we tried to speed it up, but t

      • ... will this help bona fide security researchers with their work on fighting exploits on all platforms ... ?

        I wonder if this will also help people trying to write open software for closed devices? Signing keys, driver sources with spyware installed, ... Not only does it expose the malware bypassing the user's security, it may also expose the internal details of how the devices are driven and/or how to compromise the malware's and devices' anti-user "security".

        (I have often wondered how many of the closed

    • Someone started uploading all the HackingTeam source code to GitHub ... There are also some signing keys for kernel drivers in here.

      IMHO:

      Anyone with a project hosted on GitHub should pull a backup copy NOW!

      Hosting this leak on GitHub could lead to moves by authorities to contain it - which could have the side effect of making GitHub and/or some projects on it unavailable - temporarily or permanently.

      Better safe than sorry.

  • *What's good for the goose...*

    Schadenfreude...

  • Serves those maggots well.
    • by D.McG. ( 3986101 ) on Monday July 06, 2015 @09:34AM (#50053479)
      How does a group like that not notice 400GB of traffic exiting the building? If it were done in a single day, the hackers would need to draw down 4,629,629 bytes per second sustained for 24 hours.
      • by s0litaire ( 1205168 ) on Monday July 06, 2015 @09:41AM (#50053543)

        Probably thought it was one of their bit-torrent clients..

        Even evil hackers require an extensive porn collection to do their job...

      • by Anonymous Coward

        Which is a pretty slow bandwidth nowadays... I would get 400GB down in roughly 22 hours with my lazy connection at home... I could bet the involved parties both have a little more speed at hand

        • If I've got my calculations right, to complete the downloading of that amount of data in a single day, it would need a 37,9259 Mib/s bandwidth -- 37,9255 Mib/s on last 6/30 --, which is quite trivial in some places.
          • I have a friend who lives in a Condo in Toronto and his residential pipe is 100/100 for 40 bucks a month, and they offered to boost it to 400/400 for an extra 30 bucks a month, but he has no need for that much speed. (Note, this is atypical for Canada, but it's the same building Deadmau5 used to live in, and he augured to bring in a high-end ISP.)
  • It's 2015, I just finished competing in BattleBots, and this is front page news. 12 year old me would be very happy about how things are going.
    • What's your bot? (My boys and I are watching the show on ABC.)

      • What's your bot? (My boys and I are watching the show on ABC.)

        What a horrible job they did of putting that show together. Battles are only 3 minutes, but with all the commentary, backgrounders, interviews and fluff, they can only fit FOUR battles into an hour-long show. Worse, they include so much commentary they actually EXCLUDE about 1/2 the battles, and just show a few highlights from some.

        Imagine if a network covered the NBA playoffs like that? Producers at ABC certainly showed a lot of incompetence with that show.

        • I think they did a better job than CC did... and yeah we didn't pay a whole lot of attention to the commentators :) The two battles that weren't shown had a big problem: underpowered weapons. Basically very little happened.
        • Re:Yay! (Score:4, Funny)

          by jandrese ( 485 ) <kensama@vt.edu> on Monday July 06, 2015 @01:03PM (#50055437) Homepage Journal
          In other words they covered it exactly the same way they cover the Olympics?
        • What's your bot? (My boys and I are watching the show on ABC.)

          What a horrible job they did of putting that show together. Battles are only 3 minutes, but with all the commentary, backgrounders, interviews and fluff, they can only fit FOUR battles into an hour-long show. Worse, they include so much commentary they actually EXCLUDE about 1/2 the battles, and just show a few highlights from some.

          Imagine if a network covered the NBA playoffs like that? Producers at ABC certainly showed a lot of incompetence with that show.

          Let me guess, they also flick the video fast never lingering on a single scene for more than a few seconds so you can't really follow anything?

        • And yet, it's still better than pretty much any reality show on TV. Not saying much, I know, but I'd rather watch Battlebots (poorly put together or not) than Survivor: Yet Another Location.

        • The battles don't need to be longer than 3 minutes. I think there was a single match so far that went to a split decision and could have benefited from an extra minute.

          ABC excluded less interesting preliminary fights. Now that a viewing audience has built up all the matches get shown.

  • by Ukab the Great ( 87152 ) on Monday July 06, 2015 @09:07AM (#50053229)

    We apologize for corporate and govt data breeches. Those responsible have been
    hacked.

    ---

    We apologise again for the data breeches. Those responsible for hacking
    the people who have just been hacked,
    have been hacked.

  • by troon ( 724114 ) on Monday July 06, 2015 @09:32AM (#50053449)

    "400GB worth of emails, documents, and source code"

    Seems unlikely. There's going to be a lot of... binary data in there, surely.

    • "400GB worth of emails, documents, and source code"

      Seems unlikely. There's going to be a lot of... binary data in there, surely.

      They got it all from /dev/null and used compression.

    • by AmiMoJo ( 196126 )

      Git repositories, with history going back... Now on Github for your convenience: https://github.com/hackedteam?... [github.com]

    • by jandrese ( 485 )
      If you think 400GB of email alone is too much you clearly have never worked in a company that allows you to mail powerpoints around.
  • by Anonymous Coward

    Nobody knows what really happened. It's an excuse to bandy around meaningless but scary-sounding terms yet once more. Any excuse will do.

  • by fulldecent ( 598482 ) on Monday July 06, 2015 @10:01AM (#50053757) Homepage

    Can someone please explain the significance and consequences of publishing this:

    GeoTrust_SigningCertificateExported_2011.pfx

    https://github.com/hackedteam/... [github.com]

    • by Anonymous Coward

      Can someone please explain the significance and consequences of publishing this:

      It means that anything signed by that key can't be trusted and probably contains a government Trojan.

      • by mwvdlee ( 775178 ) on Monday July 06, 2015 @11:46AM (#50054657) Homepage

        From the looks of it, this key seems to be used for signing Windows binaries, not for SSL certificates.
        Surely somebody more knowledgeable can confirm or deny this?

        • by Anonymous Coward on Monday July 06, 2015 @12:08PM (#50054861)

          It's confirmed. One of the news stories (can't remember which one) said that HT would recommend that their clients purchase digital certs to sign the malware they bought in order to skirt anti-virus scans. Apparently most antivirus software will ignore legitimate-looking signed apps with certs that have been timestamped. The GeoTrust cert is probably a test cert that HT uses.

      • by Anonymous Coward

        Certificate has been revoked. It is also only valid for code signing.

        The significance should be nil by now

        • by Anonymous Coward

          Do you have a link to this information?

    • by dissy ( 172727 ) on Monday July 06, 2015 @12:47PM (#50055255)

      Can someone please explain the significance and consequences of publishing this:
      GeoTrust_SigningCertificateExported_2011.pfx

      It's another couple of good patterns for antivirus software to look for and trigger upon finding.
      Anyone infected with their rootkitted drivers four years ago who hasn't had the malware update may find out about being infected with it.

      If they used the same company name for their 2015 certificate as is used in the certs published, that would be another signature for AV software to trigger on if they kept your rootkitted drivers updated.

      That's about it however.

      The certificate is long expired so can't be used to sign any new code with.
      You can also be pretty certain their next certificate (to be issued any day now, if not already) will be under a different name as well.
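      A defender's way of answering the question asked in this subthread (what a leaked .pfx actually exposes: whether it bundles the private key, what the certificate may be used for, whether it has expired, and which fingerprint to add to detection rules), as an added example that is not part of the thread. It assumes the openssl CLI is installed; the certificate, its subject, the password and the function names are all constructed here, since the leaked GeoTrust file itself is not available.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI (1.1.1+ for
# -addext). The certificate is constructed here; no leaked material is used.
set -e
WORK=$(mktemp -d)
PFX_PASS=example   # constructed password for the sample bundle

# Build a throwaway self-signed certificate whose only EKU is code signing,
# then wrap cert + private key into a PKCS#12 (.pfx) like the leaked file.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Srl/CN=Example Code Signing" \
    -addext "extendedKeyUsage=codeSigning" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/sample.pfx" -passout "pass:$PFX_PASS" 2>/dev/null
  echo "$WORK/sample.pfx"
}

# Extract only the end-entity certificate (PEM) from a .pfx.
pfx_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# "key" if the bundle carries the private key, i.e. anyone holding the
# file can sign binaries; "nokey" if it is just the public certificate.
pfx_has_private_key() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
       | grep -q "PRIVATE KEY"; then echo key; else echo nokey; fi
}

# Extended Key Usage, e.g. "Code Signing" (executables/drivers only, not TLS).
pfx_eku() {
  pfx_cert "$1" "$2" | openssl x509 -noout -text \
    | grep -A1 "Extended Key Usage" | tail -n 1 | sed 's/^ *//'
}

# "VALID" or "EXPIRED" now. An expired key cannot make new accepted signatures,
# but timestamped signatures made before expiry still verify, so the
# fingerprint below matters as a detection indicator regardless.
pfx_validity() {
  if pfx_cert "$1" "$2" | openssl x509 -noout -checkend 0 >/dev/null; then
    echo VALID; else echo EXPIRED; fi
}

# SHA-256 fingerprint of the certificate, usable as an AV/blocklist indicator.
pfx_fingerprint() {
  pfx_cert "$1" "$2" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

P=$(make_sample_pfx)
echo "private key: $(pfx_has_private_key "$P" "$PFX_PASS")"
echo "eku: $(pfx_eku "$P" "$PFX_PASS")  validity: $(pfx_validity "$P" "$PFX_PASS")"
echo "fingerprint: $(pfx_fingerprint "$P" "$PFX_PASS")"
```

Run it against a real bundle with `pfx_has_private_key file.pfx password` and friends; a "key" result is what makes the leak dangerous, while the EKU and validity results decide whether old signatures, rather than new ones, are the thing to hunt for.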

  • It's a lame attempt at coolness, like "Black Asphalt" as a code for stealing random drivers' money during traffic stops. The name "Hacking Team" does not make it an actual hacking team.

  • by Anonymous Coward

    https://twitter.com/FredericJa... [twitter.com]

    Subject: UID=DE9J4B8GTF, CN=iPhone Distribution: HT srl, OU=DE9J4B8GTF, O=HT srl, C=IT

  • Oh ya, we're fucked.
  • by Anonymous Coward

    magnet [magnet]

  • Kevin Mitnick's twitter has this update:

    https://twitter.com/kevinmitni... [twitter.com]

  • From first link: "Hacking Team's Christian Pozzi was personally exposed by the incident, as the security engineer's [poor quality, easily guessed] password store from Firefox was published as part of the massive data dump. The websites indexed include social media (Live, Facebook, LinkedIn), financial (banks, PayPal), and network related (routers with default credentials)."

    What kind of security conscious person uses Firefox for storing important passwords, let alone someone calling themselves a security en

    • Please elaborate on why it's dangerous to store passwords protected by a strong password in Firefox Sync. Mozilla has no access to decrypted passwords; nobody has. The code is open source and the server can be your own instead of Mozilla's.

  • Looks like some interesting stuff in there for Android, but none of it will now qualify for the Android Security Rewards Program: "Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward." Source: http://www.google.com/about/ap... [google.com]
    • I doubt Google will fix them anyway, if they are on a carrier-locked device. They haven't even fixed TLS on the system default browser on a lot of their devices. 80% of Android installs are abandonware.
