Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government The Internet Your Rights Online

Hacking Team Breach Leaks Zero-Days, Renews Fight To Regulate Cyberweapons 123

Patrick O'Neill writes: In the days following a massive hack that confirmed Hacking Team's dealings with repressive regimes around the world, experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians. Regulation's backers say that "this is an industry that has failed to police itself," ACLU's Christopher Soghoian argued, but many including the EFF warn that overly broad legislation would harm more than help. In addition, wiredmikey points out that a number of exploits have been released in the wake of the hacking: Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team. Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player. A readme document found alongside proof-of-concept (PoC) code for one of the Flash Player zero-days describes the vulnerability as "the most beautiful Flash bug for the last four years since CVE-2010-2161." In addition to the Flash Player exploits, researchers spotted an exploit for a Windows kernel vulnerability, a flaw that fortunately has already been patched. Adobe told SecurityWeek that it's aware of the reports and expects to release a patch on Wednesday.
This discussion has been archived. No new comments can be posted.

Hacking Team Breach Leaks Zero-Days, Renews Fight To Regulate Cyberweapons

Comments Filter:
  • by NotDrWho ( 3543773 ) on Wednesday July 08, 2015 @02:31PM (#50071499)

    experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians.

    Are their any governments left that DON'T do this as a matter of practice?

    • by blueg3 ( 192743 )

      Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?

      • Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?

        Depends on whether the human rights activists are fighting oppressors the US likes, or doesn't like.

      • Do you think the US and UK treat journalists and human rights activists the same way they are treated in Egypt and Sudan?

        Of course not. When it comes to using spyware and backdoors to spy on journalists, the US and UK are *MUCH* worse.

    • by GuB-42 ( 2483988 )

      Are their any governments left that DON'T do this as a matter of practice?

      Greece, because they don't have the money.

  • by Jonathan P. Bennett ( 2872425 ) on Wednesday July 08, 2015 @02:43PM (#50071575)

    First, the entire idea of cyberweapons is laughable. Exploits are only possible because of flaws in the code. That is no more a weapon than an unlocked door.

    Second, you cannot regulate them as they are immaterial. It would be possible to discover a previously unknown vulnerability, and then not record the finding anywhere. Congratulations, you have a cyberweapon in your brain. Good luck regulating that.

    • The EFF is right, since if written poorly, 'ping -f' could be considered a cyber-weapon, and one that's widely distributed by many open source O/S platforms.
    • While the term "cyberweapon" is ludicrous, I think there is still a valid question concerning what the legal consequences are of selling zero-day vulnerabilities or tools that use them. Is it even illegal? Or is only illegal if they are used for an illegal activity? And if that is the case, how is illegal activity defined in an international governmental context? This will likely all get worked out by case law, but maybe it would help to write or revise some laws as well.
    • You're conflating the vulnerability with the weapon. The weapon is not the vulnerability, the weapon is the piece of code that exploits or attacks the vulnerability. Those pieces of code are most certainly material.

    • First, the entire idea of cyberweapons is laughable. Exploits are only possible because of flaws in the code. That is no more a weapon than an unlocked door.

      I also find the idea of lockpicks laughable. Lockpicking is only possible because of fundamental design flaws in locks. They are no more a weapon in a thief/spy's arsenal than an unlocked door.

    • by AmiMoJo ( 196126 )

      Exploits are not cyberweapons. That's not what the word means.

      Look at what this company offers. It's a suit of software, with on-going updates and support, designed to make attacks on people's computers. It's a number of exploits that have been turned into a useful and complex tool, supported and maintained. They will even sell you boxes with it pre-installed and set up for your needs, just plug in and start oppressing.

      Regulating such things is easy. They require significant amounts of work to develop, and

  • So, who, effectively, is going to regulate them? They'll just find a place where the regulatory regime will permit (if not actively encourage) their activities. The regulation argument is hilarious.

    • Regulation isn't the answer, no - you can't get rid of them that way any more than you can get rid of weapons. The ones that we've been successful at banning are the ones nobody really saw as being effective or necessary anyway (Chemical weapons, and some countries have gotten rid of land mines - but not the ones with heavily fortified armed borders).

      That said, it's an imperfect analogy. I can't make myself and everyone else immune to a 5.56mm round from a rifle simply by knowing about its existence, wha
  • What fight to regulate cyberweapons? What cyberweapons? Jesus are people really that nuts now?

  • Regulation's backers say that "this is an industry that has failed to police itself,"

    Would you expect liquor stores to self-regulate and decide the drinking age is too low?

    Self-regulation might work for some cheap and easy things, but no industry is going to refuse to sell to a massive portion of the market voluntarily. If you want to stop them you need legal enforcement.

    • by Nutria ( 679911 )

      Of course not!! *Obviously* the Chinese and Russian governments have have a long history of secular humanism and effective promotion of their citizens' welfare.

      (Oh, wait. That's Denmark & Sweden back when they didn't have many dark-skinned immigrants.)

  • They were basically selling zero day exploits in pre-packaged kits to anyone with money. So... is that legal? Because it sounds like a winner.

    • Re: (Score:3, Insightful)

      by horm ( 2802801 )
      Considering they're based out of Milan, I doubt they were that concerned about US regulations.
  • Yet again Adobe (Score:5, Insightful)

    by Virtucon ( 127420 ) on Wednesday July 08, 2015 @03:29PM (#50071887)

    Is it just me or does Adobe's software have the worst engineering practices practices in the industry. Every other fucking week there's an Adobe vulnerability. Scratch your ass, Adobe Vulnerability. Sneeze? Adobe Vulnerability. Walk your dog? Adobe Vulnerability.

    This company needs to just be banned from producing any software, period, unless they provide the source code as well.

     

    • This company needs to just be banned from producing any software, period, unless they provide the source code as well.

      And you should be banned from holding any public office.

    • by antdude ( 79039 )

      What about other companies? :(

    • Is it just me or does Adobe's software have the worst engineering practices practices in the industry. Every other fucking week there's an Adobe vulnerability. Scratch your ass, Adobe Vulnerability. Sneeze? Adobe Vulnerability. Walk your dog? Adobe Vulnerability.

      Follow the facts to the obvious conclusion: Adobe is being *paid* to add exploits to one of the most ubiquitous pieces of software on the net - tellingly even a requirement for some banking and bill paying sites. Given this seemingly endless fount

    • Their CQ (now AEM) website CMS product also has more holes than a sieve. When they produce 'security packs', they refuse to tell you what areas they touch with it "for your security". In other words, they just give you a binary blob that may, or may not, break random aspects of your application but don't tell you what areas to test. Funnily enough, this isn't something Gartner bothered to look into before they took the money to put CQ into the 'magic quadrant'.

      It's not so much they can't write code, its tha

    • by AmiMoJo ( 196126 )

      Do we even need Adobe software any more? Okay, they do some good productivity stuff, but all the vulnerabilities are in Flash and Reader. Flash has been replaced by HTML 5, and is mostly used for adverts anyway. Chrome seems to have the right idea, built it in and heavily sandbox it if you have to run it at all. Reader is just crapware for the most part, it offers nothing that other more secure software does. In fact I'd recommend pdf.js instead of their browser plug-in, for improved browser security.

      Oh, an

  • The real problem here is willingness to fund what is necessary - refactoring all code used in critical systems to ensure they are secure - and to maintain that approach over time in an iterative basis.

    We should touch code (at least to review it) - every year - which research indicates is the sweet spot for zero-day exploits. We get more benefits if we refactor the code - effectively resetting the clock for exploit writers to find a new zero day, and develop applications to exploit it.

    Working in IT tod

  • First, the members of the Hacking Team that knew about the sales to embargoed countries should be prosecuted. Then worry about how to regulate cyber weapons. Otherwise, the most evil of the members (i.e. the ones who knew about the selling to genocidal governments like Sudan) might just go into hiding and offer their services to other evil organizations like the mafia.

Trap full -- please empty.

Working...