Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Hacker's Account of How He Took Down Hacking Team's Servers (softpedia.com) 70

An anonymous reader writes: FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam's network. Published on PasteBin, the attack's timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company's emails, and later access Git repos and steal the source code of their surveillance software.
This discussion has been archived. No new comments can be posted.

Hacker's Account of How He Took Down Hacking Team's Servers

Comments Filter:
  • by Anonymous Coward
    FYI MongoDB databases with no passwords have exposed details of 191 million US voters. But those were probably set up by unskilled admins. A mistake like this from a company called "Hacking Team" is irony at its finest
    • Re:MongoDBs (Score:5, Insightful)

      by Anonymous Coward on Sunday April 17, 2016 @12:58PM (#51927425)

      sigh, MongoDB.
      On install
      1. no authentication, no passwords
      2. default read access to everything for any user
      3. no granularity.
      4. data sent in the clear
      5. no encryption
      6. binds to all available interfaces

      It's like we've learned nothing

      • Re:MongoDBs (Score:5, Interesting)

        by JustAnotherOldGuy ( 4145623 ) on Sunday April 17, 2016 @01:15PM (#51927493) Journal

        sigh, MongoDB.
        On install
        1. no authentication, no passwords
        2. default read access to everything for any user
        3. no granularity.
        4. data sent in the clear
        5. no encryption
        6. binds to all available interfaces

        If I didn't know better (and I don't) it would seem that one of MongoDB's design goals was "easy to hack right out of the box".

      • MongoDB was designed to be configured and used out of the box by developers, not security minded folks like sysadmins or system architects (devops).

        • Re: (Score:3, Insightful)

          by AlphaBro ( 2809233 )
          If you perceive developers as not being security minded, the ones you've encountered aren't very good. Developers are the first line of defense as their actions dictate what vulnerabilities are present in the software they're developing. A good software developer knows far, far more about software security than most sys admins because sys admins generally don't need to understand the nuances of vulnerabilities. In short, they only need to understand the threat, not the technical details about the vuln.

          Th
          • And to expand on this, some developers that are especially skilled at security develop specialized software known as exploits. ;)
          • It really depends on what exactly we're talking about. In this case, the parent is speaking specifically around the configuration and deployment of MongoDB, and my response is that a SecDevOps architect is going to a much better job in the design, configuration and security than your standard developer with such a product. Keep in mind that security doesn't just focus on keeping the baddies away, it also includes high availability for services and ensuring data integrity.

            It's true that many devs are secur

      • Re:MongoDBs (Score:5, Informative)

        by Viol8 ( 599362 ) on Sunday April 17, 2016 @02:41PM (#51927813) Homepage

        7. Unholy mash up of Javascript and bespoke query language to operate on the data and administer the DB.

        8. Max size limit of data in a key-value that can be indexed

        9. Replica set or sharding , which is better? Who knows. Administering both at the same time requires a bottle of whisky and/or prozac on standby.

        • >> 8. Max size limit of data in a key-value that can be indexed,

          If you're wanting to store large blobs over 16MB in size, then use something like GridFS, which breaks up large blobs into smaller ones for easy storage.

          >> 9. Replica set or sharding , which is better? Who knows. Administering both at the same time requires a bottle of whisky and/or prozac on standby.

          It depends on what you're wanting to do. Replica Sets are good for redundancy while sharding is ideal for large amounts of data that

  • Fascinating (Score:5, Interesting)

    by JustAnotherOldGuy ( 4145623 ) on Sunday April 17, 2016 @01:14PM (#51927485) Journal

    I read the whole account, and although I by no means understood everything, it was a fascinating read.

    It appears that almost any route into a system will lead to more exploitable routes, and those lead to even more, and so on, until you're basically free to roam at will, read and change key files, install all the backdoors you like, and so on. He basically ended up with an embarrassment of riches, so to speak, with as much (or likely more) access than all of the legit admins combined.

      It would appear that truly locking down a large, complex network is next to impossible- there are so many moving parts and so many places to prod and poke that sooner or later, someone will find that one little vulnerability that opens the door.

    It's hard not to admire someone with skills and the persistence it took to do this.

    • Re:Fascinating (Score:5, Insightful)

      by E-Rock ( 84950 ) on Sunday April 17, 2016 @02:01PM (#51927685) Homepage

      Seems like this was a hard shell, gooey center setup. So once he got in, he found the mis-configured iSCSI, and then the game was over.

      Really drives home that you need layers in place to block/detect lateral movement.

    • That is a deep observation.

      How do we build secure systems? Patching up all the thousands of holes one by one is not a solution.

      Certainly, penetration testing needs to be carried out from inside the fire wall.

      But beyond that, the only solution I see is a focus on simplicity. That means less features, but implemented with a view that the code can be understood.

      Not using the C/++ programming language would remove about half the vulnerabilities, fat chance of that happening though.

      What is not the solution is a

      • How do we build secure systems? Patching up all the thousands of holes one by one is not a solution.

        To be frank, I'm not sure there is a solution. Complex systems are, well, complex...and complexity almost invariably leads to mistakes. (Heh, ask me how I know...)

        But I don't see how something like a network can ever be reliably secured....too many different bits of this and that to keep track of, patch, upgrade, etc etc. Things can be secured to a point, sure, but in real life all that stuff changes over time and it seems impossible to me to ever keep up with it 100%.

        You may have a team of 20 top-notch sys

  • FinFisher (Score:2, Interesting)

    by Anonymous Coward

    FinFisher, the hacker that broke into Italian firm Hacking Team

    I'm pretty sure FinFisher is the name of a competitor of Hacking Team [wikipedia.org], not the name of the hacker who broke into Hacking Team's network.

  • by golgotha007 ( 62687 ) on Sunday April 17, 2016 @02:10PM (#51927723)

    The main weaknesses found are: unpatched network appliance exposed to public, services on deep network layers exposed to less secure subnets, using mongo with no authentication, passwords in plaintext found in backups, weak, bruteforcable passwords across the board, no password rotation in place and unpatched windows boxes.

    • The linked article doesn't mention this but the way FinFisher got into the Backup server was by simply mounting its iSCSI volumes which required no authentication at all. (Technically, the iSCSI targets were supposed to be on a separate network, but it turns out you could still get at them from the main network.)

      The lesson there: It doesn't matter which network the service is in, turn on authentication!

  • ... by getting on his cross, polishing his halo and talk about "stopping their human rights abuses". Oh get over yourself son. The world isn't black and white, its shades of grey. The quicker you learn that fact the sooner you can pull that rod out of your arse. These guys just sell the software, they don't use it. If you really want to sort out human rights abuses there are plenty of governments and islamic terrorist networks you can try and hack. Though the latter might actually involve real personal dang

    • by Required Snark ( 1702878 ) on Sunday April 17, 2016 @07:22PM (#51928781)
      I have a counter proposal: pull your head out of your ass before you lay into someone else.

      When you client list is oriented towards repressive regimes that suppress dissent using tactics like torture and murder, it's not just "These guys just sell the software, they don't use it". It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing.

      They are in the same category as drug cartels or the pirates of West Africa. The only difference is that Hacking Team has a veneer of legitimacy, and they also sell to first world countries like the US and Germany. Frankly I expect that "legitimate" governments abuse this software to engage in illegal acts both at home and all over the world.

      Pulling the "shades of grey" argument in this case is utter bullshit. We know who they are, we know what they do, and we know who they work for. They have chosen to work for some of the worst governments on the planet. They have no excuse.

      And if you had any doubts about the political motivation of Hacking Team, the emails revealed

      Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla".

      That translates as "death to traitors".

      • by Viol8 ( 599362 )

        "pull your head out of your ass before you lay into someone else. "

        I don't own a donkey and if I did I wouldn't put my head up its arse.

        "It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing. "

        Bollocks - its based on money. Its no different to selling weapons. I'm sure this company would have no problem selling to you if you stump up the cash. I'm not going to pretend they're saints, but they're not the cartoon evil people would lo

        • "It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing. "

          Bollocks - its based on money. Its no different to selling weapons. I'm sure this company would have no problem selling to you if you stump up the cash. I'm not going to pretend they're saints, but they're not the cartoon evil people would love these sorts of companies to be either.

          Say you're an arms dealer, selling to the national army of Bulgaria is one thing, selling to Boko Haram, completely different.

          • by Viol8 ( 599362 )

            So do you have any evidence this company has told to terrorist organisations then? If so please share, i'm sure many law enforcement agencies would love to know.

            • No, I was just making the point that the morality of selling something is just as much who you sell to as what you sell. These people sold to despotic governments for spying on their own people. The guy in TFA provided the evidence of that. Please try to keep up instead of moving goalposts.
    • By publishing their source code he protected journalists and activists that were being targeted by the governments you talked about, at least temporarily with the AV updates, and further by exposing the fact that they were selling to sanctioned countries.

      Your "shades of gray" BS doesn't apply here. One thing is to sell a weapon, another is to sell a weapon to a known murderer. Do you think there should be no problems on selling uranium to NK? It's just selling, not using...

      It makes much more sense to cut th

Keep up the good work! But please don't ask me to help.

Working...