When spyware merchants get hacked

The comprehensive hack on spyware and exploit merchant extraordinaire Hacking Team should serve as a warning to everyone, police included, that ethics and attention to detail in the IT security business are mandatory, not optional.

An enormous amount of data was leaked - over 370GB - including sensitive emails between Hacking Team and its customers, invoices from police forces and oppressive regimes as well as source code for the spyware the company sells to government buyers.

Over the next few weeks, the trove of documents will be analysed, casting a light on the seedy underbelly of IT security. It’s a safe bet that those doing business with Hacking Team can look forward to some uncomfortable details being made public.

But it should be asked: what did Hacking Team customers expect? The company itself knew it was skating on thin ice legally and sought legal advice on whether it was safe to do business with some particularly nasty regimes around the world.

How different in concept is Hacking Team’s flagship Da Vinci remote control system (RCS) software to, for instance, the Blackshades remote administration tool (RAT), which infected thousands of victims' computers and saw hundreds of hackers arrested?

Not very. The main difference is Da Vinci has a veneer of respectability, meaning law enforcement in Western countries are happy to spend hundreds of thousands on it.

This is clearly sensitive stuff. The Australian Federal Police has been outed as a customer of both Hacking Team and its competitor, Gamma Group, which sells the FinSpy suite of spyware.

Our enquires have been stonewalled so far - the AFP doesn't comment on "operational matters".

Now both Hacking Team and Gamma Group have been hacked, due to what appears to be some seriously sloppy security practices: Hacking Team didn't encrypt data and used “Passw0rd” and “P4ssword” as credentials, as one example.

Similarly, several snippets of source code from Hacking Group’s products appear to contain what could potentially be backdoors, or in some cases, log file altering functions used to frame people whose computers are infected with the RCS.

These are the people our police forces do business with. It would never be acceptable in the financial industry, yet for law enforcement it’s fine. Where is the oversight? Is there any?

The expression “lie down with dogs, get up with fleas” seems very true when it comes to Hacking Team. This breach should make its law enforcement customers sleep less easy.