V3.co.uk

Hacking Team plays the victim card as it defends surveillance services

Italian firm hits back at critics, claiming it always operated within the law

Hacking Team says it has been unfairly treated
  • Jason Murdock and Dan Worth
  • 24 July 2015

Italian surveillance software firm Hacking Team has issued a strongly worded statement attacking the criticism it received after it was hacked at the start of the month, claiming it is the true victim of the incident.

The hack of the company took place some weeks ago, and led to a rash of discoveries of major security vulnerabilities in tools such as Flash and Windows, which were being used by the firm's tool to help regimes spy on citizens.

This led to major criticism of the firm and claims that it was selling to nations that it should not be, such as Sudan. However, in a statement, Hacking Team has hit back at this, saying it has been unfairly treated.

“There is only one violation of law in this entire episode, and that one is the criminal attack on Hacking Team. The truth is that the company itself has operated within the law and all regulation at all times,” it said.

“However, commentators dislike the fact that strong tools are needed to fight crime and terrorism, and Hacking Team provides them. So the company is being treated as the offender, and the criminals who attacked the company are not.”

The company also claimed that any sales to repressive regimes such as in Ethiopia, Sudan and Russia were done strictly within the law. It also said that claims its entire source code had been leaked were unfounded.

“Important elements of our source code were not compromised in this attack, and remain undisclosed and protected.”

The statement also denied claims that the information revealed the firm had installed a backdoor in its software that allowed it to see how its tool is being used, adding that clients are able to examine the software code to prove this themselves.

Security flaws uncovered

The leak of some 400GB of data from Hacking Team's database led to the discovery of several major security flaws in key products used on most computers around the world, including Adobe Flash.

In response to this, Google's research team Project Zero announced it is working to develop fixes for Adobe Flash after a number of zero-day exploits were recently discovered within the Hacking Team data leak.

Working in collaboration with Adobe, Google Project Zero is aiming to help fix the gaps in security currently found in the software. By isolating different types of memory contents, using a type of partitioning, the Google team will implement various structural changes it believes will reduce the number of successful attacks against Flash.

Meanwhile, Project Zero advised users to download the most up-to-date software version of Flash, v18.0.0.209, currently available for Windows, Macintosh and Linux. It updates critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

Currently, the new Project Zero defences are only fully implemented in the Flash version included in Google Chrome, with the team now working to bring every fix to other browsers. If you're running Google Chrome, you can visit about:version to check the versions of various components. Similarly, on Windows you can visit chrome://chrome in order to boot the auto updater.

Alongside the latest patch, Project Zero said users should ensure their build of Flash matches their Chrome browser's capabilities, in order to get the full benefit of the patch.

"Now is a good time to upgrade to a 64-bit browser and Flash," they explain.

"If you're using Chrome on Windows 7 x64 (or newer), you might be running a 32-bit browser on a 64-bit capable system", the team added, explaining that this could lead to potential vulnerabilities.

The team at Project Zero are still analysing data to test for further Flash solutions.

"For every mitigation landed by defenders, attackers will attempt to devise a counter-mitigation. It's a cat-and-mouse-game," they said.

"We'll be looking out for attackers' attempts to adapt, and devising further mitigations based on what we see. Perhaps more importantly, we're also devising a next level of defenses based on what we expect we might see."

Adobe too has promised to do all it can to improve the security of its much-maligned Flash tool, in response to recent criticisms from the new chief security officer of Facebook and Mozilla blocking the tool from its Firefox browser.

The company said in a blog post that it is working hard to fix problems that came to light after data was leaked from the server of Italian surveillance software firm Hacking Team.

Adobe went on to say that Flash is widely used and is naturally a target for hackers, but that the firm is confident of maintaining an adequate level of security for the product.

"Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world and, as such, is a target of malicious hackers," the blog said.

"We are actively working to improve Flash Player security and, as we did in this case, will work to quickly address issues when they are discovered."

The comments come after Mozilla took the notable step of blocking Flash from its browser in light of security concerns that came to light in the past 10 days.

Mark Schmidt, head of Firefox support at Mozilla, confirmed that all versions of Flash up to the most recent 18.0.0.203 release have been added to the official Mozilla blocklist.

To be clear, Flash is only blocked until Adobe releases a version which isn't being actively exploited by publicly known vulnerabilities.

— Mark Schmidt (@MarkSchmidty) July 14, 2015

This came after incoming Facebook chief security officer Alex Stamos called for Adobe to announce an ‘end-of-life date’ for Flash given the problems it is causing.

It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.

— Alex Stamos (@alexstamos) July 12, 2015

“Even if it's 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” he added.

Adobe has issued two major updates for Flash since the flaws were revealed. The first patch fixed the CVE-2015-5119 vulnerability. The firm was soon forced to issue a second patch for two further flaws that were uncovered, termed CVE-2015-5122 and CVE-2015-5123, as explained in a post on its website.

"Critical vulnerabilities have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux," it said.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Adobe rates the flaws as critical and firms have been urged to upgrade as soon as possible. The firm also thanked researchers at FireEye and Trend Micro for uncovering the vulnerabilities.

The revelations are just the latest information to come to light since the Hacking Team breach. Other data revealed that the FBI is a customer of Hacking Team, and is reported to have spent $775,000 on the firm's software.

The revelations from the hack have not come as a huge surprise to those who have criticised Hacking Team in the past, and the firm has been labelled an "enemy of the internet" by Reporters Without Borders.

"Hacking Team describes its lawful interception products as 'offensive technology' and has been called into question over deliveries to Morocco and the United Arab Emirates," the organisation said.

"The company’s 'Remote Control System', called DaVinci, is able, it says, to break encryption on emails, files and internet telephony protocols."

The attackers behind the hack have not yet come to light, but they too were clearly keen to embarrass and discredit Hacking Team, not only releasing the data from its systems but defacing its Twitter account and posting company emails.

The firm’s bio on Twitter was changed to read: 'Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.'

The leaked information allegedly includes contracts the company signed with repressive governments such as in Sudan, Uzbekistan and Russia. Hacking Team had denied ever working with Sudan after a report in 2014 accused it of doing so.

Hacking Team never sold to Sudan? Here's the instructions for the 480,000 Euro wire transfer. cc @hackingteam pic.twitter.com/JqexHpvb3s

— Eva (@evacide) July 6, 2015

© Incisive Business Media Limited
