Hacking Team Hacked, Attackers Grab 400GB of Internal Data

Several readers sent word that notorious surveillance company Hacking Team has itself been hacked. Attackers made off with 400GB worth of emails, documents, and source code. The company is known for providing interception tools to government and law enforcement agencies. According to the leaked files, Hacking Team has customers in Egypt, South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, Mongolia, Russia, Germany, Sudan, and the United States — to name a few. It has been labeled an enemy of the internet by Reporters Without Borders. "Clients have had their passwords exposed as well, as several documents related to contracts and configurations have been circulating online." Nobody knows yet who perpetrated the hack.

Find the source code on GitHub

Someone started uploading all the HackingTeam source code to GitHub: https://github.com/hackedteam?...
There are also some signing keys for kernel drivers in here.

That's a bad day for Hacking Team and a good day for everyone else.

Re:Find the source code on GitHub

[xxxJonBoyxxx]

>> https://github.com/hackedteam/...
>> https://github.com/hackedteam/...

ndisk, eh? With a couple of components to collect, report and transmit?

This thing kind of looks like the kit used in Shamoon, Sony, Icefog/Korea, etc.

Re:Find the source code on GitHub

[mystuff]

Brilliant, people can start translating the comments in the source code from Italian to English! Would be even funnier it people started filing issues and fix bugs in their code.

But more to the point, will this help bona fide security researchers with their work on fighting exploits on all platforms or is there not much of interest there? Any experts on the matter?

Re:Find the source code on GitHub

[johanw]

Some 0-day leaks were found too, so I think MS will be quick to patch them.

Re:Find the source code on GitHub

[xxxJonBoyxxx]

>> people can start translating the comments in the source code from Italian to English!

Really, you can't follow the code without English comments?

>> will this help bona fide security researchers with their work on fighting exploits on all platforms?

It gives us a couple more signatures to look for. I'm really getting sick of the "fake driver" vector though; it's 2015 and still trivial to get Windows platforms to cough up anything you'd want. As long as AV vendors ignore things like this (e.g., https://www.google.com/webhp?s...) it will continue to be easy for nearly anyone to write their own "advanced persistent threat."

Re:Find the source code on GitHub

>> people can start translating the comments in the source code from Italian to English!

Really, you can't follow the code without English comments?

Surely if it needed comments in the first place then it implies that the code isn't easy to follow, even for the original author.

Re:Find the source code on GitHub

[xxxJonBoyxxx]

>> Surely if it needed comments in the first place then it implies that the code isn't easy to follow

(facepalm)

Re:Find the source code on GitHub

[jimbolauski]

Really, you can't follow the code without English comments?

I pray you don't write any software that other people have to use. Most companies will flat out reject code if it has not been properly documented.

Re:Find the source code on GitHub

[dunkelfalke]

Comments aren't there for following the code - even a code monkey like me can do that. They are to explain the reasoning behind the code.

Re:Find the source code on GitHub

[140Mandak262Jamuna]

Brilliant, people can start translating the comments in the source code from Italian to English!

Comments in Italian is actually a blessing for English speaking coders. Dijkstra's dictum was: "Never debug the comments. Always debug the code". (I could not find the reference, if he did not say it, someone equally great said it, because it is certainly not my original idea. ) Often comments are redundant, insanely stupid, misleading or obsolete. The only useful comments I find in my own code are along the lines of: "Yes, this function searches through the entire edge list, we tried to speed it up, but the complexity and the cost of maintaining a sorted set of edges were not worth it". Something that documents a dead end code that had been removed.

Re:Find the source code on GitHub

[Demonoid-Penguin]

Really, you can't follow the code without English comments?

I pray you don't write any software that other people have to use. Most companies will flat out reject code if it has not been properly documented.

Maybe you should have watched all the "be professional programmer" webinars.

Re:Find the source code on GitHub

Comments are also useful (if kept up to date) for distinguishing between what the coder intended vs what he actually wrote.

I mean really, you've never seen code that didn't match the comments? (Which immediately raises the question, which should I believe?)

Re:Find the source code on GitHub

Don't call him Shirley...

Re:Find the source code on GitHub

[SethJohnson]

They are to explain the reasoning behind the code.

This is a huge purpose for comments. Also, maybe I can interpret the code perfectly well without comments. How well can I depend on everyone else who is modifying the code to be able to interpret it properly.

Well-documented code helps protect it from the introduction of bugs by later contributors.

Re:Find the source code on GitHub

If only my colleagues understood this. Once I actually get them to document, they document the obvious, writing in the comments what the lines of code do, but then in English.

I can see what the code does by looking at the code. I wanna know why the code was written the way it is.

Re:Find the source code on GitHub

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA

Sorry - 25 years of being a software developer caught up with me after reading your comment. (wipes eyes)

Re:Find the source code on GitHub

[myowntrueself]

>> people can start translating the comments in the source code from Italian to English!

Really, you can't follow the code without English comments?

>> will this help bona fide security researchers with their work on fighting exploits on all platforms?

It gives us a couple more signatures to look for. I'm really getting sick of the "fake driver" vector though; it's 2015 and still trivial to get Windows platforms to cough up anything you'd want. As long as AV vendors ignore things like this (e.g., https://www.google.com/webhp?s...) it will continue to be easy for nearly anyone to write their own "advanced persistent threat."

Comments often contain all kinds of juicy info. Its not about following the code its about getting insights into all kinds of non-code related things.

Re:Find the source code on GitHub

[Mikkeles]

As had been said before: if the comments and code don't match, then both are probably wrong.

Re:Find the source code on GitHub

[myowntrueself]

They are to explain the reasoning behind the code.

This is a huge purpose for comments. Also, maybe I can interpret the code perfectly well without comments. How well can I depend on everyone else who is modifying the code to be able to interpret it properly.

Well-documented code helps protect it from the introduction of bugs by later contributors.

Imagine comments like "Manager asked me to implement this to make it easier for to target " Not so interesting wrt the code, very useful though for anyone interested in the meta game.

I bet theres all kinds of incriminating stuff in there of no interest to programmers.

Re:Find the source code on GitHub

I believe the point of the OP was that if you can't read code without comments, that's very bad. The point wasn't that comments aren't helpful, or that you don't NEED to comment things.

Re:Find the source code on GitHub

I pray you don't write any software that other people have to use. Most companies will flat out reject code if it has not been properly documented.

no need to pray... that's pretty funny though. you can also say that most companies will flat out go bankrupt within a few years of starting business. correlation?

Re:Find the source code on GitHub

If there is a god: Please let their RCS and PGP breaking code be somewhere in that heist.

Petard.
Governments / Militaries / 5 Eyes spies / Immoral Internet companies.
Hoist!

CAPTCHA: banking

Re: Find the source code on GitHub

I think comments are crazy useful. But another perspective is "comments are lies waiting to happen"

Another turn of the screw

[fustakrakich]

*What's good for the goose...*

Schadenfreude...

SubjectsInCommentsAreStupid

[lesincompetent]

Serves those maggots well.

Re:SubjectsInCommentsAreStupid

[D.McG.]

How does a group like that not notice 400GB of traffic exiting the building? If it were done in a single day, the hackers would need to draw down 4,629,629 bytes per second sustained for 24 hours.

Re:SubjectsInCommentsAreStupid

[s0litaire]

Probably thought it was one of their bit-torrent clients..

Even evil hackers require an extensive porn collection to do their job...

Re:SubjectsInCommentsAreStupid

Maybe they get so much interception traffic to sort through, that the data evasion was lost in the noise?

Re: SubjectsInCommentsAreStupid

Which is a pretty slow bandwith nowadays... I would get 400gb down in roughly 22 hours with my lazy connection at home... i could bet the involved parties both have a little more speed at hand

Re: SubjectsInCommentsAreStupid

[Flavianoep]

If I've got my calculations right, to complete the downloading of that amount of data in a single day, it would need a 37,9259 Mib/s bandwidth -- 37,9255 Mib/s on last 6/30 --, which is quite trivial in some places.

Re: SubjectsInCommentsAreStupid

[o_ferguson]

I have a friend who lives in a Condo in Toronto and his residential pipe is 100/100 for 40 bucks a month, and they offered to boost it to 400/400 for an extra 30 bucks a month, but he has no need for that much speed. (Note, this is atypical for Canada, but it's the same building Deadmau5 used to live in, and he augured to bring in a high-end ISP.)

Re:SubjectsInCommentsAreStupid

Who downloads and stores porn locally? This is 2015 internet, not America Online era internet.

Yay!

[spiritplumber]

It's 2015, I just finished competing in BattleBots, and this is front page news. 12 year old me would be very happy about how things are going.

Re:Yay!

[Jason+Levine]

What's your bot? (My boys and I are watching the show on ABC.)

Re:Yay!

[Curunir_wolf]

What's your bot? (My boys and I are watching the show on ABC.)

What a horrible job they did of putting that show together. Battles are only 3 minutes, but with all the commentary, backgrounders, interviews and fluff, they can only fit FOUR battles into an hour-long show. Worse, they include so much commentary they actually EXCLUDE about 1/2 the battles, and just show a few highlights from some.

Imagine if a network covered the NBA playoffs like that? Producers at ABC certainly showed a lot of incompetence with that show.

Re:Yay!

[spiritplumber]

I think they did a better job than CC did... and yeah we didn't pay a whole lot of attention to the commentators :) The two battles that weren't shown had a big problem: underpowered weapons. Basically very little happened.

Re:Yay!

Narcissist much? I care more about this news story, then _your_ BattleBot.

Re:Yay!

[jandrese]

In other words they covered it exactly the same way they cover the Olympics?

Re:Yay!

[myowntrueself]

What's your bot? (My boys and I are watching the show on ABC.)

What a horrible job they did of putting that show together. Battles are only 3 minutes, but with all the commentary, backgrounders, interviews and fluff, they can only fit FOUR battles into an hour-long show. Worse, they include so much commentary they actually EXCLUDE about 1/2 the battles, and just show a few highlights from some.

Imagine if a network covered the NBA playoffs like that? Producers at ABC certainly showed a lot of incompetence with that show.

Let me guess, they also flick the video fast never lingering on a single scene for more than a few seconds so you can't really follow anything?

Re:Yay!

[Jason+Levine]

And yet, it's still better than pretty much any reality show on TV. Not saying much, I know, but I'd rather watch Battlebots (poorly put together or not) than Survivor: Yet Another Location.

Re:Yay!

[NeMon'ess]

The battles don't need to be longer than 3 minutes. I think there was a single match so far that went to a split decision and could have benefited from an extra minute.

ABC excluded less interesting preliminary fights. Now that a viewing audience has built up all the matches get shown.

lol ooooops n/t

whoopsie!

Aliens did it

(Brass) Yaku: It was hacked... by aliens!
(Brass) *gasp* They're invading the channel now!
(Yaku) are they the dick sucking kinda aliens?
(Yaku) or the brain eating ones?
(Brass) Yaku: Either way, I don't think you have anything to fear.

- http://bash.org/?81858

Monty Python.

[Ukab+the+Great]

We apologize for corporate and govt data breeches. Those responsible have been
hacked.

---

We apologise again for the data breeches. Those responsible for hacking
the people who have just been hacked,
have been hacked.

Re:Monty Python.

[LaurenCates]

Came in just to make this joke. I have no mod points, but I will clap together empty halves of a coconut in approbation.

Re:Monty Python.

Breeches:
1.
plural \bri-chz also br-\
a : short pants covering the hips and thighs and fitting snugly at the lower edges at or just below the knee
b : pants
2.
a : the hind end of the body : buttocks
b : breech presentation; also : a fetus that is presented breech first
3.
: the part of a firearm at the rear of the barrel

Re:Monty Python.

So you're saying the joke as written was about the violation of somebody's data buttocks?

Re:Monty Python.

[ArcadeMan]

Why? Are you going somewhere?

Re:Monty Python.

Yes, apparently the hackers found a back door.

Re:Monty Python.

[LaurenCates]

Why, Camelot, of course!

Re:Monty Python.

[CreatureComfort]

It's a very silly place.

Re:Monty Python.

[ArcadeMan]

It's only a model...

Re:Monty Python.

[LaurenCates]

And a bit suspect, I think.

Re:Monty Python.

[LaurenCates]

Shhhh!

Re:Monty Python.

Well, there's plenty of backdoor access for everyone.

Re:Monty Python.

[Kevin+by+the+Beach]

ROFL... thanks for the absurdity break

Crying because it sooooo true.

400GB

[troon]

"400GB worth of emails, documents, and source code"

Seems unlikely. There's going to be a lot of... binary data in there, surely.

Re:400GB

[bobbied]

"400GB worth of emails, documents, and source code"

Seems unlikely. There's going to be a lot of... binary data in there, surely.

They got it all from /dev/null and used compression.

Re:400GB

[AmiMoJo]

Git repositories, with history going back... Now on Github for your convenience: https://github.com/hackedteam?...

Re:400GB

[jandrese]

If you think 400GB of email alone is too much you clearly have never worked in a company that allows you to mail powerpoints around.

Re:400GB

I can't wait for folks/companies to start looking at this for copied code violating their copyrights/licences, and the ensuing fun and games. (To clarify: code that Hacking Team has been selling as their own but was copied from elsewhere in violation of any license terms.)

[Adds 'popcorn' to the grocery list.]

de haxx0rz be haxx0red na0

Not anybody knows what really happened. It's an excuse to bandy around meaningless but scary-sounding terms yet once more. Any excuse will do.

Lame

Clearly Hacking Team is not worth their salt. I'll never do business with them.

What a happy day!

You could not have made my day any brighter.

App appers apped!

Clearly this never would have appened if Hacking Team was Apping App and apped apps instead of writing Luddite software!

Apps!

GeoTrust signing keys

[fulldecent]

Can someone please explain the significance and consequences of publishing this:

GeoTrust_SigningCertificateExported_2011.pfx

https://github.com/hackedteam/...

Re:GeoTrust signing keys

Can someone please explain the significance and consequences of publishing this:

It means that anything signed by that key can't be trusted and probably contains a government Trojan.

Re:GeoTrust signing keys

[mwvdlee]

From the looks of it, this key seems to be used for signing Windows binaries, not for SSL certificates.
Surely somebody more knowledgeable can confirm or deny this?

Re:GeoTrust signing keys

It's confirmed. One of the news stories (can't remember which one) said that HT would recommend that their clients purchase digital certs to sign the malware they bought in order to skirt anti-virus scans. Apparently most antivirus software will ignore legitamite looking signed apps with certs that have been timestamped. The GeoTrust cert is probably a test cert that HT uses.

Re:GeoTrust signing keys

Certificate has been revoked. It is also only valid for code signing.

The significance should be nil by now

Re:GeoTrust signing keys

Do you have a link to this information?

Re:GeoTrust signing keys

[dissy]

Can someone please explain the significance and consequences of publishing this:
GeoTrust_SigningCertificateExported_2011.pfx

It's another couple good patters for antivirus software to look for and trigger upon finding.
Anyone infected with their rootkitted drivers four years ago and haven't had the malware update may find out about being infected with it.

If they used the same company name for their 2015 certificate as is used in the certs published, that would be another signature for AV software to trigger on if they kept your rootkitted drivers updated.

That's about it however.

The certificate is long expired so can't be used to sign any new code with.
You can also be pretty certain their next certificate (to be issued any day now, if not already) will be under a different name as well.

Re:GeoTrust signing keys

Idea

Write a histogram app, that sorts all signed modules by unique key and directory.

With a bit more thought self signed modules in the wrong directories should stand out.

Now take a checksum, and some clearing house can finger the standouts. You could also take a baseline, and compare to future snapshots. Progressively check each against revoked certificates.

The AV should be doing this already.

Another stupid law enforcement name

[Applehu+Akbar]

It's a lame attempt at coolness, like "Black Asphalt" as a code for stealing random drivers' money during traffic stops. The name "Hacking Team" does not make it an actual hacking team.

Re:Another stupid law enforcement name

Mod "-1 Oblivious"

Re:Another stupid law enforcement name

They aren't LEO. I hate to break it to you Gramps, but " Team" is de rigueur for hot-shot dev studios these days.

Really the Hackers got hacked?

Yea, and they are going to say somebody else did it....

We all know who did it.. Got caught running the IIS exploit scripts again eh guys?

apple issued enterprise dev cert to ht

https://twitter.com/FredericJa...

Subject: UID=DE9J4B8GTF, CN=iPhone Distribution: HT srl, OU=DE9J4B8GTF, O=HT srl, C=IT

Re:apple issued enterprise dev cert to ht

[jandrese]

Which means they sent $100 to Apple? Is this shocking?

Oh ya.

[AndyKron]

Oh ya, we're fucked.

it's obviously the Finns!

A moose once bit my sister

ob: it's not 1997 anymore slashdot, you ruined a perfectly good joke with you shoddy unimacode support

51603bff88e0a1b3bad3962614978929c9d26955

magnet

Were Hackingteam planting evidence?

[eyenot]

Kevin Mitnick's twitter has this update:

https://twitter.com/kevinmitni...

Loser.

[godel_56]

From first link: "Hacking Team's Christian Pozzi was personally exposed by the incident, as the security engineer's [poor quality, easily guessed] password store from Firefox was published as part of the massive data dump. The websites indexed include social media (Live, Facebook, LinkedIn), financial (banks, PayPal), and network related (routers with default credentials)."

What kind of security conscious person uses Firefox for storing important passwords, let alone someone calling themselves a security engineer? I hope the hackers had fun accessing his bank accounts. :-)

Re:Loser.

[greenfruitsalad]

please elaborate on why it's dangerous to store passwords protected by a strong password in firefox sync. mozilla have no access to decrypted passwords, nobody has. the code is open source and the server can be your own instead of mozilla's.

Funny a month ago

[johnsnails]

http://dilbert.com/strip/2013-...

Also driver and closed-device rooting projects?

[Ungrounded+Lightning]

... will this help bona fide security researchers with their work on fighting exploits on all platforms ... ?

I wonder if this will also help people trying to write open software for closed devices? Signing keys, driver sources with spyware installed, ... Not only does it expose the malware bypassing the user's security, it may also expose the internal details of how the devices are driven and/or how to compromise the malware's and devices' anti-user "security".

(I have often wondered how many of the closed-driver devices have the code closed just for business reasons and how many are closed because that's where the spyware has been installed and they can't let the source out - even sanitized - because that would lead to the spyware's exposure.)

Projects on github should "git fetch" NOW!

[Ungrounded+Lightning]

Someone started uploading all the HackingTeam source code to GitHub ... There are also some signing keys for kernel drivers in here.

IMHO:

Anyone with a project hosted on git hub should pull a backup copy NOW!

Hosting this leak on git hub could lead to moves by authorities to contain it - which could have the side effect of making GitHub and/or some projects on it unavailable - temporarily or permanently.

Better safe than sorry.

Re:Projects on github should "git fetch" NOW!

You can't just take down GitHub.

China and India tried, that didn't work so well.

Re: Projects on github should "git fetch" NOW!

[ZeroWaiteState]

No but a judge in the US with a bad hair day could do it in minutes.

Re: Projects on github should "git fetch" NOW!

he surely can try (and probably will)... but his sure failure will be hilarious :-)

Android Security Rewards Program

[eliotstock]

Looks like some interesting stuff in there for Android, but none of it will now qualify for the Android Security Rewards Program: "Bugs initially disclosed publicly, or to a third-party for purposes other than fixing the bug, will typically not qualify for a reward." Source: http://www.google.com/about/ap...

Re:Android Security Rewards Program

[ZeroWaiteState]

I doubt Google will fix them anyway, if they are on a carrier-locked device. They haven't even fixed TLS on the system default browser on a lot of their devices. 80% of Android installs are abandonware.

Mandatory...

[pruedz]

Oh! The irony! Etc... Etc...