Hacker's Account of How He Took Down Hacking Team's Servers (softpedia.com)
An anonymous reader writes: FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam's network. Published on PasteBin, the attack's timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company's emails, and later access Git repos and steal the source code of their surveillance software.
sigh, MongoDB.
On install
1. no authentication, no passwords
2. default read access to everything for any user
3. no granularity.
4. data sent in the clear
5. no encryption
6. binds to all available interfaces
It's like we've learned nothing
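The six items above are all things a mongod.conf either sets or leaves at its default, so here is an added example (written for this thread, not MongoDB's own tooling and not from any poster) that audits a config for them: authorization off (items 1 to 3), no TLS (items 4 and 5), and binding to every interface (item 6). It assumes the YAML mapping layout of mongod.conf with 2-space indents; the two configs, the `/etc/ssl/mongod.pem` path and the `10.0.5.12` address are constructed placeholders.

```python
"""Audit a mongod.conf (YAML mapping subset) for the insecure defaults listed above.

Hypothetical helper written for this discussion; the option names
(security.authorization, net.bindIp, net.bindIpAll, net.tls.mode) are real
mongod.conf keys, the configs below are constructed samples.
"""


def parse_simple_yaml(text):
    """Parse nested `key: value` mappings (2-space indents) into dicts.

    Only the subset mongod.conf uses for these options is handled: no lists,
    anchors or multi-line scalars. Inline `#` comments are stripped.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # climb back out to the right parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a key with no scalar opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(cfg, dotted, default=None):
    """Fetch a dotted path such as 'net.tls.mode', or `default` if absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_simple_yaml(text)
    findings = []
    # Items 1-3: without authorization there are no users and no roles at all.
    if lookup(cfg, "security.authorization", "disabled") != "enabled":
        findings.append("authentication disabled: set security.authorization: enabled")
    # Item 6: an absent bindIp is treated as the old all-interfaces default the
    # post describes (recent builds default to localhost, but be explicit).
    bind = lookup(cfg, "net.bindIp", "0.0.0.0")
    bind_all = lookup(cfg, "net.bindIpAll", "false").lower() == "true"
    if bind_all or "0.0.0.0" in bind or bind in ("::", "*"):
        findings.append("binds to all interfaces: set net.bindIp to localhost or a private address")
    # Items 4-5: clients and replication traffic are plaintext without TLS.
    if lookup(cfg, "net.tls.mode", "disabled") != "requireTLS":
        findings.append("no transport encryption: set net.tls.mode: requireTLS with a certificate")
    return findings


# Constructed sample: the install-time defaults the post complains about.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server with all three findings addressed.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # placeholder private address of the app subnet
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or "OK")
```

Enabling `security.authorization` is what gives MongoDB per-user, per-database roles; on its own it does nothing for a listener reachable from the whole network, which is why the bind and TLS checks sit beside it rather than being optional extras.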
Seems like this was a hard shell, gooey center setup. So once he got in, he found the misconfigured iSCSI, and then the game was over.
Really drives home that you need layers in place to block/detect lateral movement.
The main weaknesses found are: unpatched network appliance exposed to public, services on deep network layers exposed to less secure subnets, using mongo with no authentication, passwords in plaintext found in backups, weak, brute-forceable passwords across the board, no password rotation in place and unpatched Windows boxes.
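The two comments above make the same point from opposite ends: a flat network with no detection means one set of recovered credentials is enough to walk from a backup host to the domain. A cheap detection layer for that walk is watching for one account logging on to many hosts in a short window. Here is an added example of that logic (written for this thread, not from any poster or any product) run over a constructed set of Windows Security log lines; Event ID 4624 and the LogonType field are real Windows names, the `Src`/`Dst`/`Account` fields, host names and timestamps are made up for the sample.

```python
"""Flag accounts that fan out across many hosts in a short window.

Hypothetical detection written for this discussion. Input is a constructed,
one-line-per-event rendering of Windows Security log events (4624 = successful
logon, 4625 = failure; LogonType 3 = network, 10 = RemoteInteractive).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a service account sweeping four servers in four minutes,
# next to two users whose logons are ordinary.
EVENTS = [
    "2015-07-05T02:10:01 EventID=4624 LogonType=3 Account=svc-backup Src=10.0.1.40 Dst=FS01",
    "2015-07-05T02:11:15 EventID=4624 LogonType=3 Account=svc-backup Src=10.0.1.40 Dst=DC01",
    "2015-07-05T02:12:40 EventID=4624 LogonType=3 Account=svc-backup Src=10.0.1.40 Dst=BES01",
    "2015-07-05T02:14:02 EventID=4624 LogonType=10 Account=svc-backup Src=10.0.1.40 Dst=MAIL01",
    "2015-07-05T02:20:00 EventID=4625 LogonType=3 Account=svc-backup Src=10.0.1.40 Dst=GIT01",
    "2015-07-05T02:10:30 EventID=4624 LogonType=2 Account=alice Src=10.0.2.15 Dst=WS12",
    "2015-07-05T02:30:00 EventID=4624 LogonType=3 Account=alice Src=10.0.2.15 Dst=WS12",
    "2015-07-05T01:00:00 EventID=4624 LogonType=3 Account=bob Src=10.0.2.20 Dst=FS01",
    "2015-07-05T02:05:00 EventID=4624 LogonType=3 Account=bob Src=10.0.2.20 Dst=PRINT01",
]


def parse_event(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_fanout(lines, window_minutes=10, threshold=3, logon_types=("3", "10")):
    """Return {account: set(hosts)} for accounts with successful remote logons
    to `threshold` or more distinct hosts inside any `window_minutes` window.

    Only successful (4624) network/RDP logons count; interactive console
    logons and failures are ignored so a user at one desk is never flagged.
    """
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "4624" or event.get("LogonType") not in logon_types:
            continue
        by_account[event["Account"]].append(event)

    flagged = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["time"])
        for i, current in enumerate(events):
            # Distinct destination hosts seen in the window ending at this event.
            hosts = {e["Dst"] for e in events[: i + 1] if current["time"] - e["time"] <= window}
            if len(hosts) >= threshold:
                flagged[account] = flagged.get(account, set()) | hosts
    return flagged


if __name__ == "__main__":
    for account, hosts in detect_fanout(EVENTS).items():
        print(f"{account}: {len(hosts)} hosts in window -> {sorted(hosts)}")
```

The threshold and window are deliberately parameters: a backup account legitimately touches many hosts at 02:00, so in practice this rule is tuned per account class or paired with a baseline, and the point of the blocking layer (the "deep" subnets not reachable from the workstation and appliance subnets) is that most of these logons should never have been possible in the first place.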
When your client list is oriented towards repressive regimes that suppress dissent using tactics like torture and murder, it's not just "These guys just sell the software, they don't use it". It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing.
They are in the same category as drug cartels or the pirates of West Africa. The only difference is that Hacking Team has a veneer of legitimacy, and they also sell to first world countries like the US and Germany. Frankly I expect that "legitimate" governments abuse this software to engage in illegal acts both at home and all over the world.
Pulling the "shades of grey" argument in this case is utter bullshit. We know who they are, we know what they do, and we know who they work for. They have chosen to work for some of the worst governments on the planet. They have no excuse.
And if you had any doubts about the political motivation of Hacking Team, the emails revealed
Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla".
That translates as "death to traitors".
Why is Snark Required?
That is a deep observation.
How do we build secure systems? Patching up all the thousands of holes one by one is not a solution.
Certainly, penetration testing needs to be carried out from inside the firewall.
But beyond that, the only solution I see is a focus on simplicity. That means fewer features, but implemented with a view that the code can be understood.
Not using the C/C++ programming language would remove about half the vulnerabilities, fat chance of that happening though.
What is not the solution is a Windows operating system that is riddled with hundreds of daemons that nobody really understands and takes minutes to shut down (let alone fully boot).
So how do we go beyond patch Tuesday and arrive at something that is secure by design?
If you perceive developers as not being security minded, the ones you've encountered aren't very good. Developers are the first line of defense as their actions dictate what vulnerabilities are present in the software they're developing. A good software developer knows far, far more about software security than most sys admins because sys admins generally don't need to understand the nuances of vulnerabilities. In short, they only need to understand the threat, not the technical details about the vuln.
Think about it this way: developers are making the security patches you apply.