What We Can Learn From the Hacking Team Hack

July 27, 2015 • Devin Partida


There is one word that strikes fear into the heart of government agencies and firms engaged in dealings of a secretive and questionable nature. “Hacktivism” has inspired decentralized groups of hackers dedicated to rooting out unlawful espionage, corporate greed and human rights violations wherever they occur.

And sometimes other hackers are the target of such attacks. Hacking Team, the surveillance firm established by two Italian programmers, is infamous for intentionally injecting target malware into sites and services like YouTube and Microsoft Live.

The team’s actions received unwanted attention earlier in June when the security company, accused of selling digital intrusion tools to any government or organization willing to pay, had 400GB of data stolen and leaked to BitTorrent.

This information reportedly included internal documents, five- and six-figure invoices, email communications, contract details and client lists that clearly showed the firm had been providing software to private companies and repressive regimes.

Among them were the FBI, the Saudi Arabian Central Intelligence Directorate, the Egyptian Ministry of Defence and the Lebanon Army Forces, to name a few.

An Argument for the Arms Pact

Hacking Team’s Twitter feed was also hijacked, renamed “Hacked Team,” and controlled for nearly 12 hours. During this time, the hackers distributed samples of the exposed files along with URLs for where the information could be found.

A service maintenance list shared to social media by @SynAckPwn indicated “unofficially supported” contracts with Russia’s Intelligence Kvant Research and Sudan’s National Intelligence Security Service.

Despite the aftermath of such revelations, proposed revisions to the Wassenaar Arrangement have been widely condemned for the limitations they place on security research and the negative impact they would have on penetration testing tools.

Promoting Accountability in Placing Blame

This was a serious breach and one that represents a major threat. Publication of the code used by Hacking Team would allow anyone with the know-how to purposefully and maliciously attack any target of their choice.

The reality is commercial security software is needed to combat the programs of Black Hat computer hackers the world over, and if the restrictions to the Wassenaar Arrangement were enacted, consumers would be at their mercy.

Simply installing effective security software alone, however, will not be enough to stop an individual or group intent on stealing private data. To safeguard one’s identity and information in a meaningful way, users must accept some level of responsibility.

Here’s what you can and should be doing:


1. Never Reuse or Email Your Passwords

Once a person has access to your email password, they have access to everything — all of the accounts you have used at other web addresses, everything you’ve ever sent or received, and, worst of all, the means to override your permissions.

Since the way the world operates has shifted to accommodate electronic transaction receipts and statements, email accounts are your identity gatekeepers. While reports allude to insider help from former employees, it’s entirely possible the intruders infiltrated Hacking Team’s system using email passwords.

2. Protect Yourself with Anti-Virus Software

In a study of daily email-based malware attacks, security consultant Brian Krebs compiled the results of 42 days’ worth of information and found the top-performing anti-virus programs were only able to detect intrusions 24.47 percent of the time.

Anti-virus software is a partial solution to the problem, and if you receive an email from an unfamiliar source asking you to click on anything, don’t. You don’t want to risk the one-in-five chance of exposing your system to backdoor intrusion techniques.

3. Encrypt All Sensitive Information

Even if you’re not running a business, encryption offers the user next-level protection. This process involves scrambling information so it can’t be read by third parties without the key to decode it.

If Hacking Team took the time to encrypt its sensitive information, it likely wouldn’t be in the situation it’s in now. While top tech companies are working to offer this solution as standard for both desktop and mobile devices, there are a number of alternatives available for use across popular operating systems.

4. Set Yourself Up For Two-Step Verification

This is something people are seeing more of these days since mobile technology is never far from arm’s reach. Once again, had Hacking Team implemented this added defense layer, the intruders wouldn’t have been able to hijack the Twitter account in the first place.

The benefit of setting up two-step verification for your email, Dropbox and social media channels is that even if your password is somehow cracked, anybody wanting to use this against you would need the security code sent to your phone.

Of course, these are only a few of the things you should take into account when taking steps to secure your private information. Learn from what happened to Hacking Team and teach yourself to embrace a preventative mindset. You’ll be glad you did.

Image by Negative Space