The controversial Italian surveillance company Hacking Team, which sells spyware to governments all around the world, including agencies in Ethiopia, Morocco, the United Arab Emirates, as well as the US Drug Enforcement Administration, has been seriously hacked. Hackers have made 400GB of client files, contracts, financial documents, and internal emails, some as recent as 2015, publicly available for download.
What’s more interesting, the unknown hackers announced their feat through Hacking Team’s own Twitter account.
Wikileaks released over one million searchable emails from spyware contractor #HackingTeam.
Last year, a hacker who only went by the name “PhineasFisher” hacked the controversial surveillance tech company Gamma International, a British-German surveillance company that sells the spyware software FinFisher. He then went on to leak more than 40GB of internal data from the company, which has been long criticized for selling to repressive governments.
That same hacker has now claimed responsibility for the breach of Hacking Team, which sells a similar product called Remote Control System Galileo.
So how on earth did HT get hacked?
The attacker who stole Hacking Team's data gained access to an employee's computer while the victim was still logged in.
The attacker either had direct physical access to security engineer Christian Pozzi's PC or used malware to achieve a similar level of access. Whichever way it was, a folder name among the files that were leaked onto the internet suggests that Christian was logged in at the time.
Christian's password files have been published online and most commentators have focussed on the low quality of many of these passwords. However, look at the folder in which these files were stored: /Truecrypt Volume/.
Christian stored his passwords in text files kept inside a TrueCrypt volume. Presumably Christian felt that such valuable data should be protected, and he'd be right. But there are clear security limitations to using encrypted volumes: once a volume is mounted, its contents are plaintext to every process running as the logged-in user. It is very likely that the victim was logged in and had this volume open when the files were stolen.
The lesson to learn from this story is that even excellent encryption has its limits. Hard disk encryption is great for protecting lost or stolen computers and disks, but it won't hinder attackers who have access to your computer while you are logged in. Whether they creep over to your desk during a rest break, or install malware remotely over the internet, it amounts to the same thing.
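To make the "mounted means plaintext" point concrete, here is a small audit script added for this article (not code from the original post or from Hacking Team). It parses /proc/mounts-style lines for open TrueCrypt/VeraCrypt volumes and reports credential-looking files sitting inside them; the device-mapper names, the file-name heuristic and the sample lines are assumptions constructed for the example.

```python
"""Audit mounted TrueCrypt/VeraCrypt volumes for plaintext credential files.

Once a volume is mounted, anything in it is readable by any process running
as the logged-in user, so the files below are exactly what malware (or a
walk-up attacker) would see.
"""
import re
from typing import Dict, List

# Device-mapper names TrueCrypt/VeraCrypt use on Linux (assumption: default
# naming; the inner filesystem type, e.g. vfat/ext4, varies per volume).
MOUNT_RE = re.compile(r"^/dev/mapper/(truecrypt|veracrypt)\d+\s+(\S+)\s")
# Heuristic for files that commonly hold credentials in the clear (assumption).
CRED_RE = re.compile(r"(pass(word|wd)?|credential|login)s?.*\.(txt|csv|xlsx?|docx?)$", re.I)


def mounted_volumes(proc_mounts: str) -> List[str]:
    """Return mount points of encrypted volumes that are currently open."""
    points = []
    for line in proc_mounts.splitlines():
        m = MOUNT_RE.match(line)
        if m:
            # /proc/mounts escapes spaces in paths as \040; undo for matching
            points.append(m.group(2).replace("\\040", " "))
    return points


def exposed_files(mount_points: List[str], files: List[str]) -> Dict[str, List[str]]:
    """Map each open volume to the credential-like files readable inside it."""
    report: Dict[str, List[str]] = {mp: [] for mp in mount_points}
    for path in files:
        name = path.rsplit("/", 1)[-1]
        for mp in mount_points:
            if path.startswith(mp.rstrip("/") + "/") and CRED_RE.search(name):
                report[mp].append(path)
    return report


# Constructed sample input (not from the leak): one TrueCrypt volume mounted
# at a path with a space, mirroring the "/Truecrypt Volume/" folder name.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/truecrypt1 /media/Truecrypt\\040Volume vfat rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid 0 0
"""
SAMPLE_FILES = [
    "/media/Truecrypt Volume/passwords.txt",
    "/media/Truecrypt Volume/notes/readme.md",
    "/home/user/Documents/report.docx",
]

if __name__ == "__main__":
    for vol, hits in exposed_files(mounted_volumes(SAMPLE_MOUNTS), SAMPLE_FILES).items():
        print(f"{vol}: {'EXPOSED' if hits else 'ok'} {hits}")
```

On a live system, feed `open("/proc/mounts").read()` and an `os.walk` listing of the reported mount points instead of the constructed samples; a non-empty report is the cue to dismount the volume (or enable auto-dismount on idle) rather than leave it open for the whole session.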
Benefit from Hacking Team's failure by reconsidering the wisdom of storing passwords on the computer. That last recommendation is not trivial to implement and will most likely involve some level of white-listing, which can be effective but is a pain to implement, either for the administrator or for the user.