Until today it’s probably safe to say that barely anyone beyond a handful of people in security and privacy circles paid much attention to Italy’s Hacking Team, a software surveillance firm that could be described as ‘infamous’ if it weren’t so obscure.
The word ‘breach’ has changed all of that. There have probably been more stories written about this shadowy but apparently legal organisation in the last 12 hours than in its entire history combined.
Techworld has covered Hacking Team on several occasions in the last three years while people were more preoccupied with other events and stories. So why the massive fuss now? Hacking Team is similar in its operation to the better-known UK-German firm behind the FinFisher spyware, which has always attracted more negative publicity.
According to one report and some hacked data on a Torrent site, the company has been torn wide open, exposing possibly 400GB of data, including a spreadsheet purporting to list every one of Hacking Team’s government clients, among them South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, Mongolia and Egypt, and probably a host of others at various points in the past.
The company’s Twitter account was also hacked, which is almost as significant because Hacking Team was almost certainly using some form of verification to protect the account.
Breaches are newsworthy these days, and rightly so. Now add the firm’s modest notoriety and privacy campaigners smell some useful publicity for an issue the average citizen normally ignores.
Why might countries use a private organisation accused of selling surveillance malware to a number of unpleasant regimes?
In all honesty the list isn’t that surprising and, if correct, accords with what has been suspected about this sort of firm operating in this sort of market - countries buy its products and services because they lack advanced spying operations of the sort the NSA would have laughed at a decade ago.
Another possible motivation might be the ability to firewall state surveillance from intelligence services, a sort of parallel track for spying on individuals of interest, usually dissidents of one kind or another. The sort of people Hacking Team would be hired to watch are suspicious, mobile and possibly well protected. They are harder to reach and almost certainly beyond the borders of any nation buying its software.
The potential damage to Hacking Team is impossible to estimate this early on, but it would be an irony if the first business to fall to a breach and disappear was one engaged in surveillance of its own.
On the one hand this all looks terrible for Hacking Team. One of the firm’s employees, Christian Pozzi, reportedly had a password store compromised that included such gems as HTPassw0rd, Passw0rd!81, Passw0rd, Passw0rd!, Pas$w0rd, and Rite1.!!. Anything that includes any variation of the word ‘password’ is not a serious password. If this is genuine, that is simply crazy.
The firm hasn't so much ended up with egg on its face as covered head to foot in unpleasant raw omelette. But on the other hand, the breach appears to say very little about the really important data, that of the operation of Hacking Team’s dedicated spyware programs whose names are advertised but which are rarely detected (unless, that is, the source code has been compromised too, yet to be confirmed).
That is why Hacking Team might yet have a way back from disaster and humiliation. The plain fact is that small-scale malware surveillance of the sort that makes up its business remains pretty much undetectable, or is discovered only every now and then and long after the fact. Customers still value this.