The Hacking Team and their industry thrive on a climate of fear that they help create

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://theconversation.com/the-hacking-team-and-their-industry-thrive-on-a-climate-of-fear-that-they-help-create-44562

In what has been labelled as poetic justice by some, the Hacking Team, an
Italian company that sells mass computer and mobile device surveillance
software has itself been hacked. The alleged hackers, tweeting as Phineas
Fisher, uploaded 500GB of internal files stolen from the Hacking Team’s
systems and made them publicly available.

Details of the Hacking Team’s operations and its customers quickly started
to emerge. The Hacking Team has sold software to infect, and spy, on around
6,500 devices, by 64 different government security and law enforcement
agencies. These governments include those of countries like Chile, Morocco,
Tunisia, Sudan, Ethiopia and even Australia and the US.

Statements from Hacking Team representatives have highlighted an ambivalent
attitude to who they should or shouldn’t sell software to. Company
spokesperson Eric Rabe has claimed both that they do vet their clients and
follow international trade restrictions and at the same time declared that
it is not their job to make judgements about a country’s record of human
rights abuses.

Even claims that Hacking Team is no longer “servicing” countries like
Sudan, whose government has a long history of human rights violations,
shows up in a letter from the United Nations, asking whether Sudan was
still using its software and the nature of its contracts with that country.

The Hacking Team avoided responding, but eventually argued that, as a
private company, it couldn’t reveal the nature of its contracts with
organisations. And, besides, its software was not a “weapon”, and therefore
did not contravene any arms embargo placed on the Sudanese government.

Companies selling tools for spying on computers and phones have been around
as long as there have been those devices. There are a large number of these
companies selling billions of dollars worth of surveillance software to
government security agencies and law enforcement relatively
indiscriminately.

The software that they sell is capable of getting around encrypted
communications and record conversations, use the cameras on phones and
computers and remain undetected by antivirus software.

In fact, the rise in use of secure communications like SSL and encryption
by default by companies like Google and Apple have been used as a sales
technique by stoking fears that this will be used by terrorists to avoid
detection by security and law enforcement agencies. They have stoked these
fears further by suggesting that, through the hack, its software would now
be in the hands of “Terrorists, extortionists, and others” leading to an
“extremely dangerous situation”.

It is probably not an exaggeration on its part to state that we are in a
dangerous situation as a result of the use of this type of software.
However, software based “weaponry” is much harder to guard than its
physical counterpart, and it is inevitable that through one means or
another it will fall into the “wrong hands”.

This is made much easier the more widespread the use of this software
becomes. The eagerness of agencies to use this method of surveillance
inadvertently increases the risk that it will in turn be used against
themselves and others.

None of these considerations matter much to the spyware industry. They will
thrive in an environment of increased fear and the desire of governments to
control opposition and dissent of any kind. The more cyberattacks there are
on their customers and companies in their customers’ countries, the more
their products can be sold as a means of “offensive security”.

Despite questions being raised in the European Parliament about the
activities of the Hacking Team, it will presumably be back in operation and
resuming operations soon. The hack of its documents at least provides a
transparency of its modes of operation that perhaps will reign in its
activities with governments with poor human rights records. Given that
ultimately, this is all about making money, it is unlikely that it will do
this voluntarily.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!