Hacking Team fiasco exposes weak passwords and VPN use

Overnight, Twitter lit up with news that an organisation named Hacking Team had itself become the victim of a hack, with a cache of its documents released.

Although the dubiously named “Hacking Team” sounds like a black hat hacking group, it is actually an officially registered company in Italy. Rather than defacing websites, as the name might suggest, its operation focuses on selling spying software to government organisations around the world to snoop on their citizens.

Uh Oh, bad news in Italy

The news broke on the Hacking Team Twitter account via a message stating that they had nothing to hide and so were uploading all of their data. The message was, of course, a spoof and came from the group behind the hack. Although the tweets have now been removed, it was too late for Hacking Team: the original message contained links hosted on Kim Dotcom’s Mega and elsewhere that supplied a torrent file giving access to the bulk of the files.

Hacking Team tweet

The torrent file gave access to a huge 400GB treasure trove of documents stolen from Hacking Team, containing everything from their emails, source code and files to the browsing history of some of their employees, including a file bookmarking some choice adult video links.

While the employee in question might be rather red-faced over the release of his porn browsing habits, the leak has a much more serious consequence for Hacking Team. Detailed in the leaks are lists of police, government and other organisations they have done business with, which read like a who’s who of government organisations that are either corrupt or have questionable histories on human rights issues.

Hacking Team were recently quizzed by the United Nations on their involvement with Sudan, which is under an embargo prohibiting dealings with it in certain types of wares.

Hacking Team claim to have no affiliation with Sudan, as a recent UN letter clarifies. However, the latest document cache suggests otherwise and may open up a legal can of worms for Hacking Team, who in 2012 appear to have billed the National Intelligence and Security Services in Sudan the princely sum of 480,000 Euros for a “Remote Control System”, an invoice described as a 50% payment.

Terrible password choices aid hack

While the hack and release of documents is bad enough for Hacking Team, another angle has emerged from the story: a security company that deals with government agencies around the world succumbed to the dreaded condition many of us suffer from daily, namely poor password choice. Reports from those who have delved deep inside the documents suggest that the Managing Director of Hacking Team repeatedly used the password “Passw0rd”, and similar variations of it, across a range of systems that should have been secure.

With password choices as poor as this, one has to wonder just how easy it was for the team that hacked Hacking Team to breach their security. While Hacking Team essentially have egg on their face, and rightly so if some quarters are to be believed, it reminds us as users that choosing strong passwords, and using a unique password for each site, can often make the difference between a minor breach of one personal account and a major one that spreads across your whole online life.
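The two failings described above, a guessable base word dressed up with “leetspeak” substitutions, and the same password recycled across several systems, are exactly what a password screening check should catch before a credential is accepted. The following is an added example, not code from the article or from any Hacking Team product: a small Python audit that normalises a candidate password back to the base word an attacker’s wordlist rules would derive, rejects it if that base word is on a denylist or the password is too short, and groups a set of systems by the password they share. The denylist and the credential set are constructed for illustration; a real deployment would load a breach-derived list of millions of entries and read credentials from a vault rather than a dictionary.

```python
import re
from collections import defaultdict

# Common "leetspeak" substitutions. Cracking wordlists already apply these
# rules, so "Passw0rd" is no stronger than "password" against a real attacker.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

# Constructed denylist of base words (hypothetical; not from the article).
BANNED_BASE_WORDS = {
    "password", "passwd", "letmein", "welcome", "admin", "qwerty",
    "hackingteam",  # an organisation's own name is an obvious first guess
}

MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Reduce a password to the base word a cracking rule set would derive:
    lowercase, drop the trailing digits/punctuation counter ("1!", "2015"),
    then undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # "p@ssw0rd1!" -> "p@ssw0rd"
    return base.translate(LEET_MAP)        # "p@ssw0rd"   -> "password"


def is_weak(password: str) -> tuple[bool, str]:
    """Return (True, reason) if the password should be rejected, else (False, 'ok')."""
    base = normalize(password)
    if base in BANNED_BASE_WORDS:
        return True, f"variant of banned word '{base}'"
    # Longer banned words embedded in the password (e.g. "mypassword") are
    # also rejected; short ones like "admin" are only matched exactly to
    # avoid false positives on innocent substrings.
    for word in BANNED_BASE_WORDS:
        if len(word) >= 6 and word in base:
            return True, f"contains banned word '{word}'"
    if len(password) < MIN_LENGTH:
        return True, f"shorter than {MIN_LENGTH} characters"
    return False, "ok"


def audit(credentials: dict[str, str]) -> dict[str, str]:
    """Map each system whose password fails the check to the reason it failed."""
    findings = {}
    for system, password in credentials.items():
        weak, reason = is_weak(password)
        if weak:
            findings[system] = reason
    return findings


def find_reuse(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Group systems by the normalised form of their password. Variants such as
    "Passw0rd" and "Password2015" are treated as the same password, because an
    attacker holding one will try the others; any group of two or more systems
    means one compromised login hands over the rest."""
    by_password = defaultdict(list)
    for system, password in credentials.items():
        by_password[normalize(password)].append(system)
    return {pw: sorted(systems) for pw, systems in by_password.items() if len(systems) > 1}


# Constructed sample credentials illustrating the pattern the article describes.
SAMPLE_CREDENTIALS = {
    "mail": "Passw0rd",
    "vpn": "P@ssw0rd1!",
    "git": "Passw0rd2015",
    "backup": "correct-horse-battery-staple-9",
}

if __name__ == "__main__":
    for system, reason in audit(SAMPLE_CREDENTIALS).items():
        print(f"{system}: rejected ({reason})")
    for base, systems in find_reuse(SAMPLE_CREDENTIALS).items():
        print(f"'{base}' reused across: {', '.join(systems)}")
```

Running the audit over the sample set rejects the three “Passw0rd” variants and reports them as a single reused password, while the long passphrase on the backup system passes. The normalisation step is the part worth keeping: a denylist compared against raw input misses every “P@ssw0rd1!” spelling, which is why such variants survive in environments that nominally have a password policy.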

Further details revealed suggest that Hacking Team advised the Lebanese Army and clients in Egypt to use VPN services in the United States and Germany to surf the web, both to protect their privacy and to obfuscate their browsing habits.

Hacking Team VPN

While Twitter has exploded with news of the leak, with the term “Hacking Team” trending worldwide earlier in the day, users are being reminded that downloading the released cache of documents could be a criminal offence, and anyone downloading via torrents or accessing the files is being advised to do so via a VPN. While the online community rejoices, seeing the hack as an eye for an eye, individual users should be cautious about the legal implications of downloading such stolen documents.

Hacking Team VPN Tweet
