Hacking Team Hacked? - Lessons learned!

SECURITY AFTERWORKSSummer Special: Hacking Team Hacked?!

1

Agenda

1) Hacking Team Hacked? – Lessons Learned!- The Company- The Hack- The Revelations- The Take-Aways

2) Aktuelle Lücken in RC43) sbaPRIME Kick-Off Event

4) Gemütlicher Ausklang22015 - SBA Research gGmbH

SBA – Key Facts

• Founded in 2006 • biggest research center for IT security and one of the largest

security service providers in the DACH countries• Know-how in research, audits, consulting, implementation

and operation under one roof• Over 90 employees and approx. 70+ FTEs• Management

– Edgar Weippl, Research& Science– Andreas Tomek, Services & Sales– Markus Klemen, General Management & Secure Software

32015 - SBA Research gGmbH

SBA – Action Fields & Values

• Research– Teaching at UAS & universities – national & international– Security research & prototypes

• Competencies– Pool of experts for information security– Innovative approaches like security & insurance with AON– Consulting, trainings, Managed Services, product implementation from

research & practice• Responsibility

– Common good & studies (e.g. Heartbleed analysis)– Providing knowledge– Platform for security (events, ISC2, IEEE, etc.)


HACKING TEAM HACKED

The Company

5

Hacking Team

• Italian company (Milan) founded in 2003– Venture Capital supported

• Several offices (USA, Asia)• ~50 employees

• Sells malware & related services to– Governments– Government agencies– Private companies

• Main software is called RCS (Remote Control System)62015 - SBA Research gGmbH

RCS Unique Selling Points (USPs)

72015 - SBA Research gGmbHSource: https://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf

HACKING TEAM HACKED

The Hack

8

The Hack

92015 - SBA Research gGmbHSource: https://twitter.com/mattblaze/status/618107272552677377

The Hack

• ~ 400GB of data published via bitTorrent– Internal E-Mails– Internal Presentations– Customer Data– Internal Software (e.g. pirated IDA Pro)– Source Code– Images– Phone Conversations


Who did it?

• Unknown: Attribution is very hard• Some hints online like…


HACKING TEAM HACKED

The Revelations

12

HT violated their customer policy


Customer Lists


Customer Statistics


HT did a Waltz with Bashir

• Why is this bad?• Sudan president Omar

Al Bashir wanted for war crimes!


HT possibly did a demo in Austria (in 2012)


HT knows they do “bad” things … and prepare for bad press


Valid Certificates

• HT tries to install their malware via known-good channels – e.g. official Android Marketplace

• Lesson Learned: This raises (again) questions about the CA system


What was HT doing with absolute paths like “C:\Utenti\pippo\pedoporno.mpg”?

• …but we should keep calm…

202015 - SBA Research gGmbHSource: https://twitter.com/TheRegister/status/618137815923101696

Stored Customer Skype Calls

• Lesson Learned: Be very cautious when storing sensitive customer data


Server Logins

• Lesson Learned: Do not keep plaintext password lists


Their Passwords

• Lesson Learned:– Also Techies have

weak passwords


HT bought 0days from Third Party Distributors

• Vitaliy Toropov• Netragard• Qavar• VUPEN• Vulnerabilities Brokerage Internationa (VBI)• Rosario Valotta• COSEINC• Ability Ltd• DSquare Security• Keen Team• LEO Impact Security• Security Brokers


Many Exploits leaked (and patched)

• Flash – CVE-2015-5119 – CVE-2015-5122– CVE-2015-5123

• Windows Kernel– CVE-2015-2387– CVE-2015-2425 (IE)– CVE-2015-2426

• To be continued? ...252015 - SBA Research gGmbH

Mobile Malware

• Fake Apps – E.g. BeNews in GooglePlayStore

was available until 07.07.2015• Unclear if test or productive• Contains no exploit code

– To get accepted by app-stores– Loads exploit code upon opening the app– Valid Certificate! (Apple & Android)

262015 - SBA Research gGmbHSource: http://www.techspot.com/news/61427-how-hacking-team-published-fake-google-play-app.html

iOS

• Their agent cannot be installed on an iPhones without Jailbreak


• WiFi Hacking Technology should be brought to victims via drones

• TNI (Tactical Network Injector)• Man-in-the-Middle of (Guest-) WLANs

282015 - SBA Research gGmbHSource: https://firstlook.org/theintercept/2015/07/18/hacking-team-wanted-infect-computers-drone/

HT backdoored their own products

• Lesson Learned: Be cautious which software vendor you trust


HT uses UEFI BIOS Rootkit to keep RCS 9 Agent in Target System• Lesson Learned

– Do not only reinstall the OS after a security incident

– Policy Suggestion:

302015 - SBA Research gGmbHSource: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

0-Day Pricing


HT wanted to sell to the Bavarian Police … but the person in charge was on vacation


HT wanted to sell to Belgium … but Belgium had no Government then

332015 - SBA Research gGmbHSource: https://wikileaks.org/hackingteam/emails/emailid/602524

No Exploits for Tor Network


HTTPSEverywhere

• HT sees HTTPSEverywhere (or more precise their SSLObservatory) as a risk

• Their rogue certificates might be exposed

352015 - SBA Research gGmbHSource: https://twitter.com/bcrypt/status/618132217382834176

Reactions…

• Leaked Exploits used in japanese APT campaign

• Discovered 9 days after HT leak

362015 - SBA Research gGmbHSource: https://www.fireeye.com/blog/threat-research/2015/07/second_adobe_flashz.html

Reactions…


Reactions…

• Browsers begin to block Adobe Flash per default


Reactions…

392015 - SBA Research gGmbHSource: http://www.marietjeschaake.eu/2015/07/written-questions-on-the-italian-company-hacking-teams-potential-violations-of-eu-sanctions/

Source: https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638

HACKING TEAM HACKED

The Take-Aways

40

What Users should learn (© Alexander Riepl from cert.at)

• Don't reuse passwords• Don't use weak passwords• Use Two-Factor-Authentication• Don't spend your day playing browser games• Don't have plaintext-password lists• Change default credentials


A word on 2FAActivate were possible

• Check out https://twofactorauth.org/ for a quick review of your personal services


https://twofactorauth.org/

What Admins should learn (© Alexander Riepl from Cert.at)

• Don't expose your monitoring systems to the network

• Have network monitoring in place• External reachable unpatched software is a no-

go- Update your CMS!

• Restrict or disable Flash on all managed devices• (Deploy) HTTPS and Strict Transport Security!


What Companies should learn (© Alexander Riepl from Cert.at)

• Don't assume you are not a target!• Don't be light-hearted!• OPSEC is hard - but try!• Open Source can help!• Develop an Information Security Management

System (ISMS)– This helps cover all the necessary topics and will make

you prepared for the day you get hacked.442015 - SBA Research gGmbH

Additional References

• Twitter– #HackingTeam– #HackingTeamTransparencyreport

• Good Article about the 0day market– http://tsyrklevich.net/2015/07/22/hacking-team

-0day-market/

• Wikileaks– https://wikileaks.org/hackingteam/emails 452015 - SBA Research gGmbH

http://tsyrklevich.net/2015/07/22/hacking-team-0day-market/

http://tsyrklevich.net/2015/07/22/hacking-team-0day-market/

https://wikileaks.org/hackingteam/emails

AKTUELLE LÜCKEN IN RC4

HTTPS und mehr

46

Neue Angriffe auf RC4

• “All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS”

• “Attacks Only Get Better: Password Recovery Attacks Against RC4”

• USENIX Security 2015



• RC4 = Stromchiffre von Ron Rivest• Extrem elegant, von 1987• HTTPS, WEP, WPA/TKIP, VPN, …

• Verwenden bekannte Schwachstelle (aus 2001)• Angriffe werden praktisch durchführbar (ca. 226,

227)• In Wirklichkeit: 75-300 Stunden



• Immer noch weitest verbreitete Cipher im Internet• Gefährlich auch bei Downgrade Angriffen:

– FREAK, Logjam– „Export Cipher“, RC2, …

• RC4 in HTTPS:– zufällige Stichprobe von 2 Millionen Hosts– 61.74 % akzeptieren RC4– 16.03 % (=350.000) bevorzugen RC4!



• Eigene Scans zu E-Mail:– IPv4-weit!– Mehr als 10 Milliarden TLS Handshakes– Mehr als 17 Millionen Hosts & Konfigurationen


51Source: http://www.google.com/transparencyreport/saferemail/


• Wie kann ich mich schützen?– Modernen Browser verwenden (Chrome,

Firefox)– RC4 serverseitig verbieten

• Testen unter https://www.ssllabs.com/ – „Test your server“– „Test your browser“


https://www.ssllabs.com/


• RC4 ist tot!• RFC7465 (Draft): „Prohibiting RC4 Cipher Suites“

• Gute Konfigurationshilfen:– https://bettercrypto.org– RFC7525: Recommendations for Secure Use of

Transport Layer Security (TLS) …", May 2015


https://bettercrypto.org/

ANKÜNDIGUNG

sbaPRIME Kick-Off Event: 5. November 2015

54

sbaPRIME Kick-Off Event5.November 2015• sbaPRIME = Kommunikations- und Informationsplattform

– Schnittstelle zwischen Forschung, Beratung und Wirtschaft

• sbaPRIME Kernangebote für Mitglieder– quartalsweise Events & Workshops– Austausch unter Mitgliedern– Gastvorträge internationaler Experten und Expertinnen– Informationsupdates, Security News & Whitepapers– zwei Kursteilnahmen pro Jahr– Analystengespräche– Review innovativer Security-Lösungen– Softwareprodukte aus dem Forschungsumfeld ohne Lizenzkosten– Möglichkeit sbaPRIME Inhalte mitzugestalten!


sbaPRIME Kick-Off Event5. November 2015

Agenda

• sbaPRIME – Kerninhalte• Security Surveys at a glance – Überblick und Analyse von über 30 Studien im

Sicherheitsumfeld• Whitepaper – Sicherheitsstrategie hinsichtlich Legacy Systemen• Tools für Mitglieder – die sichere Dateiaustauschplattform SBox• Trainings für Mitglieder – mit Sicherheit geschult• Security Conferences at a glance – die interessantesten Inhalte wichtiger

Sicherheitskonferenzen• Feedback & Gestaltung von Inhalten• Gemütlicher Ausklang

[email protected]


THANK YOU!

Have a nice week(-)end

57

Hacking Team Hacked? - Lessons learned!

Technology

Transcript of Hacking Team Hacked? - Lessons learned!