While many people were watching the final match of the Women’s World Cup last week, Hacking Team was hacked. Hacking Team, an Italian digital security company, sells surveillance software to law enforcement and intelligence agencies. Its customers are government agencies, but it has long been accused of selling to oppressive regimes despite export controls such as the Wassenaar Arrangement. Last week’s hack, and the leaked internal files, showed that they had in fact sold software to Sudan and a number of other oppressive regimes, including Ethiopia, Azerbaijan and Saudi Arabia.
Why should you care about these hacks? And if a digital security company can get hacked, what can you and I do to prevent ourselves from becoming victims as well?
The power of a strong password is not a myth
Passwords are an important aspect of digital safety because they act as a form of authentication, often as the only one. They matter not just for individual accounts, but for whole organizations. So, how strong were Hacking Team’s passwords?
Apparently, not strong enough. Their Twitter account was hijacked and used to announce and spread the cache of files published in the hack. The Twitter password was one of many passwords stored in files that anyone with access to the machine could read (i.e., in plain text), and it is reasonable to presume that this is how the Twitter account was compromised.
Poor policies around how passwords are chosen and stored are what led to the publishing of passwords belonging to Hacking Team and to one of their software engineers, Christian Pozzi. As lampooned by security professionals on Twitter, most of the passwords Pozzi used were variations on the word ‘password’: a dictionary word with a few digits or symbol substitutions bolted on, which password-cracking tools try first.
What’s the major takeaway here? That the best practices we are always told about, choosing long passwords, never reusing them across accounts, and storing them only in an encrypted password manager rather than a plain-text file, are exactly as important as advertised.
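To make the ‘variations on password’ point concrete, here is an added example (not code from the original post, and not anything from the Hacking Team leak) of the kind of check a password-cracking tool effectively performs in reverse: it lowercases the candidate, strips the digits and punctuation people bolt onto the ends, undoes the common letter-for-symbol substitutions, and then looks for a blacklisted base word. The tiny word list, the 12-character minimum and the substitution table are assumptions chosen for the example; a real deployment would use a large breached-password list.

```python
import re
import unicodedata

# Constructed, deliberately tiny list of base words for the example. A real
# check would test against a large list of known-breached passwords instead.
WEAK_BASE_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou"}

# Common "leet" substitutions that crackers undo before a dictionary lookup.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed policy for this example; length is the one thing everyone agrees on


def normalize(pw: str) -> str:
    """Reduce a password to the base word an attacker would guess it from.

    'Password123!' and 'P4$$w0rd' both normalize to 'password'.
    """
    s = unicodedata.normalize("NFKC", pw).lower()
    # Strip runs of digits/punctuation padding the start or end ("Password123!").
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    # Undo symbol-for-letter substitutions in what remains ("p4$$w0rd").
    return s.translate(LEET_MAP)


def weaknesses(pw: str) -> list[str]:
    """Return a list of reasons the password is weak; an empty list means none found."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(pw)
    if not norm:
        reasons.append("contains no letters")
    for word in sorted(WEAK_BASE_WORDS):
        if word in norm:
            reasons.append(f"variation on the common word '{word}'")
            break
    if norm and len(set(norm)) <= 2:
        reasons.append("almost no distinct characters")
    return reasons


def is_acceptable(pw: str) -> bool:
    return not weaknesses(pw)


if __name__ == "__main__":
    # Constructed sample candidates, including the style of password the leak lampooned.
    for candidate in ["Password123!", "P4$$w0rd", "correct horse battery staple", "20150705!!"]:
        print(f"{candidate!r:32} -> {weaknesses(candidate) or 'no obvious weakness'}")
```

The lesson of the normalization step is that adding ‘123!’ or swapping ‘a’ for ‘@’ adds almost nothing: the cracker applies the same few rules in reverse and lands on the same dictionary word. A passphrase of several unrelated words passes because it is long and shares no base word with the list.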
A strong password isn’t enough: Get to know your software
Beyond length, there is no universal agreement on what constitutes a strong password. And if a password is compromised and you learn of it, you can at least change it immediately. But not every threat to your digital data is that transparent or that easy to address. In particular, you need to be aware of what software is installed on your computers, because attackers get in through it.
In the world of cyber warfare, there are holes in software that have been discovered but not disclosed to the vendor and therefore not patched. They are known as “zero-day” (0-day) vulnerabilities because the vendor has had zero days to fix them: the flaw is being exploited before a patch exists. In practice it means that some person or organization/agency may be able to install malicious software on your machine without you, the software provider, or any defensive software (e.g., antivirus) noticing.
This issue is serious because there is a thriving market where governments, brokers and companies like Hacking Team buy these exploits, which gives some security researchers an incentive to sell their findings rather than disclose them.
Hacking Team used 0-day exploits to deliver and install their surveillance software. As of today, three 0-day exploits for Adobe Flash Player have been found in Hacking Team’s files. How can you avoid this yourself? Keep Flash Player updated (Adobe has since patched these), or better yet, set your browser to “click-to-play” so Flash only runs on sites where you explicitly allow it, and uninstall it entirely if you don’t need it.
The more software you have installed (especially out-of-date and/or unnecessary software), the more chances there are for exploits to be used to compromise your system. This is even truer on mobile phones, where updates depend on the manufacturer and carrier and often arrive late or never.
In addition to removing unnecessary software and keeping the rest updated, it is crucial to understand the limitations of the software you use. For instance, the published files show that Hacking Team had a Skype “decoder” for listening in on Skype calls, and that this capability dates from around 2006, so it is nothing new. Skype’s encryption protects a call in transit, but surveillance software running on your own computer can capture the audio before it is ever encrypted. Understanding what your software does and does not protect against is essential to avoid a false sense of security.
In the now immortal words of the Hacking Team “If your company hasn’t been #hacked, it will be.”
If your organization works with personally identifiable data, it is crucial to make sure that data is safe. Learn more about digital safety in our brand new upcoming course, Basics of Digital Safety. The course begins on August 17; lock in the early bird rate now!