Earlier this month, “The Hacking Team”, a Milan-based information technology company, was breached, and their data was published on the Internet. Although breaches of organizations occur quite frequently, two things are specifically interesting about this breach: it included more than 400GB of data from various company resources (internal e-mails, source code, customer invoices, and even mobile pictures from the employees' WhatsApp), and the leaked data included zero-day exploits that “The Hacking Team” sold to government agencies worldwide.
Much was said about this breach. In this blog post, I'd like to look at the security aspects of the breach and at what we can learn from it.
- Awareness is not enough – The Hacking Team is a group of security researchers who definitely knew what they were doing. Nonetheless, they were hacked. This shows that awareness, by itself, is not enough, and that proactive defenses must be deployed and maintained.
- Attack propagation – Looking at the published “The Hacking Team” data, it can be seen that the attackers got into one place on the network and continued the attack from there. For example, one of the folders contains a configuration file holding a password to the database, and a sub-folder contains the content of that database. To mitigate such breaches, add security layers, such as encrypting the database password, so that an attacker who reaches the configuration file still cannot use it to access the database.
- Encryption – Some of the breached data was encrypted, but was still accessed. To keep data-at-rest secure, make sure that the encryption is implemented to the highest security standards and that the encryption keys themselves are secured. Encrypting data while keeping the keys in an unsecured or merely obfuscated place is like the old saying: “lock the door, and keep the key under the door mat”.
- Attack surface – The breach of The Hacking Team spans many layers of attack: different servers, laptops and mobile phones. For strong security, make sure that endpoints and BYOD devices are fully protected.
- Single point of breach – For strong security, make sure no single individual (whether an inside employee or, for that matter, an attacker) has full access to the encryption keys and credentials, which are usually stored in a single location.
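One concrete way to implement the last two points (keys that are secured rather than merely hidden, and no single holder of the whole key) is threshold secret sharing: the master key is split into shares held by different people or systems, and only a quorum can rebuild it. The following is an added example written for this post, not code from The Hacking Team or from any library; it implements Shamir's scheme over the prime field GF(2^521 - 1), and the key material, share counts and function names are constructed for illustration.

```python
import secrets

# Field prime for the polynomial arithmetic. 2**521 - 1 is a Mersenne prime, so any
# key of up to 64 bytes (2**512 - 1 < PRIME) is a valid field element. This choice of
# field is an assumption of the example, not a requirement of the scheme.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial over GF(PRIME) with Horner's rule; coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` (x, y) shares; any `threshold` of them rebuild it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field (max 64 bytes)")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from a list of (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of the denominator via Fermat: den**(p-2) mod p.
        basis = num * pow(den, PRIME - 2, PRIME) % PRIME
        total = (total + yi * basis) % PRIME
    return total


def recover_key(shares, key_len: int) -> bytes:
    """Rebuild a `key_len`-byte key; fewer shares than the threshold give a random
    field element, which (almost always) does not fit and is rejected here."""
    value = recover_secret(shares)
    if value >= 256 ** key_len:
        raise ValueError("shares do not reconstruct a key of this length")
    return value.to_bytes(key_len, "big")


def shares_reveal_key(shares, key_len: int, key: bytes) -> bool:
    """True if these shares rebuild `key`; False if recovery fails or differs."""
    try:
        return recover_key(shares, key_len) == key
    except ValueError:
        return False


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)          # constructed demo key, not a real one
    holders = split_secret(master_key, threshold=3, share_count=5)
    print("3 of 5 rebuild the key:", shares_reveal_key(holders[:3], 32, master_key))
    print("2 of 5 rebuild the key:", shares_reveal_key(holders[:2], 32, master_key))
```

Shares would be handed to separate custodians (for example two administrators and an offline escrow), so the configuration file that needs the database key at runtime never holds the whole key, and no single compromised account or laptop yields it. Rotating the key means re-splitting it and retiring the old shares.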
- Auditing – It took the attackers of “The Hacking Team” some time to reach every part of the network and copy 400GB of data. By adding defense mechanisms that include auditing and anomaly detection, such breaches can be revealed and stopped at an early stage.
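Copying hundreds of gigabytes and hopping from one internal host to the next both leave a footprint in audit logs, and a simple baseline is enough to surface them. The example below is added for this post and is not code from the breached company or any product; it runs over a few constructed transfer-audit lines (the log format, user names, addresses and byte counts are all invented) and flags any user-day whose outbound volume or number of distinct destination hosts is far above the median of all user-days, the two signals that correspond to the bulk copy and to the attack propagation described above.

```python
import re
import statistics
from collections import defaultdict

# Constructed audit lines in a made-up format: timestamp, user, source, destination, bytes.
SAMPLE_LOG = [
    "2015-07-01T09:12:03 user=alice src=10.0.1.5 dst=10.0.2.10 bytes=2048",
    "2015-07-01T10:40:11 user=bob src=10.0.1.7 dst=10.0.2.10 bytes=4096",
    "2015-07-02T09:05:41 user=alice src=10.0.1.5 dst=10.0.2.11 bytes=3072",
    "2015-07-02T11:22:09 user=bob src=10.0.1.7 dst=10.0.2.10 bytes=1024",
    "2015-07-03T09:30:00 user=alice src=10.0.1.5 dst=10.0.2.10 bytes=2560",
    "2015-07-03T02:14:55 user=bob src=10.0.1.7 dst=10.0.2.12 bytes=734003200",
    "2015-07-03T02:20:31 user=bob src=10.0.1.7 dst=10.0.2.13 bytes=524288000",
    "2015-07-03T02:31:08 user=bob src=10.0.1.7 dst=10.0.2.14 bytes=419430400",
    "2015-07-03T02:45:12 user=bob src=10.0.1.7 dst=10.0.2.15 bytes=629145600",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line: str):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    ev["day"] = ev["ts"][:10]          # ISO timestamp: first 10 characters are the date
    return ev


def aggregate(lines):
    """Per (user, day): total bytes sent and the set of distinct destination hosts."""
    agg = defaultdict(lambda: {"bytes": 0, "hosts": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        slot = agg[(ev["user"], ev["day"])]
        slot["bytes"] += ev["bytes"]
        slot["hosts"].add(ev["dst"])
    return agg


def detect_anomalies(lines, volume_factor=10, breadth_factor=3):
    """Flag user-days whose volume or host breadth exceeds a multiple of the median.

    The median over all user-days is used as the baseline because it is not pulled
    upward by the very outliers we want to find. Factors are illustrative knobs."""
    agg = aggregate(lines)
    if not agg:
        return []
    median_bytes = statistics.median(v["bytes"] for v in agg.values())
    median_hosts = statistics.median(len(v["hosts"]) for v in agg.values())
    findings = []
    for (user, day), v in sorted(agg.items()):
        if v["bytes"] > volume_factor * median_bytes:
            findings.append({"user": user, "day": day, "reason": "volume",
                             "value": v["bytes"], "baseline": median_bytes})
        if len(v["hosts"]) > breadth_factor * median_hosts:
            findings.append({"user": user, "day": day, "reason": "breadth",
                             "value": len(v["hosts"]), "baseline": median_hosts})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG):
        print(f"{f['day']} {f['user']}: {f['reason']} {f['value']} (baseline {f['baseline']})")
```

In real deployments the baseline is computed per user or per role over a trailing window rather than over the whole data set, and the thresholds are tuned on known-good traffic; the structure of the check (aggregate, baseline, compare) stays the same.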
- Passwords – Company initials along with “Passw0rd” is not secure enough. Use strong passwords.
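A password like that typically satisfies the usual composition rules (length, upper case, digit), which is exactly why such rules are not a strength test. The checker below is an added example written for this post, not code from the breach or from any product; it normalizes common character substitutions and rejects passwords built on organisation-specific tokens or well-known base words. The sample passwords, the organisation token "acme" and the small word list are all constructed for illustration.

```python
import re

# Common "leet" substitutions undone before dictionary matching (constructed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# A tiny stand-in for a real breached-password word list.
COMMON_BASES = ("password", "welcome", "letmein", "qwerty", "admin")


def passes_composition_rules(pw: str) -> bool:
    """The classic policy: at least 8 characters with upper, lower and a digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def normalize(pw: str) -> str:
    """Lower-case and undo substitutions so 'Passw0rd' and 'password' compare equal."""
    return pw.lower().translate(LEET)


def weak_password_reason(pw: str, org_tokens=()):
    """Return why the password is weak, or None if it passes every check.

    org_tokens are organisation names or initials; very short tokens will match
    innocent words, so prefer names of four characters or more."""
    norm = normalize(pw)
    for token in org_tokens:
        t = token.lower()
        if t and t in norm:
            return f"contains organisation token {token!r}"
    for base in COMMON_BASES:
        if base in norm:
            return f"built on common word {base!r}"
    if len(pw) < 12:
        return "shorter than 12 characters"
    return None


if __name__ == "__main__":
    for candidate in ("ACME-Passw0rd!", "Letme1n2015", "Tr0ub4dor&3xample"):
        print(candidate, passes_composition_rules(candidate),
              weak_password_reason(candidate, org_tokens=("acme",)))
```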
And a word on The Hacking Team deliverables – The Hacking Team customer list, as revealed by the breach, includes many governments that are buying attack tools. It means that not just independent hackers are using these tools, but security agencies with large budgets. Also, soon after the breach, companies such as Microsoft released security patches for the Windows OS. It means that before the breach, “The Hacking Team” zero-day exploits were in the hands of many organizations and could potentially have been used in attacks. Microsoft and others have patched those vulnerabilities, but additional zero-day exploits are still available on the Internet today, and this means the data itself should be protected in a way that keeps it secret even in the event of a massive breach.