When Hacking Team was hacked…
We all learned a lot more about “Hacking Team” thanks to the always entertaining “hacking the hackers” exploits over the weekend. Hacking Team is a Milan, Italy-based IT firm that produces and sells offensive intrusion and surveillance software packages to government agencies around the world.
Stories like these are always a bit of a feeding frenzy of schadenfreude, and I will admit that I had quite a strong bout of smug pleasure from the information bleed that Hacking Team experienced. The facts of the matter are these:
1.) Hacking Team sells surveillance software that is, if not illegal, at least immoral, used to spy upon the citizens of countries ranging from the USA to Sudan. Indeed, in the leaked documents it appears the client list includes Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and the United States’ DEA, FBI and DoD. The company had on several occasions denied selling software to any governments which the United Nations has labelled as “human rights violators”, so this leak clearly flies in the face of those statements.
2.) For a “hacking” company they employed (as ZDNet accurately called it) “shockingly bad” passwords. I mean honestly, for a small business with no government clients at all, the passwords would have been shockingly bad. For Hacking Team to have used passwords such as “P4ssword”, “wolverine”, and “universo” is just ludicrous, and they deserved this for the simple stupidity of their password selection.
Many outlets were careful to hedge the news of the breach with “allegedly” and similar terminology, but news has broken that Hacking Team acknowledged the breach and, while they did not verify that the 400GB torrent of leaked data was legitimate, they have advised all their clients to terminate the use of their products immediately. Such a recommendation would indicate that the files are legitimate.
This brings us to the next big topic aside from citizens not being able to trust their governments…
Passwords, complexity, and biometrics, oh my!
Here’s the deal. Passwords suck. They are a pain to remember, a pain to type, and just when you get the muscle memory of your password down pat, the password expiration policy always seems to kick in and force you to change it. The best security would be a 3-factor method of biometric, presence verification and a password. This generally proves too cumbersome, and so in practical use 2-factor authentication is the best reasonable compromise. It should be noted, though, that if you are only going to use a password to secure your online accounts, LDAP domain, etc., you should follow the guidelines below:
- Use at least 8 characters minimum. More is better. Always.
- Use mixed case, numbers and special characters
- Don’t use a password based upon a dictionary word (in any language), e.g. “P4ssword” – I’m lookin’ at you, Hacking Team!
- Don’t use the same password for multiple services – your Gmail password should be different than your Facebook, Dropbox, and Bank passwords, for instance.
As always, use 2-factor authentication wherever possible. I use it for every account that supports it; it takes a few extra seconds to enter the unique code that gets sent to my phone, but it is by far worth it for the extra security.
You can test a prospective password at a website that specializes in calculating the actual complexity of a given password. If you’re super paranoid about typing a new password candidate into a website, you can disconnect your computer from the network once the page has loaded, before typing it in. One site that I know is safe to use (since I ripped the site locally to make sure it’s all done client-side) is https://howsecureismypassword.net/ – you can check and see that Hacking Team’s “P4ssword” password would take an average desktop computer around 15 hours to crack. A focused distributed computation cluster would only take seconds to crack that.
I don’t want to boast, but one of my retired passwords would take 26 quintillion years for a desktop computer to crack. That’s a lot of years! Take the results with a grain of salt, but still, it’s a decent way to gauge relative password security. I will also say that I could (and still can) a) remember it easily and b) type it in under 10 seconds.
So the cat is out of the bag on the clientele of Hacking Team, and while it remains to be seen what happens to the company in the long term, all signs would point to it being a total loss. Their slogan “Rely on us.” has proven to be poor advice, and it’s doubtful that anyone will do so in the future after this debacle.
Let this serve as a reminder for all of us that passwords are a big deal and that people with shady-at-best ethics sometimes do get their just deserts.
Until next time: go make sure your passwords are secure!