The CEO of Hacking Team tells how his surveillance company is recovering from the hack that stole all its data
Hacking Team
Very few companies are officially listed by Reporters Without Borders as an "enemy of the internet."However, that title is one of the tamer snipes that's been thrown at Italian surveillance software firm Hacking Team in recent weeks.
Hacking Team is a software company that creates digital surveillance tools for government departments and law enforcement agencies. Its customer list includes the US Federal Bureau of Investigation (FBI) and UK National Crime Agency (NCA). Reporters Without Borders believes its products are used to spy on and suppress dissent in countries with weak free speech laws, such as Morocco and the UAE.
The company made headlines on July 6 after a group of hackers broke into its network and stole 400GB of its data.
The data dump included everything from the software vulnerabilities used by Team Hacking products to spy on people, to email and customer records. The leaked data also contained documents suggesting Hacking Team sold its surveillance products to countries that the United Nations, NATO, European Parliament, and the US have placed under export restrictions either due to human rights violations or because Hacking Team's products would be designated as weapons.
Business Insider reached out to Hacking Team CEO David Vincenzetti to hear his side of the story.
BI: Can you give me a breakdown of what happened on the day of the attack?
DV: Hacking Team became aware of the attack at approximately 3:15 AM on July 6. I immediately called our engineers to the office where they physically took all systems offline. We also immediately directed all clients to suspend using the system in order to protect their surveillance data.
It is [our] clients that conduct investigations using Hacking Team technology, not Hacking Team itself, and the data they collect is maintained on the computer systems of clients. So an attack on Hacking Team would not reveal information from investigations conducted by law enforcement or other government agencies using our system.
However, we could not immediately determine the extent of the attack, so we directed clients to stop operations as a precaution.
Through the rest of the first week after the attack, Hacking Team engineers built a patch to further protect client data and rebuilt the company's own internal communications and data systems.
BI: Does Hacking Team know how the hackers managed to get into its systems?
DV: We have analysed the attack and learned a good deal about the techniques used, exactly what was taken, and how. That has allowed us to take steps to protect new systems that are now in place. Of course, we cannot provide details since to do so would provide valuable information for anyone wishing to attack our company in the future.
BI: How far along are you restoring service to your customers?
DV: The initial work is done so that we understand the extent of the attack and the damage that occurred from the theft of company data and publication on the Internet.
We have also cooperated with law enforcement in Italy, and an investigation is underway to determine who broke into the Hacking Team systems and stole data.
We now must thoroughly assess the new environment for surveillance and we are developing new systems to operate within that environment. Then Hacking Team will provide those new systems to our clients. We are not predicting how long this will take.
BI: What's been the response from customers since the attack?
DV: Though clients are concerned, of course, they generally support us. They recognise that a crime has been committed against our company, and they also value the solution we provide for doing surveillance in an age when criminals and terrorists have many ways to communicate via encrypted systems using digital technology.
As our clients know from their own experience, the system that we have provided is the most powerful, comprehensive and easy to use software available for digital surveillance.
BI: What are your future business recovery plans?
DV: We will continue to develop a new version of our software based on work that our engineers were doing before the attack and that was not compromised.
BI: How do you respond to the allegations Hacking Team sold its tools to blacklisted countries like the Sudan?
DV: Hacking Team has separated business relations with three former clients who we have identified - Russia, Sudan and Ethiopia. Although the sales to these countries were legal when they were made, the company voluntarily decided to end the relationships based on changes in the political climate of these countries and our own evolving business practices.
BI: If it's not illegal, are there any groups or countries you absolutely will not sell your services to?
DV: Yes, there are a number of countries we have rejected as clients. Some are obvious such as North Korea, Syria or Iran and, of course the countries I just mentioned. However, there are also other examples that I will not name.
BI: How would you respond to claims Hacking Team's tools help governments infringe on citizens' privacy?
DV: In the digital age, criminals and terrorists take full advantage of the secrecy provided by the Internet, encrypted communications over mobile and fixed devices and Internet services such as Tor to conduct crime.
Each of us runs the risk of becoming a victim of fraud, extortion or worse because of this situation. There are examples of crime every day, such as the theft of financial data, that have a direct impact on both consumers and business.
Law enforcement must have a way to do what it has always done, that is to track criminals and prevent or prosecute crime. With the development of global terrorism and especially the 'lone wolf' terrorist, this requirement is even more important.
Hacking Team has helped fight crime by providing a surveillance tool to law enforcement. The company believes this is a small step toward a more secure world for all who wish to used the Internet and digital tools lawfully.
BI: What are your personal views on web privacy?
DV: Privacy is an important value, of course, but so is security. The developing challenge is to provide the proper balance.
Hacking Team has always followed laws and regulation, and the company has complied immediately with new regulation such as the Wassenaar protocols that went into effect in Italy in January of 2015.
In fact, we have worked to provide a perspective on new regulation being developed in Europe and want to be a part of the ongoing conversation.
[The Wassenaar protocols are part of an international agreement between over 40 nations, including the US and UK, designed to control and manage arms deals. The US government has proposed changes to add cyber research and surveillance tools to the arrangement's list of controlled goods.]
Is Hacking Team nervous about the Wassenaar Arrangement's proposed changes?
DV: Hacking Team has worked with Italian regulators in implementing the Wassenaar Arrangement's current protocols, and we have given input to the current process that may result in changes.
We are committed to providing services in accordance with the rules, and as regulation has changed in the past, Hacking Team has taken whatever steps were required to operate under the law. We will do so in the future, should the regulations change again.
BI: As I understand it, finding hackable software flaws is core to your business, do you ever disclose any of the security vulnerabilities you find to vendors?
DV: Zero day vulnerabilities are not core to Hacking Team's business. The core is providing a system to law enforcement that allows surveillance in the digital space.
Essential to that is a process of continuous updates to the software to assure that it can be operated securely. Zero day exploits are only one way in which clients may choose to deploy Hacking Team software.
[Zero-days are software vulnerabilties that are found by hackers before the general research or tech community.]
BI: Is the first significant attack on Hacking Team, or do you face attacks on a fairly regular basis?
DV: There have been a number of attempts to break into our systems, to break into our offices and to threaten our executives. Like any lawful business, Hacking Team deserves the protection of law and order. In the case of attacks of this kind that happened this summer, that protection has not been great enough to prevent significant damage.