The attacker who stole Hacking Team’s data gained access to an employee’s computer while the victim was still logged in.
The attacker either had direct physical access to security engineer Christian Pozzi’s PC or they used malware to achieve a similar level of access. Whichever way it was, we can tell that Christian was logged in at the time simply by looking at a folder name among the files that were leaked onto the internet.
Christian’s password files have been published online and most commentators have focussed on the low quality of many of these passwords. However, look at the folder in which these files were stored: /Truecrypt Volume/.
The detail that jumped out at me, but does not seem to have been mentioned in (m)any reports, is that Christian stored his passwords in text files that were encrypted inside a TrueCrypt volume. TrueCrypt is a free but no-longer-supported program.
Presumably Christian felt that such valuable data should be protected, and he’d be right. But there are clearly security limitations to using encrypted volumes.
It is very likely that the victim was logged in and had opened this volume when the files were stolen.
Encryption like TrueCrypt is excellent at protecting data when the user is logged off. Greg Hoglund of HBGary once told me that it’s such an effective system that if his team couldn’t crack a volume in a few days they would simply give up.
The lesson to learn from this story is that even excellent encryption has its limits. Hard disk encryption is great for protecting lost or stolen computers and disks, but it won’t hinder attackers who have access to your computer while you are logged in. Whether they creep over to your desk during a rest break, or install malware remotely over the internet, it amounts to the same thing.
Benefit from Hacking Team’s failure by reconsidering the wisdom of storing passwords on your computer.
You could also reduce the length of time that encrypted volumes are mounted to the minimum; press Windows logo key + L (Lock) before you leave your Windows PC unattended; and invest in anti-malware solutions that are capable of detecting and blocking targeted attacks.
That last recommendation is not trivial to implement and most likely will include some level of white-listing, which can be effective but a pain to implement – either for the administrator or the user.
This article was originally published on Simon PG Edwards’ blog.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
4 comments on “How was Hacking Team hacked?”
What possible methods could be used? You infer from your article that it is a physical thing. Locking your PC would not prevent an open/unencrypted file system being compromised, if the attacker had root. Is there any info that could show the MO of the attacker past or present?
It's a ruse. If you're compromised across a network, they are either you or the OS. File/disk-based encryption security is designed to protect you when the system is off. Truecrypt wasn't compromised. It was open and therefore, useless.
Of cause the big question is the network. A company making these bundles of cash has its secrets connected to the net? And this long enough to leech this amount of data without anyone noticing? The speed needed would probably be either internal network or outside wlan access to a router.
Sooo tell me again:
How was Hacking Team hacked? /clickbait