Most information security researchers fit into one of three categories: White hat hackers, who are professionals paid by organizations to test the security of their networks; Black hat hackers, who target victims for fun or personal gain; and gray hat hackers, who hack systems without the authorization, which white hat hackers obtain, but without malicious intent.
However, an emerging category, which is not easy to place on that continuum, is “lawful intercept” organizations that find vulnerabilities in products and sell access to them — or ready-to-deploy exploits which leverage those vulnerabilities — to government intelligence or law enforcement agencies seeking to use those resources to gain access to the private information of persons of interest.
While some of these offerings are delivered on a Software-as-a-Service (SaaS) model, by merit of the fact that government agency workers are the ones actually hacking targets, companies which develop and sell these resources appear not to violate any laws. With the amount of money that governments are typically willing to spend on law enforcement, the lawful intercept industry has become quite lucrative, attracting startups.
SEE: SMB security pack: Policies to protect your business (Tech Pro Research)
Because of this, a mass of startups with poor operational security have entered the market of selling vulnerabilities and exploit kits to governments. When these groups are hacked, the data of investigation targets are also leaked, potentially tipping off suspects that they are being investigated.
A recent history of hacker insecurity
This week, a Motherboard report detailed an incident in which the German lawful intercept group “Wolf Intelligence” maintained an unprotected command and control server, and improperly allowed public access to a Google Drive folder, which was discovered by CSIS Security. According to researchers at that firm, this exposed 20 GB of data, some of which is data of surveillance targets — one of whom, they claim, is a human rights defender — as well as recordings of customer meetings, and scans of the founder’s passport and credit cards. CSIS Security researchers noted that the malware offered by Wolf Intelligence is “just copy paste from open source projects.”
In May, a report indicating that Securus — a company that sells smartphone location tracking tools to law enforcement agencies — was hacked, with thousands of pieces of data including account credentials leaked. While Securus focused on the law enforcement market, the backend service provider of that company was LocationSmart, according to a ZDNet report. Immediately following that report an unsecured product demo LocationSmart’s website was discovered, allowing any user to find the location of any arbitrary mobile phone. Critically, the demo has no protection against users interacting with the backend API, potentially allowing malicious users to access the location of users, to say nothing of gaining access to LocationSmart’s product without paying.
The Securus/LocationSmart saga is made substantially worse by the fact that mobile network operators were selling access to user data to the companies to begin with, which under pressure from Sen. Ron Wyden, have pledged to end.
SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
There are a number of historical anecdotes of similar security malpractice. In 2015, 400 GB of data–including source code–was dumped as part of a hack of the uncreatively-named Italian firm “Hacking Team” by a hacker identified as “Phineas Fisher,” the same hacker behind the Gamma Group (FinFisher) hack a year earlier. The business conduct of Hacking Team and Gamma Group have received scrutiny, as FinFisher has been linked to government targeting of dissidents in Bahrain, while ZDNet reported in 2015 that “Hacking Team” previously denied selling spyware to Sudan, while a receipt for €480,000 ($530,000) from Sudan was found among the leaked documents. Rather than independently researched exploits, the Italian company was selling were open-source code from security researchers such as Collin Mulliner.
Despite these incidents, white hat security professionals seem unconcerned that the conduct of “lawful intercept” groups will cast a negative impression of their industry. Colin Bastable, CEO of Lucy Security, notes that “‘Lawful intercept’ companies operate in totally different ways to ethical hackers, and the market knows this. We help build defenses by exposing weaknesses — they profit from exploiting weaknesses.”