The business of hacking is dark and deep, and it’s hard to know who the good guys and bad guys are. The recent hack at the surveillance company Hacking Team highlights just that.
But with Hacking Team fresh in our minds, the breach could mark an inflection point for some ingrained cybersecurity practices.
The Italy-based company, known for selling surveillance technology to numerous organisations (many of them considered highly questionable actors by the international community), recently had its networks hacked. The attacker released all of the company’s data as a torrent, and the documents were then indexed and published on WikiLeaks for anyone to search.
In these thousands of Hacking Team documents we can see all of the crazy business the company has done, whether with US companies or foreign governments. Many have judged the leak to be damaging to the clients that purchased Hacking Team’s tools.
But one security company whose name surfaced in this hack has a very different perspective.
Netragard is a security company that offers anti-hacking services. Its catchphrase is “We protect you from people like us.” The company helps customers test their own networks for security vulnerabilities and assess the risk those vulnerabilities pose.
But Netragard also offers a service called an Exploit Acquisition Program (EAP). An EAP works as an exploit broker: it buys exploits from the researchers who discovered them and resells them to buyers.
The ethics of EAPs are interesting, to say the least. The exploits being sold are known in the industry as 0-days: they target vulnerabilities the affected vendor does not yet know about and has not patched. Selling one to another entity could be seen as malicious if it ends up in the wrong hands, because the buyer could use it to attack anyone running the vulnerable software. But if a 0-day reaches the right hands, security researchers can use the information to protect against future attacks.
And Netragard, according to the company, worked hard to make its EAP as ethical as possible. “Our goal was to provide researchers with [a] safe and trusted place to sell their exploits with the comfort of knowing that their exploits wouldn’t end up in questionable hands,” the company wrote in a new blog post explaining its business with Hacking Team.
But with Hacking Team, Netragard made a mistake. The security company sold Hacking Team an exploit for the price of about $US100,000. Now, Netragard is apologizing for doing such business. “[Hacking Team’s] customers are the very same customers that we’ve worked so hard to avoid. It goes without saying that our relationship with them is over and we’ve tightened our vendor vetting process.”
But there is one glimmer of hope, says the company, which is clearly trying to spin these revelations in its favour. Not only has the exploit Netragard sold to Hacking Team been rendered useless by its exposure in the breach, but the whole ordeal brings to light how tenuous and often questionable the market for such exploits is.
In light of this, Netragard hopes, the episode could bring about some change. It goes so far as to call the entire saga a “blessing in disguise”, though it is also hard not to see this as a classic case of PR damage control from a company caught doing business with those it vowed not to.
As the blog post puts it, “Hacking Team is just one example of why the zero-day exploit market needs to be thoughtfully regulated.”