Saturday, July 11, 2015

What I Learned when Hacking Team became Hacked Team

There are many takeaways from this hack, which has effectively named and shamed many and (possibly) relegated Hacking Team to history (good riddance to an arrogant lot). I am sharing some lessons which I have learned as a security practitioner and will touch upon some issues (e.g. NDAs are worthless and a waste of time; they can't cover gossip, resumes et al.).
(My apologies for the flowery language, which is prompted by my glee at the fall of this organization for personal reasons of my own.)
Security bloopers courtesy of Hacking Team (RIP)
Learning # 1 - If you are in the security business (or any unsavory business) and you are dealing in sh**, crack, LSD, heroin, 0-day, malware or any such crap ... make sure your emails and data are encrypted - saves your clients the embarrassment of dealing with a debauched organization
Learning # 2 - Remember your underpants always smell but you will never know how bad; once they are put out in public you will know how bad it stinks ... and you will also learn you have holes in the wrong places ;)
Learning # 3 - Once your privates are exposed be prepared for ridicule about your size, morals, hygiene, etc... and don't be surprised if the guys at Daesh / ISIS / Al Qaeda are leading the criticism - just goes to show how low you are in the reputation index
Learning # 4 - Just because you have all the 0-days in the world in your kitty OR all the kings of the world at your doorstep wanting to buy your wares.... this does not mean someone 'cannot' screw you, because arrogance rising from your mal-knowledge and a big order book corrupts you as badly as power in hand (remember to respect the forces of humanity and nature)
Learning # 5 - You think you know the world and its underbelly but then it brings you into the gutter yourself.... and then it is survival, you against the real shi****s, and they will always win because you are a wannabe shi****
Learning # 6 - When the sh** hits the ceiling you can be kicked off the throne without the opportunity to wipe your ass ... and we all know what happens when you are soiled
Learning # 7 - When underground, stay there and make sure everything you own is also there... air gap, PGP, whatever
Learning # 8 - We all know doctors do not follow their own advice... as security guys we do not indulge in data classification, encryption, backup, etc... that sermon is for our clients
Learning # 9 - What goes around comes around... if you sell cyber weapons or surveillance stuff and think it cannot come back and hit you... you do not even deserve to live in Wonderland, as Alice will be scandalized
Learning # 10 - An intelligence agency is not set up to be ethical or maintain loyalties to anyone except their government... if HT expected their tools would not be used on them by every buyer they needed a reality check
Learning # 11 - You are never "there" in security even if you are the cat's whiskers so stay grounded, say your prayers diligently and make sure you ask your God to keep you safe from the omissions and commissions of your vendors and other malicious trespassers!
If there are any learnings you can add to my list please be my guest and help the community!
