Itsik Mantin, Director of Security Research at Imperva says: “Observing security breaches over the past few years, we can see that while many of them rely on vulnerable systems (e.g. breaking into an application using SQL injection) an at least equal proportion rely on the human factor.
Users in all systems may open emails from people they don’t know, or visit web sites which might be infected with drive-by-downloads. This is true also from the attacker perspective, where insiders like Snowden abuse access privileges for various reasons, ideological or material.
This security incident in the Hacking Team, following recent incidents in the White House and some federal agencies, shows again that no system is immune to security breaches.
The information leaked may include intellectual property of the Hacking Team and commercial secrets, as well as personal information on personnel, business information on customers, including customers like law enforcement agencies, which may be very sensitive to such leakage.
Furthermore, data stolen in this breach such as user credentials to support site, may be used, or may have been used, to extend the breach and get more data.
It is yet again a lesson for any organization that has sensitive information (and every organization has sensitive information), that while attempting to avoid infection and penetration one must also have plans in place to detect and contain an infection or a breach once it happens.
Otherwise, they may end up making desperate attempts to contain the damage by throwing unfounded threats on legal actions and infection by malware on curious individuals that download their precious secrets from the Internet.”
Javvad Malik, Security Evangelist at AlienVault:
· How bad is this?
“It’s a bit early to tell. Hacking Team has divided opinions for a long time, so the fact they have been breached has stirred up a lot of online debate. However, with breaches being an almost daily occurrence, it may be that outside the security community and the affected governments not many will care for very long. I think what will be most interesting is whether this will create a gap in the market where other player(s) could sell similar services to governments that may have lost confidence in Hacking Team.”
· Any clue how Hacking Team may have been compromised?
“It looks like Hacking Team were (re)using some relatively weak passwords - variants of “password” seemed common.”
· Is it odd no one’s claimed responsibility?
“Not really - I’m sure speculation will start flying soon enough before someone steps up and claims responsibility.”
Mark James, Security Specialist at IT Security Firm ESET says:
How bad is this?
“From their point of view, it’s very bad. The type of software they sell relies on a very high degree of not only secrecy but trust. Unfortunately for them both of those have been compromised overnight, the type of data found included invoices and agreements from governments and organisations they clearly have stated they have no affiliation with. Along with that, source code was found and released for their software that will cause anyone still using it to quickly get it taken offline or disabled for security reasons. Passwords and personal information were also taken allowing access to other systems including Twitter and other social networks.”
Any clue how Hacking Team may have been compromised?
“There is no indication yet how the hack happened, although in most instances it stems from a targeted phishing attempt or even from the inside. The type of business they are in, along with the clientele they attract, has turned them into a very lucrative target from many internet groups including an entry on the "Enemies of the Internet" list compiled by Reporters without Borders.”
Is it odd no one’s claimed responsibility?
“It is odd how at this time no one has stepped forward and admitted responsibility although this could be so they can safely sort and distribute the data at their leisure.”
NHS data breach
Luke Brown, VP & General Manager EMEA, Digital Guardian adds: “Human error is something that many organisations forget about when working with sensitive data, often to their detriment, whether it is sending an email to the wrong cached email address or misplacing a USB stick as in this case. This is a perfect case in point. Recent research by the Online Trust Alliance found that almost one-third (29%) of data losses are caused by staff – whether done maliciously or accidentally, so looking within your organisation for potential threats to data security is imperative.
There are numerous technologies out there designed to combat human error, and small investments can go a long way. When organisations deploy technology that protects data at source (data-centric), it removes the risk factor associated with human error and insider threats. Furthermore, staff quickly become aware of the impact of their actions, leading to rapid behavioural changes. Within just a month or two of deploying data-centric security solutions, organisations typically see a dramatic drop in staff-related data breaches as a result.”