When Hackers Got Hacked!

The dark secrets of Hacking Team that reached the small island of Cyprus

Anything is ‘hackable’, and so the irony becomes even more apparent in the title: hackers got hacked. This week’s news was dominated by the Hacking Team leaks, the aftermath of a total compromise of their internal network by unknown hackers; more than 400GB of sensitive raw data are now publicly available on the internet. A quick glance at the material showed source code of their exploits, receipts, client communication and company spreadsheets, exposing the company’s closely guarded skeletons to anyone techie enough to just Google the right words!

Delivery Report on the equipment sold to Cyprus Intelligence Service

Hacking Team Controversy

Hacking Team has been at the centre of bad publicity since early 2014, when CitizenLab accused the Italian company of selling surveillance equipment to oppressive regimes [3]. At the time HT denied any involvement; however, today’s leaks show that the Nigerian government was on their client list along with Saudi Arabia, Uzbekistan, Sudan, Morocco and Turkey, countries classified as among the worst human rights violators in the international community. The infamous company openly marketed to government agencies and law enforcement, offering them customised solutions to bypass encryption and intercept data, often stepping into a grey area.

One of their latest products was branded “Remote Control System Galileo” and gave its operator the ability to exploit at least 2 different 0-day vulnerabilities in Flash (CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123) to compromise and potentially take over Windows, Linux and OS X machines. According to the latest updates, their most common attack vector was a Microsoft Word (.doc) file that silently loads an Adobe Flash object in the background, compromising the victim’s computer.

Hacking Team advertisement for Remote Control System Galileo, targeting state agencies

Angry Agents all over the World

As Business Insider reported, Hacking Team has been advising its customers to disable their software and stop any activities immediately, as they are exposed to risk [2]. Moreover, to add to the confusion, sources report that their equipment was purposely backdoored and watermarked, which means that not only could they remotely control the customer’s target machine, but they could also access the outcome of any ongoing surveillance [2]. I am almost certain that this kind of ‘feature’ was not communicated to their customers, and as Bruce Schneier said, it’s not very pleasant to make international secret agencies upset [1]!

Cyprus, the Island for all Seasons! <— shameless advertisement!

Among the thousands of files leaked is a client list naming the Cyprus Intelligence Service as a customer purchasing services from the Italian hackers since 2012. Financial statements record that a total of 375,000 euros was paid by the Cypriot government to acquire state-of-the-art surveillance malware. A licence for 5 instances of Remote Control System Galileo appears to have been sold to CIS for Windows and Android targets, along with maintenance and customisation services.

The first instalment of €70,000 of the €375,000 contract with HT

As a result of a few published articles and media coverage on the topic, citizens became concerned about two specific issues. I will try to give my view without pretending to be a legal expert, focusing more on the technical aspects of the issue.

Q: Is surveillance conducted by Cyprus Intelligence Service legal?

Privacy Leaks from Wi-Fi Probing

In a modern era where smartphone use has increased exponentially, we investigate the amount of private information an adversary can extract by observing active service discovery in Wi-Fi, where a wireless station broadcasts the list of its preferred wireless networks without the user’s consent or knowledge. This report describes a range of techniques that violate users’ privacy using the Wi-Fi fingerprints emitted by devices. One of the main points of the report is the relationship discovery first implemented by Cunche et al., which explains how to infer relationships between users through their sets of SSIDs. Other attacks can be mounted that reveal not only a social link between users but the actual path a device follows in real time.

Figure 1.0 – Wireshark was used to capture the probing requests that include MAC addresses and SSIDs in plain text.

During the last decade the number of portable Wi-Fi devices such as smartphones, tablets and notebooks has increased dramatically. Nowadays the majority of users constantly carry their mobile devices with them, not only at the workplace but also at home. For these reasons Wi-Fi has become the preferred way to provide internet access for medium-range connectivity. In this regard, many recent scientific papers have investigated how much information can be obtained from a user’s interaction with a Wi-Fi network, particularly by observing the fields that are transmitted in plaintext, such as probe requests. In order to connect to a network, a mobile phone sends probe requests that contain the SSID names of previously associated networks. This mode is called Active Discovery Mode (ADM). Wi-Fi supports encryption and authentication standards (e.g. WPA2) to ensure that the data transmitted between a client and an Access Point is safe from eavesdroppers.

However, before we reach the phase of credential exchange there is the Network Discovery phase, in which a Wi-Fi enabled client discovers and contacts the AP for the first time. In this phase several messages are exchanged between the two parties (e.g. network discovery probe requests) that are necessarily transmitted in plaintext. These packets (also called frames) include in their headers, among other fields, the Media Access Control (MAC) address of the Wi-Fi enabled device, which serves as a unique identifier for that device. Based on these two features, the unique MAC identifier and the probes, it seems feasible to identify users with high probability. This fact enables the identification of a user by their device’s MAC address: practically, the device serves as an interface to reach the user behind it, and the MAC address of the device becomes a nickname for the user.

As a result, the user becomes vulnerable to what we would call fingerprinting attacks. Fingerprinting is “the process by which a device, its driver or the OS a machine is running can be uniquely identified by its externally observable characteristics”. Therefore an adversary can extract information about someone’s previous locations or even track them down in close proximity.
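To make the plaintext exposure concrete, here is an added example (not part of the students’ report) that builds constructed 802.11 probe-request frames, parses the source MAC and SSID element exactly as a Wireshark capture would show them, and audits what each device leaks: how many preferred networks it reveals, whether its MAC carries the locally-administered bit that randomized addresses use, and which SSIDs two devices have in common. The MAC addresses and SSIDs are constructed sample values.

```python
# Constructed 802.11 probe-request frames (no radiotap header) that mirror the
# plaintext fields Figure 1.0 shows in Wireshark: source MAC and preferred SSID.
def build_probe_request(src_mac: str, ssid: str) -> bytes:
    fc = b"\x40\x00"                              # type=management, subtype=probe request
    duration = b"\x00\x00"
    bcast = bytes.fromhex("ffffffffffff")
    sa = bytes.fromhex(src_mac.replace(":", ""))
    header = fc + duration + bcast + sa + bcast + b"\x00\x00"   # DA, SA, BSSID, seq ctrl
    body = bytes([0, len(ssid)]) + ssid.encode()  # SSID IE (tag 0); empty = wildcard probe
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96]) # Supported Rates IE (tag 1)
    return header + body

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, or None for any other frame."""
    if len(frame) < 24 or frame[0] & 0xFC != 0x40:
        return None
    source_mac = ":".join(f"{b:02x}" for b in frame[10:16])   # Address 2 = transmitter
    body, pos, ssid = frame[24:], 0, None
    while pos + 2 <= len(body):                    # walk the tagged information elements
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            ssid = body[pos + 2:pos + 2 + length].decode(errors="replace")
            break
        pos += 2 + length
    return source_mac, ssid

def is_randomized_mac(mac: str) -> bool:
    # A set locally-administered bit (bit 1 of the first octet) marks a randomized MAC.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(frames):
    """Per source MAC: the set of SSIDs leaked and whether the MAC looks randomized."""
    report = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        entry = report.setdefault(mac, {"ssids": set(), "randomized": is_randomized_mac(mac)})
        if ssid:                                   # a wildcard probe reveals no preferred network
            entry["ssids"].add(ssid)
    return report

def shared_ssids(report, mac_a: str, mac_b: str) -> set:
    """SSIDs two devices both probed for: the overlap the report uses to infer a social link."""
    return report[mac_a]["ssids"] & report[mac_b]["ssids"]
```

A device that sends only wildcard probes from a randomized MAC shows up in the audit with an empty SSID set and no stable identifier, which is exactly the state the report’s attacks depend on not having.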

The report outlines the most important attacks, including the following:

  1. Infer Social Link
    1. Location proximity
    2. Spatio-temporal co-occurrence probability
  2. Wi-Fi Tracking 
    1. Stalker Attack
    2. Beacon Replay Attack
  3. Estimating Smartphone Trajectories

* If you would like to read the full report, click here: Privacy Leaks from Wi-Fi Probing

For this project the following information security students contributed:

  • Pejman Najafi
  • Andreas Georgiou
  • Dina Shachneva
  • Ioannis Vlavianos