Italian surveillance software maker Hacking Team recently claimed that it hasn’t lost any customers after the massive leak of its internal data two weeks ago. But it has lost at least one business partner: U.S.-based penetration testing specialist and zero-day exploit broker Netragard.
Over the weekend, Netragard announced that it is terminating its long-time running Exploit Acquisition Program (EAP), citing revelations about Hacking Team’s customers as one of the reasons.
Set up in 1999, EAP allowed Netragard to broker the sale of exploits for unpatched vulnerabilities—also known as zero-day exploits—between private researchers and select organizations interested in such computer intrusion tools.
Internal email communications recently leaked from Hacking Team revealed that the Milan-based company had a business relationship with Netragard and bought at least one zero-day exploit through its program.
Hacking Team developed a remote computer surveillance program called Galileo or RCS and sold it to law enforcement and other government agencies from around the world. As part of the package the company also offered zero-day exploits that could be used to silently install its program on systems targeted for surveillance when their owners visited a particular website or opened a certain document.
On July 5 one or more hackers leaked over 400GB of email communications, source code, documentation, client lists and other internal files stolen from Hacking Team. Researchers have found four zero-day exploits in the data cache so far, three for Flash Player and one for Windows, prompting Adobe Systems and Microsoft to release emergency fixes.
Other files revealed that Hacking Team sold its services to governments with a track record of violating human rights, including Egypt, Sudan and Ethiopia; this apparently enraged Netragard.
“The breach of HackingTeam is a blessing in disguise,” said Netragard’s CEO Adriel Desautels in a blog post soon after the leak. “The breach exposed their customer list which contained a variety of questionable countries known for human rights violations. Their customers are the very same customers that we’ve worked so hard to avoid. It goes without saying that our relationship with them is over and we’ve tightened our vendor vetting process.”
However, it seems that severing ties with Hacking Team was not enough and the incident served as a wake-up call for Netragard, which is now stepping away from the exploit selling business.
“We’ve decided to terminate our Exploit Acquisition Program (again),” Desautels said in a new blog post over the weekend. “Our motivation for termination revolves around ethics, politics, and our primary business focus.”
The Hacking Team breach proved that Netragard cannot sufficiently vet the “ethics and intentions” of potential zero-day exploit buyers, Desautels said. “While it is not a vendor’s responsibility to control what a buyer does with the acquired product, HackingTeam’s exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it.”
According to Desautels, the termination of EAP will not affect Netragard much, because the company’s core business is penetration testing services, not brokering exploit sales.
However, the company remains in “strong favor” of ethical development, sale and use of zero-day exploits and might revive the EAP in the future if the market is correctly regulated and a legal framework is created to hold buyers accountable for how they use such technology, Desautels said.
The selling of zero-day exploits to government agencies or private companies has long been a topic of debate in the security community. Some critics argue that this practice makes everyone less safe because it incentivizes researchers to keep vulnerabilities secret from affected vendors, delaying potential fixes and giving malicious attackers time to discover the same issues on their own.
Others have compared selling zero-day exploits to selling cyberweapons and that also seems to be the interpretation of the U.S. Department of Commerce. In May, the DOC’s Bureau of Industry and Security (BIS) proposed changes to an international arms control pact called the Wassenaar Arrangement that would require a special license to export intrusion software, Internet surveillance systems and related technologies.
Many companies from the security industry, independent researchers and even companies like Google, are against the DOC’s proposal, primarily because its broad language could restrict their ability to research, report and defend against computer threats.
Netragard is also against using Wassenaar to regulate software exploits.
“It’s important that the regulations do not target 0-days specifically but instead target those who acquire and use them,” Desautels said. “It is important to remember that hackers don’t create 0-days but that software vendors create them during the software development process. 0-day vulnerabilities exist in all major bits of software and if the good guys aren’t allowed to find them then the bad guys will.”
Other researchers share that opinion.
“The current BIS rules are so open-ended that they would have a powerful chilling effect on our industry,” said Robert Graham, the CEO of security firm Errata Security, in comments submitted to the DOC. “The solution, though, isn’t to clarify the rules, but to roll them back. You can’t clarify the difference between good/bad software because there is no difference between offensive and defensive tools—just the people who use them.”
“There is no solution that stops bad governments from buying ‘intrusion’ or ‘surveillance’ software that doesn’t also stop their victims from buying software to protect themselves,” Graham said. “Export controls on offensive software means export controls on defensive software. Export controls mean the Sudanese and Ethiopian people can no longer defend themselves from their own governments.”