Former Hacking Team supplier stops selling zero-day exploits on ethical grounds

U.S.-based Netragard has terminated its zero-day exploit selling program in response to revelations about Hacking Team's customers


Italian surveillance software maker Hacking Team recently claimed that it hasn't lost any customers after the massive leak of its internal data two weeks ago. But it has lost at least one business partner: U.S.-based penetration testing specialist and zero-day exploit broker Netragard.

Over the weekend, Netragard announced that it is terminating its long-time running Exploit Acquisition Program (EAP), citing revelations about Hacking Team's customers as one of the reasons.

Set up in 1999, EAP allowed Netragard to broker the sale of exploits for unpatched vulnerabilities -- also known as zero-day exploits -- between private researchers and select organizations interested in such computer intrusion tools.

Internal email communications recently leaked from Hacking Team revealed that the Milan-based company had a business relationship with Netragard and bought at least one zero-day exploit through its program.

Hacking Team developed a remote computer surveillance program called Remote Control System (RCS), marketed as Galileo, and sold it to law enforcement and other government agencies around the world. As part of the package the company also offered zero-day exploits that could be used to silently install the program on systems targeted for surveillance when their owners visited a particular website or opened a certain document.

On July 5 one or more hackers leaked over 400GB of email communications, source code, documentation, client lists and other internal files stolen from Hacking Team. Researchers have found four zero-day exploits in the data cache so far, three for Flash Player and one for Windows, prompting Adobe Systems and Microsoft to release emergency fixes.

Other files revealed that Hacking Team sold its services to governments with a track record of violating human rights, including Egypt, Sudan and Ethiopia; this apparently enraged Netragard.

"The breach of HackingTeam is a blessing in disguise," said Netragard's CEO Adriel Desautels in a blog post soon after the leak. "The breach exposed their customer list which contained a variety of questionable countries known for human rights violations. Their customers are the very same customers that we've worked so hard to avoid. It goes without saying that our relationship with them is over and we've tightened our vendor vetting process."

However, severing ties with Hacking Team was evidently not enough: the incident served as a wake-up call for Netragard, which is now stepping away from the exploit selling business altogether.

"We've decided to terminate our Exploit Acquisition Program (again)," Desautels said in a new blog post over the weekend. "Our motivation for termination revolves around ethics, politics, and our primary business focus."

The Hacking Team breach proved that Netragard cannot sufficiently vet the "ethics and intentions" of potential zero-day exploit buyers, Desautels said. "While it is not a vendor's responsibility to control what a buyer does with the acquired product, HackingTeam's exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it."

According to Desautels, the termination of EAP will not affect Netragard much, because the company's core business is penetration testing services, not brokering exploit sales.

However, the company remains in "strong favor" of ethical development, sale and use of zero-day exploits and might revive the EAP in the future if the market is correctly regulated and a legal framework is created to hold buyers accountable for how they use such technology, Desautels said.

The selling of zero-day exploits to government agencies or private companies has long been a topic of debate in the security community. Some critics argue that this practice makes everyone less safe because it incentivizes researchers to keep vulnerabilities secret from affected vendors, delaying potential fixes and giving malicious attackers time to discover the same issues on their own.

Others have compared selling zero-day exploits to selling cyberweapons, and that also seems to be the interpretation of the U.S. Department of Commerce. In May, the DOC's Bureau of Industry and Security (BIS) proposed rules implementing, in U.S. export regulations, the intrusion-software controls added to the Wassenaar Arrangement, an international arms control pact, in 2013. The proposal would require a special license to export intrusion software, Internet surveillance systems and related technologies.

Many security industry companies, independent researchers and even companies like Google are against the DOC's proposal, primarily because its broad language could restrict their ability to research, report and defend against computer threats.

Netragard is also against using Wassenaar to regulate software exploits.

"It's important that the regulations do not target 0-days specifically but instead target those who acquire and use them," Desautels said. "It is important to remember that hackers don't create 0-days but that software vendors create them during the software development process. 0-day vulnerabilities exist in all major bits of software and if the good guys aren't allowed to find them then the bad guys will."

Other researchers share that opinion.

"The current BIS rules are so open-ended that they would have a powerful chilling effect on our industry," said Robert Graham, the CEO of security firm Errata Security, in comments submitted to the DOC. "The solution, though, isn't to clarify the rules, but to roll them back. You can't clarify the difference between good/bad software because there is no difference between offensive and defensive tools -- just the people who use them."

"There is no solution that stops bad governments from buying 'intrusion' or 'surveillance' software that doesn't also stop their victims from buying software to protect themselves," Graham said. "Export controls on offensive software means export controls on defensive software. Export controls mean the Sudanese and Ethiopian people can no longer defend themselves from their own governments."
