Former Hacking Team supplier stops selling zero-day exploits on ethical grounds

U.S.-based Netragard has terminated its zero-day exploit selling program in response to revelations about Hacking Team's customers

Italian surveillance software maker Hacking Team recently claimed that it hasn't lost any customers after the massive leak of its internal data two weeks ago. But it has lost at least one business partner: U.S.-based penetration testing specialist and zero-day exploit broker Netragard.

Over the weekend, Netragard announced that it is terminating its long-running Exploit Acquisition Program (EAP), citing revelations about Hacking Team's customers as one of the reasons.

Set up in 1999, EAP allowed Netragard to broker the sale of exploits for unpatched vulnerabilities -- also known as zero-day exploits -- between private researchers and select organizations interested in such computer intrusion tools.

Internal email communications recently leaked from Hacking Team revealed that the Milan-based company had a business relationship with Netragard and bought at least one zero-day exploit through its program.

Hacking Team developed a remote computer surveillance program called Galileo or RCS and sold it to law enforcement and other government agencies from around the world. As part of the package the company also offered zero-day exploits that could be used to silently install its program on systems targeted for surveillance when their owners visited a particular website or opened a certain document.

On July 5 one or more hackers leaked over 400GB of email communications, source code, documentation, client lists and other internal files stolen from Hacking Team. Researchers have found four zero-day exploits in the data cache so far, three for Flash Player and one for Windows, prompting Adobe Systems and Microsoft to release emergency fixes.

Other files revealed that Hacking Team sold its services to governments with a track record of violating human rights, including Egypt, Sudan and Ethiopia; this apparently enraged Netragard.

"The breach of HackingTeam is a blessing in disguise," said Netragard's CEO Adriel Desautels in a blog post soon after the leak. "The breach exposed their customer list which contained a variety of questionable countries known for human rights violations. Their customers are the very same customers that we've worked so hard to avoid. It goes without saying that our relationship with them is over and we've tightened our vendor vetting process."

However, it seems that severing ties with Hacking Team was not enough and the incident served as a wake-up call for Netragard, which is now stepping away from the exploit selling business.

"We've decided to terminate our Exploit Acquisition Program (again)," Desautels said in a new blog post over the weekend. "Our motivation for termination revolves around ethics, politics, and our primary business focus."

The Hacking Team breach proved that Netragard cannot sufficiently vet the "ethics and intentions" of potential zero-day exploit buyers, Desautels said. "While it is not a vendor's responsibility to control what a buyer does with the acquired product, HackingTeam's exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it."

According to Desautels, the termination of EAP will not affect Netragard much, because the company's core business is penetration testing services, not brokering exploit sales.

However, the company remains in "strong favor" of ethical development, sale and use of zero-day exploits and might revive the EAP in the future if the market is correctly regulated and a legal framework is created to hold buyers accountable for how they use such technology, Desautels said.

The selling of zero-day exploits to government agencies or private companies has long been a topic of debate in the security community. Some critics argue that this practice makes everyone less safe because it incentivizes researchers to keep vulnerabilities secret from affected vendors, delaying potential fixes and giving malicious attackers time to discover the same issues on their own.

Others have compared selling zero-day exploits to selling cyberweapons and that also seems to be the interpretation of the U.S. Department of Commerce. In May, the DOC's Bureau of Industry and Security (BIS) proposed changes to an international arms control pact called the Wassenaar Arrangement that would require a special license to export intrusion software, Internet surveillance systems and related technologies.

Many companies in the security industry, independent researchers and even companies like Google are against the DOC's proposal, primarily because its broad language could restrict their ability to research, report and defend against computer threats.

Netragard is also against using Wassenaar to regulate software exploits.

"It's important that the regulations do not target 0-days specifically but instead target those who acquire and use them," Desautels said. "It is important to remember that hackers don't create 0-days but that software vendors create them during the software development process. 0-day vulnerabilities exist in all major bits of software and if the good guys aren't allowed to find them then the bad guys will."

Other researchers share that opinion.

"The current BIS rules are so open-ended that they would have a powerful chilling effect on our industry," said Robert Graham, the CEO of security firm Errata Security, in comments submitted to the DOC. "The solution, though, isn't to clarify the rules, but to roll them back. You can't clarify the difference between good/bad software because there is no difference between offensive and defensive tools -- just the people who use them."

"There is no solution that stops bad governments from buying 'intrusion' or 'surveillance' software that doesn't also stop their victims from buying software to protect themselves," Graham said. "Export controls on offensive software means export controls on defensive software. Export controls mean the Sudanese and Ethiopian people can no longer defend themselves from their own governments."

Lucian Constantin

IDG News Service