In this article we will go through an issue involving a company that buys and sells exploits (Netragard) and the steps it was forced to take after one of its clients was attacked and a large amount of important information was leaked.
The attack on the company named “HackingTeam” forced Netragard (a company that buys and sells exploits, as previously stated) to terminate its exploit acquisition program. The leak included information on Netragard’s business with this intrusion and surveillance software developer based in Italy. The leaked documents and emails showed that HackingTeam was selling its products to customers associated with oppressive regimes such as Egypt and Ethiopia, while officially the company had denied any accusations of dealing with such customers.
Netragard’s company policy is to deal only with US customers, and as they officially stated (when the documents became public), the deal with HackingTeam was a single exception to that policy, in which they sold just one exploit; after the breach took place, Netragard immediately terminated any relationship with HackingTeam.
Furthermore, as an outcome of this breach, Netragard decided to end its exploit acquisition program “due to ethical and political issues it involves”, as they officially stated. In more detail, Adriel Desautels (Netragard’s CEO) stated that the company’s motivation for terminating the program revolves around ethics, politics and its primary business focus. According to him and a blog post of his, the breach proved that the company could not successfully vet the ethics and intentions of new buyers; he considers the exposure of HackingTeam’s customer list to be unacceptable, as is the fact that they were apparently selling their technology to questionable parties (such as parties known for human rights violations).
Companies that buy, sell and develop vulnerabilities and exploits (like Netragard) often receive criticism regarding their morality, as they sell such tools without being sure how their clients will use them. These companies maintain that their business is legitimate as long as the tools they sell are used for defensive purposes or law enforcement operations.
Desautels mentioned that his company will consider reviving the exploit acquisition program if and when the 0-day market is properly regulated and a framework is created that holds end buyers accountable for their use of this technology. According to him, regulations should specifically target those who acquire and use 0-days. Furthermore, regarding 0-days, we should keep in mind that it is not hackers who create them but the vendors, during the process of developing their software.
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares his knowledge for a living. He is passionate about sharing knowledge with people, and always tries to give only the best. Follow Ali on Twitter @AliQammar57
(Security Affairs – Netragard, exploit)