Information Security News mailing list archives

Re: Cracking the hacker underground


From: InfoSec News <isn () c4i org>
Date: Wed, 19 Nov 2003 01:19:05 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>
cc: ptippett () trusecure com, newsonline () bbc co uk

These uber-h4x0r (do I fit in Mr. Tippett?) security team fluff pieces are
getting really old: http://www.attrition.org/errata/www/icsa.008.html.
Hopefully Mr. Tippett can shed some light on a few of the questions I have
below since there seem to be contradictions and confusion.

: http://news.bbc.co.uk/2/hi/technology/3246375.stm
: By Jo Twist
: 14 November, 2003

: Net security companies like TruSecure in the US, have the job of keeping
: an eye on these groups to work out which weak net spot they are planning
: to attack next.
:
: It currently tracks more than 11,000 individuals in about 900 different
: hacking groups and gangs.

Side note.. Feb 2000, AntiOnline profiled 7,200 individuals. Jump
forward three years and TruSecure is tracking 11,000. Wonder if they
bought the AO database?

: "There are 5,500 net vulnerabilities that could be used theoretically to
: launch an attack, but only 80 or 90 are being used," says Mr Tippett.
:
: "Only 16 of 4,200 of vulnerabilities actually turned into attacks last
: year."

Huh? Only 16 of 4,200 vulns turned into attacks.. 5,500 net vulns that
could be used.. am I the only one lost on these figures?

No way Tippett is stupid enough to claim only 16 vulnerabilities were
actually exploited last year. Does he mean only 16 were used in worms
or something? What do these figures mean?

: "We refuse to hire hackers, that would be crazy," says Mr Tippett. "We
: don't do anything illegal, but we impersonate hackers."

Hah, that you know about. Amusing that this elite A-team leader (can I
call you Hannibal?!) can't even sniff out the hackers working for him.

: IS/Recon gave the FBI over 200 documents about the Melissa virus author
: after they were asked to get closer to suspects.
:
: Although they did not know his real name, they knew his three aliases
: and had built a detailed profile of the author.

It's a damn shame when you can't keep your lies straight.

http://www.attrition.org/errata/www/icsa.008.html

  When the Melissa virus struck earlier this year, Mr. Kennedy's IS-Recon
  team (short for Information Security Reconnaissance) went into action.
  As New Jersey authorities arrested David L. Smith of Aberdeen, N.J., the
  ICSA matched his name against a thick file they had collected under the
  name of his alleged pseudonym, VicodinES. They turned over 3,000 pages
  of evidence on the suspect, who has pleaded not guilty to charges
  associated with creating the virus, which affected more than 100,000
  computers.

So, back in 1999, Kennedy's team (under the management of Tippett)
said they matched Smith's name and gave 3,000 pages of evidence. In
2003, Tippett now says they couldn't match his name and gave 200 pages
of evidence. Both are clearly dramatic, and they completely contradict
each other. Which is right?

: The team's work also helped identify the author of the high-profile
: LoveSan virus.
:
: "We could say what dorm and what floor the author of the LoveSan virus
: was on," Mr Tippett says.

If TruSecure is referring to the author of the W32.BlasterB (symantec)
aka W32/Lovesan.worm.c (mcafee), that would have been Jeff Parson, aka
"teekid". According to http://news.com.com/2100-1009-5070000.html:

  Parson allegedly created MSBlast.B, a variation that differed from the
  original worm mainly in that two files had been renamed--one with
  Parson's screen name, "teekid"-- and a couple of profane messages aimed
  at Microsoft and Bill Gates had been added.

So he puts his name on the worm (teekids.exe), defaces sites under the
name "teekids", and even registers his own domain. Using that k3wl
speak we learned from Tippett:

  Domain: t33kid.com

  Registrant (JP397-IYD-REG)
    Jeff Parson
    root () t33kid com
    603 8th Ave S.
    Hopkins, Minnesota 55343 US

Articles specifically state that authorities (that isn't TruSecure)
tracked him down the same way I listed above:
http://www.extremetech.com/article2/0,3973,1236321,00.asp

What is confusing here is that authorities seized 7 computers from
his home, and CNN calls him a high school student:
http://www.cnn.com/2003/TECH/internet/08/29/worm.arrest/

If that is the case, what is TruSecure's reference to "dorm floor"? Or
have they really found the author to the original Blaster worm, and it
hasn't hit news? Considering Microsoft just released a bounty on
virus/worm writers, specifically listing the Blaster and SoBig worms,
it certainly suggests that TruSecure is talking about Parson, not the
author of the original strain.

Mr. Tippett care to clarify any of these points? ISN readers are curious.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
