Re: [ISN] ICSA employs an undercover hacker spy.

From: mea culpa (jerichot_private)
Date: Sun Jul 05 1998 - 01:39:12 PDT


    [Moderator: David Kennedy is with the ICSA btw.. so you don't have
     to jump down and check his sig. :)]
    
    Reply From: David Kennedy CISSP <dmkennedyt_private>
    
    >Reply From: Brian Macke <macket_private>
    >
    >Forgive my shady memory, but wasn't there an article on this list less
    >than a month ago stating that ICSA didn't hire "black hats", or as the
    >article put it "reformed hackers"?
    
    We do not.  We will not.
    
    >[Moderator: 6-15-98 "First-Ever Insurance Against Hackers", an article by
    > Therese Poletti from Reuters says:
    >
    > "Then, ICSA tests a client's security by using typical hacker methods,
    >  through its 100 or so employees, none of whom are reformed hackers."
    >
    > Ya know.. it says "not reformed". This means they could hire unreformed
    > hackers still active in the scene. Wonder which it is...]
    >
    >
    >It seems like ICSA's been shaving with Occam's razor lately if they're
    >willing to hire someone that stalks hackers in the shady back rooms of the
    >Internet (i.e. The guy reads BUGTRAQ. Big Friggin' Deal.) - yet won't hire
    >someone who might have done some bad things in their past. Maybe they just
    >prefer to have their hackers be script-kiddies?
    >
    >
    >> Forwarded From: William Knowles <erehwont_private>
    >> 
    >> [Forbes Digital Tool, By Adam L. Penenberg] (http://www.forbes.com)
    >
    >> ICSA [...] hired J3 (not his real name [)]
    >
    >Really now? I'm glad that Forbes clarified that point.
    >
    >> J3 is very busy. Recently, a group of European hackers released 
    >> a Trojan horse-like program that would enable them to set up 
    >> backdoors in geeky programs known only to network administrators, 
    >> such as "named" programs related to domain name servers, a basic 
    >> component of any network connected to the larger Internet. J3 
    >> found out about it in the course of his monitoring, passed it 
    >> on to ICSA, and the company informed CERT (Computer Emergency 
    >> Response Team) which posted an advisory.
    >
    >Can anyone verify this story? It sounds all too hokey to be true. The BIND
    >vulnerability was one of those annoying hacks that didn't see first light
    >on BUGTRAQ, or even USENET. It was my understanding that CERT got first
    >word from people who got hit, and was without verifiable source to begin
    >with. Their notifications were quite humorous for their lack of
    >concrete evidence of WHAT was happening.
    
    I'll verify it, but I don't guess you'll look at me as objective, and
    that's OK, I'm not.  Don't believe it if you don't want to.  That works for
    me just fine 8-)
    
    >> "I'm proud of a lot of the work we do," J3 says. "I've found a
    >> company's entire password file posted to a web site, or that 
    >> hackers have root in a network or that a merchant site with a 
    >> database of credit cards has been compromised. I then contact 
    >> the companies and warn them."
    >
    >Before or after they front the $20,000 blood money for ICSA?
    
    LOL.  Well, seeing as how they pass me the information and I make the call
    to the companies and tell them, for free, I guess that would make it
    *before* they front us any money.  And I don't ask for money; that's
    tantamount to extortion.  I make the calls for two reasons, to protect my
    guys' identities and to anticipate social engineering alarms at the other
    end.  It's pretty easy to check me out either by web search, or in paper
    directories like American Society for Industrial Security or International
    Association of Chiefs of Police.  Only if the customer asks about any of
    our services do I refer them to Sales.  If they don't bring it up, they
    won't get a second call.  Indeed, if I can find a PGP key for an Admin or
    Security type, I even don't call 'em.  A couple months ago I encrypted and
    sent a password file to an ISP.  The file had been posted to a web site.
    Turned out it's a bait file they return when they get a phf probe, but it's
    a good example of a no-sales-call notification.
    
    >> J3, who works mostly nights since the Internet never sleeps, 
    >> isn't just a full-time worker. He's also a graduate student 
    >> working on his Ph.D. in psychology. And his area of study?
    >>  
    >> Hackers, of course.
    >
    >Love the Scooby Doo ending. Wish all Security incidents ended with a
    >punchline.
    
    We're so glad you enjoyed it.
    
    Regards,
    
    Dave Kennedy CISSP
    International Computer Security Assoc http://www.ncsa.com
    Protect what you connect.
    Look both ways before crossing the Net.
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:57 PDT