Forwarded from: security curmudgeon <jericho@private>
cc: ptippett@private, newsonline@private

These uber-h4x0r (do I fit in Mr. Tippett?) security team fluff pieces are getting really old: http://www.attrition.org/errata/www/icsa.008.html. Hopefully Mr. Tippett can shed some light on a few of the questions I have below since there seem to be contradictions and confusion.

: http://news.bbc.co.uk/2/hi/technology/3246375.stm
: By Jo Twist
: 14 November, 2003

: Net security companies like TruSecure in the US, have the job of keeping
: an eye on these groups to work out which weak net spot they are planning
: to attack next.
:
: It currently tracks more than 11,000 individuals in about 900 different
: hacking groups and gangs.

Side note.. Feb 2000, AntiOnline profiled 7,200 individuals. Jump forward three years and TruSecure is tracking 11,000. Wonder if they bought the AO database?

: "There are 5,500 net vulnerabilities that could be used theoretically to
: launch an attack, but only 80 or 90 are being used," says Mr Tippett.
:
: "Only 16 of 4,200 of vulnerabilities actually turned into attacks last
: year."

Huh? Only 16 of 4,200 vulns turned into attacks.. 5,500 net vulns that could be used.. am I the only one lost on these figures? No way Tippett is stupid enough to claim only 16 vulnerabilities were actually exploited last year. Does he mean only 16 were used in worms or something? What do these figures mean?

: "We refuse to hire hackers, that would be crazy," says Mr Tippett. "We
: don't do anything illegal, but we impersonate hackers."

Hah, that you know about. Amusing that this elite A-team leader (can I call you Hannibal?!) can't even sniff out the hackers working for him.

: IS/Recon gave the FBI over 200 documents about the Melissa virus author
: after they were asked to get closer to suspects.
:
: Although they did not know his real name, they knew his three aliases
: and had built a detailed profile of the author.

It's a damn shame when you can't keep your lies straight.

http://www.attrition.org/errata/www/icsa.008.html

  When the Melissa virus struck earlier this year, Mr. Kennedy's IS-Recon team (short for Information Security Reconnaissance) went into action. As New Jersey authorities arrested David L. Smith of Aberdeen, N.J., the ICSA matched his name against a thick file they had collected under the name of his alleged pseudonym, VicodinES. They turned over 3,000 pages of evidence on the suspect, who has pleaded not guilty to charges associated with creating the virus, which affected more than 100,000 computers.

So, back in 1999, Kennedy's team (under the management of Tippett) said they matched Smith's name and gave 3,000 pages of evidence. In 2003, Tippett now says they couldn't match his name and gave 200 pages of evidence. Both are clearly dramatic, and they completely contradict each other. Which is right?

: The team's work also helped identify the author of the high-profile
: LoveSan virus.
:
: "We could say what dorm and what floor the author of the LoveSan virus
: was on," Mr Tippett says.

If TruSecure is referring to the author of the W32.BlasterB (Symantec) aka W32/Lovesan.worm.c (McAfee), that would have been Jeff Parson, aka "teekid". According to http://news.com.com/2100-1009-5070000.html:

  Parson allegedly created MSBlast.B, a variation that differed from the original worm mainly in that two files had been renamed--one with Parson's screen name, "teekid"-- and a couple of profane messages aimed at Microsoft and Bill Gates had been added.

So he puts his name on the worm (teekids.exe), defaces sites under the name "teekids", and even registers his own domain. Using that k3wl speak we learned from Tippett:

  Domain: t33kid.com
  Registrant (JP397-IYD-REG)
  Jeff Parson
  root@private
  603 8th Ave S.
  Hopkins, Minnesota 55343
  US

Articles specifically state that authorities (that isn't TruSecure) tracked him down the same way I listed above: http://www.extremetech.com/article2/0,3973,1236321,00.asp

What is confusing here is that authorities seized 7 computers from his home, and CNN calls him a high school student: http://www.cnn.com/2003/TECH/internet/08/29/worm.arrest/

If that is the case, what is TruSecure's reference to "dorm floor"? Or have they really found the author to the original Blaster worm, and it hasn't hit news? Considering Microsoft just released a bounty on virus/worm writers, specifically listing the Blaster and SoBig worms, it certainly suggests that TruSecure is talking about Parson, not the author of the original strain.

Mr. Tippett, care to clarify any of these points? ISN readers are curious.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Nov 19 2003 - 01:54:22 PST