Re: [ISN] Cracking the hacker underground

From: InfoSec News (isn@private)
Date: Tue Nov 18 2003 - 23:19:05 PST


    Forwarded from: security curmudgeon <jericho@private>
    cc: ptippett@private, newsonline@private
    
    These uber-h4x0r (do I fit in, Mr. Tippett?) security team fluff pieces are
    getting really old: http://www.attrition.org/errata/www/icsa.008.html.
    Hopefully Mr. Tippett can shed some light on a few of the questions I have
    below, since there seem to be contradictions and confusion.
    
    : http://news.bbc.co.uk/2/hi/technology/3246375.stm
    : By Jo Twist
    : 14 November, 2003
    
    : Net security companies like TruSecure in the US, have the job of keeping
    : an eye on these groups to work out which weak net spot they are planning
    : to attack next.
    :
    : It currently tracks more than 11,000 individuals in about 900 different
    : hacking groups and gangs.
    
    Side note.. Feb 2000, AntiOnline profiled 7,200 individuals. Jump
    forward three years and TruSecure is tracking 11,000. Wonder if they
    bought the AO database?
    
    : "There are 5,500 net vulnerabilities that could be used theoretically to
    : launch an attack, but only 80 or 90 are being used," says Mr Tippett.
    :
    : "Only 16 of 4,200 of vulnerabilities actually turned into attacks last
    : year."
    
    Huh? Only 16 of 4,200 vulns turned into attacks.. 5,500 net vulns that
    could be used.. am I the only one lost on these figures?
    
    No way Tippett is stupid enough to claim only 16 vulnerabilities were
    actually exploited last year. Does he mean only 16 were used in worms
    or something? What do these figures mean?
    
    : "We refuse to hire hackers, that would be crazy," says Mr Tippett. "We
    : don't do anything illegal, but we impersonate hackers."
    
    Hah, that you know about. Amusing that this elite A-team leader (can I
    call you Hannibal?!) can't even sniff out the hackers working for him.
    
    : IS/Recon gave the FBI over 200 documents about the Melissa virus author
    : after they were asked to get closer to suspects.
    :
    : Although they did not know his real name, they knew his three aliases
    : and had built a detailed profile of the author.
    
    It's a damn shame when you can't keep your lies straight.
    
    http://www.attrition.org/errata/www/icsa.008.html
    
      When the Melissa virus struck earlier this year, Mr. Kennedy's IS-Recon
      team (short for Information Security Reconnaissance) went into action.
      As New Jersey authorities arrested David L. Smith of Aberdeen, N.J., the
      ICSA matched his name against a thick file they had collected under the
      name of his alleged pseudonym, VicodinES. They turned over 3,000 pages
      of evidence on the suspect, who has pleaded not guilty to charges
      associated with creating the virus, which affected more than 100,000
      computers.
    
    So, back in 1999, Kennedy's team (under the management of Tippett)
    said they matched Smith's name and gave 3,000 pages of evidence. In
    2003, Tippett now says they couldn't match his name and gave 200 pages
    of evidence. Both are clearly dramatic, and they completely contradict
    each other. Which is right?
    
    : The team's work also helped identify the author of the high-profile
    : LoveSan virus.
    :
    : "We could say what dorm and what floor the author of the LoveSan virus
    : was on," Mr Tippett says.
    
    If TruSecure is referring to the author of W32.Blaster.B (Symantec),
    aka W32/Lovsan.worm.c (McAfee), that would have been Jeff Parson, aka
    "teekid". According to http://news.com.com/2100-1009-5070000.html:
    
      Parson allegedly created MSBlast.B, a variation that differed from the
      original worm mainly in that two files had been renamed--one with
      Parson's screen name, "teekid"-- and a couple of profane messages aimed
      at Microsoft and Bill Gates had been added.
    
    So he puts his name on the worm (teekids.exe), defaces sites under the
    name "teekids", and even registers his own domain. Using that k3wl
    speak we learned from Tippett:
    
      Domain: t33kid.com
    
      Registrant (JP397-IYD-REG)
        Jeff Parson
        root@private
        603 8th Ave S.
        Hopkins, Minnesota 55343 US
    
    Articles specifically state that authorities (that isn't TruSecure)
    tracked him down the same way I listed above:
    http://www.extremetech.com/article2/0,3973,1236321,00.asp
    
    What is confusing here is that authorities seized 7 computers from
    his home, and CNN calls him a high school student:
    http://www.cnn.com/2003/TECH/internet/08/29/worm.arrest/
    
    If that is the case, what is TruSecure's reference to "dorm floor"? Or
    have they really found the author of the original Blaster worm, and it
    hasn't hit the news? Considering Microsoft just released a bounty on
    virus/worm writers, specifically listing the Blaster and SoBig worms,
    it certainly suggests that TruSecure is talking about Parson, not the
    author of the original strain.
    
    Mr. Tippett, care to clarify any of these points? ISN readers are curious.
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 19 2003 - 01:54:22 PST