(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for June 21st, 2010

#LIGATT A Cautionary Tale of Cyber-Security Snake Oil

with 10 comments

The Charlatan of the Intertubes:

Last week an internet war broke out on Twitter that became all the rage within INFOSEC circles. A self proclaimed #1 hacker “Gregory D. Evans” was being taken to task for the blatant plagiarism in his book of the same name. Evidently, Mr. Evans, like the BP and other oil company executives, decided it was quite alright to just cut and paste their way to a complete document and claim it as their own. Mr. Evans now though, is learning a couple of things;

1) Plagiarism is just wrong.

2) Do not meddle in the affairs of hackers.. For they are subtle and quick to temper.

Whats more, this whole event has brought to light the fact that this charlatan has been hoodwinking certain governmental bodies into believing that he is qualified to handle their information security and technical security needs. This is the most frightening thing for me because we are already pretty behind the eight ball where this is concerned with regard to the government and our infrastructure. What we really DON’T need is a wanker like this guy to get contracts for work within the government sphere.

Since the original calling out by Ben Rothke and also by the Shitcast as well as Exotic Liability much has been dug up on Gregory Evans and his merry band of plagiarists that he calls “authors” on his Nationalcybersecurity site. Here are some examples;

  • His author picture for “Seria Mullen” was in fact a picture of a local tv news anchor
  • None of his authors seem to actually write anything, instead they copy AP stories and place them on the site under their name
  • His site is riddled wth PHP and XSS vulnerabilities (it was in fact hacked and taken down.. Its back unfixed now as you can see from the image above)
  • None of his alleged experts seems to be qualified for the positions he claims they have in information security and technical security
  • He immediately played the race card in response to the allegations of his plagiarism and fraud
  • In one STUNNING case Evans claims he has a 13 yo hacker who he hired at 11.. He has a youtube commercial with him in it as a testimonial.. Turns out the kid is an actor (see twitter below)

Here are some more examples via Twitter:

#LIGATT Meet Beth Sommer another “author” who actually writes NONE of her posts

#LIGATT Mark Wilkerson author. Anyone know this guy?

#LIGATT Meet Rex Frank (cyber sec expert) and “author” Funny, I see no creds there..

#LGTT Meet Avery Mitchell Ligatt flunky He’s their top guy

#LIGATT None of these “authors” actually write anything on they just add their names

♺ @wireheadlance: Ligatt fraud exposed: “hacker” is an actor NICE

Over and over again, Evans has claimed that he was consulted by Kevin Mitnick in jail over his plea agreement, that his company is worth millions, and that he paid the authors of the content that he used. All of these claims seem to have been quite easily refuted and there have been more than a few authors who have said that he never asked them, never paid them, and in fact were quite unhappy with their work being stolen. In short, its pretty well known now that Gregory Evans is a liar and a thief… At least a thief of intellectual capital in the form of hacking texts.

Whats worse to me though, as I mentioned above, is that there are people out there and companies.. Perhaps even governmental bodies that have thought about contracting with him for ethical hacks on their networks and likely have been sold snake oil reports on their security postures. It is highly likely, that these places are just as insecure as they were the day before Gregory and his lackeys came along and this is a large disservice to them and to the information security industry.

This is however, not an uncommon occurrence unfortunately… Just in this case it is so egregious that its hard to believe anyone bought it!

The “Industry”

The infosec industry has become like any other industry.. Like the fast food “industry” there is a lot of crap out there and unfortunately the buyers are unaware of the differences between the garbage and the good stuff. The words “Caveat Emptor” just don’t compute for many people in the corporations that need these kinds of services. They also might go for the cheaper service in hopes that they will just get a piece of paper saying they have been audited and its all good. It’s not all good.

Of course, I would like to also add here and now, that security is…. Well.. Not a hard target. It’s rather like philosophy in many ways really. You either get it and you work at getting more of it, or, you just are lost and have no idea what its all about. It is also rather tricky from a technical perspective because someone could come in and run the tests, tell you you are good in one area, leave, and two minutes after they are gone someone could open up a new hole and BAM you get compromised. So, in reality one could make the logical extension that many of the companies out there now doing “ethical hacks” and “vulnerability scans” could in fact just be fools with tools who don’t know how to judge between an IIS vulnerability or an Apache Tomcat vuln.

The “Industry” has become a the new MCSE with the CISSP being potentially the new paper tiger equivalent of that old Microsoft cert that really, no one cares about any more. Now with the “cyberwar” boondoggle, we have many more pigs at the troth (like Ligatt) looking to make lots and lots of cash on specious claims of being #1 Hackers. This is even worse when you stop to think about the stakes here…

I mean you either have the skills and the drive to perform this type of work, or you don’t.. Unfortunately now, the CEH courses out there are cranking out “CEH” candidates like sausages and I would hazard that a good 90% of them have no idea how to really be a good security analyst.

Security is a voyage… Not a destination:

This is the mindset one needs to really be working on security and it is work. You have to keep at it or you will eventually find yourself compromised because you didn’t patch something or an end user did not know better than to click on that “VIAGRA FREE” pdf file with the new 0day in it. In short, much of the security puzzle resides in the most basic of principles within security and most places out there do not have a solid footing on how to perform these functions.

I personally, would like to see a more holistic approach to information and technical security today as opposed to just selling a vuln scan and or an ethical hack. You can hack the shit out of a place, have them remediate the holes, and still, if they do not have proper policies, procedures, standards, and awareness programs in place, they will be pwn3d again and again.

It’s really all about the basics…

So, you out there who want to get into this field… Don’t be a Ligatt (Evans) get the books, do the homework, and if you have the drive then you can do a good job. Remember there is that pesky word “Ethical” in there…