2011
06.04

So I’m sure most of you who are active in the security community are fully aware of the events that occurred. For those of you who aren’t, and consider yourselves security professionals, well, I’m not sure you should be reading this, as you might find it offensive.

Let me start off by saying I do not condone cyber terrorism, hacktivism, cyber warfare or whatever the key buzzwords are these days for anyone that causes any type of damage. However, unlike ISC2, I do condone security research of all kinds as long as it is performed within a contained environment. If it wasn’t for hackers, tinkerers and what have you, we wouldn’t have any of the cool technology we have today.

Now that I have gotten the basic disclaimers out of the way, I want to point you to something very interesting that LulzSec inadvertently pointed me to: Karim Hijazi, who may or may not be real, but who does associate himself with Infragard. He allegedly approached LulzSec to “hack” his competitors. I haven’t been able to validate that, so I will leave it at that; however, if he was able to pull a fast one on the “Security Leaders” of today, then we might be in for an even ruder awakening.

All of the recent media attention has, I hope, raised awareness of why security is required, but if you don’t know what you’re doing then these boutique consulting firms are going to exploit those weaknesses and get you to buy whatever shit they are peddling.

As I am writing this, Karim has updated his site with a press release on how LulzSec is blackmailing him and blah blah blah. I don’t care either way; it doesn’t matter. Think like a real security professional: only people who think outside the box will see the potential con here…

Ok paper guys, I’m tired, so I’ll give you a hint, and please don’t quote me on this as fact, as it’s only an educated guess.

  • Hackers use social engineering techniques such as pretexting to build “security” companies, which, to the casual IT/ITSec leader, appear to be market leaders because they use the right buzzwords

  • They initiate huge attacks that scare the shit out of their potential client base

  • Sale made. The product doesn’t do shit, but who cares? The company isn’t legit, and you damn well know that if you just asked for X dollars to bring in the latest and greatest only to find out it doesn’t do anything, you are not telling anyone. That project will just stall out and go away. Hell, the attacks stopped; all good till next time.

I’d be willing to put money on the fact that Unveillance and his other projects were pretexts to the long con.

Here is what I have been able to validate. Unveillance.com popped up out of nowhere with an elegantly designed website claiming to provide “Real Time Actionable Intelligence”. Sounds great, doesn’t it? Well, you security guys that don’t get security might be able to translate this for me, as I don’t get it.

“Unveillance has developed the first zero false-positive approach at analyzing the malware infection and botnet participation status of organizational networks.  Unveillance is able to develop this intelligence completely passively without the use of any hardware or locally installed software.

Focusing on the indisputable proof of data egressing a corporate or governmental network, Unveillance is able to produce critical actionable intelligence on the exact moment the data exited the private network to the command & control server, the port, the protocol, the type of infection that facilitated the theft and in special cases* the content of the payload.

Combining multiple parameters that include the size of a given network, the scope and scale of the infection, the severity of the threats and the entity’s score in relation to the rest of the world, Unveillance has developed the industry’s first Data Leak Intelligence (DLI) score. This score is used for a variety of purposes including security and compliance validation, sector trending, investor assurance and remediation confirmation.”

*Reserved for law enforcement and/or governmental use.

Put away your checkbooks guys, save them for your CISSP renewal fees. They have developed the first zero false-positive approach at analyzing an infection without looking at any data. “Indisputable Proof” of data leaving your network. “When malicious traffic exits your network and beacons to one of our sinkholes, we pick it up and notify you in real time”. Sounds magical.

Where do I sign up for this magical service???? Well Timmy, here is some information on this magical service, which is no doubt provided by aliens.

http://www.unveillance.com/solution/engaging-us/

Just make sure to provide Your Name, IP Address, and Phone number for authentication purposes, and don’t forget your CIDR Ranges.

Are we having fun yet??? No? Ok, let’s go have some more. Unveillance.com was registered on July 21st 2010 by??? No guesses? Ok paper guys, WHOIS is a service that you should learn.

Administrative, Technical Contact:

Hijazi, Karim  Unveillance

2711 Centerville Road Suite 400

Wilmington, DE  19808 US

800-540-8478

Anyone want to take a guess what lives at that address? Come on, you can do it, I know you can use Google, right?

The Company Corporation
2711 Centerville Road, Suite 400
Wilmington, DE 19808
Ph: (302)636-5440

This is the address of The Company Corporation, which for 50 bucks acts as your corporate charter. Wait, it gets better… We have this magical company with alien capabilities and no physical address. I’ve got my checkbook ready, you too? But wait, being a diligent security professional, I’d like to get some more information on this obviously brilliant individual who is the President of Unveillance and apparently the President of another “Security” firm called Demiurge Consulting, according to his LinkedIn profile[i].
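The WHOIS check above is done by eye; as an added example (my code, not the post’s), here is the same diligence step in a form you can run over any registrar’s “Key: value” WHOIS output. The record below is constructed: the domain, dates, names and phone are placeholders, and only the street address is the one the post traces to The Company Corporation. The list of registered-agent addresses is likewise an assumption you would maintain yourself; the point is that a domain that is months old and whose only contact address is an incorporation service tells you nothing about where the business actually is.

```python
import re
from datetime import date

# Registered-agent / incorporation-service addresses. The first entry is The
# Company Corporation address the post traces the WHOIS contact to; the second
# is a constructed placeholder showing that the list is meant to be extended.
REGISTERED_AGENT_ADDRESSES = {
    "2711 centerville road suite 400, wilmington, de 19808",
    "1 placeholder agent plaza suite 100, example city, xx 00000",  # constructed
}

# Constructed WHOIS output in the usual "Key: value" layout. Domain, dates,
# names and phone are made up; only the street address comes from the post.
SAMPLE_WHOIS = """\
Domain Name: example-vendor.test
Creation Date: 2010-07-21T00:00:00Z
Updated Date: 2011-05-12T00:00:00Z
Registrar: Example Registrar, Inc.
Registrant Name: Jane Placeholder
Registrant Organization: Example Vendor LLC
Admin Name: Jane Placeholder
Admin Organization: Example Vendor LLC
Admin Street: 2711 Centerville Road Suite 400
Admin City: Wilmington
Admin State/Province: DE
Admin Postal Code: 19808
Admin Country: US
Admin Phone: +1.8005550100
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
>>> Last update of WHOIS database: 2011-06-04T00:00:00Z <<<
"""


def parse_whois(text):
    """Parse 'Key: value' lines into {lower-cased key: [values]}.
    Repeated keys (Name Server) accumulate; comment and footer lines are skipped."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:
            record.setdefault(key, []).append(value)
    return record


def first(record, key):
    """First value for a key, or '' when the registrar omitted it."""
    return record.get(key, [""])[0]


def normalize_address(*parts):
    """Join non-empty address parts and squash case/whitespace for comparison."""
    return re.sub(r"\s+", " ", ", ".join(p for p in parts if p)).strip().lower()


def days_between(start_iso, end_iso):
    """Day count between two dates given as YYYY-MM-DD (time/zone suffix ignored)."""
    return (date.fromisoformat(end_iso[:10]) - date.fromisoformat(start_iso[:10])).days


def assess(record, as_of="2011-06-04"):
    """Return the facts a diligence check cares about plus a list of flags.
    as_of defaults to the post's date so the age matches the post's timeline."""
    created = first(record, "creation date")[:10]
    admin_address = normalize_address(
        first(record, "admin street"),
        first(record, "admin city"),
        " ".join(p for p in (first(record, "admin state/province"),
                             first(record, "admin postal code")) if p),
    )
    age_days = days_between(created, as_of)
    flags = []
    if age_days < 365:
        flags.append("young_domain")
    if admin_address in REGISTERED_AGENT_ADDRESSES:
        flags.append("registered_agent_address")
    return {"domain": first(record, "domain name"), "created": created,
            "age_days": age_days, "admin_address": admin_address, "flags": flags}


if __name__ == "__main__":
    result = assess(parse_whois(SAMPLE_WHOIS))
    print(f"{result['domain']}: created {result['created']} ({result['age_days']} days ago)")
    print(f"admin address: {result['admin_address']}")
    print("flags:", ", ".join(result["flags"]) or "none")
```

A young domain is not evidence of anything on its own, and plenty of legitimate companies use a registered agent for their filings; the flags are prompts to go and find the physical office, the people and the track record, which is what the rest of the post does by hand.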

Karim Hijazi is a “Security & Intelligence Consultant” who is currently the President of Demiurge Consulting, which I’ll talk about in a minute. As of this moment, there is no mention of Unveillance in his profile. However, let’s take a further look at Unveillance.

They have a D&B number, 966829553, so they must be legit, huh? So someone is already on their way to establishing a credit score for this phenomenal product. $230 is all you need to establish legitimacy.

Next up, a LinkedIn company profile is a must for that legitimate feeling. Well, obviously Unveillance has that. Wonderful, they have 2 new hires and a total of 2 employees[ii]: Chief Scientist Matt T and Director of Threat Analysis Meaghan M. These 2 individuals both came from a company called DefenceIntelligence. While I haven’t done much research on the site [iii], I can tell you that according to the Wayback Machine [iv] it hasn’t been updated in over a year. The Twitter account, however, just popped up after over a year of inactivity[v]. I’m not going to make a determination on whether these individuals are involved or not.

At this point I’d be kicking him out of my office, but you’re not convinced. I get it, you spent your money, took a whole week’s worth of boot camps to become the hard core security professional you are. You think this thing is better than sliced bread, and you’re so scared of becoming Sony that you’ll spend your whole security budget on the next “Big” Thing. And he has a fancy web site. Ok, you need to buy his product and stop reading right now.

I mean it, go away. The rest of this stuff might be over your head, as it requires using a web browser, a search engine and some common sense. $500 only gets you 5 characters, not common sense.

Ok, so Mr Hijazi is the founder of a company called Demiurge Consulting LLC and has worked there since 2001. Interesting. Needless to say, www.demiurgeconsulting.com is not a production site anymore, but I did find something very interesting: a company called FoxLogic Productions, which owns the domain, updated the DNS record less than a month ago [vi].

Hmm… Could it be a fluke? Well, Karim’s home address (the one he uses, not where he gets pizza, according to Lulz) and FoxLogic are on the same street. Whoa, what’s going on? Coincidence? Hmm. Karim’s Address

So what else do we know about Demiurge? Well, we know Mr. Hijazi got himself published in SC Magazine: “Now, physical security is controlled in a lot of capacities by IT,” says Karim Hijazi, founder and CTO of cybersecurity services firm Demiurge Consulting [vii]; I can’t find the original article, though. Ok, Demiurge is starting to look like it might be a respectable firm.

Wait, what’s this? From December 24, 2009 to February 23rd 2010, Demiurge Consulting was replicating none other than the blog of our very own Bruce Schneier [viii]. Oooh ahh, you want street cred as a security guy? Pretending to be Bruce will definitely get you some. Wait, hold on. Demiurge Consulting does firearms training?? [ix] Where do I sign up??? Needless to say, the site is no longer there, and we can thank Google Cache for the information. Look at the Partner Links.. Anyone look familiar? I’m pretty sure that Demiurge was yet another fake, but let’s take a look at one more thing. Look what was just updated: “Updated 3/10/2011 – This profile of Demiurge Consulting, LLC was created using data from Dun & Bradstreet and Florida Department of State”

Not satisfied yet that this guy’s in for the long con????

I won’t go any further, but there are other references to companies on his LinkedIn which seem to be just as shady. I could have saved a couple of hours of research if I had gone through the comments on Bruce’s blog, but I’m not the brightest of the bunch at 4am.

I have hopefully demonstrated what a few hours worth of googling can uncover. So please explain to me how Karim here was able to join an organization which was set up by law enforcement to enable knowledge transfer between public and private sectors?

In 1999 I attended the NYC Infragard meeting at which Marcus Ranum presented, and I was very interested in the mission of the group. The agent who started the presentations went through what the typical “hacker” profile is, and of course I was the only guy in the room under 25. My boss threw me under the bus to get a laugh; little did he know ;).

I was just amazed at the charter of the group and the overall goals. I thought it would be awesome to be a part of that. That group would not have let Karim here join. If this guy can pull one off on a group consisting of law enforcement and supposed security leaders, then where do you think you stand?

The question I have left somewhat unanswered is easy. Who is to blame? We are, well, some of us: the security professionals who don’t give enough of a shit about safeguarding their clients and/or employers, and the professionals who don’t know enough to do shit.

I’m glad to say that the latter far outnumbers the first. Security professionals are not like most IT guys. We don’t do 9-5; we live and breathe this stuff. We might sometimes pull the whole ego thing, but we have to slow down to explain things to you. I have talked to some amazing individuals over the last couple of weeks, and I have to say that I feel dumb when I speak to them. I’m done with the elitist view; let me leave you with this last thought. ISC2 will not teach you to think like a security person. You want to be a security person? Forget the boot camp. Take every book on their reading list, lock yourself in a room for 3 months, and then you will have a much stronger foundation to build on than a boot camp gives you. In the last couple of weeks, I have been on and off trolling their forum and came upon the “recommended reading list”.

I’d give them more credit if passing the test required the reading. I have read every single one of those books in the last 14 years or so.


[ii] http://www.linkedin.com/company/unveillance?trk=fc_badge

[iii] http://www.defintel.com/

[iv] http://wayback.archive.org/web/20090601000000*/http://www.defintel.com/

[v] http://twitter.com/#!/defintel

[vi] http://whois.domaintools.com/demiurgeconsulting.com

[vii] http://www.thefreelibrary.com/An+urge+to+converge%3a+Physical+and+logical+identity+and+access+…-a01612020889

[viii] http://www.schneier.com/blog/archives/2010/02/the_doghouse_de.html

[ix] http://webcache.googleusercontent.com/search?q=cache:Yh9xIUsV-8IJ:www.demiurgeconsulting.com/category/security-training/+demiurge+Consulting+llc&cd=14&hl=en&ct=clnk&gl=us&source=www.google.com

34 comments so far

  1. excellent post.. spot on.

  2. Security firm OR government sting operation? Listening to the Unvelliance conference call LulzSec released sounded to me like a group of Feds chatting. Think about it.

    • you know I was thinking that this morning. No way the feds would be that sloppy

      • No way the feds would be that sloppy?

        You sir, have a lot of unwarranted faith in the feds.

        The military-like advancement process in the federal crime sector is not well matched for the speed of evolution in the security sector of the information age. I think you’d be awfully surprised at how sloppy the antiquated dinosaurs (generally anyone over 23, when you’re talking about NetSec) over at the FBI are.

        • hahaha… No, I don’t have much faith in the feds, but I hang around on those boards too. I’m sure they’ve got a shitload of dummy domains they could inject historicals into. Maybe you’re right, and I’m secretly hoping we’re not that fucked

  3. Great post. Some worthwhile thoughts.

  4. Outstanding analysis! Thank you!

    When real professionals post relevant information on the Internet, my world changes for the better, after reading that posted information. Bravo!

    • Luke, very much appreciated. Please come back soon.. I’m working on a bunch of really cool things.

      • And even more good news!

        Thank you for the tip, Boris. I’m already watching for those really cool things to show up!

        Vivat!

  5. You should go listen to the taped teleconference between Unveillance and Deloitte.. kind of revealing and I think it dismisses your whole theory, but good post anyways..

    • I don’t have a theory, I have facts regarding the history of the site and the ethics of Hijazi. I have heard some of the calls, and Deloitte along with the other Big 4 vendors are directly related to the problem. Big 4 doesn’t produce security guys, they produce auditors.

      • Personally, I am unconvinced about the auditors the Big 4 produce, let alone the “security” “professionals” they have. (two sets of quotes because not only is their security approach mostly laughable, but their professionalism is comical).

        • Don’t get me started on big 4. They are a huge contributor to the problem. Recruit guys out of college, get them CISA prepped and send them on their way to clients with checklists.

          These guys then in turn fill their resumes with wonderful things that they didn’t actually do.

          • The only thing that adds some “justice” is that auditors for the big 4 are so badly paid I am amazed they can afford shoes.

            Three years ago, when I was just finishing a contract in London, I got a call from an excited recruiter that Deloitte wanted me to consider a security role and they were going to pay me “better than the audit team.” To cut a long story short, I went to speak to them and discovered they were looking at paying me 25% of the rate I was currently on. When I politely (never burn bridges) refused, they explained about how good it was having one of the Big 4 on your CV…..

            This is even more comical than the need for CISSP to be even the most entry level security person.

          • Yep, but that’s why they go out in the real world to make $$$, the cert allows them to falsify experience though.

  6. Where is the reading list? I keep looking and am finding nothing. Help please :)

  7. nm

  8. fucking atrocious spelling and grammar, makes me want to gouge my eyes out

    • Please do. I’d very much enjoy helping you if at all possible. It’s ok, your CISSP entitles you to your opinion.

  9. This is really nice work Boris, many thanks! I hope it gets (and you get) widespread press attention. When you can, please take a look at http://ReportingWrongdoing.com and let me know if there is anything you or anyone you know can do to identify the source and stop these problems. See http://HappinessHabit.com and http://Defend-Dissent.com for background. I’m in Manhattan. Good luck!

  10. LOL. Wow. This article blew my mind. Seriously, they are BS. I looked at one of their “Client Testimonials” over here: http://www.unveillance.com/case-studies/pharmaceutical/ by the “Senior Manager” of a company called “GISSO”. I googled it. I cannot find it at all! Their own references not adding up???

    • GISSO is a title, they neglected to include the company.

  11. Excellent article. Ignore the whine about typos, no one really cares.

    My only point of difference is over the CISSP. Having a CISSP does not make you bad at security, in the same way that it doesn’t make you good at security. The problem is not with the people who hold the certification ( which is, sadly, the default requirement if you want to work in Information Security ) and isn’t really with ISC2 – it is with the hordes of HR departments, recruiters etc who are too lazy to work out what they actually need and have decided that a keyword search for five letters is good enough.

    Sadly, I have no idea how to turn the clock back and make the world better so, in order that I can continue to get through corporate policy and HR screening, I will maintain my CISSP – I now view it as the cost of doing business (several pointless certifications fall into this and are one of the reasons my rates are so high) and simply something that I have to write off against tax. Far from ideal, I admit.

    • Thanks. I agree that having a CISSP doesn’t necessarily equate to being bad at security. I am 100% paper certified myself.

      I do however firmly believe that ISC2 can’t possibly claim that it guarantees absolute competence. Their marketing strategy has been very successful at getting HR departments and industry leaders to accept candidates as competent, and that’s what needs to be changed.

      • “I do however firmly believe that ISC2 can’t possibly claim that it guarantees absolute competence.”

        I totally agree. In doing this it is setting itself up for failure.

        The reality is it shows people have a basic level of knowledge across a range of subject areas and have at least some auditable background in security. (This is risky though, as it seems fairly easy to game the 5 year requirement system).

        I have to take my hat off to ISC2 marketing team. I wish I could achieve such utter market domination with my business.

        I would love it if there was a solution – if nothing else, I could save money re-certifying as a CISSP. For a solution to work, however, whole industries need to have HR staff who have even the slightest clue what is going on. I can’t imagine that ever happening.

        • Exactly, my point. They are Marketing geniuses… I’m going to try to fix that. :)

  12. 2711 Centerville Road, Wilmington, DE 19809 is CSC (Corporation Services Corp)
    https://www.cscglobal.com

    • There are a few companies linked to it.

  13. After the long con, Red Bull Technologies will be the ones that are anti hackable:
    Or they are working for bitcoins ;)

    http://www.bbb.org/atlanta/business-reviews/internet-services/red-bull-technologies-in-atlanta-ga-13002718

    http://www.asiacategory.com/co11801.html

    http://www.manta.com/c/mmqmvnr/red-bull-technologies-inc