So I’m sure most of you who are active in the security community are fully aware of the events that occurred. For those of you who aren’t, and consider yourself a security professional, well I’m not sure you should be reading this as you might find it offensive.
Let me start off by saying I do not condone the cyber terrorism, hacktivism, cyber warfare or whatever the key buzzwords are these days for anyone that causes any type of damage. However, unlike ISC2, I do condone security research of all kinds as long as it is performed within a contained environment. If it wasn’t for hackers, tinkerers, what have you, we wouldn’t have any of the cool technology we have today.
Now that I have gotten the basic disclaimers out of the way, I want to point you to something very interesting that LulzSec had inadvertently pointed me to. Karim Hijazi, who may or may not be real, associates himself with Infragard. He allegedly approached LulzSec to “hack” his competitors. I haven’t been able to validate that, so I will leave it at that; however, if he was able to pull a fast one on the “Security Leaders” of today, then we might be in for an even ruder awakening.
All of the recent media attention has, I hope, raised awareness of why security is required, but if you don’t know what you’re doing then these boutique consulting firms are going to exploit those weaknesses and get you to buy whatever shit they are peddling.
As I am writing this, Karim has updated his site with a press release on how LulzSec is blackmailing him and blah blah blah. I don’t care either way, it doesn’t matter. Think like a real security professional: only people who think outside the box will see the potential con here…
Ok paper guys, I’m tired, so I’ll give you a hint, and please don’t quote me on this as fact as it’s only an educated guess.
- Hackers use social engineering techniques such as pretexting to build “security” companies, which sell what appears to be to the casual IT/ITSec leader a market leader using buzzwords
- They initiate huge attacks that scare the shit out of their potential client base
- Sale made, product doesn’t do shit, but who cares? Company isn’t legit, and you damn well know if you just asked for X dollars to bring in the latest and greatest only to find out it doesn’t do anything, you are not telling anyone. That project will just stall out and go away. Hell, the attacks stopped, all good till next time.
I’d be willing to put money on the fact that Unveillance and his other projects were pretexts to the long con.
Here is what I have been able to validate. Unveillance.com popped up out of nowhere with an elegantly designed website claiming to provide “Real Time Actionable Intelligence”. Sounds great, doesn’t it? Well, you security guys that don’t get security might be able to translate this for me, as I don’t get it.
“Unveillance has developed the first zero false-positive approach at analyzing the malware infection and botnet participation status of organizational networks. Unveillance is able to develop this intelligence completely passively without the use of any hardware or locally installed software.
Focusing on the indisputable proof of data egressing a corporate or governmental network, Unveillance is able to produce critical actionable intelligence on the exact moment the data exited the private network to the command & control server, the port, the protocol, the type of infection that facilitated the theft and in special cases* the content of the payload.
Combining multiple parameters that include the size of a given network, the scope and scale of the infection, the severity of the threats and the entity’s score in relation to the rest of the world, Unveillance has developed the industry’s first Data Leak Intelligence (DLI) score. This score is used for a variety of purposes including security and compliance validation, sector trending, investor assurance and remediation confirmation.”
*Reserved for law enforcement and/or governmental use.
Put away your checkbooks guys, save them for your CISSP renewal fees. They have developed the first zero false-positive approach at analyzing an infection without looking at any data. “Indisputable Proof” of data leaving your network. “When malicious traffic exits your network and beacons to one of our sinkholes, we pick it up and notify you in real time”. Sounds magical.
Where do I sign up for this magical service???? Well Timmy, here is some information on this magical service, which is no doubt provided by Aliens.
Just make sure to provide Your Name, IP Address, and Phone number for authentication purposes, and don’t forget your CIDR Ranges.
Are we having fun yet??? No? Ok, let’s go have some more. Unveillance.com was registered on July 21st, 2010 by??? No guesses? Ok paper guys, WHOIS is a service that you should learn.
Administrative, Technical Contact:
Hijazi, Karim Unveillance
2711 Centerville Road Suite 400
Wilmington, DE 19808 US
Anyone want to take a guess what lives at that address? Come on, you can do it, I know you can use Google, right? The Company Corporation, 2711 Centerville Road, Suite 400, Wilmington, DE 19808, Ph: (302)636-5440
This is the address for the Company Corporation, which for $50 bucks acts as your corporate charter. Wait, it gets better… We have this magical company with alien capabilities and no physical address. I got my checkbook ready, you too? But wait, being a diligent security professional I’d like to get some more information on this obviously brilliant individual who is the President of Unveillance and apparently the president of another “Security” firm called Demiurge Consulting according to his LinkedIn profile[i].
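The WHOIS checks walked through above, turned into a repeatable vendor due-diligence script. This is an added example, not code from the original post or from any company mentioned in it: the WHOIS record below is constructed (the registrant name is a placeholder), the registered-agent address list is an assumption seeded with the Wilmington address quoted in the post, and the two red flags it raises are the ones the post describes: a domain far younger than the vendor’s claimed history, and an administrative contact address that is a registered agent’s mail drop rather than an office.

```python
import re
from datetime import date

# Known registered-agent / mail-drop addresses (assumed list; the first entry is the
# Company Corporation address quoted in the post). Extend with others you verify.
REGISTERED_AGENT_ADDRESSES = [
    "2711 Centerville Road, Suite 400, Wilmington, DE 19808 US",
]

# Constructed WHOIS-style record in the layout the post shows; names are placeholders.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-VENDOR.COM
Creation Date: 2010-07-21T00:00:00Z
Administrative, Technical Contact:
Doe, Jane  Example Vendor LLC
2711 Centerville Road Suite 400
Wilmington, DE 19808 US
"""


def normalize(addr: str) -> str:
    """Lower-case, drop punctuation and squeeze whitespace so addresses compare cleanly."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def parse_whois(text: str) -> dict:
    """Extract the creation date and the two address lines under the admin contact."""
    created = re.search(r"^Creation Date:\s*(\d{4})-(\d{2})-(\d{2})", text, re.M)
    # Header line, then the contact's name line, then two address lines we capture.
    contact = re.search(r"^Administrative, Technical Contact:\n.*\n(.*\n.*)", text, re.M)
    return {
        "created": date(*map(int, created.groups())) if created else None,
        "address": normalize(contact.group(1)) if contact else "",
    }


def red_flags(text: str, today_iso: str, claimed_years: int) -> list:
    """Return human-readable red flags for a vendor's WHOIS record.

    today_iso: the date of the check as YYYY-MM-DD; claimed_years: how long the
    vendor says it has been in business (0 to skip the age check).
    """
    info = parse_whois(text)
    flags = []
    if info["created"] is not None and claimed_years > 0:
        age_days = (date.fromisoformat(today_iso) - info["created"]).days
        if age_days < 365 * claimed_years:
            flags.append(f"domain is only {age_days} days old but vendor claims "
                         f"{claimed_years}+ years in business")
    if info["address"] in {normalize(a) for a in REGISTERED_AGENT_ADDRESSES}:
        flags.append("admin contact address is a registered-agent mail drop, not an office")
    return flags
```

Run `red_flags(SAMPLE_WHOIS, "2011-06-04", 1)` to see both flags fire on the constructed record; pointing it at a real vendor means pasting in that vendor’s WHOIS output.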
Karim Hijazi is a “Security & Intelligence Consultant” who is currently the President of Demiurge Consulting, which I’ll talk about in a minute. As of this moment, there is no mention of Unveillance in his profile. However, let’s take a further look at Unveillance.
They have a D&B# 966829553, must be legit, huh? So someone is already on their way to establishing a credit score for this phenomenal product. $230 dollars is all you need to establish legitimacy.
Next up, a LinkedIn company profile is a must for that legitimate feeling. Well, obviously Unveillance has that. Wonderful, they have 2 new hires and a total of 2 employees[ii]. Chief Scientist Matt T and Director of Threat Analysis Meaghan M. These 2 individuals had both come from a company called DefenceIntelligence. While I haven’t done much research on the site [iii], I can tell you that according to the Wayback Machine [iv] the site hasn’t been updated in over a year. The Twitter account, however, just popped up after over a year of inactivity[v]. I’m not going to make a determination on whether these individuals are involved or not.
At this point I’d be kicking him out of my office, but you’re not convinced. I get it, you spent your money, took a whole week’s worth of boot camps to become the hard core security professional you are. You think this thing is better than sliced bread, and you’re so scared of becoming Sony that you’ll spend your whole security budget on the next “Big” Thing. And he has a fancy web site. Ok, you need to buy his product and stop reading right now.
I mean it, go away. The rest of this stuff might be over your head, as it requires using a web browser, a search engine and some common sense. $500 dollars only gets you 5 characters, not common sense.
Ok, so Mr Hijazi is the founder of a company called Demiurge Consulting LLC and has worked there since 2001. Interesting. So, needless to say, www.demiurgeconsulting.com is not a production site anymore, but I did find something very interesting. A company called FoxLogic Productions, who owns the domain, had updated the DNS record less than a month ago [vi].
Hmm… Could it be a fluke? Well, Karim’s home address (the one he uses, not where he gets pizza according to Lulz) and FoxLogic are on the same street. Woah, what’s going on? Coincidence? Hmm. Karim’s address
So what else do we know about Demiurge? Well, we know Mr. Hijazi got himself published in SC Magazine: “Now, physical security is controlled in a lot of capacities by IT,” says Karim Hijazi, founder and CTO of cybersecurity services firm Demiurge Consulting [vii]; I can’t find the original article though. Ok, Demiurge is starting to look like it might be a respectable firm.
Wait, what’s this? From December 24, 2009 to February 23rd, 2010 Demiurge Consulting was replicating none other than the blog of our very own Bruce Schneier [viii]. Oooh ahh, you want street cred as a security guy, pretending to be Bruce will definitely get you some. Wait, hold on. Demiurge Consulting does firearms training?? [ix] Where do I sign up??? Needless to say the site is no longer there, and we can thank Google Cache for the information. Look at the Partner Links.. Anyone look familiar? I’m pretty sure that Demiurge was yet another fake, but let’s take a look at one more thing. Look what was just updated. “Updated 3/10/2011 – This profile of Demiurge Consulting, LLC was created using data from Dun & Bradstreet and Florida Department of State”
Not satisfied yet that this guy’s in for the long con????
I won’t go any further, but there are other references to companies on his LinkedIn which seem to be just as shady. I could have saved a couple of hours researching if I had gone through the comments on Bruce’s blog, but I’m not the brightest of the bunch at 4am.
I have hopefully demonstrated what a few hours worth of googling can uncover. So please explain to me how Karim here was able to join an organization which was set up by law enforcement to enable knowledge transfer between public and private sectors?
In 1999 I had attended the NYC Infragard meeting at which Marcus Ranum presented, and I was very interested in the mission of the group. The agent who had started the presentations had gone through what the typical “hacker” profile is, and of course I was the only guy in the room under 25. My boss threw me under the bus to get a laugh, little did he know.
I was just amazed at the charter of the group and the overall goals. Thought it would be awesome to be a part of that. That group would not have let Karim here join. If this guy can pull one off on a group consisting of law enforcement and supposed security leaders, then where do you think you stand?
The question I have left somewhat unanswered is easy. Who is to blame? We are, well some of us. The Security professionals who don’t give a shit enough about safeguarding your clients and/or employers and the professionals who don’t know enough to do shit.
I’m glad to say that the latter far outnumbers the first. Security professionals are not like most IT guys. We don’t do 9-5, we live and breathe this stuff. We might sometimes pull the whole ego thing, but we have to slow down to explain things to you. I have talked to some amazing individuals over the last couple of weeks, and I have to say that I feel dumb when I speak to them. I’m done with the elitist view, let me leave you with this last thought. ISC2 will not teach you to think like a security person. You want to be a security person, forget the boot camp. Take every book on their reading list, lock yourself in a room for 3 months and then you will have a much stronger foundation to build on than a boot camp. In the last couple of weeks, I have been on and off trolling their forum and came upon the “recommended reading list”.
I’d give them more credit if passing the test required the reading. I have read every single one of those books in the last 14 years or so.