While running the Attrition Defacement Mirror, we found out that some security companies were using the mirror to solicit new customers. This blatant ambulance chasing is pathetic and represents the worst of the security industry.
Sent to the webmaster of a site that had just been defaced:
Please respond to email@example.com
To: firstname.lastname@example.org
cc: GNSS_ERT@globalnss.com
Subject: GNSS | EMERGENCY RESPONSE TEAM

******************************************
** GNSS EMERGENCY RESPONSE TEAM ID **
** INCIDENT: 842380 **
** COMPANY: 56429 **
** DOCUMENT: GN9.17b/at_68 **
** RECORD No: 131 **
** AT_SEND: MTM **
******************************************

http://www.globalnss.com/attacked.htm
TEL: 323 417 4749
E-MAIL: GNSS_ERT@globalnss.com

Dear Sir,

We've been alerted through the Cybercrime Dept of the FBI that as of "5/9/2001" your companies web presence was defaced by "as/kr3w" (although a different alias was used); and, you may be in need of specialized security services. GNSS is not affiliated by the FBI, but we provide the services and post-defacement actions as recommended by the National Security Advisor to the Senate.

IF POST-RECOVERY STEPS HAVE NOT ALREADY BEEN STARTED:
-Disconnect all workstations and servers from network connections and hubs
-Copy an image of the compromised system

We hope you are, or have started taking these appropriate steps:
-Discover whether any files or data could have been stolen to ease access to other servers
-Was your LAN viewed
-Assess whether any customer data including mailing lists or credit card identity (including financials) has been accessed
-Ensure no hidden programs were placed to allow re-access into your system
-Rebuild your system to prevent this action from re-occurring
-Consulting with management
-Consulting with legal counsel
-Consulting Law Enforcement Agencies

GNSS can conduct all the above steps for you as well as:
-Look for modifications made to system software and configuration files
-Look for modifications to data
-Look for tools and data left behind by the intruder
-Review log files
-Look for signs of a network sniffer
-Check other systems on your network
-Check for systems involved or affected at remote sites and *
-Install a clean version of your operating system
-Disable unnecessary services
-Install all vendor security patches
-Consult GNSS advisories and external security bulletins
-Consult GNSS advisories, summaries, and vendor-initiated bulletins
-Caution use of data from backups
-Change passwords
-Review current security
-Install security tools
-Enable maximal logging
-Configure firewalls to defend networks
-Ensure you are LIVE and DEFENDED in minimal time

GNSS specializes in defacement & intrusion recovery. We can aid in the recompiling of your server and bring it back to life as soon as possible. We will secure the appropriate exploits. If you wish to make an insurance claim, we're authorized to appraise damages and investigate for prosecution. GNSS has traced 57 hackers this year in conjunction with law enforcement officials around the world. We're tenacious and thorough as detectives in our field.

According to Gartner Group Report, 43% of attacks are repeat attacks and very often the intruder embeds or leaves hidden changes to allow for re-entry regardless of the new security. We assume you've taken the initial steps to remedy your most current attack.

GNSS is fully licensed, insured, and certified by most major software and hardware manufacturers to guarantee our service is professional. We encourage you to contact us immediately, rather than wait any longer. It's time to build confidence in your future, and we can help.

http://www.globalnss.com/attacked.htm

Respectfully,

James Sinclair
President & CTO
Global Network Security Services Inc.
T: 323 417 4749
F: 323 417 4885
C: 323 828 9797
Direct Line: 323 957 1870
email@example.com
www.globalnss.com

------------------------------------------------------------
CISCO - NORTEL - MICROSOFT - NOVELL - IBM > Certified
------------------------------------------------------------