September 30, 1999
Hackers and Virtual Perps:
Beware of ICSA.net Sleuths
By DEAN TAKAHASHI 
Staff Reporter of THE WALL STREET JOURNAL

CARLISLE, Pa. -- David Kennedy carries a special pager just in case any of
his employees winds up in jail.

It's a distinct possibility: Mr. Kennedy runs a posse of computer-security
specialists who use some aggressive gumshoe tactics to track malicious
hackers and virus writers.

[If it is a real possibility, then they are as much criminals as the ones
they purport to track and keep an eye on.]

Mr. Kennedy has his pager because he sends his undercover employees to
hacker meetings such as the infamous 2600 hacker gathering in New York.
His agents fit in with the crowds, which are awash in jeans, ponytails and
cherubic faces. "If they get picked up," Mr. Kennedy says, "I have their
'get out of jail free' card."

[If any of his employees are 'picked up' at a 2600 meeting, then they took
personal initiative and broke the law. In such a case, there is no 'get out
of jail free' card short of a federal law enforcement badge that will help
them. It is curious that Takahashi or Kennedy would imply illegal activity 
goes on at 2600 meetings, as if it is a given. It certainly is not.]

His team is part of ICSA.net Inc. (www.icsa.net),
a closely held company that assesses security threats and evaluates
antivirus software for large corporations. One of the company's charters
is to keep its ear to the computer underground, even to the point of
infiltrating it, explains Peter Tippett, the company's chief technology
officer. "You have to straddle both worlds," he says, "with one foot above
ground and one underground if you want to know what's really going on."

ICSA.net, which Mr. Tippett founded in 1989 as an organizer of conferences
on security, isn't profitable yet. But thanks to the explosion in computer
threats, revenue is doubling every four months, Mr. Tippett says.

[With ICSA's statements in the past, they couldn't possibly be helping drive
this "explosion in computer threats"..]

The company shifted from its role as a trade association two years ago,
focusing on security services and changing its name from the International
Computer Security Association Inc. to ICSA.net. It has since raised $17
million from venture capitalists such as Greylock Venture Partners in
Boston and market researcher Gartner Group Inc. in Stamford, Conn.

Recent virus scares have been good business. When the Melissa virus struck
earlier this year, Mr. Kennedy's IS-Recon team (short for Information
Security Reconnaissance) went into action. As New Jersey authorities
arrested David L. Smith of Aberdeen, N.J., the ICSA matched his name
against a thick file they had collected under the name of his alleged
pseudonym, VicodinES. They turned over 3,000 pages of evidence on the
suspect, who has pleaded not guilty to charges associated with creating
the virus, which affected more than 100,000 computers.

Viewing its mission as counterintelligence in a game of guerrilla warfare,
the company is unusually aggressive among antivirus researchers. "They get
to do things, under the auspices of a quasi-association, that we as a
company cannot do," says Jimmy Kuo, director of antivirus research at
Network Associates, which has a strict code of conduct limiting contact
with virus writers.

The IS-Recon agents can hide their identities while communicating with
virus writers over the Internet. They keep tabs on messages on Internet
news groups such as alt.comp.virus, but more frequently rely on an
Internet chatting technology called Internet Relay Chat, which allows them
to tap away at their computers in live conversation on a kind of party
line.

They gain acceptance in the community by showing off their own technical
knowledge, says Mr. Kennedy, a 42-year-old former military security
officer who supervises the IS-Recon team. Virus Web sites, especially in
the wake of the Melissa virus, often require visitors to pass a test to
demonstrate their technical knowledge about computer viruses before
they're allowed to enter the site. Mr. Kennedy says the agents can't
violate their own strict ethics agreements that prohibit them from
distributing computer viruses. That can be an obstacle for the savvy virus
writers who require that they be provided with virus code before they will
associate with any stranger.

"But you'd be surprised at what some basic social engineering can do," Mr.
Kennedy says, referring to the technique of convincing someone to offer
help without being helpful in return. "Someone brags they stole data, you
ask them to prove it, and they show it to you."

Among the tricks: Agents occasionally offer the numbers of purportedly
stolen calling-cards to befriend virus writers, Mr. Tippett says. But
those cards are often being monitored by the card issuers, a tactic used
to track fraud.

The team is an eclectic mix. Spread throughout the U.S. and connected via
computer, the team includes the police-trained Mr. Kennedy as well as
other experts in information gathering, including a former journalist.
There's an academically oriented computer expert, a so-called virus
"zoo-keeper" who has samples of 31,000 viruses, and a couple of recent
college graduates young enough to look and act the part of virus writers.
The agents work on computers that can't be traced to the company, and the
zookeeper, Bruce Hughes, uses software programs dubbed "bots" to scour the
Internet for activity at sites operated by virus writers.

The information gathered goes into a biweekly report, the TruSecure
Monitor, that is distributed for a fee to the company's clients. A few
years ago, the report averaged about 20 pages, and now it regularly fills
50 to 60 pages, thanks to the increase in security threats. Mid-size
corporations -- about half of them banks -- pay $50,000 to $80,000 for
annual subscriptions to ICSA.net's various services.

Virus writers apparently think of the ICSA as an opponent in a
cat-and-mouse game. Self-proclaimed "reformed hackers and virus writers"
periodically interview for jobs at ICSA, which turns them away. The
company has been lambasted in hacker publications and its Web site gets
hit by hacker attacks 22 times a day, Mr. Tippett says.

"They would take a great deal of pleasure in knowing that they could
penetrate the security of a company like ours," he says.

URL for this Article:
http://interactive.wsj.com/archive/retrieve.cgi?id=SB938637421701976364.djm