Jack Koziol of the InfoSec Institute (infosecinstitute.com) gave a presentation in 2010 titled "Advanced Persistent Threat: Understanding attacks on America's most sensitive computer networks uncovers startling security gaps". The slides can be found on the ISI web site or slideshare.net, uploaded by 'Infosec Institute'. According to the PowerPoint advanced properties, they were created on Wednesday, July 21, 2010 by author 'Jack Koziol', but the company shows 'Georgia Tech'. Google searches showed no link between Koziol and Georgia Tech, but searches did reveal the source of his slide deck.
Based on a comparison, Koziol copied a slide deck from John Copeland, used a significant amount of material without editing, and then added additional slides to it. Copeland's PowerPoint file shows the author as 'Copeland John', company listed as 'Georgia Tech' and created Monday, April 21, 2008.
The following table details Koziol's slides that were taken from other sources, making up 65% or more of the material. Given the variety of sources used, it is clear that Koziol willfully infringed copyright and plagiarized most of the material. Given the list of ISI clients he includes at the beginning, it is disturbing that so many agencies and companies have paid them for services.
Several slides appear to be written by Koziol, but contain typographical and technical errors. For example, on slide 52 he uses "drives" instead of "drivers". On slide 40, he states "because it is a zero day, [Adobe] Reader is unpatched, Antivirus has no signature for the attack, ASLR is defeated". ASLR is not inherently defeated just because an attack happens to be zero-day; unlike Antivirus, ASLR is not a signature-based, reactive technology, so the novelty of an exploit says nothing about whether it has bypassed ASLR.
| Koziol Slide # | Original Source |
|---|---|
| 6 | Definition of APT taken from Wikipedia |
| 7 | Slide 2 of Copeland's E-spionage Presentation |
| 8 | Slide 3 of Copeland's E-spionage Presentation |
| 9 | Slide 4 of Copeland's E-spionage Presentation with minor edits |
| 10 | Slide 5 of Copeland's E-spionage Presentation |
| 11 | Slide 6 of Copeland's E-spionage Presentation with some text removed |
| 12 | Part of slide 7 of Copeland's E-spionage Presentation |
| 13 | Part of slide 8 of Copeland's E-spionage Presentation |
| 14 | Most of slide 9 of Copeland's E-spionage Presentation |
| 15 | Part of slide 10 of Copeland's E-spionage Presentation |
| 16 | Slide 11 of Copeland's E-spionage Presentation |
| 17 | Slide 12 of Copeland's E-spionage Presentation |
| 18 | Part of slide 13 of Copeland's E-spionage Presentation |
| 19 | Slide 14 of Copeland's E-spionage Presentation |
| 20 | Part of slide 15 of Copeland's E-spionage Presentation |
| 21 | Part of slide 17 of Copeland's E-spionage Presentation |
| 22 | Slide 24 of Copeland's E-spionage Presentation |
| 25 | Zero Day Attack definition from Wikipedia |
| 27 | Secunia 40034 |
| 31-36 | Bypassing Browser Memory Protections by Sotirov / Dowd |
| 39 | Image taken from Internet (e.g., emailinternetroute.jpg) |
| 41-42 | Image and text from The Rootkit Arsenal by Bill Blunden |
| 44-46 | Three Ways to Inject Your Code into Another Process |
| 47-49 | From pages 177, 192 and 198 of The Rootkit Arsenal by Bill Blunden |
| 51 | Summarized from The Rootkit Arsenal by Bill Blunden |
| 53-60 | From pages 208, 209, 212, 396 and 397 of The Rootkit Arsenal by Bill Blunden |
| 65 | Stegtunnel vendor page |
| Total Slides Plagiarised | 44 / 67 (65%) |