Hackers and Virtual Perps:

Beware of ICSA.net Sleuths

September 30, 1999

CARLISLE, Pa. -- David Kennedy carries a special pager just in case any of his employees winds up in jail.

It's a distinct possibility: Mr. Kennedy runs a posse of computer-security specialists who use some aggressive gumshoe tactics to track malicious hackers and virus writers.

[If it is a real possibility, then they are as much criminals as the ones they purport to track and keep an eye on. Anyone with half a clue in the penetration testing business knows all about indemnification agreements.]

Mr. Kennedy has his pager because he sends his undercover employees to hacker meetings such as the infamous 2600 hacker gathering in New York. His agents fit in with the crowds, which are awash in jeans, ponytails and cherubic faces. "If they get picked up," Mr. Kennedy says, "I have their 'get out of jail free' card."

[If any of his employees are 'picked up' at a 2600 meeting, then they took personal initiative and broke the law. In such a case, there is no 'get out of jail free' card short of a federal law enforcement badge that will help them. It is curious that Takahashi or Kennedy would imply illegal activity goes on at 2600 meetings, as if it were a given. It certainly is not.]

His team is part of ICSA.net Inc. (www.icsa.net), a closely held company that assesses security threats and evaluates antivirus software for large corporations. One of the company's charters is to keep its ear to the computer underground, even to the point of infiltrating it, explains Peter Tippett, the company's chief technology officer. "You have to straddle both worlds," he says, "with one foot above ground and one underground if you want to know what's really going on." ICSA.net, which Mr. Tippett founded in 1989 as an organizer of conferences on security, isn't profitable yet. But thanks to the explosion in computer threats, revenue is doubling every four months, Mr. Tippett says.

[With ICSA's statements in the past, they couldn't possibly be helping drive this "explosion in computer threats".]

The company shifted from its role as a trade association two years ago, focusing on security services and changing its name from the International Computer Security Association Inc. to ICSA.net. It has since raised $17 million from venture capitalists such as Greylock Venture Partners in Boston and market researcher Gartner Group Inc. in Stamford, Conn. Recent virus scares have been good business. When the Melissa virus struck earlier this year, Mr. Kennedy's IS-Recon team (short for Information Security Reconnaissance) went into action. As New Jersey authorities arrested David L. Smith of Aberdeen, N.J., the ICSA matched his name against a thick file they had collected under the name of his alleged pseudonym, VicodinES. They turned over 3,000 pages of evidence on the suspect, who has pleaded not guilty to charges associated with creating the virus, which affected more than 100,000 computers.

Viewing its mission as counterintelligence in a game of guerrilla warfare, the company is unusually aggressive among antivirus researchers. "They get to do things, under the auspices of a quasi-association, that we as a company cannot do," says Jimmy Kuo, director of antivirus research at Network Associates, which has a strict code of conduct limiting contact with virus writers.

The IS-Recon agents can hide their identities while communicating with virus writers over the Internet. They keep tabs on messages on Internet news groups such as alt.comp.virus, but more frequently rely on an Internet chatting technology called Internet Relay Chat, which allows them to tap away at their computers in live conversation on a kind of party line.

They gain acceptance in the community by showing off their own technical knowledge, says Mr. Kennedy, a 42-year-old former military security officer who supervises the IS-Recon team. Virus Web sites, especially in the wake of the Melissa virus, often require visitors to pass a test to demonstrate their technical knowledge about computer viruses before they're allowed to enter the site. Mr. Kennedy says the agents can't violate their own strict ethics agreements that prohibit them from distributing computer viruses. That can be an obstacle for the savvy virus writers who require that they be provided with virus code before they will associate with any stranger.

"But you'd be surprised at what some basic social engineering can do," Mr. Kennedy says, referring to the technique of convincing someone to offer help without being helpful in return. "Someone brags they stole data, you ask them to prove it, and they show it to you." Among the tricks: Agents occasionally offer the numbers of purportedly stolen calling-cards to befriend virus writers, Mr. Tippett says. But those cards are often being monitored by the card issuers, a tactic used to track fraud.

The team is an eclectic mix. Spread throughout the U.S. and connected via computer, the team includes the police-trained Mr. Kennedy as well as other experts in information gathering, including a former journalist. There's an academically oriented computer expert, a so-called virus "zookeeper" who has samples of 31,000 viruses, and a couple of recent college graduates young enough to look and act the part of virus writers. The agents work on computers that can't be traced to the company, and the zookeeper, Bruce Hughes, uses software programs dubbed "bots" to scour the Internet for activity at sites operated by virus writers.

The information gathered goes into a biweekly report, the TruSecure Monitor, that is distributed for a fee to the company's clients. A few years ago, the report averaged about 20 pages, and now it regularly fills 50 to 60 pages, thanks to the increase in security threats. Mid-size corporations -- about half of them banks -- pay $50,000 to $80,000 for annual subscriptions to ICSA.net's various services.

Virus writers apparently think of the ICSA as an opponent in a cat-and-mouse game. Self-proclaimed "reformed hackers and virus writers" periodically interview for jobs at ICSA, which turns them away. The company has been lambasted in hacker publications and its Web site gets hit by hacker attacks 22 times a day, Mr. Tippett says.

"They would take a great deal of pleasure in knowing that they could penetrate the security of a company like ours," he says.
