New details offer link to security firm and threats against researcherby Steve Ragan - Jul 13 2010, 13:00
In a previous story, The Tech Herald covered the overt physical threats made against security analyst Chris John Riley, his family, and friends that were circumstantially linked to Ligatt Security. New details have been discovered that clear up some of the circumstance.
The story of the threats made against Riley start with an analysis by noted security consultant and author Ben Rothke. Rothke examined the book, “How to Become the World’s No. 1 Hacker”, written by Ligatt Security CEO, and self proclaimed World’s No. 1 Hacker, Gregory Evans.
Rothke observed that the book appeared to be plagiarized in several areas when viewed through the iThenticate plagiarism checker from iParadigms. The content check for the book sparked a backlash in the InfoSec community, and it was due to this backlash that Riley sought out Evans.
In response to allegations of plagiarism, Evans discussed and agreed to an interview with Riley on his Eurotrash podcast over Skype. The phone conversation between Evans and Riley to arrange the interview happened on June 16, 2010. It was after the phone call to arrange the interview ended that things went south.
Riley says that within 15 minutes after he completed the call to Evans, he received a comment to his blog in the book section, which was clearly threatening. As seen in the images below, the threats left on the blog single out Riley, his family and friends.
“I wish I had known it was you I was just on the phone with,” the post to Riley’s blog starts.
“I can out hack you any day. I will now go after you [sic] family first! …You let me find out who you really are! Now you must go! Bitch! I will have my friend in your home country tracked [sic] down everyone you are friends with and your family and see what you are all about!”
The comment is addressed to “20Plus”, which is the name for a person on an investment board where Ligatt’s stock is discussed. Riley, as well as others who have written on the topic, share a consensus that the reference to “20Plus” is a case of mistaken identity.
When asked about the threats in a previous interview with The Tech Herald, Evans said that he was not the one who sent it. In that same interview, Evans told us that Riley had left a racist remark via Skype, the platform that was to be used for the Eurotrash Podcast interview between Evans and Riley.
“When the Skype message that came back from Chris, Chris stated, and I’ll paraphrase it because I don’t have it in front of me right now, ‘I wasn’t going to really put a fake nigger hacker…’, or some word like that, and this is the part that made me go ahead and say you know what, I’m fed up with everybody writing this verbiage and calling me a nigger,” Evans told us.
When pressed for logs and any confirmation of the claims, Evans said that he had blocked Riley on Skype and the logs were unable to be recovered.
We asked Riley to comment on the racist remarks.
“All I can say is that after sending the standard worded Skype request for ligattsecurity (the Skype name used by LIGATT) I received no response. At no point was my request accepted and no further messages were sent. This goes doubly for a racial slur, which as anybody who knows me can contest, would not be something I would ever lower myself to,” Riley said in a statement.
Riley said that without the logs, he is in a position to where he cannot prove a negative. He is correct, and at the time, the allegation that the treats against him, his family, and friends came from Ligatt or Evans himself are mostly circumstantial.
To start, there is the IP address in the comment itself. The IP address, 18.104.22.168, is assigned to a DSL line operated by BellSouth. [IP Address Details]
We asked Evans about the IP address connection. In a telephone interview last week, he commented that, “…we don’t know who BellSouth is. In my office we use a company called MegaPath, and MegaPath has no association whatsoever to BellSouth.”
At this point, Evans pointed us to thecyberwars.com, where an image of a MegaPath invoice dated for May of 2010 for T1 services to Ligatt. The image is below.
Along with the IP address, there is the context of the comment itself. The comment starts with the mention of a phone call, and at that stage, only Evans, his staff, and Riley could have been aware that it had taken place.
After the phone call reference, the threatening message was left in the book review section, and makes reference to the fact that, “I see you have books listed above but you did not write any of them.”
However, even with all of those seemingly pointed bits of fact, there was nothing to conclusively point to Ligatt or Evans as the source of the threats.
Earlier this month, The Tech Herald received an email from a source who had additional information into the threats made against Riley on his blog. The information started with the IP address that left the comment, which Evans has denied any connection to, pointedly reminding everyone that MegaPath is their provider, not BellSouth.
The comment left on Riley’s blog came from 22.214.171.124. As mentioned, this is a BellSouth IP address. This IP address is also present in E-Mail Headers from Greg Evans to The Tech Herald. There are several instances of E-Mail communication where the origin IP address present is the same one that appeared in the threats on Riley’s blog.
The IP address also has another connection to Ligatt.
The images below show a publically available 2WIRE Firewall log. The Firewall itself uses the same IP that is listed on Riley’s blog.
The image below shows the NAT information from the Firewall, where 126.96.36.199 is seen connecting to an SQL server (188.8.131.52). 184.108.40.206 is a GoDaddy IP address, and in previous discussions with Ligatt’s CEO, he has said that GoDaddy is where his company hosts the servers. [IP Address Details]
The SQL port is not publically available, and when viewing the entire Firewall page, the pinhole usage does not grant access to the database.
When the GoDaddy IP address is visited on Port 80, it redirects to ligattsecurity.com. The image below shows the redirect in action.
Given that the E-Mail Headers can be spoofed, the claim can be made that the Headers from Evans are not compelling evidence. However, the IP Address in the E-Mail Headers is the same one used to post threats to Riley’s blog. This is also the same IP Address that hosts the Firewall logs showing a clear internal link to Ligatt, as it is unlikely they would allow access to an SQL server to just anyone.
What about MegaPath? Evans has stated that they do not use BellSouth as an ISP. We spoke to a person familiar with T1 and CLEC operations inside of MegaPath.
While they asked to remain anonymous, they explained that there would be situations where MegaPath would use pre-arranged agreements with other providers to assign IP addresses. In the Atlanta area, BellSouth is one such company where an agreement would be in place.
In the event MegaPath did not have a presence in the CO, it is entirely possible for a MegaPath client to use BellSouth IP Addresses. Yet, this is not the case with Ligatt, according to another source at MegaPath.
According to the source, Ligatt canceled their service in June, one month after the invoice date in the picture provided to thecyberwars.com.
In a related matter Ben Rothke and Chris Riley were both named in a lawsuit filed by Ligatt last Friday, accusing them both of “stock bashing” in order for them to manipulate Ligatt’s stock prices.
According to a statement from Ligatt, Riley - due to the assumption that he is "20Plus" - as well as Rothke and two others, are said to have left inflammatory comments on Pink Sheet sites such as investorshub.com, which were geared to ruin the public image of the company.
The suit, filed in Gwinnett County Georgia, includes charges of “stock manipulation and slander [sic]” and seeks $5,000,000 USD in compensation. In all there are 29 people named in the suit, 25 of them are listed as John Doe.
However, when it comes to the threats made and the link to Ligatt, we have had no clear answers.
Nothing from Ligatt can explain the links between the IP Address from the threats on Riley’s blog, to the Firewall logs, E-Mail Headers, and a direct connection to Ligatt’s domain. Things that, when combined, we cannot dismiss at hand. If not Evans, or one of the staff at Ligatt, then who left that message?
What we do know for certain is that Ligatt maintains that they do not use BellSouth as an ISP.