Report: InfoSec community launches campaign against security firm
by Steve Ragan - Jun 23 2010, 10:38
Since April, Ligatt Security [link] has been in the crosshairs of the Information Security community. In the last week, the war on both sides has heated up, with charges of racism from Ligatt’s CEO and self-proclaimed World’s No. 1 Hacker, Gregory Evans. Here’s the story so far.
Given that Gregory Evans has taken a considerable amount of heat from the InfoSec community, the claims against him are listed below. His responses to said claims are quoted if he addressed them in his interview with The Tech Herald on June 18, 2010.
Update: We added a statement from Chris John Riley on page 3.
Threats and stolen books
It all started with a book [link]. Titled “How To Become The World's No. 1 Hacker,” the book was analyzed by noted security consultant and author Ben Rothke, who detailed his findings in a report on the RSA blog [link]. Rothke observed that most of the book appeared to be plagiarized when viewed through the iThenticate plagiarism checker from iParadigms.
Due to that observation, Chris John Riley, who co-hosts the Eurotrash Podcast, contacted Ligatt CEO Gregory Evans, author of the allegedly plagiarized book, to schedule an interview. After a brief phone call, the interview was set over Skype, and things looked good -- until a comment was posted 15 minutes later to Riley’s blog.
With that single post, things went south: the anonymous blog comment contained threatening remarks, including threats of a physical nature. The post, left in a section for book reviews on Riley’s blog, was addressed to “20Plus”, the handle of a person on an investment board where Ligatt’s stock is discussed.
“I wish I had known it was you I was just on the phone with,” the post starts, and from there progressed to, “I can out hack you any day. I will now go after you [sic] family first! …You let me find out who you really are! Now you must go! Bitch! I will have my friend in your home country tracked [sic] down everyone you are friends with and your family and see what you are all about!”
The 20Plus reference is clearly a case of mistaken identity. This is noted by several people who have written about the incident, including Praetorian Prefect [link] and Riley’s own blog [link]. However, many felt that Ligatt’s CEO made the threats himself.
It is worth noting that there are a lot of BellSouth users based in Atlanta. At the same time, because of the location of the post on Riley’s blog in relation to book reviews, the content of the post itself, the references to a previous call, and the location of Ligatt Security, many InfoSec observers said that the post came from Evans or a member of his company.
In our talk with Ligatt’s CEO, we asked him about this incident. He was unaware of the remarks and denied sending them. Evans said that when Riley requested to be added on Skype, he informed Riley that the interview was going to be canceled because Ligatt had linked Riley to 20Plus, and then blocked him on the video messaging application.
We attempted to explain the issue further, but Evans only had a short comment for it as he moved on to other topics:
“I never sent this gentleman, I’m not even going to call him a gentleman, I never sent this guy an email. I never went to his site and posted anything there. I run a computer security company with five offices. Now we didn’t grow to be this big by going around lying about our credentials, or faking that we know how to do security.”
The other topic he wanted to move on to was the subject of Rothke and the charges of plagiarism. According to Evans, he had reached out to Rothke regarding the plagiarism post, but said that calls were not returned. This led him to what he sees as the most important issue on the topic:
“It’s funny that everybody’s saying that I plagiarized all this stuff, but the people who are claiming they own the original content, not one person has contacted my office saying ‘Greg you used my stuff’ at all. Not at all.”
One of the chapters supposedly plagiarized in the book came from The Ethical Hacker Network (EHN) [link], where Chris Gates wrote an article on MS Terminal Server Cracking. On Twitter, Gates has said he was never paid for the article to be used in the book, and mentioned that Donald Donzal was not paid either. When looking at what appears in the book and the images from EHN, the content is the same.
Evans said the posts related to plagiarism hurt and, because he had previously contacted EHN to purchase the site, he had Donzal’s cell number. Evans said he called Donzal about the posts on the site, at which point Evans was told he had jumped the gun. At that juncture, Donzal was busy and couldn’t discuss the issue further, so Evans left his cell number and requested a call back.
In emails sent to The Tech Herald by Evans, which appear to be copies dating from December 17, 2009, there is communication regarding the purchase of EHN. However, the purchase offer was turned down and, during our interview, Evans said that no return call was given related to the postings on the EHN website.
This led Evans to explain how the book was put together.
The “How To Become The World's No. 1 Hacker” book was outlined at the end of 2008. Evans said that he sent word out that he was writing a book and was looking for original content on security. He said he made it known that he was willing to pay for the content.
“Now the releases that I signed, and the confidentiality agreements that I have with the people who gave it to me, it stated that ‘you are the original owner of this work’. In addition to that, ‘I do not have to use your name or give you any credit whatsoever, in exchange for me paying you x-number of dollars’.”
The compensation, Evans said, was an amount from $500 - $5,000 USD.
“People are saying that the work that was in my book is something that we took off a website. No. Some of this work I may have purchased before it was ever put on a website. You just don’t know that, because I didn’t come out with the book yet. It was sitting around, and the reason it was sitting around is because I’m running a company, and I didn’t have time to go through everything,” Evans explained.
When he did go through everything, he said he “took a little from this and a little from that,” and he got everybody to sign releases.
“There would be no reason for me to go out, go to some boards, copy some people’s work, stick it in a book, knowing that the same people that I’ve just stolen their work would read the book and say ‘hey that’s my work’. Not one person has contacted us and said that the content in the book belongs to [them]”
“The stuff that they're claiming that I took from other boards, if I paid for it, before it was posted at those boards, that means that those boards stole my content.”
Evans made it clear in our conversation that Rothke and Gates never reached out to him to discuss any plagiarism claims. This is a sticking point in his argument: in all of the talk of theft, no one has come to him or his company personally over the matter. He mentioned that the book wasn’t written for “computer nerds”; it was written for laymen.
We asked for proof of the confidentiality agreements.
“No. Here’s the deal. I can right now, and I could’ve already done this, scan and post all of those on the page, but I’m not. Reason why is, I’m not doing it to satisfy you guys. I’m really not. What I am doing is, if one of the people who are claiming that they wrote this content, and they can prove that they wrote this content, and they have an attorney, their attorney and my attorney can work that out.”
“Right now, all I have is a whole bunch of player-hatin’ IT security people who claim that they’re better hackers and cannot believe that there’s a black hacker out there, that I stole his stuff. I’m not pleasing him.” [The ‘him’ mentioned by Evans is in reference to Gates.]
Another topic that was up for discussion was Evans’ claim that he bonded with and befriended Kevin Mitnick while incarcerated in 1998. Evans has stated that he took Mitnick under his wing and quickly became friends with him, even offering advice to Mitnick when he was debating taking a deal on his federal charges.
An interesting aside is that the two men shared the same judge. Much has been made about Evans’ criminal past, and it is something that seemed to bother him as he explained his interaction with Mitnick. However, it should be said that anyone, no matter their race or reason for being there, will have an issue with being locked up.
“I was locked up with him,” Evans said. “No one in there liked Kevin. The Blacks didn’t like him, the Mexicans didn’t like him, and the Whites didn’t like him.”
He went on to explain that intellectual people liked Mitnick, but the drug dealers and murderers didn’t like him because of the press he was getting. Before he arrived at 5South, Evans noted, people used to pick on Mitnick.
“So Kevin and I bonded when we were there. What he may say now, totally different, but when Kevin got that phone call and had to work this deal, to take the deal, I am the one who talked to Kevin,” Evans said.
“When Kevin got the call from his attorney and he was talking about going on 60 Minutes with Ed Bradley, Kevin was a fat kid. Look at his history pictures he was a fat kid. Soon as he found out, that day, he was going on 60 Minutes, Kevin and I used to, cause there’s this little walking area gym/basketball area on our floor, Kevin and I would go out there in the mornings, during lunchtime and the afternoons, and work out.”
Mitnick responded to an interview request about Evans’ comments, and told us that he was never taken under anyone’s wing, and that “we spoke a little bit about Phreaking in general.”
“Another inmate in custody would be the last person I would discuss my case with. I don’t recall what we talked about in generalities, but I do know it had nothing to do with plea agreements. When you’re in custody you can’t trust anyone,” Mitnick said.
The topic of Seria Mullen, and the Ligatt Security news and information portal, National Cyber Security (www.nationalcybersecurity.com), has been one of the largest issues Evans has faced, next to the allegations that he plagiarized one of his books.
Ligatt’s news portal has been seen posting articles under the bylines of other people, without credit or back links to the original material. In addition, one of the authors on Ligatt’s portal, Seria Mullen, used an image of Chloe White Kennedy [link], a reporter for Knoxnews.com until earlier this month.
“National Cyber Security has all original content at its website. Unlike a lot of security portals, they put up news articles from Googles [sic], from API, some of these other companies, and they just place it all at one website. Nothing’s exclusive. At National Cyber Security, everything’s exclusive.” – Greg Evans
The comment above comes from a video created by IronGeek and posted to the Praetorian Prefect blog [link]. The video was created to show several examples of plagiarized news content posted under Seria Mullen’s name. The quote from Evans appears at the beginning of the video, but we have not been able to locate the exact date it was given.
We asked about Seria Mullen during our interview with Evans. He said that she was one of Ligatt’s new researchers and that, while he never really visits the National Cyber Security website, he noticed on the day of our interview that her image was different from the one that had been on the site a week earlier.
Why the image changed is unknown. We attempted to locate other images, but the only cached images that were available for National Cyber Security related to Mullen were the ones of Kennedy. Evans, when discussing Mullen, also explained the content side of things.
“National Cyber Security brings things in through a news feed. It’s not that we go out and copy stories and paste them, we have this service that we build in-house - a script - that goes out and subscribes to news feeds or regular RSS [feeds], and we take the stories and we then put them in parts of National Cyber Security,” he said.
“For some reason, [the script] was not putting in the portions where it said where the source came from. Now we noticed this before, about two months ago, because none of these stories are ours, we don’t write these stories that come up there, but we like to give people credit for the work that they do. I know I like credit for the work that I do, and [the script] was putting it in there. For some reason, it wasn’t doing it any more.”
Evans was not sure why the script stopped working. While we were talking, some work was being done on the site, and Kennedy’s image disappeared from under Mullen’s name. At one point, articles under the byline of Seria Mullen were re-attributed to Avery Mitchell, another researcher for Ligatt. The switch was reversed before the weekend was out.
Racism within the InfoSec community
The debate over the book plagiarism moved forward on Friday with a news release [link] from Ligatt that said Evans had been called the “N-word” more than 100 times in the last year. Looking into that statement, we noticed that most of the racist posts are on his YouTube videos. Speaking to Evans during our interview, he recounted a story related to Chris John Riley.
Shortly after Riley had messaged Evans to arrange the Eurotrash interview, and after Evans had explained to him that he had discovered Riley’s apparent connection to 20Plus and canceled the interview, Evans said he received a message containing racial slurs.
“When the Skype message that came back from Chris, Chris stated, and I’ll paraphrase it because I don’t have it in front of me right now, ‘I wasn’t going to really put a fake nigger hacker…’, or some word like that, and this is the part that made me go ahead and say you know what, I’m fed up with everybody writing this verbiage and calling me a nigger.”
At the time this article was posted, Chris John Riley was unavailable for comment. Once we hear from him, we will update this section of the report with his response to the allegations.
Update: 6-23-2010 2:34 a.m. EST.
Chris John Riley sent us the following statement:
"I read with interest the comments from Mr. Evans regarding my Skype. All I can say is that after sending the standard worded Skype request for ligattsecurity (the Skype name used by LIGATT) I received no response. At no point was my request accepted and no further messages were sent. This goes doubly for a racial slur, which as anybody who knows me can contest, would not be something I would ever lower myself to."
"I would request that Mr. Evans make the log files of this "supposed" message public, as I'm sure it would help prove his point. I'm in the unfortunate situation where I cannot prove a negative. I can only say what did happen, and not prove what didn't."
"As you commented in your article, Mr. Evans is a great salesman and marketeer. Like anything he says however, 2 and 2 equal 3. There must be a logic to it somewhere, but currently all I see is discrepancies, misrepresentation, and an ongoing refusal to back up anything he claims with anything stronger than a firm tone of voice. All of these allegations could be put to rest with him providing cold hard facts that he has at hand (contracts, chat logs ...). Until that happens however, all I see is the same responses regurgitated again and again with a slightly different spin."
Kids as Hackers
A video posted to YouTube, seen here [link], shows a child who appears to be in his early teens discussing his employment with Ligatt Security. It has been shown that the minor is Matthew Prater, an actor in Norcross, Georgia, where Ligatt is located. The actor’s profile page [link], and even the clothing in the video, prove that Matthew did appear in the video. However, the profile itself shows that Matthew was a commentator in a commercial for Ligatt Security.
While we never had the chance in our interview to ask about Matthew and his employment, Evans did refer to him in the statement below. We’ve emailed Evans for clarification on this topic; at the time this article was posted, he had not responded. In addition, requests for comment from Matthew were not answered. If either of those situations changes, we’ll update this report.
“I got a kid 13 now, started when he was 11, hopefully he’ll come back for us at the end of this summer. But this kid hacked into a credit union at age 11. He did a video up on our site. People thought he was an actor. He’s not an actor. He actually did it. So when I sit back and I say that we’ve got good hackers, and am I the world’s number-one hacker, I’m like Kobe Bryant, I’m only as good as the rest of my damn team. If I have a BS team, I can’t win. I’m no good. What makes me good is that I surround myself around great people, smart people, and I pay for that talent. That’s what I do.”
A job posting on Ligatt Security’s employment section lists an opening for a personal assistant for Evans. This posting is another item that the InfoSec community has singled out in the past few days as an example of Ligatt’s overall business practices.
The image seen below comes from a screen capture taken by The Tech Herald on June 21, 2010. It shows the job posting [link] on Ligatt’s site that requires a personal assistant to send photographs of themselves along with their resume and a corrected copy of the job posting itself.
When this posting appeared over the weekend in the InfoSec community, it once again fueled the debate against Ligatt. In addition to the picture requirement, there are other Equal Opportunity Employment violations. One such example is mentioned by Attrition.org, who pointed out that telling mothers who need babysitters that the job might not be for them is discriminatory.
“First, by telling candidates with young kids that require babysitting the position "may not be for [them]", he is effectively discriminating against sex. Requiring that a candidate not have young kids, or kids that require attention, is not a lawful job requirement.” – Attrition.org. [link]
For many who have commented on Ligatt’s operating practices, the sum of these issues is that the company is a marketing front, given Evans’ comments (which are at times contradictory), the plagiarism allegations, the marketing strategy for the company stock, the hiring practices, and the false claims of employment for both contracts and employees.
While never addressed in our interview, Evans referenced the perception several times with various remarks. He does not agree with them, and said most of the negative attention has done wonders for his book sales.
We asked Evans to address these charges. At the time this report is posted, emails to him over the issue have not been returned.
Hacking the hacker
Several times during the month of June, domains operated by Ligatt Security were targeted and attacked. Images below, taken by The Tech Herald, show some of the Cross-Site Scripting flaws discovered.
We asked Evans in a follow-up to address this issue. As with the other follow-up questions, he had not responded by the time this report was published.
Attrition.org has additional examples and information. [link]
Conclusion and references
The InfoSec community has raised other issues against Gregory Evans and Ligatt Security. However, aside from the sections mentioned, we listed only the areas discussed in our interview with Evans, so as to keep things as fair as we could.
The 90 minute interview covered a lot of topics, but also repeated many of the same things that have already been stated by Evans. Again, to be fair, before this report was published, we attempted to reach him for follow-up.
Our opinion on the matter is that, like him or not, he is a great speaker and marketer. However, if you have doubts about a company that offers security services, then you must do your research on them before entering into any business dealings. If anything, we hope that this report is a useful tool for anyone researching the topic.
In addition, the links and sources below provide more information.
Evans Video and National Cyber Security article speaking to racism:
Reference articles with additional links from Praetorian Prefect: