UPDATE: Robert Winkel (@RobertWinkel) reports that he has found the original LIGATT email that the header information was copied from to produce the document referenced in this article. Winkel states that the original email was part of the leaked data from the LIGATT network breach earlier this year, and posted the original header at Pastebin HERE. That still leaves a lot of good questions to be answered. Namely, who is producing these items and why? Thanks to Mr. Winkel for his efforts and alerting us.
* * *
On June 7, Infosec Island posted an article based on a press release issued at Free-Press-Release.com that announced LIGATT Security was engaged in an investigation of the hacker collective LulzSec.
The press release stated that LIGATT had successfully gathered information that would reveal the identities of several members of LulzSec, and that the company planned to release the data to the public as well as provide it to the FBI.
Rumors began circulating via Twitter posts that the press release was a forgery, and subsequently Infosec Island contacted LIGATT CEO Gregory Evans for comment.
Evans indicated that the press release "was completely made up," and that it had not been produced or submitted by any member of the LIGATT staff.
"They took elements of our real press releases and used them. they even added the Safe Harbor Act," Evans explained. "And we only use PR NewsWire, we never use Free Press Release."
Infosec Island updated the article to reflect the statements from Evans that the press release was in fact fraudulent. Free Press Release subsequently removed the posting.
Except for uncovering who might have issued the false press release and why, it was pretty much mystery solved. Right?
Wrong.
The update fueled some speculation in infosec circles that the media-hungry Evans may have manufactured the "false" release in an effort to garner some attention from the press. Speculation is one matter, and having evidence of such a manipulation of the press is another matter entirely.
In today's Google alerts for "LIGATT", right below links to the Free Press Release posting and Infosec Island's coverage, appeared the headline "Lulzsec and Infosecisland you're being played - Pastebin.com" with a link to an anonymous Pastebin posting.
The Pastebin posting appears to display an email sent by Evans on June 5th to a staff member instructing them to produce the LulzSec investigation press release that Evans claimed was fraudulent, and to distribute the release through outlets the company does not normally use.
The full Pastebin posting is as follows:
Lulzsec and Infosecisland you're being playedReceived: (qmail 3276 invoked from network); 05 June 2011 06:49:33 -0000
Received: from unknown (HELO p3pismtp01-001.prod.phx3.secureserver.net) ([10.6.12.2])
(envelope-sender )
by p3plsmtp11-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for ; 05 June 2011 06:49:33 -0000
X-IronPort-Anti-Spam-Result: AqcDANNxFk1AyqW1kGdsb2JhbACkRQEBAQEJCQwHEQMdBIgvtVKFSgSEZYYfgzeIZA
Received: from smtpauth01.prod.mesa1.secureserver.net ([64.202.165.181])
by p3pismtp01-002.prod.phx3.secureserver.net with SMTP; 05 June 2011 23:49:31 -0700
Received: (qmail 21276 invoked from network); 05 June 2011 06:49:31 -0000
Received: from unknown (69.94.218.141)
by smtpauth01.prod.mesa1.secureserver.net (64.202.165.181) with ESMTP; 05 June 2011 06:49:31 -0000
From: Gregory Evans
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Luizsec PR campaign
Date: Sun, 05 June 2011 01:49:29 -0500
Message-Id:
Cc: Greg Evans
To: Melanie Banks
Mime-Version: 1.0 (Apple Message framework v1081)
X-Mailer: Apple Mail (2.1081)
X-Nonspam: NoneI want you too create a PR peice saying we are going to out the lulzsec groups. Say that we are doin this because we have two FBI agents in our board and we are respond to the infraguard hack. We need press for Ligatt and Hitechcrimesolutions since we moved to los angels. Make the pr from another place then our usual place and make sure its FREE!! I aint spendin money on this!! Have the new girl write the pr shes a good writer.
Make sure I see it before you post it!
Have A Blessed Day!
Gregory D EvansCEO
LIGATT Security International/Hitechcrimesolutions
6050 Peachtree Pkwy Ste 240-147
Norcross, GA 30092
Phone: (866) 517-1831 Fax: (678) 291-9631
Twitter: @GregoryDEvans
Facebook: www.facebook.com/GregoryDEvansPage
There seem to be two possible explanations for the posting: One, someone out there has a lot of time on their hands and knows a lot about Gregory Evans, LIGATT, and how to present a well-spoofed email header.
The alternate possibility is that the email is legitimate and Evans manufactured the entire LulzSec investigation press release for publicity, as the text in the Pastebin posting suggests.
Infosec Island has no interest in participating in the dissemination of false information, nor do we want to assist anyone else in the manipulation of the facts, so we are simply presenting the evidence along with some informed analysis and will let you, the reader decide what may be fact or fiction.
First, we made attempts to contact Gregory Evans at the same number we contacted him at for the prior article, as well as another that is included in the email in question, and were simply met with a recorded message: "The number you have dialed is unavailable from your calling area."
So we decided to contact several industry experts who are known to have done extensive research on the LIGATT emails that were leaked earlier this year following the company's well publicized breach.
Given Evans' extremely litigious tendencies, our contacts were happy to discuss the suspect email, but only Steve Ragan of The Tech Herald was willing to go on the record with some analysis.
We went over the Pastebin post with Ragan line by line, comparing the header and text to those known to be from Evans and LIGATT, and certain patterns stood out that would imply that the email is either legitimate, or an extremely well conceived hoax.
Text Analysis:
"Looking at the Pastebin document, a few things immediately stand out. First, there are the errors when dealing with proper nouns, in addition to the misspelling of LulzSec in the subject line. Notice, that his own company names are used properly, while the others are not. This is typical LIGATT, with regard to email communications," Ragan stated.
"Next, there is the use of 'too' instead of 'to' in the first sentence, as well as 'doin' instead of 'doing' in the second sentence. Slight slang and grammatical errors are another hallmark of LIGATT emails and communications."
Header Analysis:
"If you look at the IP address in the headers, 64.202.165.181 is owned by GoDaddy. Anyone who has ever researched LIGATT knows that they are GoDaddy customers. Also, it is known that since Spoofem was given a name change, LIGATT's IP addresses with GoDaddy changed some," Ragan noted.
"For example, the IP address in the same block can be seen in emails delivered to me at The Tech Herald. I was able to locate one from June 18 2010, the address in the header is 64.202.165.39. The same IP appeared in an email from December of that year as well. Both were from LIGATT's PR."
"GoDaddy would have likely moved LIGATT to a new system after their growth, but the IP addresses would remain close to, if not the same, as the originals. The public has been aware of LIGATT's server changes based on public comments and statements. So tagging a fake message with correct information isn't a hard task."
"Given everything that is known about LIGATT, as well as how emails and press releases are constructed, it wouldn't be a hard task to create a fake message. Anyone who read the leaked company emails will have plenty of examples on how to talk like GDE," Ragan surmised.Conclusion
"In short, there is a high degree of likelihood that the email is legitimate. LIGATT would have no problem creating drama in order to profit from it. In interviews to your outlet, he has stated as much. According to Evans, LulzSec has generated business for his organization. So a fake press release - in an attempt to turn him into the next HBGary Federal - would be plenty of drama that could spin into what he would consider PR gold," said Ragan.
"However, this could be a case of someone spending a good deal of time to learn the technical and grammatical details needed, in order to create a replica LIGATT message. The question I'd have is why would anyone bother?"
And so, without the ability to reach Evans for comment, all we have is some reasoned speculation and conjecture, but given the level of involvement Infosec Island apparently has with the matter, we felt we should go ahead and present what we have.
On the one hand there could be an orchestrated campaign by an unknown party to put LIGATT and Evans in a position where they would be prime candidates for some LulzSec pwnage similar to what HBGary Federal experienced at the hands of Anonymous earlier this year.
This is not far-fetched, given the general level of disdain for Evans and his companies among many in the technology field.
Alternately, we have a company with a poor professional reputation where business practices are concerned, in the process of attempting to build a new brand, lead by a CEO who has been repeatedly sanctioned for a wide variety of indiscretions who and is known to be a skilled media player.
Considering how Evans consistently portrays himself as a victim, it struck me as odd that he was so absolutely pleased about the "false" press release and the attention he had already gained from discussing LulzSec in the press.
"They've been good for business... I did twenty interviews in the last week... Hackers are job security," Evans had said.
Until further evidence is presented either way, we simply have to leave it to our readers to decide for themselves just what the circumstances are behind the "false" press release and the unsubstantiated email.
We welcome your thoughts and comments on this whole brouhaha.
Editors Note: A special thanks to Steve Ragan for taking the time to provide some insight on the matter.
Saturday, June 11, 2011
LIGATT Email on LulzSec Dox PR Appears to be Fake
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment