Researchers, Be Discreet

I left the malware research stuff behind long, long ago, just as the pay-for-research game was starting to bloom.  I miss the puzzles, but I don’t miss the lab, the long days and nights.  Many have remarked over time that they have never heard of me in security circles, and couldn’t vouch for me in interviews and other venues.  To me that is success.  I’m not after fame, but if fortune decides to sit in my lap, I will sit still for the table-dance.  I maintain that I am quite content with less notoriety and a simple, happy life.

If you are one of those curious few that have taken up Security Research for the common good, as a hobby, or as a paying profession, please be very careful.  I have warned friends, colleagues, and acquaintances that the time would come when strong-arm tactics from those that operate in the shadows would come into play.  When you discover, study and report a new malware agent or variant, when you PoC an exploit that was detected in the wild, when you reverse engineer some obscure and specialized botnet code, you are unravelling the plans and financial investment of the organized criminal element, loose in our society.  They might not like it.

Unveillance has been the target of a sophisticated group of hackers now identified as LulzSec.  Unveillance is not a security company; it does not provide security services to other companies.  They are a private botnet monitoring service, which is why they were targeted.  They provide clients with an analysis tool for identifying botnet infections in their computer networks.

During this past two-week period, Karim Hijazi, CEO of Unveillance, claims to have been personally contacted by several members of the LulzSec group who made threats against him and his company to try to extort money, and to force him into revealing sensitive data about his botnet intelligence operations.  That information would have put many other businesses, government agencies and individuals at risk of Distributed Denial of Service (DDoS) attacks.  In spite of these threats, he refused to pay off LulzSec or to supply them with access to this sensitive botnet information.

“I do not regret refusing to cooperate with LulzSec.  My data is of national security importance. I could not and cannot, in good conscience, agree to release my botnet intelligence to an organization of hackers.”

They operate from unknown places with unknown resources, but be assured, they have made a lot of money.  Keep your head down, don’t frivolously advertise what it is that you do, especially around the InfoSec industry, and be sure to maintain your anonymity until you have the resources and ability to protect yourself.  Even then, we had better all start thinking about hackers and hacktivists as the organized criminals that they are.  They have the luxury of physical obscurity.  They could be walking beside you, standing behind you in the elevator, or working alongside you during your next project.  How would you know?

Whether or not this Unveillance incident is true (which I tend to believe) or a grab for headline space, the fact remains.  They can see you, but you cannot easily see them.