I no longer have the restrictions applied to me as before. There are some obscure conflict of interests I am still not able to do but feel free to offer me something and I will tell you all about the few restrictions I have to operate under.
I have a new position and because of this I am no longer able to take freelance work. So any posts where I implied or said I was available for services are no longer valid. I am quite happy to be posting this as well.
Just remember that do your research when hiring a security professional. Meet them in person and do not be afraid to ask for references. There are many good people out there and with some diligence and research you will find them if you need them.
Don’t keep naked photos on your phone.
It seems like a simple instruction to avoid all kinds of problems later, but as a person who smoked off and on and on and off and still will grab a cig if available now and then, I cannot really point fingers at all.
It would be one thing to smoke and then have a Gnome track you down and give you cancer. Then it would be best not to smoke but it would be better still to get rid of the Cancer Gnomes. Same with Porn Trolls
Like it or not, naked phone pictures are a part of the intimate and private lives of people these days and are at least as common aids in intimacy candles, Clown shoes and 24/7 loops of anteaters destroying termite mounds projected on the ceiling.
I am not a person who pays attention to celebrities. It bothers me that I pick up information on the vile Not_going_to_write_their_name_here family just by reading the news online or waiting to purchase mouthwash at Duane Reade. But that family seems to plan for the loss of privacy (I suspect their press kits include a speculum) and are probably much more worried about their depilatory budget slipping out in public than an unruly nipple or two.
Celeb Jihad is a bit different. It’s business model is to post fake nudes of celebrities interspersed with real nudes, often available from films they have done and then just enough stolen images that are real to make one wonder how many of the “fake nudes” may also be real.
Of course that is akin to having your house robbed, seeing someone wearing your Clown Shoe (don’t judge me) and claiming you had permission to use it from the owner, who stole it. Celebrity or not it is not right to have someone’s privacy put up to ridicule or other activities simply because they have been on TV or are famous.
One of my theories of Cyber Crime is that if you expose the person behind the crime, many more incidents will stop. This is because it tends to be the same people behind similar activities. Too many “Cyber Security” people will think that if you stop one, another takes it place, but without exposure to the elements and to the law they just start over again. I suspect the same is true with “PR Nightmares” so I figured I would do an experiment and try to track down the likely owner of Celeb Jihad.
—-edit—–
I succeeded in tracking down the actual owner. Nice guy it turns out. As with everything, things are not as they appear in the world of “Celebrity Hacking”. Plus people get weird. I mean really weird. Like “OMG I better call the FBI before someone gets hurt.” weird.
So, No crimes were actually committed. Think about that for a second. Because you can say things like “but wait…but what about..” Yep. No crime.
Certain people who pass my own background checks will be allowed to see my methods and results. Email me.
Like any vain person I google myself. I am pretty boring and I am fine with that.
But one thing that shows up is this link How Not To Handle Security Problems.
This was from when I worked at Arvixe in support. There was a scanner that created false positives for the heartbleed vulnerability when our servers used a non vulnerable OpenSSL and were not susceptible to Heartbleed but Scott Havens, did not seem to get this so he wrote a post exposing our great technical support staff by name on his blog back in 2014.
Most of us left Arvixe when it was transferred over to EIG via A Small Orange Webhosting. From the time Scott Haven’s wrote about us we never once had our OpenSSl on any server cracked or hacked or any information stolen via the Heartbleed bug because we were never vulnerable. Anything that happened after October 1st 2015 I cannot comment on since I was not working there after that date but in case people google names and say to themselves “Wow, they did not patch for Heartbleed! I am not going to hire them!” I just want to say that Hrishakesh W. James G., Michael Carr, Ryan C., and Patrick Stein + all the other folks I worked with at Arvixe were great and we handled this request the best we could because Scott Havens did not understand that Heartbleed scanners did not work on our OpenSSL version. We were never vulnerable, so therefore there was nothing to handle so we handled the non-security issue perfectly.
At some point we read in the news about a murder for an amount of money that seems senseless, especially given the amount. I cannot recall the story exactly but there was one where a person in a homeless shelter was murdered over a debt of tube-socks.
In the homeless world where clothing and shoes are donated, socks are not, so discount socks become a valuable commodity. Quite sad this happened but as one goes up the socioeconomic ladder we see crimes that reflect the values of the class and perpetrators. An Oxy addicted bank robber might kill someone over $2000.00 to $4000.00, a typical amount taken when a threatening note is passed to a teller. An Armored car robber might not bother killing someone for that fee and certainly would not bother to kill someone over socks, but at over $100,000? I am sure its been done for that amount or less.
Some jobs pay well. A few years ago I was involved in a Penetration test where we had to “capture the flag” (present the contents of a file to a supervisor) for pay plus a bonus if a glaring weakness was discovered. I set about trying to get into the company from within, since I figured they would have shiny new firewalls and a 24/7 admin team and someone, someone always knows that a Pen Test is going to happen because most people are terrible at keeping secrets and no one wants to look bad.
I did a google search on the company. Nothing really interesting but that is always my first step. The next I did a whois search and found that they had 4 nameservers, 2 were third party, most likely secure, and 2 were of the same domain name and in a sequential IP address . So I did a “host -al domain.name ns1.domain.name” type lookup and all the subdomains popped up and they all had IP addresses not belonging to the webhost.
A quick scan of port 80 and port 443 revealed open ports on a number of internal servers. One that looked interesting to me was hr.domain.name. I pointed my web browser to the HR site and it had all types of useful information including the procedure for starting your first day on the job. The person to see, what to bring (photo ID for passport, Drivers License and job ID) . It also had instructions for supervisors. One was that the supervisor had to have the resume of the new hire on file within 2 months after the 1 month trial period for new hires had ended. That was a 3 month limit. I signed up on their “careers” site and applied for a job as a network admin and submitted a 17k jpg file saved as a txt file and then a .docx file…so it was gibberish. (I would submit again if needed) and I was emailed back a Thank You for Applying notice that gave the Job ID.
The next day I followed instructions on the HR server, talked to who I was supposed to talk to, filled out tax forms, signed an agreement that I was employed for 1 month only on a trial basis (the term “A Good Fit” was not used then, but I am sure it is now) I watched a video on diversity and harassment policy, I agreed not to ask anyone out on a date and then I reported to the Senior System Administrator. I was also told to bring my resume again as they were not able to read the one they had on file for some reason.
He was baffled as to why I was there. He said “who hired you?” and I said “I don’t think he is here now or he would have met me” and he said “Dave”. You must be hired for the second shift.
I left and had a coffee, then I had about three beers, then a coffee and then some Life Savers and went back for the start of second shift. I met “Dave” and said “Bob told me I was on second shift”
And I was in.
I got the file easily as I had access to everything from the start. The next morning I contacted my supervisor for the gig and told him the contents of the file. Then I told him how I got it.
He was quite angry, He said it was a penetration test of the firewall and passwords and other technical things. I got paid for the job but I did not get the bonus.
Then I wondered, what would have happened had I just quit my security gig after getting the Network Admin gig? I would have had a job that paid about $90,000 per year if I made it through the one month trial period. I would have known about the file and protected it and made my team look really good. But I would have gotten the job via fraud. If I was ever discovered people would have had a good reason to never hire me again for anything.
But it could have been a crime that paid. I likely would have never gone to jail for it even if I had been discovered. I probably would have never even been arrested.
People are deceptive at job interviews all the time. People exaggerate on their resumes quite often, this would have just been one step above that by never actually going to an interview.
For $90,000 there are people out there who would kill for that amount, but $90,000 + health and dental & a 401k and maybe some profit sharing and a chance for a promotion and Christmas bonus for 5 years or more?
That is tempting and perhaps I was foolish for doing the job I was hired to do instead of doing the job I was never hired to do for more money and more stability, but here I am now.
I have always had this in the back of my mind. I wondered who has done this? Who has done something similar? A well crafted career fraud can pay better than most crimes and be legal and have your proceeds “laundered” because you have been getting them as a legitimate paycheck and paying taxes on it.
Yesterday on LinkedIn I saw a “Trending” story about an ex-poker player named Haseeb Qureshi who landed a $250k job with Airbnb with about 1 year experience as an instructor at one of those “coding camps”. The interesting thing about the story is that Qureshi had previously been involved in a poker scam where fake accounts and references were used to produce a profit. More later as I investigate this.
And it might be the guy is completely legitimate but I saw a bit of my penetration testing technique in his story so I have to check it out.
A friend of mine asked about Johnny Mathis.
Its cutting to the middle of the story, so you have to imagine that this is one of those films that starts in a non-linear way:
I was standing in my underwear with a gun in my mouth…No, that’s Breaking Bad. Like I said, it has been 17 years.
We did not find the painting in the truck and we had to get to LA. One of the deliveries in LA was to the house of Johnny Mathis.
Johnny Mathis lives in one of those houses that you must be very careful not to drown in his living room. He has a pool there.
This was not a concern in other houses I had been to.
Anyway, he had this door that was made of this rough iron that was sort of scalloped. It was as if, instead of a door, you had a very stylish cheese grater that you used to enter your house.
I cut my finger on the door/grater. I moved my hands so much with driving and lifting art that the infection never quite went away until I got back to New York.
My girlfriend* asked me “What happened to your finger?” and I said “Johnny Mathis”.
*My wife wants it known that this was 17 years ago and I am not allowed, or able to obtain, mistresses.
This article was published in The Denver Post:
Colorado Man Buys Odd Welcome Mat
In this article it claimed I went to the New York Times:
“”Instead of coming to me about it, he went to The Times,” Tendell said, adding that he didn’t claim the site earlier because of “personal issues” that consumed his time.”
Not entirely true. I contacted both hackerslist.com and neighborhoodhacker.com via “chat” and neighborhoodhacker.com was contacted via phone before I contacted The New York Times. When I contacted Mathew Goldstein I just asked if he found a link between the two and then he went with that additional information. I had all the information I needed to make a post here and that was what I cared about. In fact I thought it was a possibility that someone had set up Tendell with a fake whois registration because it was akin to carrying carrying a sack with a dollar sign drawn on it; so obvious that there would be no way money could really be in there.
Anyway. I was contacted by Azorian Cyber Security and I told them I would be happy to talk with them once they got rid of their “hacker for hire” freelance business model as I have no wish to associate myself with anything that even has the taint of cyber-crime. I would also add that submitting past jobs, successful and failed for an independent audit might help in explaining their side of this issue.
Since my last post I have been asked how I got into doing investigations both as a side profession and as a hobby. I usually tell people it involves a painting by Cubist Jean Metzinger, a Fundamentalist Christian with a penchant for prostitutes, The Teamsters, Russian thugs and crooner Johnny Mathis.
Then I say, “It’s a long story and the short version is more interesting that the long version”.
Which is true.
The short version allows you to create a whole world of intrigue. You can almost see Peter Lorre lurking somewhere in a fedora smiling or scheming or perhaps lots of fist-fights and maybe an explosion or two. Certainly art being stolen would involve someone in a black turtleneck sliding across a floor on K-Y Jelly following their grappling hook.
But its not like that. Real art theft involves someone in a position of trust walking off with something. That something was Man with a Pipe (Portrait of an American Smoking) and that someone in a position of trust was an employee of Atelier 4 Art shipping and I was also an employee of Atelier 4 as a truck driver and I was blamed for the painting being stolen.
I have to apologize as I have been telling people for years the painting was recovered after a PI talked to me and I was deprived of both back pay for wrongful termination and a reward for finding a painting. It turns out the painting was never returned.
http://en.wikipedia.org/wiki/Man_with_a_Pipe
“Man With a Pipe was gifted to the Wriston Art Center Galleries, Lawrence University, by Howard Green.[3][4] The painting, shown here in a black and white half-tone photographic reproduction, has been missing since 1998, having disappeared in transit while on loan, between 27 July and 2 August.
In 2000 I was told by someone who was still working with Atelier 4 that the painting was returned and the person in possession of the painting was given $5000.00 as a “finders fee” but I honestly cannot remember who told me or if it really was an employee of Atelier 4. It was almost 17 years since the theft and 15 since I remember the talk taking place so it would seem I am either mistaken or someone lied to me but I cannot say which is which only I know that it is not true now.
—more later. It is going to be long and parts will be boring.
“Hacking” as cracking and illegal compromise of accounts and systems online is now called, is a big industry. A hacked WordPress site (many of them are) can easily bring in $1 to $20 a day for the operator. This does not sound like much but if you control thousands of these hacked sites and live out of reach of countries prone to prosecute you it can be a really good income.
So that is why we have companies that protect things like websites, email and social media accounts. Local Law Enforcement still has to be given a finger puppet show to explain what the complaint is, what law was broken and why they should care (its been getting better over the years, but still quite slow) so we need security companies and security services to act where Law Enforcement cannot or refuses to act. They also serve as intermediaries between Law Enforcement, Web hosting companies and web sites and can make a frustrating situation easier…for a price.
The other day I had a wave of curiosity about this. I wondered if anyone who offered a security service for “hacking” would also offer a hacking service.
It would be a good plan. You could use your leads created by the hacker for hire site to solicit customers for your white hat website.
So I googled “hackers for hire” and eventually found an article written by Matthew Goldstein found here:
Need Some Espionage Done? Hackers Are For Hire Online
The article is about a website called Hackers List. This is a clearing house for services that are often illegal and the site owners get a cut once a job has been finished. (from the article)
“It is done anonymously, with the website’s operator collecting a fee on each completed assignment. The site offers to hold a customer’s payment in escrow until the task is completed.”
Some of the things quoted on Hackers List are this:
University Grade alteration (hacking into School computers was illegal last time I looked…I never looked…I have guessed this and I assume I am correct) facebook accounts and an odd thing called McKinnley for $200 to $300 (I was tempted to join as “Czolgosz” and bid on that one) so seems like the site owners are making money off of crime and benefiting from both volume of business and price.
The really interesting part came later in the article when an ethical hacking company or White Hat was quoted:
“Still, the market for hackers, many of whom comply with the law and act more like online investigators, shows no signs of slowing. Many companies are hiring so-called ethical hackers to look for weaknesses in their networks.
David Larwson, a director of operations with NeighborhoodHacker.com, which is incorporated in Colorado, said he had seen increased demand from companies looking to make sure their employees are not obtaining sensitive information through hacking. He said in an email that companies were increasingly focused on an “insider threat” leading to a breach or unauthorized release of information.
On its website, NeighborhoodHacker describes itself as a company of “certified ethical hackers” that works with customers to “secure your data, passwords and children’s safety.” “
I did some checking and found out that the two companies, neighborhoodhacker.com and hackerslist.com seem to have the connection making both a Grey Hat company (one being a conduit for legal security work and the other being a conduit for illegal work and profiting from both)
The WHOIS of NEIGHBORHOODHACKER.COM
And the WHOIS of HACKERSLIST.COM before the 1/15/2015 article
Registry Domain ID: 1882636295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-10-28T19:43:27Z
Creation Date: 2014-10-28T19:43:25Z
Registrar Registration Expiration Date: 2015-10-28T19:43:25Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984×200
Reseller: iwantmyname http://iwantmyname.com
Domain Status: clientTransferProhibited – http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Charles Tendell
Registrant Organization:
Registrant Street: 590 W Hwy 105 ste 274
Registrant City: Monument
Registrant State/Province: CO
Registrant Postal Code: 80132
Registrant Country: US
Registrant Phone: +1.7204320389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@neighborhoodhacker.com
Registry Admin ID:
Admin Name: Charles Tendell
Admin Organization:
Admin Street: 590 W Hwy 105 ste 274
Admin City: Monument
Admin State/Province: CO
Admin Postal Code: 80132
Admin Country: US
Admin Phone: +1.7204320389
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: info@neighborhoodhacker.com
Registry Tech ID:
Tech Name: Charles Tendell
Tech Organization:
Tech Street: 590 W Hwy 105 ste 274
Tech City: Monument
Tech State/Province: CO
Tech Postal Code: 80132
Tech Country: US
Tech Phone: +1.7204320389
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: info@neighborhoodhacker.com
Name Server: ns1.iwantmyname.net 62.116.159.99 2001:4178:0003:a357:0062:0116:0159:0099
Name Server: ns3.iwantmyname.net 89.146.248.96 2a01:0130:2000:0118:0089:0146:0248:0096
Name Server: ns4.iwantmyname.net 74.208.254.95
Name Server: ns2.iwantmyname.net 217.160.113.131 83.169.55.71 2a01:0488:2000:0c02:0083:0169:0055:0071
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
And on January 16th 2015, one day after the article appeared.
Domain Name: HACKERSLIST.COM
Registry Domain ID: 1882636295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-10-30T10:21:01Z
Creation Date: 2014-10-28T19:43:25Z
Registrar Registration Expiration Date: 2015-10-28T19:43:25Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984×200
Reseller: iwantmyname http://iwantmyname.com
Domain Status: clientTransferProhibited – http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: David Harper
Registrant Organization:
Registrant Street: Po Box 11671
Registrant City: Wellington
Registrant State/Province: CO
Registrant Postal Code: 6142
Registrant Country: NZ
Registrant Phone: +64.11111111
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 1534387e@opayq.com
Registry Admin ID:
Admin Name: David Harper
Admin Organization:
Admin Street: Po Box 11671
Admin City: Wellington
Admin State/Province: CO
Admin Postal Code: 6142
Admin Country: NZ
Admin Phone: +64.11111111
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 1534387e@opayq.com
Registry Tech ID:
Tech Name: David Harper
Tech Organization:
Tech Street: Po Box 11671
Tech City: Wellington
Tech State/Province: CO
Tech Postal Code: 6142
Tech Country: NZ
Tech Phone: +64.11111111
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 1534387e@opayq.com
Name Server: duke.ns.cloudflare.com
Name Server: gene.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
We can see some similarities here that are hard to deny.
I contacted tech support for a quote from both companies and both support technicians were not able to comment either due to lack of knowledge or company policy (both were very polite).
I do not think it is unreasonable to question the practices of both companies. Or to one Charles Tendell who, according to his web site, is a Certified Ethical Hacker.
http://charlestendell.com/about/certifications/
http://azoriancybersecurity.com/
Also for Fox News and Lockheed Martin. I do not know, perhaps it is a smear job against Mr. Tendell (always possible) but I would think most smear jobs would be better known and not found out because some guy with a day off had a brain fart and access to google and whois.
—update—
Not a smear job. New York Times article will be up on 5/13/2015
When I was unemployed I was taken aback by how difficult it was to get a regular job then (2012 and 2013) compared to 2006. In 2006 I had six years of Unix experience and I decided I wanted a new job, so I sent out 2 resumes to jobs I found on craiglist and out of those two jobs I sent out for I got two job offers and one I accepted that ended up being a wonderful job filled with really sharp people whose companionship I enjoyed immensely.
In 2012 I assumed it would function much the same way. I see a job online and I apply for it and I get an interview.
Wrong.
The jobs I saw often did not exist.
I learned this the hard way when I applied for (what I thought) was a very good position with Windstream. It was only for 4 months and in upstate New York but it payed well enough where I could have afforded a very temporary place up there and still kept my apartment in New York. My fiance (now wife) was very supportive as we assumed it would be a cash infusion right before our wedding and give us some time after to enjoy ourselves.
The company that I dealt with was Keshav Consulting out of North Carolina. Everyday someone named “Steve” would call me (his accent made me guess Americans have trouble pronouncing his name so he adopted “Steve” to be easier) and ask me some questions and finally he would say that the Client, Windstream, had rejected my offer of $50 an hour and would only pay $48. Calls like that kept coming every day, Taking a $1 or $2 off before the interview could be set up. I think I was down to about $40 per hour when I decided to do some research and contacted Windstream. They told me that no job existed in the place I was applying for and we both scratched our heads. They said Keshav Consulting was on their list of consultants but had no idea as to why I was in salary negotiations with them about a job that would be impossible to get. I asked Keshav consulting about this in an email and the reply I got from Akhil Reddy was this:
“Erik,
Yes, you can not give authority to other recruiter to submit your resume to Windstream, if you do also Windstream will not accept your resume as we already representing you. Also for each position we are supposed to submit 2 consultants and as of now we only submitted you and unless until we submit one more resume we will not remove the posting from Dice.
Regards”
Windstream advised I deal with them directly and that they had no idea why I was being told that another recruiter would not be able to represent me with them.
But anyway, it was weird and something was clearly wrong.
So now I frequently still get solicitations based on my earlier Dice profile so I investigate them now.
I have now decided to reveal my investigations on a per job basis, based on what was emailed to me and by whom.
First candidate is Ramy Infotech Inc
This is from
“MOI: Phone Then F2F
Job Responsibilities:
Operational support of Linux OS (RHEL 5.x, 6.x) and VMWAre ESXi 5.5 environment.
Migration of RHEL operating systems to VMWare environment.
Post-migration monitoring and tuning of virtualized systems.
Capacity planning of virtual environment
Job Requirements:
5+ years of Linux systems administration experience
5+ years of VMWare ESXi systems administration experience
Experience with OS imaging and conversion utilities (Storix, VMWare converter, Platespin, etc)
Experience with Cisco UCS Blade Infrastructure (Desired but not necessary)
Experience with enterprise storage systems (EMC, Hitachi, etc) ”
It was from Pramila Kafalia on February 23rd.
So I googled the part of the job description: “Experience with Cisco UCS Blade Infrastructure (Desired but not necessary)
Experience with enterprise storage systems (EMC, Hitachi, etc) ” since I thought that would be unique and I got this:
http://www.simplyhired.com/job/inwnyfmwhz
Its from a job by a company called Focusmindz.com and it was closed on Jan 15th. This was just a cut & paste of an expired job emailed to me as a current job.
If you want a job that exists with them, check here:
http://focuzmindz.com/job-openings
Who knows where your resume will end up and for what purpose if you sent it to Ramy Infotech Inc.