Play With Fire and You Might Get Burned
Friday June 8, 2007 at 8:10 am CST
Posted by Craig Schmugar
Wired posted an excellent article recently that highlights the pitfalls of hiring a “blackhat” to do a “whitehat’s” job. Brett Shannon Johnson was once on the U.S. Secret Service’s most-wanted fugitives list for credit-card and identity theft. After being apprehended, he was recruited to help catch the bad guys as an operative for the Secret Service. Before long he was back to his old tricks.
“It was $350 a week [from the Secret Service] vs. $5,000 or $6,000 a week” from his fraudulent tax-refund scam, Johnson told Wired News by phone. Johnson had set up a tax-refund fraud scheme. The Secret Service caught him and he was arrested again.
Although Johnson claimed to have stopped $3 million in fraud before backsliding, he noted that having to work with his former partners in crime was like “taking an unrehabilitated crack or heroin addict and placing him in a drug environment, telling him not to use drugs.”
Trustworthiness is a huge consideration for security companies when evaluating prospective candidates, and Brett Shannon Johnson is an example of why most security companies do not knowingly hire blackhats.
It has long been standard policy in the anti-virus (AV) industry not to hire virus authors, largely because of the myth that AV companies wrote the threats that they then sold protection against. With the plethora of threats on the Internet today, I think most people understand that we have no reason to create any more work for ourselves. Of course, not everyone shares this zero-tolerance policy. In 2004, it was reported that Sven Jaschan, author of the Sasser worm, was hired by SecurePoint. This ended up costing the security firm a partner in the AV space; H+BEDV severed its ties with SecurePoint.
The topic of hiring someone who’s written a virus overlaps with our most recently published podcast, which tackles the issue of teaching malware authoring in higher education. For more on this topic, have a listen:
http://podcasts.mcafee.com/audioparasitics/
As for Brett Shannon Johnson, he aspires to work as a fraud consultant one day.
