From: InfoSec News (alertsinfosecnews.org)
Date: Fri Apr 11 2008 - 03:11:57 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.pcworld.com/article/id,144412-c,companynews/article.html

By Robert McMillan
IDG News Service
April 10, 2008

Five months after being arrested by Italian authorities on hacking and
wiretapping charges, the founder of a controversial company that sells
unpatched computer vulnerabilities says he'll remain on board.

Roberto Preatoni was arrested in November for his role in an ongoing
scandal at Italy's largest telecommunications company, Telecom Italia,
that has been front-page news in Italy for the past year. After
remaining out of the public eye since his arrest, he suddenly reappeared
Thursday, posting a note to his company's blog and saying that he'd
decided to continue to work for the company he founded.

"The questions I kept asking myself in the last months were: What will
happen to [WabiSabiLabi] if I will stay?" he wrote."Will my private life
and troubles effect negatively the project? Should I keep representing
publicly the project?"

After talking to fellow security researchers, he decided to stay.

"I will stay and continue to put pressure to security lobbies. Things
must change, researchers and their discoveries should be considered
beneficial to the whole security cycle," he wrote.

Preatoni's trouble reportedly started with his previous security
consulting work as a penetration tester -- a security expert hired to
test working networks for vulnerabilities.

According to news reports, Preatoni helped staff a 10-member "Tiger
Team," ostensibly set up to test Telecom Italia's information security
system. Members of this team are now charged with hacking and spying on
Carla Cico, CEO of Brasil Telecom; Kroll Inc., an investigative agency;
and journalists Fausto Carioti and David Giacalone of the newspaper
Libero.

In January 2007, four others were charged with spying in connection with
the scandal. They included Fabio Ghioni, vice president and security
chief technology officer at Telecom Italia, and Giuliano Tavaroli, the
telecom's former head of security.

At the time of those arrests, Tiger Team members were charged with using
a Trojan Horse program to steal sensitive data from the computer of
Vittorio Colao, former CEO of the Rizzoli Corriere della Sera publishing
group.

Preatoni's company has been the subject of controversy since it was
launched in July 2007. The company sells information on unpatched
software bugs using an eBay-style marketplace that is hosted on its Web
site.

While the company argued that its vulnerability auction business simply
helped researchers establish a fair market value for their work, others
in the industry argued that it would put computer users at risk by
selling bugs to people who might misuse them in attacks.

Security researchers say that an unpatched software vulnerability can
earn them $50,000 in the underground marketplace.

Preatoni said he was working on a "surprise" partnership that would be
announced soon. His next public appearance on behalf of WabiSabiLabi
will be at the Web Security Summit next month in Johannesburg.

He was released from custody on Nov. 28. In an e-mail, he declined to
comment further on the matter because the case is still open.

As Preatoni tells it, the case reads like the jacket notes from a John
le Carre novel: "Probably, nobody will ever be able to picture it
completely right," he wrote, "as it's a case involving a hundred of
arrested people, the Italian Secret Services, the US Secret Services,
some Italian corrupted police and financial police officers, some
Italian and US investigation companies, a multi-billionaire struggle
between Telecom Italia and Brasil Telecom, an extraordinary rendition
(kidnapping) of a presumed Islamic terrorist, and last but not least,
the suicide (but many say murder) of a Telecom Italia Security top
manager."

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]