Employees selling security holes to black-hats
Tech workers looking for cash are selling information about vulnerabilities in their own companies' products, according to a report in Fast Company by investigative journalist Adam Penenberg. (For the Olds, Penenberg is the guy who busted hacker-hoax writer Stephen Glass ten years ago. Yes, ten years. We are OLDZ.) Penenberg got Hewlett-Packard to admit they'd been compromised by "a rogue employee in France," then tracked down the guy he believes bought the info: An instructor at Paris's Institut Supérieur d'Electronique.
A self-taught hacker, Rigano says he discovered the vulnerabilities and coded the exploits on his own time, which he says is none of HP's business. "I have the right to sell what I want," he says. He told me he attracted mostly Chinese and Russian buyers, but claimed he never found takers for the HP or SAP "vulns" and exploits. He said he stopped selling black-market code in January but didn't explain why.
An HP spokeswoman admitted the company has a rogue employee in France and said it was investigating along with the FBI. When I told Rigano this, he became incensed. "This is real bullshit," he said, and threatened to sue anyone who claimed he was the target of any investigation.
He may be right: It's possible the company has been investigating another Gallic code crasher whose online nickname is t0t0, and who in May 2007 posted offers for SAP 0days that were traceable through HP's network. By connecting his various aliases with email addresses he has used over the years, I was able to track t0t0 to Paris's Institut Supérieur d'Electronique, France's premier high-tech college, where it appears he's an instructor. T0t0 didn't respond to repeated interview requests.