Jack Koziol APT Presentation Plagiarism

Wed Nov 2 16:25:51 CDT 2011

Jack Koziol of the InfoSec Institute (infosecinstitute.com) gave a presentation in 2010 titled "Advanced Persistent Threat: Understanding attacks on America's most sensitive computer networks uncovers startling security gaps". The slides can be found on the ISI web site or on slideshare.net, uploaded by 'Infosec Institute'. According to the PowerPoint advanced properties, the file was created on Wednesday, July 21, 2010, the author field reads 'Jack Koziol', and the company field reads 'Georgia Tech'. Google searches turned up no link between Koziol and Georgia Tech, but they did reveal the source of his slide deck.

A side-by-side comparison shows that Koziol took a slide deck from John Copeland, reused a significant amount of its material unedited, and then added slides of his own. Copeland's PowerPoint file lists the author as 'Copeland John' and the company as 'Georgia Tech', and was created on Monday, April 21, 2008, more than two years before Koziol's file.
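The author, company and created-date fields quoted above are the evidence trail for this kind of comparison. As an added example (not part of the original writeup, and not derived from either author's actual files), the script below reads those fields from the docProps/core.xml and docProps/app.xml parts of an OOXML (.pptx) package using only the standard library, then applies the two checks the comparison relied on: a Company field inherited under a different creator, and an earlier created date on the original. The two sample packages are constructed from the values the page reports; slide counts (other than the 67 total), times of day and the lastModifiedBy value are assumptions, and only the property parts are written, so they are not openable decks. A 2008-era binary .ppt stores the same properties in OLE SummaryInformation streams and would need a different parser (e.g., olefile), which this example does not cover.

```python
"""Pull authorship metadata from OOXML packages and compare two decks.

Added example, not code from the original writeup. Sample packages are
constructed from the property values the page reports; slide counts,
times of day and lastModifiedBy are assumptions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml and docProps/app.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# (output key, path under the core-properties root)
CORE_FIELDS = (
    ("creator", "dc:creator"),
    ("last_modified_by", "cp:lastModifiedBy"),
    ("created", "dcterms:created"),
)
# Elements under the extended-properties root; stored under lower-cased keys.
APP_FIELDS = ("Application", "Company", "Slides")


def read_office_properties(package: bytes) -> dict:
    """Return creator/company/date fields from a .pptx/.docx/.xlsx zip.

    Missing parts or elements are simply absent from the result.
    """
    props = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in CORE_FIELDS:
                el = root.find(path, NS)
                if el is not None and el.text:
                    props[key] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for name in APP_FIELDS:
                el = root.find("ep:" + name, NS)
                if el is not None and el.text:
                    props[name.lower()] = el.text.strip()
    return props


def provenance_flags(original: dict, suspect: dict) -> list:
    """Indicators that `suspect` was built on top of `original`.

    Company travels with the file when a deck is edited and saved under a
    new author, so a shared Company with a different creator is one signal;
    an earlier created date on the original is the other. Dates compare as
    W3CDTF strings, which sort correctly when both use the same UTC form.
    """
    flags = []
    if (original.get("company")
            and original.get("company") == suspect.get("company")
            and original.get("creator") != suspect.get("creator")):
        flags.append("company %r shared, creator differs: %r vs %r" % (
            original["company"], original.get("creator"), suspect.get("creator")))
    if (original.get("created") and suspect.get("created")
            and original["created"] < suspect["created"]):
        flags.append("original created earlier: %s < %s" % (
            original["created"], suspect["created"]))
    return flags


def build_sample_package(creator, company, created, slides) -> bytes:
    """Constructed stand-in for a .pptx holding only the two property parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">%s</dcterms:created>'
        '</cp:coreProperties>'
    ) % (NS["cp"], NS["dc"], NS["dcterms"], creator, creator, created)
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="%s"><Application>Microsoft Office PowerPoint</Application>'
        '<Slides>%d</Slides><Company>%s</Company></Properties>'
    ) % (NS["ep"], slides, company)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


# Author, company and created date as the page reports them; the 67-slide
# count is from the page, the Copeland count and the times are assumed.
KOZIOL_DECK = build_sample_package("Jack Koziol", "Georgia Tech", "2010-07-21T00:00:00Z", 67)
COPELAND_DECK = build_sample_package("Copeland John", "Georgia Tech", "2008-04-21T00:00:00Z", 24)

if __name__ == "__main__":
    for name, deck in (("Copeland", COPELAND_DECK), ("Koziol", KOZIOL_DECK)):
        print(name, read_office_properties(deck))
    for flag in provenance_flags(read_office_properties(COPELAND_DECK),
                                 read_office_properties(KOZIOL_DECK)):
        print("flag:", flag)
```

Run against real files, `read_office_properties(open("deck.pptx", "rb").read())` is all that changes; note that the Company field is simply whatever Office was told at install time, so it supports an inference about where a file came from but does not prove it on its own.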

The Plagiarism

The following table lists the slides in Koziol's deck that were taken from other sources; together they make up 65% of the material. Given the variety of sources used, it is clear that Koziol willfully infringed copyright and plagiarized most of the material. Given the list of ISI clients he includes at the beginning of the deck, it is disturbing that so many agencies and companies have paid them for services.

Several slides appear to be Koziol's own writing, but contain typos and technical errors. For example, slide 52 uses "drives" where "drivers" is meant. Slide 40 states "because it is a zero day, [Adobe] Reader is unpatched, Antivirus has no signature for the attack, ASLR is defeated". The first two points do follow from the attack being zero-day; the third does not. ASLR randomizes the memory layout of every process regardless of whether the vulnerability being exploited is known, so it is not a signature-based, reactive control like antivirus. Defeating it requires an information leak, a non-randomized module or a similar weakness in the target, not merely a previously unknown bug.

Koziol slide #   Original source
6                Definition of APT taken from Wikipedia
7                Slide 2 of Copeland's E-spionage presentation
8                Slide 3 of Copeland's E-spionage presentation
9                Slide 4 of Copeland's E-spionage presentation, with minor edits
10               Slide 5 of Copeland's E-spionage presentation
11               Slide 6 of Copeland's E-spionage presentation, with some text removed
12               Part of slide 7 of Copeland's E-spionage presentation
13               Part of slide 8 of Copeland's E-spionage presentation
14               Most of slide 9 of Copeland's E-spionage presentation
15               Part of slide 10 of Copeland's E-spionage presentation
16               Slide 11 of Copeland's E-spionage presentation
17               Slide 12 of Copeland's E-spionage presentation
18               Part of slide 13 of Copeland's E-spionage presentation
19               Slide 14 of Copeland's E-spionage presentation
20               Part of slide 15 of Copeland's E-spionage presentation
21               Part of slide 17 of Copeland's E-spionage presentation
22               Slide 24 of Copeland's E-spionage presentation
25               Zero-day attack definition from Wikipedia
27               Secunia advisory 40034
31-36            "Bypassing Browser Memory Protections" by Sotirov and Dowd
39               Image taken from the Internet (e.g., emailinternetroute.jpg)
41-42            Image and text from The Rootkit Arsenal by Bill Blunden
44-46            "Three Ways to Inject Your Code into Another Process"
47-49            Pages 177, 192 and 198 of The Rootkit Arsenal by Bill Blunden
51               Summarized from The Rootkit Arsenal by Bill Blunden
53-60            Pages 208, 209, 212, 396 and 397 of The Rootkit Arsenal by Bill Blunden
65               Stegtunnel vendor page

Total slides plagiarised: 44 of 67 (65%)