Keep Computer Spies at Bay

Not so long ago, I saw only one or two computer espionage cases a year. The pace picked up about three or four years ago, when malware began turning professional. Today, computer espionage and malware go hand in hand, so it's not only surprising but amazing to me how many companies fail to grasp the seriousness of today's Trojans and worms. For far too many firms, this realization hits home in the form of serious monetary damages.

News accounts are full of cases where cybercriminals were paid by companies to burrow into a competitor's databases to extract crucial information. Do an Internet search on "corporate espionage," and most of the articles you will find talk about external attackers gaining access to internal information. Almost as many talk about trusted insiders sending private information to the competitor just before taking a new job there.

I've been involved in five spy cases recently, all very different. The first one was the simplest -- a classic social engineering attempt. The senior vice president of a large hotel company was caught asking IT for a complete download of the company's customer and lead database. He intended to give this information to his new company, where he was being appointed CEO. Of course, the fact that he was leaving for the top job with a competitor was unknown until he got caught.

It was almost luck that this senior executive got caught. In his official capacity, he often requested large data extractions for third-party manipulation, something that would not normally be suspicious. But this time, instead of making the request through the normal channels, he came to a specific IT employee, the one who usually did the actual data extraction, and asked for "everything" in a hurried manner. The IT employee reported the suspicious behavior to their boss, and the whole scheme unraveled.

One wonders whether the VP would have been caught if he had requested less data through normal channels. A smarter crook would have made multiple, smaller queries over a period of time, gradually building the larger database our VP tried to get in one snatch. Thank goodness most crooks aren't that clever.

The second case had to do with an offshore telemarketer. This particular employee was caught using customer credit card information to buy computer equipment, for personal use and resale. The thief was especially dumb because she had all the ill-gotten gains delivered to her real home address. When caught, she turned over a DVD containing the company's entire SQL database of every customer handled by a particular client company. It contained more than 2 million credit card numbers and identifying customer information.

The third espionage case dealt with a competitor stealing bid information. The criminal in this case was a former executive who had started his own company. He had learned the CEO's password years before, and the password had never been changed. During each competitive bid process, the spy would learn what his former employer was bidding, so he was able to beat the bid by a small amount. He was caught when it was noticed that a rogue copy of GoToMyPC was installed on the CEO's desktop.

The CEO had noticed GoToMyPC's appearance several years ago but assumed it had been installed by the IT folks in their normal course of business. The IT staff assumed the CEO had installed it, and they had remarked to each other, several times, how they hated the CEO's circumventing their firewall measures and his abuse of authority by not using the normal remote access program.
