Countering the computer spies

Not so long ago, I saw only one or two computer espionage cases a year. The pace picked up about three or four years ago, when malware began turning professional. Today, computer espionage and malware go hand in hand, so it’s not only surprising but amazing to me how many companies fail to grasp the seriousness of today’s Trojans and worms. For far too many firms, this realization hits home in the form of serious monetary damages.

News accounts are full of cases where cybercriminals were paid by companies to burrow into a competitor’s databases to extract crucial information. Do an Internet search on “corporate espionage,” and most of the articles you will find talk about external attackers gaining access to internal information. Almost as many talk about trusted insiders sending private information to the competitor just before taking a new job there.

I’ve been involved in five spy cases recently, all very different. The first one was the simplest — a classic social engineering attempt. The senior vice president of a large hotel company was caught asking IT for a complete download of the company’s customer and lead database. He intended to give this information to his new company, where he was being appointed CEO. Of course, the fact that he was leaving for the top job with a competitor was unknown until he got caught.

It was almost luck that this senior executive got caught. In his official capacity, he often requested large data extractions for third-party manipulation, something that would not normally be suspicious. But this time, instead of making the request through the normal channels, he came to a specific IT employee, the one that usually did the actual data extraction, and asked for “everything” in a hurried manner. The IT employee reported the suspicious behavior to their boss, and the whole scheme unraveled.

[ Must you trust your outsourcing vendors and employees? See “Insane in the security membrane” and “Let your worst fears be your guide.” ]

One wonders whether the VP would have been caught if he had requested less data through normal channels. A smarter crook would have made multiple, smaller queries over a period of time, gradually building the larger database our VP tried to get in one snatch. Thank goodness most crooks aren’t that clever.

The second case had to do with an offshore telemarketer. This particular employee was caught using customer credit card information to buy computer equipment, for personal use and resale. The thief was especially dumb because she had all the ill-gotten gains delivered to her real home address. When caught, she turned over a DVD containing the company’s entire SQL database of every customer handled by a particular client company. It contained more than 2 million credit card numbers and identifying customer information.

The third espionage case dealt with a competitor stealing bid information. The criminal in this case was a former executive that had started his own company. He had learned the CEO’s password years before, and the password had never been changed. During each competitive bid process, the spy would learn what his former employer was bidding, so was able to beat the bid by a small amount. He was caught when it was noticed that a rogue copy of GoToMyPC was installed on the CEO’s desktop.

The CEO had noticed GoToMyPC’s appearance several years ago but assumed it had been installed by the IT folks in their normal course of business. The IT staff assumed the CEO had installed it, and they had remarked to each other, several times, how they hated the CEO’s circumventing their firewall measures and his abuse of authority by not using the normal remote access program.

It’s almost funny to read, except it’s easy to see how in today’s busy world it could happen in any company. This victimized company had lost more than half of its contracts and was forced to lay off a substantial part of its workforce. The espionage was discovered when one of the recently let go IT employees complained about the CEO’s non-compliance during an exit interview. He saved the company and his job.

My two other recent espionage cases didn’t involve corporate competitors, but they still hold good lessons. One was a family dispute. During negotiations in a multi-million-dollar divorce case, the husband seemed to have information known only to his wife and her attorneys. The husband slipped up by mentioning an erroneous fact that was placed in the woman’s legal file by mistake. Both she and her lawyer had known about the now corrected mistake and realized that the husband must have had access to the law firm’s internal files. A forensic search was done. A commercial spying software program was found on the lead lawyer’s computer, and the remote IP address was traced to the husband’s new house. The law firm is now seeking an adverse finding.

My last example involved what seems to be pure meanness. An online stock trader’s home PC was taken over by a remote control Trojan. One early morning, the remote attackers signed into his online trading account and made a huge short bet (e.g. betting on a stock falling). If you’re wrong on a short bet, then you can, as this gentleman did, lose everything in your brokerage account and more. The victim lost everything and is attempting to recoup the loss by working with the online broker.

None of these incidents were reported to the media, and only the telemarketer has been charged with anything criminal so far, although charges are pending against the bid competitor. None of these companies or the home user ever suspected they would be a victim of computer-related financial crime. But they were, and all but one suffered big financial damages, the exception being the employer of the crooked VP.

What can you do about computer spying and data thefts? There are solutions beyond the normal desktop malware prevention techniques. The first thing is to get management to realize that corporate espionage is a legitimate threat. It should be considered during risk management mitigation and subsequent defenses incorporated as part of risk management.

IT departments should limit the number of remote access methods to the fewest needed to sustain the company and prevent the use of unapproved solutions. It goes without saying that IT should question, gently, even the CEO if an unapproved application is found.

Track large data downloads. It isn’t normal, in most cases, for any non-IT employee to download gigabytes of data from internal databases. There are several programs that track such usage and aberrant patterns should create an actionable alert. Use data leak protection programs to prevent intentional and unintentional data leaks. The market leading solutions are getting better.

Passwords must be long (10 or more characters) and changed on a regular interval. When a trusted insider leaves, every password they had knowledge of must be immediately changed. I’m still surprised by how many companies that have implemented password change policies allow those policies to be regularly circumvented by IT management. In the most common scenarios, IT will turn off the password history feature that prevents re-using passwords long enough to use the same password when prompted to change the expiring password. I think it takes almost as much effort to do that as it does to change the password.

In conclusion, computer espionage is not an edge case anymore. It is a constant reality that often causes the most damage that any company (or home user) will ever see.

In the case of the illegal competitive bidder described above, the spy was put in jail for a few years and the victimized company was awarded millions in damages. But it didn’t matter because the swindled company had already been put out of business and the criminal didn’t have the money to pay the restitution anyway. I saw the subsequently released criminal flying first class on a plane out of Houston last week. From the looks of his suit and his suite of accompanying high-tech devices, it seems he recovered better than the victim.