ZIFFPAGE TITLEWellBy Deborah Gage | Posted 2004-12-01 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Corporate America faces a new kind of cracker. Information-technology managers and chief technology officersthe people charged with safeguarding corporate networksare engaging in acts of digital espionage. In the past two years, a half-dozen c-Suited to the Task">
Well-Suited to the Task
Not only are corporate technologists usually well-versed in the latest electronic intrusion tools and hacking techniques, but they also know where to look for valuable information once they've gained access to a system, say security experts.
Mark Erfurt, the technology director who broke into MESC's computer system, for example, would have known that manufacturers' reps use Rep Profit Management System software, from a company called RPMS, to track sales and commission reports, says MESC CEO Yul Koszegi. Erfurt downloaded those files from MESC's system and then deleted them from MESC's servers, according to Koszegi. The motivation is unclear.
The danger becomes even more apparent in a country where the main value-added component of operations is ideas about how to design, create and market products that actually get built elsewhere. Today, says Richard Weyand, president of The Trade Secret Office, a Chicago-area software vendor, up to 80% of the value of U.S. companies is tied up in what can be characterized as "intangible" assetsinformation such as product designs, chemical or drug compounds, manufacturing processes and customer lists. All of this is stored as a matter of course in databases on mainframe computers, servers and other storage devices.
Such trade secrets are leaking from U.S. companies at an alarming rate. R. Mark Halligan, a Chicago-based intellectual property attorney, notes a "logarithmic rise" in trade-secret theft cases since 1980. The Justice Department released figures in October that showed intellectual property theft up 26%, from 322 incidents in 1994 to 405 in 2002, and trade-secret thefts up more than threefold, from 28 in 1997 to 92 in 2002.
Several experts and law enforcement officers say many companies are doing little to protect themselves. Some don't even know how to adequately define trade secrets, which can be processes or product designs or whatever the company uses to make money every year. That makes it difficult to prove ownership or damage when they are stolen. And even when they catch a thief, says Naomi Fine, a security consultant who has worked with Fortune 500 companies for 20 years, clients typically resist reporting theft of intellectual property and trade secrets to avoid negative publicity.
Yet, in the cases of SSF, Niku and MESC, the companies did come forward to say they had been harmed by electronic intruders from competing companies. Each claims to have taken precautions to protect their trade secrets and intellectual property; at SSF, employees were actively monitoring their site for suspicious activity. One warning sign SSF's I.T. staffers watched for: customers logging in to the site and performing hundreds of searches in a single day.
In all three incidents the attackers, according to court records and people familiar with the incidents, were able to spot a simple vulnerability that allowed them to penetrate a competitor's defenses. In the Niku case, for instance, Niku believes that Business Engine's now-former CTO was simply monitoring a Niku online training session and saw a slide come up on screen with a Niku systems administrator's user name and password on it. An administrator's password grants unlimited rights to read, change or delete data on a given systemor, for a top-level administrator, all systems companywide.
A company could even be tempted to recruit a technologist when thinking about breaking into a competitor's system to steal trade secrets. Saad (alias Jay R.) Echouafni, Orbit Communications' CEO, has been charged with exactly that. Echouafni, who landed on the FBI's Most Wanted List, allegedly hired his Internet service provider, CIT/FooNet, to recruit security consultants who then launched denial-of-service attacks against the Web sites of competitors, such as WeaKnees.com. Echouafni denied the charges in a November Wall Street Journal article.
"It would make senseif upper management was already colludingto bring the technologist into that collusion," says Mark Lobel, a director in PricewaterhouseCoopers' security services practice. "It's a logical progression."