Engine of Intrusion
By Deborah Gage | Posted 2004-12-01
Corporate America faces a new kind of cracker. Information-technology managers and chief technology officers, the people charged with safeguarding corporate networks, are engaging in acts of digital espionage. In the past two years, a half-dozen c
Niku, a project portfolio management company in Redwood City, Calif., needed a little luck to find the person who broke into its Web site.
In the summer of 2002, Niku chief information officer Warren Leggett suspected that an outsider was reading confidential files on prospective customers, according to court records.
The fear arose after Leggett talked with his brother-in-law, Jay Berlin, a mid-level technology manager at Nike. Leggett thought the athletic-equipment and apparel giant might be interested in Niku's products, which help large companies manage technology projects. The two men set up a meeting for the software vendor to tell Nike about its products.
Information about prospective sales, and other Niku business documents, is stored in "project" repositories on Niku's servers. After the Nike meeting was arranged, a Niku sales account executive created a repository about the retailer. The file listed the time and date of the upcoming meeting with Nike and some background on the vendor and its products.
On the morning of July 8, 2002, Leggett went to Berlin's office at Nike. While Leggett was there, Berlin picked up his voice mail and remarked that he had gotten a message from a Business Engine Software (BES) salesperson who wanted to talk to him about his "project." Berlin had never heard of BES, a Niku competitor. Leggett also was surprised because he knew Berlin wasn't the Nike technology executive responsible for buying the project management software marketed by Niku.
"The timing and the content of the message seemed very suspicious to me," said Leggett in court documents on file with the U.S. District Court in San Francisco, from which Baseline obtained most of the information on the case.
His instincts proved correct. Someone from BES was looking at Niku's files.
Robert McKimmey was BES' chief technology officer, working out of an office in Virginia Beach, Va. From October 2001 to July 2002, McKimmey accessed Niku's computer networks and applications, according to the U.S. Attorney's Office in San Francisco. He downloaded and copied valuable information, and sent some of that information to other BES officers and employees so that "BES could maintain a competitive advantage over its direct competitor, Niku," said the attorney's office. A complaint filed by Niku said technical specifications of both existing products and software in development, documents about customer implementations, customer proposals and pricing, and sales forecasts were all downloaded.
Just as in the SSF case, the intrusion was made possible through a simple security lapse.
David Hurwitz, Niku's vice president of marketing, believes McKimmey gained access to the company's files by logging in to an online training session Niku arranged through WebEx, a service that allows companies to conduct meetings over the Internet. Hurwitz says it was easy to join the conference: a person sitting in front of a Web browser simply had to type in the name of the company hosting the session followed by the WebEx URL, in the style "companyname.webex.com." At the time of this incident, according to a WebEx spokesman, companies did not have to validate participants with passwords.
During the Web presentation, the user name and password of a Niku systems administrator was shown, according to Hurwitz. He says he doesn't know why that information was displayed, but admits it was "not a good idea."
Headquarters: 305 Main St., Redwood City, CA 94063
Phone: (650) 298 4600
Business: Project portfolio management company
Chief Executive Officer: Joshua Pickus
Financials: $2.4 million in net income on revenue of $46.3 million for the nine months ended Oct. 31.
Incident: Chief technology officer at a competitor, Business Engine Software, pleaded guilty to conspiracy to commit theft and downloading trade secrets, fraud in connection with computers, and interstate transportation of stolen property. Niku said customer lists and details on products in development were taken.
Niku took what it says were "reasonable steps" at the time to protect its computer systems, according to court documents. Niku said it had firewalls and required user names and passwords to access its systems. The company only gave those people with "a need to know" permission to read certain files. "Niku users are typically allowed access only to the limited number of documents associated with the specific Project(s) they are working on," said documents that Niku filed with the court.
However, not unlike other companies, a small number of Niku systems administrators have the authority to access all of the company's computer files.
When Leggett returned from his visit at Nike, he started looking over the company's computer logs and project documents. He discovered that on June 24, 2002, someone using the account of a Niku systems administrator had accessed and downloaded information from the company's computer systems, including the Nike file. According to his declaration on file with the court, he talked to the systems administrator, Cheryl Lahan, who told him that she had not gone into any of the files.
The CIO then tracked down the address of the computer used to pull out the information, a trace similar to the one conducted by the FBI in the SSF-Dallas European case. Based on public Internet address information from the American Registry for Internet Numbers (ARIN), a nonprofit organization that keeps track of IP addresses, Leggett believed the address used to access his company's Web site was part of a series of addresses owned by BES.
Examining Niku's internal computer systems, Leggett said he found that on 70 different days, from Oct. 31, 2001, through at least July 22, 2002, BES looked as though it had logged into Niku's systems. Leggett said the rival had used passwords of 15 different Niku employees, made more than 250 log-in attempts and downloaded more than 1,000 files.
Joshua Pickus, Niku's current chief executive officer and the company's chief financial officer at the time, said in an August 2002 statement to the U.S. District Court: "It is difficult for me to quantify, in any exact monetary amount, the damages Niku has suffered, and will continue to suffer, as a result of Business Engine's access to and use of Niku's Trade Secrets and other confidential and proprietary information, but it is likely to be in the many millions of dollars."
This doesn't include the "tens of thousands of dollars" Leggett said the company spent looking into what had happened. The CIO says that he and his staff spent "in excess of 200 hours" on the investigation.
On Aug. 12, 2002, Niku filed its complaint against Business Engine. It charged the company with accessing its protected computer systems, and illegally accessing and downloading files, including documents containing technical specifications and designs for existing software and products in development, information on customer implementations, lists of prospective customers, customer proposals and pricing information, and sales forecast data.
BES filed an answer to the complaint on Sept. 5, 2002. The company said it "believes a now former employee of BE [Business Engine] downloaded certain files from a Niku computer system." Business Engine, however, denied allegations that it knowingly or intentionally accessed Niku's systems, learned anything from Niku's documents, disseminated the company's trade secrets, or that it used the information in the documents to design products or interfere with Niku and its prospective customers.
BES' CEO, Doug Dickey, was the company's chief financial officer at the time and led the internal investigation into what had happened. "We found nobody else who had accessed anything other than Robert," he insists.
Dickey says McKimmey was terminated. After the company looked at what had transpired, he says the company had "absolutely no question in our minds that this person has done something he shouldn't have."
In December 2002, the two companies reached a settlement in a civil case brought by Niku under which BES paid Niku $5 million and agreed to make sure "that Business Engine product releases do not incorporate Niku trade secrets," according to a BES statement at the time.
This past July, McKimmey pleaded guilty to conspiracy to commit theft and downloading trade secrets, fraud in connection with computers, and interstate transportation of stolen property. McKimmey has yet to be sentenced. He faces up to 10 years in prison and a fine that could exceed $250,000. As part of the plea agreement, McKimmey agreed to cooperate with the U.S. Attorney in the ongoing investigation of others in connection with the case.
Baseline reached McKimmey in early November at a Virginia phone number. Asked whether he was still working with the government in any kind of ongoing investigation, he said, "I can't elaborate any more on what you already know."
But he indicated the case was not close to conclusion. "When the other shoe drops, I'll be more than happy to tell you the whole story," he added.
Both Dickey and Rob Scott, BES' lawyer, say they do not know of any ongoing investigation into the company. The FBI and the U.S. Attorney in San Francisco would not comment.
Hurwitz notes that Niku was new to WebEx when it conducted its online training session. He says now that when a company looks at a new technology, it should closely examine that technology's security features, or lack of them, and certainly not display user names or passwords in any online presentation.