Forget Hackers Watch Out for CompetitorsBy Deborah Gage | Posted 2005-12-13 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Technology executives are burrowing into competitors' systems and stealing their trade secrets.
How do you steal a company's most valuable trade secrets? Cracking safes or rifling through file cabinets is passé. Today, a better option is to break into the corporate network, says security consultant Ira Winkler. And in Silicon Valley at least, the data burglar could very well be an information-technology manager—or even an officer of the corporation.
Statistics are not kept by federal law enforcement agencies on how many acts of espionage and theft are committed each year by executives and technology managers in this age of worldwide computer networking. A Baseline investigative report in the December 2004 issue, "Wanted: Chief Espionage Officer," identified a half-dozen cases of digital espionage allegedly committed by corporate chief technology officers or information-technology directors in 2003 and 2004 (see sidebar, "Rogues' Gallery"). Our take: "the next evolution of the economic spy."
That evolution continues. "We are very busy," says assistant U.S. attorney Christopher Sonderby, who heads the computer-hacking and intellectual-property unit for the Northern District of California. Since January, Sonderby says, his office has obtained five new guilty pleas and a conviction, and more cases are in the works.
More companies are aware of digital espionage and are hiring consultants such as Naomi Fine, who founded Pro-Tec Data in Los Altos, Calif., to help identify and classify their assets. Fine, whose firm serves Fortune 2000 companies, says her business is growing because of federal regulations such as Sarbanes-Oxley, a law that requires companies to document and audit their internal controls, and the Health Insurance Portability and Accountability Act, which sets guidelines for the transmission, security and privacy of health-care data—along with revised federal sentencing guidelines that hold senior executives accountable for compliance.
According to Fine, some of her clients are also using products from new vendors such as Vontu or Liquid Machines that track and control internal and external access to electronic information.
But Winkler, who founded the Internet Security Advisors Group, says many of his clients still do a poor job of protecting themselves. "Even in some of the more secure organizations, they see one out of 12 attacks [on their networks] if they're lucky," he says. "I know this from going in and looking at the companies."
Companies also fear publicity and so are reluctant to report espionage unless the attack is severe, according to Winkler and Fine.
in the fall of 2001, SSF imported auto parts found itself under attack. The South San Francisco, Calif.-based company's I.T. staff started to detect extremely heavy traffic on its Web site coming from one customer's online account.
The account had been used to search SSF's electronic catalog of car parts almost 1,000 times in just two days, according to an FBI affidavit. Each entry into the system was for a single search; no orders were placed.
The SSF staff took a closer look and detected a script that appeared to be repeatedly probing the SSF catalog and downloading information on car parts. On one day, Oct. 12, 2001, SSF estimated that up to 18,000 pieces of information, including photos, could have been downloaded.
The staff thought they had secured the site. It required a password to enter and was available only during certain hours.
But they were wrong. Executives at SSF's rival, Dallas European Parts Distributors, were said to have simply asked their own customers, some of whom did business with both companies, for account information and passwords to access SSF's site, according to documents filed in U.S. District Court in San Francisco. Some customers complied, unaware that they were helping Dallas European build a rival catalog,
the documents say. One executive pleaded guilty to trafficking in passwords; two others pleaded not guilty to the charges filed against them.
The story was similar at Redwood City, Calif., software company Niku Corp., which lost product, customer and sales information in 2001 and 2002 to a competitor after a simple security lapse.
The former chief technology officer of Business Engine Software Corp., Robert McKimmey, is believed to have logged on to one of Niku's online training sessions.
During this particular Niku training session, the user name and password of a Niku systems administrator was inexplicably flashed. Some systems administrators had unlimited rights to all Niku data. Business Engine was able to download more than 1,000 Niku files during the next eight or nine months, according to Niku CIO Warren Leggett.
And we will doubtless see more cases of information espionage come to light in the months ahead. The bigger issue: How many companies can muster the brainpower as well as the horsepower to repel these threats?
Safeguards are not just physical, according to Gideon Lenkey, president of Ra Security Systems, a Whitehouse Station,
N.J.-based company that specializes in vulnerability assessments.
In Lenkey's words: "It's people, process and product."