Forget Hackers; Watch Out for Competitors

How do you steal a company’s most valuable trade secrets? Cracking safes or rifling through file cabinets is passé. Today, a better option is to break into the corporate network, says security consultant Ira Winkler. And in Silicon Valley at least, the data burglar could very well be an information-technology manager, or even an officer of the corporation.

Statistics are not kept by federal law enforcement agencies on how many acts of espionage and theft are committed each year by executives and technology managers in this age of worldwide computer networking. A Baseline investigative report in the December 2004 issue, "Wanted: Chief Espionage Officer," identified a half-dozen cases of digital espionage allegedly committed by corporate chief technology officers or information-technology directors in 2003 and 2004 (see sidebar, "Rogues’ Gallery"). Our take: "the next evolution of the economic spy."

That evolution continues. "We are very busy," says assistant U.S. attorney Christopher Sonderby, who heads the computer-hacking and intellectual-property unit for the Northern District of California. Since January, Sonderby says, his office has obtained five new guilty pleas and a conviction, and more cases are in the works.

More companies are aware of digital espionage and are hiring consultants such as Naomi Fine, who founded Pro-Tec Data in Los Altos, Calif., to help identify and classify their assets. Fine, whose firm serves Fortune 2000 companies, says her business is growing because of federal regulations such as Sarbanes-Oxley, a law that requires companies to document and audit their internal controls, and the Health Insurance Portability and Accountability Act, which sets guidelines for the transmission, security and privacy of health-care data, along with revised federal sentencing guidelines that hold senior executives accountable for compliance.

According to Fine, some of her clients are also using products from new vendors such as Vontu or Liquid Machines that track and control internal and external access to electronic information.

Hooking the Crooks

What can you do to thwart a chief espionage officer? In addition to using better tools to defend your company against digital snooping, there are at least four other measures every company should take.

Identify secrets. Take a good, hard look at your entire business. Do a real inventory of assets so you don’t leave corporate valuables unsecured. Then, make clear judgments of what really needs defending.

For instance, while a new drug formula might seem an obvious choice, what about the manufacturing or distribution processes that greatly reduce the cost of producing it? What would happen if a competitor got a whiff and copied the formula, design or process?

Inform employees. Corporations often fail to tell workers in areas such as new-product development that secrecy is vital to the company’s future success. Draw up non-disclosure agreements and have employees sign them. Conduct intellectual-property education seminars at least once a year.

Limit access. Don’t assume that every person needs access to every piece of information. Keep sensitive areas closed off. Hide valuable objects or processes.

Monitor visitors. Check backgrounds of regular visitors, especially those who are allowed into sensitive parts of your operations. Watch any outsiders who enter your premises.

But Winkler, who founded the Internet Security Advisors Group, says many of his clients still do a poor job of protecting themselves. "Even in some of the more secure organizations, they see one out of 12 attacks [on their networks] if they’re lucky," he says. "I know this from going in and looking at the companies."

Companies also fear publicity and so are reluctant to report espionage unless the attack is severe, according to Winkler and Fine.

In the fall of 2001, SSF Imported Auto Parts found itself under attack. The South San Francisco, Calif.-based company’s I.T. staff started to detect extremely heavy traffic on its Web site coming from one customer’s online account.

The account had been used to search SSF’s electronic catalog of car parts almost 1,000 times in just two days, according to an FBI affidavit. Each entry into the system was for a single search; no orders were placed.

The SSF staff took a closer look and detected a script that appeared to be repeatedly probing the SSF catalog and downloading information on car parts. On one day, Oct. 12, 2001, SSF estimated that up to 18,000 pieces of information, including photos, could have been downloaded.

The staff thought they had secured the site. It required a password to enter and was available only during certain hours.

But they were wrong. Executives at SSF’s rival, Dallas European Parts Distributors, were said to have simply asked their own customers, some of whom did business with both companies, for account information and passwords to access SSF’s site, according to documents filed in U.S. District Court in San Francisco. Some customers complied, unaware that they were helping Dallas European build a rival catalog, the documents say. One executive pleaded guilty to trafficking in passwords; two others pleaded not guilty to the charges filed against them.
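The signal SSF’s staff noticed (one valid account running close to 1,000 single searches in two days and placing no orders) can be checked for automatically. The sketch below is an added example, not code from SSF or from this article; the event format, account names, threshold and sample data are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_search_only_accounts(events, window=timedelta(days=2), max_searches=500):
    """events: iterable of (datetime, account, action), action is "search" or "order".
    Returns {account: peak search count} for accounts that exceeded max_searches
    inside a sliding window in which they placed no order."""
    searches = defaultdict(deque)   # account -> search times still inside the window
    last_order = {}                 # account -> time of most recent order
    flagged = {}
    for ts, account, action in sorted(events):
        if action == "order":
            last_order[account] = ts
            continue
        q = searches[account]
        q.append(ts)
        while q and q[0] <= ts - window:      # drop searches older than the window
            q.popleft()
        ordered_recently = account in last_order and last_order[account] > ts - window
        if len(q) > max_searches and not ordered_recently:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged

def constructed_sample():
    """Constructed events for illustration only; not real log data."""
    start = datetime(2001, 10, 11, 8, 0)
    events = []
    # Scripted account: one search every 3 minutes for two days, never orders.
    for i in range(960):
        events.append((start + timedelta(minutes=3 * i), "acct-scripted", "search"))
    # Ordinary customer: a handful of searches followed by an order.
    for i in range(30):
        events.append((start + timedelta(minutes=20 * i), "acct-normal", "search"))
    events.append((start + timedelta(hours=11), "acct-normal", "order"))
    # Heavy but genuine buyer: many searches, with an order every six hours.
    for i in range(700):
        events.append((start + timedelta(minutes=4 * i), "acct-bulk-buyer", "search"))
    for h in range(0, 48, 6):
        events.append((start + timedelta(hours=h, minutes=1), "acct-bulk-buyer", "order"))
    return events

if __name__ == "__main__":
    for account, peak in flag_search_only_accounts(constructed_sample()).items():
        print(f"{account}: {peak} searches in 2 days, no orders")
```

Because the credentials in this case were valid, a per-account behavioral check like this catches what the password prompt and restricted hours could not.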

The story was similar at Redwood City, Calif., software company Niku Corp., which lost product, customer and sales information in 2001 and 2002 to a competitor after a simple security lapse.

The former chief technology officer of Business Engine Software Corp., Robert McKimmey, is believed to have logged on to one of Niku’s online training sessions.

During this particular Niku training session, the user name and password of a Niku systems administrator was inexplicably flashed. Some systems administrators had unlimited rights to all Niku data. Business Engine was able to download more than 1,000 Niku files during the next eight or nine months, according to Niku CIO Warren Leggett.

And we will doubtless see more cases of information espionage come to light in the months ahead. The bigger issue: How many companies can muster the brainpower as well as the horsepower to repel these threats?

Safeguards are not just physical, according to Gideon Lenkey, president of Ra Security Systems, a Whitehouse Station, N.J.-based company that specializes in vulnerability assessments.

In Lenkey’s words: "It’s people, process and product."

Rogues’ Gallery

Among the espionage cases examined this year by Baseline:

  • The former chief technology officer at Business Engine Software Corp. in San Francisco, Robert McKimmey, pleaded guilty in 2004 to downloading trade secrets from rival Niku Corp. in Redwood City, Calif.; he has yet to be sentenced. In September, a second executive from Business Engine, William F. McMenamin, former executive vice president of worldwide sales, pleaded guilty to conspiring with McKimmey to misappropriate trade secrets and transmit them to other Business Engine employees, i.e., interstate transportation of stolen property. Niku was acquired in July by Computer Associates. And in September, Business Engine reorganized, acquiring the assets of the old company and receiving $4 million in new venture money.

  • San Jose-based Lightwave Microsystems’ former information-technology director, Brent Alan Woodard, pleaded guilty in August to stealing backup tapes of databases containing the network equipment maker’s trade secrets and trying to sell them to a competitor, JDS Uniphase, which notified the FBI. Lightwave, which was acquired in 2003 by Neophotonics, had already ceased operations.
  • Richard Day, the former chief technology officer of Speedera Networks, a Santa Clara, Calif., provider of Web hosting and content delivery services, was accused by Akamai Technologies of breaking into a database at Keynote Systems to steal Akamai’s performance data, according to documents filed in Santa Clara County Superior Court. In June, Akamai acquired Speedera and the case was dismissed.
  • The CEO of Orbit Communications, Saad (alias Jay R.) Echouafni, was still a fugitive at press time. He allegedly ordered and funded denial-of-service attacks against the Web sites of three competitors, according to an indictment in U.S. District Court in Los Angeles. In August, one man pleaded guilty to launching attacks. In October, another man, alleged to have recruited attackers, was charged with conspiracy and fraud. Orbit, a satellite data reseller, has ceased operations.
  • In March, Mark Erfurt, the former I.T. manager at Manufacturers Electronic Sales Corp. (MESC), a Santa Clara, Calif.-based sales representative for electronic-component makers, was sentenced to five months in prison for breaking into the company’s computer system, deleting data, and then trying to destroy evidence of his break-in. MESC ceased operations in 2004.
  • The former chief technology officer of Dallas European Parts Distributors, Kevin Harold Smith, pleaded guilty in August to trafficking in passwords to defraud his competitor, SSF Imported Auto Parts, by downloading parts from SSF’s online catalog. Dallas European’s assets were sold to the Dallas Business Group in 2003.

    In at least three of these cases (Business Engine, MESC and Dallas European) the attackers, according to court records and people familiar with the incidents, saw a simple vulnerability that let them penetrate a competitor’s defenses.

    -D.G.