Case Studies

Legal Corporate Espionage?

To what extent will a competitor or investor go to gain inside information about a company, its processes, development or strategic plans? If a six-year-old case is any indication, advance information is lucrative enough to pursue while pushing the limits of the law.

An interested third party hired a business intelligence firm to research a competitor's operations. The firm evaluated methods of acquiring information while remaining undetected, and eventually settled on the competitor's accounting firm as the primary source of information. The accounting firm is one of the Big 4. Many hold the false notion that the largest companies are the most secure and mature in their processes, but this organization had a weakness: its people, who could be exploited.

The intelligence firm is operated by a former British Intelligence agent and has a former director of the CIA and FBI as an advisory board member. They quickly researched the target and identified the accountant they believed most likely to comply with their ploy. Phone calls to the accounting office had resulted in conversations with secretaries, which led to a list of employees who would have access to the information they wanted. Ultimately, the accountant was contacted and was excited to be involved in a top-secret project that would serve national interests. He assumed the person contacting him was exactly who he said he was. Social engineering methods were used to prey upon his natural desire to help, and many things were said and done to make him believe the exercise was authentic.

After mountains of confidential data had been handed over to the intelligence firm, the target was given a Rolex for his trouble. Were any laws broken during this corporate espionage incident? No criminal charges were filed but KPMG did ultimately sue and settle with the intelligence firm in U.S. District Court. Certainly, the phone calls placed to employees and face to face meetings where information was requested would be hard to detect and prove as illegal, given the vague nature of data security laws. Pretexting for financial information is prohibited under elements of the Gramm-Leach-Bliley Act, but who recognizes these attempts and can follow the trail back to the perpetrators? KPMG would have never known this event even happened had it not been for a mystery whistleblower within the intelligence firm who notified them of the data breach. Someone was ethically motivated to provide KPMG with everything they needed to prove the facts and intent of the espionage.

How much training and preparation do organizations conduct today in regard to recognizing and responding appropriately to these malicious requests for information? Social engineering attempts can and must be identified as part of an effective information security program, in order to stop the damaging data leaks that can happen in today's competitive corporate landscape.

Pretexting Goes Unnoticed by Microsoft

Obtaining financial information using the practice of pretexting has been illegal since enforcement of the Gramm-Leach-Bliley law began in 2001. The law prohibits fraudulent statements and impersonation used to obtain consumers' personal financial information, such as bank balances. However, con artists continue to use this technique of false pretenses to find passwords and other personal information that will lead to the theft of financial information.

The Federal Trade Commission considers any organization that stores consumer financial information to be a non-traditional financial institution. Microsoft, for example, was a recent victim of pretexters when their Xbox Live support staff frequently gave up account information to fraudulent callers. This information then led to the ability to access Xbox accounts, which hold stored credit card data. So, in an indirect way, these pretexters have broken the law by accessing financial information through a non-traditional financial institution.

Any organization that stores personal information, especially financial data, must determine what routes a social engineer may exploit to access this information. During social engineering assessments, RavenEye uses ethical hacking techniques to find the path of least resistance that a pretexter may take. In one espionage simulation, RavenEye security specialists found a lapse in policy with a vacation ownership support line that allowed bank account information to be accessed by only providing the easily identified zip code and phone number.

Microsoft reacted to the breach with denial. Similarly, most organizations do not believe these breaches are possible, which works to the advantage of the thief. Awareness, assessment and testing must become staples of corporate management in information security.

Prevalent Security Neglect

Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows. According to the report, published by Deloitte Touche Tohmatsu, not only have many technology providers been hit with the same sorts of data losses that have recently plagued other industries, but a large number of the firms have also failed to make sufficient investments in security technologies aimed at preventing future incidents.

Deloitte researchers said that security has long been "neglected" by technology, media and telecommunications companies despite their dependence on digital information to run their businesses. The consulting company surveyed executives at 150 such companies and found that even in the face of public embarrassment, financial losses and potential litigation linked to data breaches, many of the businesses have yet to make the investments necessary to protect their information adequately.

According to the report, more than 50 percent of the companies surveyed admitted to having a data loss within the last 12 months, with roughly one-third of those incidents directly resulting in financial losses. Half of the companies reporting data breaches said the incidents involved internal attacks or policy violations. Of the firms surveyed, only 4 percent said their employers are doing enough to address the issue, and just 20 percent of respondents said that they feel confident that their companies' intellectual property is being sufficiently safeguarded. Some 24 percent of interviewees said that the security tools they have installed are being used effectively.

While phishing schemes continue to pose a major threat to companies' customer information and brand reputations, only 18 percent of those executives surveyed said that their firms have employed technologies aimed at preventing the attacks. Deloitte said that 37 percent of the companies it interviewed have provided additional security training to their employees within the last 12 months. At the heart of the issue, the report said, is companies' reluctance to increase their spending on new security measures.

While 74 percent of survey respondents said that they expect to spend more time and money on improving security in 2006, the average budget increase among those companies was only 9 percent. Fewer than 15 percent of those increasing their security budgets planned to do so by over 20 percent, Deloitte said. Despite the sobering statistics, Deloitte researchers said that technology, media and telecommunications companies are beginning to make changes to improve their IT defenses and security policies.

Regulations such as the U.S. government's Sarbanes-Oxley Act have helped pave the way for those improvements, said Brian Geffert, principal of security and privacy services at Deloitte. "Sarbanes got people to understand security a bit more, and now more people are catching up; more CEOs are communicating directly with chief information security officers, and I think we will see a lot more investment from these particular companies," said Geffert. "To a degree people are in the stage where they are still making plans, and not yet fully engaged in moving forward, but there's progress." Only 63 percent of respondents to the survey said they have a senior-level executive in their company dedicated to managing security issues, with 53 percent of information technology companies employing those types of leaders.

Deloitte noted that those numbers were lower than the proportion of companies in other industries with C-level security executives already in place. Further, the survey found that 52 percent of technology, media and telecommunications companies consider security a problem for IT departments, rather than viewing the issue as a central business concern. The top five information security concerns identified by the executives polled were those related to instant messaging systems, phishing schemes, viruses that attack mobile devices, hacks into online brokerage accounts and other Web-based crimes. So-called insider attacks, or threats emanating from employees or other people with legitimate access to IT systems, are another major concern. However, only 59 percent of the companies interviewed said that they have any form of employee behavior monitoring technology in place.

While 25 percent of respondents cited insider fraud as their primary internal security concern, 22 percent pointed to data losses such as the incidents that have recently victimized the U.S. Department of Veterans Affairs and insurance giant American International Group as their greatest fear. "These data leaks are starting to make people think differently about the manner in which they handle data, and you also have the emergence of small storage devices capable of carrying off a boatload of data; those things have opened people's eyes," Geffert said. "At the end of the day, it's all about getting people to look at their work habits differently and letting workers know what their responsibilities are for protecting the data; technology companies are a bit behind other industries today, but there's no reason that they cannot catch up."

Yahoo News

Companies Surprised with FTC Enforcement

The Federal Trade Commission has begun enforcing the "Safeguarding Customer Information Guidelines" from the Gramm-Leach-Bliley Act. The FTC has named identity theft as the #1 fraud reported by consumers in 2004. As part of a nationwide sweep targeting mortgage brokers and automobile dealers, the commission found deficiencies in the way customer information was stored and protected.

The FTC found that the mortgage companies that violated the rule did not assess the risks to their customer information; did not implement reasonable policies and procedures; did not provide written privacy notices to customers; did not initiate employee training; did not oversee employees working with and handling customer information at remote locations; did not oversee the collection and handling of customer information via the companies' web sites; did not monitor the computer network for vulnerabilities; and did not take steps to ensure that service providers applied appropriate security in handling customer information.

Automobile dealers audited by the commission were surprised that they fell under the definitions of the rule. The "financial institutions" covered by the Rule include not only lenders and other traditional financial institutions, but also companies providing many other types of financial products and services to consumers. These institutions include, for example, payday lenders, check-cashing businesses, professional tax preparers, auto dealers engaged in financing or leasing, electronic funds transfer networks, mortgage brokers, credit counselors, real estate settlement companies, and retailers that issue credit cards to consumers.

The administrative actions taken by the FTC against the companies that did not comply with the rule will result in significant expense compared to the pro-active effort that the initial analysis and implementation would have cost. In fact, the central issue to the Safeguards Rule is that organizations employ appropriate measures before an incident occurs, "identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information."

Foreseeing risk is something of a challenge. With the fast-paced Internet and information technology landscape, new risks emerge daily. Regardless, the companies surprised by the actions of the FTC were not covered by the "I didn't know" excuse; the very rule required that they know. The attitude held in days past by corporate executives confidently stating "that's not going to happen to us" has changed with the law, which now requires them to foresee the next threat. In order to foresee, those bearing responsibility for the organization's actions must admit the need to assess whether an unknown threat could exist from within or without. It is no longer sufficient to rely on the opinion and recommendations of the internal security or technology officer. The Safeguards Rule charges the board of directors with the responsibility of overseeing the employees and service providers who implement and adjust an information security program.

Wireless Provider's Servers Accessed

With a plot line right out of Hollywood, a 21-year-old hacker had unfettered access to T-Mobile's 16.3 million customer accounts, including many Social Security numbers, dates of birth, voice mail PINs and passwords for customers' web access to e-mail, according to government filings in the case. The fourth-largest wireless network operator in the United States was unaware of the breach, which had begun at least a year before.

The unauthorized access came to light only after the hacker began offering customer information and pictures taken by T-Mobile Sidekick phones for sale. Investigators with the Secret Service noticed the private data for sale during "Operation Firewall," a criminal investigation that netted 28 fraud and computer crime suspects from eight states and six foreign countries. In a twist of irony, the T-Mobile hacker had accessed a Secret Service agent's phone during the agent's investigation of the underground networks. The hacker offered a government informant classified documents taken from the agent's phone. The documents are described in a Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases."

By policy, Secret Service agents are not supposed to access classified e-mail via their personal wireless devices, but in this case a lapse in proper protocol led to a leak in the government's case against the hacker networks. According to an affidavit filed by cyber crime agent Matthew Ferrante, the agency informed the wireless company after the Secret Service discovered the hacker's offers of T-Mobile information in March of 2004. By July, the company had confirmed that the intruder had indeed accessed its customer databases. T-Mobile could be negligent under California's anti-identity theft law "SB1386" because the company has known about the intrusions since July of 2004 but has not yet issued any public warning. The company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

Customer privacy has been compromised and the fourth-largest wireless network operator's reputation has been brought into question. The hacker, Nicolas Jacobsen, then living in Santa Ana, California, faces two felony counts of computer intrusion and unauthorized impairment of a protected computer and is awaiting a status conference in federal court on February 14th. Celebrity users of T-Mobile camera phones, such as Demi Moore, Ashton Kutcher, Nicole Richie and Paris Hilton, have had their stolen digital photos posted on the Internet. Jacobsen was arrested with little fanfare on October 27th and secrecy still surrounds the case. A friend of Jacobsen has disclosed that the government may be offering a plea deal in exchange for his work in finding other criminals. So, another hacker becomes a government employee, but what about the consumer who is left to question the security of their information in the hands of trusted companies? What steps will organizations take to protect customer data and thereby protect their own reputation?

Home Improvement Chain Targeted by Wardriver

Three men were charged with intent to steal credit card information from the national computer system of the Lowe's home improvement chain. One of the men, Brian Salcedo, 21, of Whitmore Lake, Michigan, was sentenced on December 15th, 2004 to nine years in federal prison.

The interesting aspect of this case is that one of the other men, Adam Timmins, became one of the first to be convicted of wardriving. This hacking technique involves driving around with an antenna in search of vulnerable wireless Internet connections. The three hackers tapped into the wireless network of a Lowe's store in Southfield, Michigan, and then used that connection to access six other stores and the chain's central network in North Wilkesboro, N.C. Once inside, they installed a program to capture credit card information.

"I think the massive amount of potential loss that these defendants could have imposed was astounding, so that's what caused us to seek a substantial sentence against Mr. Salcedo," federal prosecutor Matthew Martens said. The frightening part is that Lowe's only discovered the breach when the malicious program caused some of their point-of-sale machines to crash.
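The case above turns on detection: an intruder moved from one store's wireless segment to other stores and the central network, and nothing raised an alarm until point-of-sale machines crashed. As an added defensive illustration (this is not code from the original page and does not describe Lowe's actual network), the script below applies a few segmentation rules to constructed firewall accept-log lines and reports the flows a segmented retail network should never carry: wireless-to-POS, wireless-to-central, and store-to-store. The addressing plan, the log format and every address in the sample are assumptions made for the example.

```python
"""Flag network flows that violate an assumed retail segmentation policy.

Assumed (hypothetical) addressing plan:
  10.<store>.10.0/24  store wireless segment
  10.<store>.20.0/24  store point-of-sale (POS) segment
  10.250.0.0/16       central corporate network
Any other 10.<store>.x.0/24 is treated as a miscellaneous store segment.
"""
import ipaddress
import re

CENTRAL = ipaddress.ip_network("10.250.0.0/16")
STORE_SUPERNET = ipaddress.ip_network("10.0.0.0/8")
WIRELESS_SUBNET_ID = 10
POS_SUBNET_ID = 20

# Generic accept-log shape assumed for the example, e.g.:
#   2004-10-03T02:14:07 fw ACCEPT src=10.17.20.12 dst=10.250.1.5 proto=tcp dport=443
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ACCEPT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: a normal POS-to-central flow, then the pattern from
# the case (wireless -> local POS, wireless -> another store, wireless ->
# central), then a normal central-to-POS reply flow.
SAMPLE_LOG = """\
2004-10-03T02:14:07 fw ACCEPT src=10.17.20.12 dst=10.250.1.5 proto=tcp dport=443
2004-10-03T02:15:31 fw ACCEPT src=10.17.10.44 dst=10.17.20.12 proto=tcp dport=445
2004-10-03T02:16:02 fw ACCEPT src=10.17.10.44 dst=10.23.30.9 proto=tcp dport=445
2004-10-03T02:18:55 fw ACCEPT src=10.17.10.44 dst=10.250.1.5 proto=tcp dport=1433
2004-10-03T02:20:10 fw ACCEPT src=10.250.1.5 dst=10.17.20.12 proto=tcp dport=443
"""


def classify(ip_text):
    """Return (segment_kind, store_number) for an address under the assumed plan."""
    ip = ipaddress.ip_address(ip_text)
    if ip in CENTRAL:
        return "central", None
    if ip in STORE_SUPERNET:
        _, store, subnet, _ = ip.packed  # second octet = store, third = segment
        if subnet == WIRELESS_SUBNET_ID:
            return "wireless", store
        if subnet == POS_SUBNET_ID:
            return "pos", store
        return "store-other", store
    return "external", None


def violation(src_kind, src_store, dst_kind, dst_store):
    """Name the segmentation rule a flow breaks, or return None if permitted."""
    if src_kind == "wireless" and dst_kind in ("pos", "central"):
        return f"wireless-to-{dst_kind}"
    if src_store is not None and dst_store is not None and src_store != dst_store:
        return "store-to-store"
    return None


def find_violations(log_text):
    """Parse accept-log lines and return one alert dict per forbidden flow."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not accept records
        src_kind, src_store = classify(m["src"])
        dst_kind, dst_store = classify(m["dst"])
        rule = violation(src_kind, src_store, dst_kind, dst_store)
        if rule:
            alerts.append({
                "ts": m["ts"],
                "rule": rule,
                "src": m["src"],
                "dst": m["dst"],
                "dport": int(m["dport"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the script reports three alerts (the wireless host reaching the local POS segment, another store, and the central network) and stays silent on the two legitimate POS-to-central flows. The rule order matters: a wireless source is tested first because that segment should never reach POS or central regardless of which store it is in, and only then is cross-store traffic checked. In practice the same checks belong in the firewall policy itself (deny by default between segments); the log review is the second line that would have caught a misconfigured or bypassed policy long before a crashed terminal did.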

The trio has been convicted, but what about Lowe's? Shouldn't they have discovered the intruder sooner? The hackers' actions occurred over a period of time and could have been stopped with the simplest of policies for the chain's wireless Internet connections. If the red flags hadn't appeared from the crashed point-of-sale devices, how many credit card numbers would they have gathered? Privacy-conscious consumers file lawsuits and complaints with the Federal Trade Commission against companies that fail to protect their private data, and the penalties are steep. Consider the California law passed in 2003, which applies to any company doing business in the state. Companies that fall short in securing themselves face not only the cost of notification but also the damage to image and consumer confidence that properly disclosing a breach brings. Private remedies may be sought by consumers, which could include class actions. The statute also states that any "business that violates, proposes to violate, or has violated this title may be enjoined."

Failure to comply with this privacy statute can lead to civil liability damages of up to $2,500 per violation, for a total of up to $500,000 per occurrence. The fine is "irrespective of the amount of damages suffered by the consumer as a result of that violation." There is no limit on the level of damages per occurrence if the violation was known and willful. Additionally, all fines can be doubled where a violation results in the identity theft of a consumer. Without enhanced vigilance from the world's retailers and service providers who store and maintain consumer data, the problems will grow as the pre-teen computer whiz of today seeks an outlet for his ability. The three Lowe's hackers have become celebrities in the black hat community. Kevin Mitnick is the father of the hacker who gains fame and fortune through his crimes. He spent more than 5 1/2 years behind bars for his exploits, in which he stole software and altered computer information, costing companies millions of dollars. Victims included Motorola, Novell, Nokia and Sun Microsystems. Shouldn't today's companies protect us from these criminals seeking to gain financially or infamously from cyber crime?