Information Security News mailing list archives

'Netspionage' costs firms millions


From: InfoSec News <isn () C4I ORG>
Date: Wed, 13 Sep 2000 02:36:03 -0500

http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html

By Bob Sullivan, MSNBC
September 12, 2000 5:46 AM PT

Top-secret designs are leaked out of a French military contractor
through its Web site; a content company's entire database of
proprietary images is posted in Internet newsgroups; a U.S. automaker
is offered a peek at the new designs from a German competitor for $8
million. In a world paranoid about computer security, most experts
quietly confess that hacking of high-profile Web sites is harmless --
it's high-priced corporate espionage hacking that's the real
cybercrime problem.

Hackers who deface sites like FBI.gov or steal credit cards from sites
like WesternUnion.com attract great attention. But some experts say
such break-ins and "toilet-clogging techniques" are merely a
distraction from the real problem of cybercrime -- corporate-sponsored
proprietary information theft committed by professionals who rarely
get caught.

"If a 15-year-old can break in, what do you think a professionally
trained intruder can do?" said Tom Talleur, former NASA computer
security chief, now a consultant at KPMG.

The untold tally

It's a problem few companies or individuals will openly discuss.
Computer security is a secretive business laden with non-disclosure
agreements; corporations don't want to suffer the embarrassment of
admitting a break-in.

But in anonymous surveys, companies confessed to costly theft of
proprietary information. According to the American Society for
Industrial Security, in 1999 Fortune 1000 companies sustained losses
of more than $45 billion from thefts of their proprietary information.
Just how much of that theft is "Netspionage," or corporate-sponsored
hacking, is unclear. But in another survey conducted by the Computer
Security Institute, over half of 600 companies surveyed said they felt
their competitors were a likely source of cyber-attack; and the group
claimed over $60 million in losses to cyber-espionage.

"More and more hacking for the sake of trade secret theft is going
on," said Richard Power, who conducts the annual Computer Security
Institute survey and wrote the cybercrime book "Tangled Web." "But
it's very difficult to prove. No one wants to talk about them."

William Malik, an analyst at Gartner Group, says he has consulted in
two cases of electronic espionage during the past couple of years that
cost companies over $500 million. In one, two "heavy manufacturing"
firms were bidding on a $900 million contract; one outbid the other by
a fraction of a percent.

"It wasn't just bad luck," Malik said.

The losing company happened to be testing network monitoring software
during the bidding process and later discovered that someone had
broken into the company's computer network and accessed files that
contained bidding strategy information.

"There wasn't enough evidence to go to court," Malik said. "But they
called Gartner to make sure it never happened again."

Exodus Communication security chief Bill Hancock, who spent years as a
private cybercrime consultant, is one of a few professionals willing
to share some details of his work. He said he's prosecuted over 600
cybercrime cases during his career, and about 20 percent involve
corporate espionage.

"I can tell you the number of cases is on the rise," Hancock said.

In one recent case, Hancock said he was brought in by a French defense
contractor that knew its designs were somehow being leaked outside the
company. The company had careful guards on how digital information
could leave the premises, but not careful enough. Hancock's
investigation uncovered a computer criminal, working as part of a
team, who had taken a job inside the unnamed French company. Then, he
painstakingly embedded trade secrets inside Web site images, which he
then posted on the company's public Web site -- hiding information
within seemingly harmless files using a technique called steganography.
An outside hacker then stole the secrets right from the company's home
page. Hancock only discovered the theft by noticing slight variations
in image file size.
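The clue Hancock describes, a slight change in the size of a published image, generalizes to a baseline-and-diff integrity check over a site's static assets. The Python below is an added illustration, not code from the article or from any firm named in it: it fingerprints a constructed set of files by size and SHA-256, then reports anything removed, added or altered since the baseline was taken. File names and contents are made up for the example.

```python
"""Baseline-and-diff integrity check for published web assets.

Added example (hypothetical paths and file contents). The idea is the one
in the article: keep a record of what the public site is supposed to look
like, then flag any asset that no longer matches it.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Fingerprint of one published file."""
    path: str
    size: int
    sha256: str


def fingerprint(path: str, data: bytes) -> Asset:
    return Asset(path, len(data), hashlib.sha256(data).hexdigest())


def build_manifest(files: dict[str, bytes]) -> dict[str, Asset]:
    """Map each path to its fingerprint (this is what you store as the baseline)."""
    return {path: fingerprint(path, data) for path, data in files.items()}


def compare_manifests(
    baseline: dict[str, Asset], current: dict[str, Asset]
) -> list[tuple[str, str, int]]:
    """Return (path, kind, size_delta) for every asset that changed.

    kind is "modified", "removed" or "added". The hash, not the size, decides
    whether a file is modified: a size delta of 0 with a different hash is
    still a change (and is exactly what in-place pixel tampering looks like).
    """
    findings: list[tuple[str, str, int]] = []
    for path in sorted(baseline):
        base = baseline[path]
        cur = current.get(path)
        if cur is None:
            findings.append((path, "removed", -base.size))
        elif cur.sha256 != base.sha256:
            findings.append((path, "modified", cur.size - base.size))
    for path in sorted(current):
        if path not in baseline:
            findings.append((path, "added", current[path].size))
    return findings


# Constructed sample data: a two-image baseline and a later snapshot in which
# one image has been altered (same header, 4 bytes larger) and a new file has
# appeared. Real use would read the files from the web root or a crawl.
BASELINE_FILES: dict[str, bytes] = {
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"A" * 64,
    "img/hero.jpg": b"\xff\xd8\xff\xe0" + b"B" * 128,
}
CURRENT_FILES: dict[str, bytes] = dict(BASELINE_FILES)
CURRENT_FILES["img/hero.jpg"] = b"\xff\xd8\xff\xe0" + b"B" * 120 + b"C" * 12
CURRENT_FILES["img/new.gif"] = b"GIF89a" + b"D" * 10


def run_check() -> list[tuple[str, str, int]]:
    """Compare the constructed snapshot against the constructed baseline."""
    return compare_manifests(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES))


if __name__ == "__main__":
    for path, kind, delta in run_check():
        print(f"{kind:9s} {path} ({delta:+d} bytes)")
```

The size delta is reported because it is the human-visible hint from the story, but the hash is what the check keys on: steganography that only rewrites low-order pixel bits leaves the file size unchanged, so a size-only comparison would miss it. In practice the baseline manifest should be written at publish time by the release process and stored somewhere the web server cannot modify.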

In another case of outright computer theft, Hancock said he
investigated a U.S. cordless telephone company that stole designs from
a rival. An engineer at the first company hacked into the second
company's computers and stole designs and drawings, then passed them
off as his own work. The engineer's managers, knowing the work was
well above his skill level, suspected foul play but manufactured the
phone anyway, Hancock said.

"It was pretty obvious they knew about it from the inception," Hancock
said. "Actually, they thought it was funny."

No laughing matter

But there's nothing funny about the loss of trade secrets to
competitors. While corporate espionage is as old as the silk trade,
the Internet age has made it easier, faster and much more anonymous.

"Your competitors no longer have to be across town, or even across the
country; they're in other countries that have different laws and
business ethics," Power said. "Culpability is much less. There is a
lawless frontier in terms of theft of trade secrets."

Hackers for hire working for foreign nationals are not merely the
stuff of James Bond films, Hancock said. He's been chasing a Chinese
national for six to seven years who regularly hires U.S. teen-agers to
hunt down documents. In one case, Hancock said a 17-year-old U.S.
hacker was paid $1,000 -- and promised $10,000 more -- for stealing
design documents for kitchen appliances from U.S. firms.

Talleur, who formerly was in charge of protecting NASA's secrets from
a constant barrage of foreign information-based attacks, thinks the
problem is much more severe than most organizations let on.

"I don't think any government or corporation knows how much it's being
spied on," Talleur said. "It's my belief that the country is subject
to widespread dry cleaning."

Talleur believes most firms don't have sufficiently sophisticated
technology in place to detect professional attacks. Power agrees,
suggesting juvenile hackers who leave obvious calling cards provide an
unwitting smokescreen for professionals who are after much more
valuable information.

"I believe in many environments it's almost impossible to catch
somebody who is good enough," said Power. "One of the great blunders
in the defense of cyberspace is that the threat is juvenile hackers.
They end up in the headlines because they get caught. But
professionals don't get caught."

Not every act of corporate espionage is quite so dramatic or so highly
skilled. Joel de la Garza of Securify.com, which offers forensics of
espionage attacks, tells one story of an Internet service provider
that caught a young computer hacker attacking its systems. After
learning the hacker had also entered a competitor's network, the
company offered him free DSL for information about the competitor.

Just how valuable is such information? It's hard to quantify, says
Dick Heffernan of security firm R.J. Heffernan Associates Inc. -- and
sometimes that makes it hard for potential victims to see the threat.

"It's difficult for people to see the theft of information," said
Heffernan, who conducts the annual American Society for Industrial
Security survey. "With other kinds of theft, something is missing.
Information is the only asset that can be copied or stolen, but
nothing can appear to be missing. You can still have the information
... but have lost the value of that information."

ISN is hosted by SecurityFocus.com