Information Security News mailing list archives
'Netspionage' costs firms millions
From: InfoSec News <isn () C4I ORG>
Date: Wed, 13 Sep 2000 02:36:03 -0500
http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html

By Bob Sullivan, MSNBC
September 12, 2000 5:46 AM PT

Top-secret designs are leaked out of a French military contractor through its Web site; a content company's entire database of proprietary images is posted in Internet newsgroups; a U.S. automaker is offered a peek at the new designs from a German competitor for $8 million. In a world paranoid about computer security, most experts quietly confess that hacking of high-profile Web sites is harmless -- it's high-priced corporate espionage hacking that's the real cybercrime problem.

Hackers who deface sites like FBI.gov or steal credit cards from sites like WesternUnion.com attract great attention. But some experts say such break-ins and "toilet-clogging techniques" are merely a distraction from the real problem of cybercrime -- corporate-sponsored proprietary information theft committed by professionals who rarely get caught.

"If a 15-year-old can break in, what do you think a professionally trained intruder can do?" said Tom Talleur, former NASA computer security chief, now a consultant at KPMG.

The untold tally

It's a problem few companies or individuals will openly discuss. Computer security is a secretive business laden with non-disclosure agreements; corporations don't want to suffer the embarrassment of admitting a break-in. But in anonymous surveys, companies confessed to costly theft of proprietary information.

According to the American Society for Industrial Security, in 1999 Fortune 1000 companies sustained losses of more than $45 billion from thefts of their proprietary information. Just how much of that theft is "Netspionage," or corporate-sponsored hacking, is unclear. But in another survey conducted by the Computer Security Institute, over half of 600 companies surveyed said they felt their competitors were a likely source of cyber-attack; and the group claimed over $60 million in losses to cyber-espionage.
"More and more hacking for the sake of trade secret theft is going on," said Richard Power, who conducts the annual Computer Security Institute survey and wrote the cybercrime book "Tangled Web." "But it's very difficult to prove. No one wants to talk about them."

William Malik, an analyst at Gartner Group, says he has consulted in two cases of electronic espionage during the past couple of years that cost companies over $500 million. In one, two "heavy manufacturing" firms were bidding on a $900 million contract; one outbid the other by a fraction of a percent. "It wasn't just bad luck," Malik said. The losing company happened to be testing network monitoring software during the bidding process and later discovered that someone had broken into the company's computer network and accessed files that contained bidding strategy information.

"There wasn't enough evidence to go to court," Malik said. "But they called Gartner to make sure it never happened again."

Exodus Communication security chief Bill Hancock, who spent years as a private cybercrime consultant, is one of a few professionals willing to share some details of his work. He said he's prosecuted over 600 cybercrime cases during his career, and about 20 percent involve corporate espionage. "I can tell you the number of cases is on the rise," Hancock said.

In one recent case, Hancock said he was brought in by a French defense contractor that knew its designs were somehow being leaked outside the company. The company had careful guards on how digital information could leave the premises, but not careful enough. Hancock's investigation uncovered a computer criminal, working as part of a team, who had taken a job inside the unnamed French company. Then, he painstakingly embedded trade secrets inside Web site images, which he then posted on the company's public Web site -- hiding information within seemingly harmless files using a technique called steganography.
An outside hacker then stole the secrets right from the company's home page. Hancock only discovered the theft by noticing slight variations in image file size.

In another case of outright computer theft, Hancock said he investigated a U.S. cordless telephone company that stole designs from a rival. An engineer at the first company hacked into the second company's computers and stole designs and drawings, then passed them off as his own work. The engineer's managers, knowing the work was well above his skill level, suspected foul play but manufactured the phone anyway, Hancock said.

"It was pretty obvious they knew about it from the inception," Hancock said. "Actually, they thought it was funny."

No laughing matter

But there's nothing funny about the loss of trade secrets to competitors. While corporate espionage is as old as the silk trade, the Internet age has made it easier, faster and much more anonymous.

"Your competitors no longer have to be across town, or even across the country; they're in other countries that have different laws and business ethics," Power said. "Culpability is much less. There is a lawless frontier in terms of theft of trade secrets."

Hackers for hire working for foreign nationals are not merely the stuff of James Bond films, Hancock said. He's been chasing a Chinese national for six to seven years who regularly hires U.S. teen-agers to hunt down documents. In one case, Hancock said a 17-year-old U.S. hacker was paid $1,000 -- and promised $10,000 more -- for stealing design documents for kitchen appliances from U.S. firms.

Talleur, who formerly was in charge of protecting NASA's secrets from a constant barrage of foreign information-based attacks, thinks the problem is much more severe than most organizations let on. "I don't think any government or corporation knows how much it's being spied on," Talleur said. "It's my belief that the country is subject to widespread dry cleaning."
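Hancock's clue in the French contractor case above was a change in image file size. As an added example (this is not code from the article or from any firm it names), the script below shows what a defender can automate from that observation: it records a baseline of the images a site serves, then flags files whose size changed, files whose contents changed while the size stayed the same (a plain size check alone would miss these), files that appeared or vanished, and files that carry bytes after the JPEG end-of-image marker or the PNG IEND chunk, which image viewers ignore and which is why appended data shows up as a size increase. The file names and image bytes are constructed for the example; the blobs are marker-correct but are not real decodable pictures.

```python
import hashlib
from typing import Dict, List, Tuple

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"  # zero-length IEND chunk incl. its CRC


def fingerprint(data: bytes) -> Tuple[int, str]:
    """Size in bytes plus SHA-256 hex digest of a file's contents."""
    return len(data), hashlib.sha256(data).hexdigest()


def trailing_bytes(data: bytes) -> int:
    """Count bytes after the format's end-of-image marker.

    Viewers stop at FF D9 (JPEG) or the IEND chunk (PNG); anything after
    is invisible on screen but still downloadable, so it is a cheap check.
    Uses the last marker occurrence because JPEGs may embed thumbnails with
    their own EOI. Returns -1 for formats this helper does not recognise.
    """
    if data.startswith(JPEG_SOI):
        end = data.rfind(JPEG_EOI)
        return len(data) - (end + len(JPEG_EOI)) if end != -1 else -1
    if data.startswith(PNG_SIG):
        end = data.rfind(PNG_IEND)
        return len(data) - (end + len(PNG_IEND)) if end != -1 else -1
    return -1


def audit(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare files currently served against a recorded baseline.

    Returns sorted (file name, reason) findings for an analyst to review.
    """
    findings: List[Tuple[str, str]] = []
    for name, data in current.items():
        size, digest = fingerprint(data)
        if name not in baseline:
            findings.append((name, "new file not in baseline"))
        else:
            b_size, b_digest = fingerprint(baseline[name])
            if size != b_size:
                findings.append((name, f"size changed {b_size} -> {size} bytes"))
            elif digest != b_digest:
                # Same length, different bytes: exactly the case a size-only
                # check would miss, so the hash is the stronger signal.
                findings.append((name, "content changed, size unchanged"))
        extra = trailing_bytes(data)
        if extra > 0:
            findings.append((name, f"{extra} bytes after end-of-image marker"))
    for name in baseline:
        if name not in current:
            findings.append((name, "file removed"))
    return sorted(findings)


# --- constructed sample data (hypothetical site, not from the article) ---

def _png(pixel_bytes: bytes) -> bytes:
    """Minimal PNG-shaped blob: signature, one IDAT-like chunk, IEND."""
    chunk = len(pixel_bytes).to_bytes(4, "big") + b"IDAT" + pixel_bytes + b"\x00\x00\x00\x00"
    return PNG_SIG + chunk + PNG_IEND


def _jpeg(payload: bytes) -> bytes:
    """Minimal JPEG-shaped blob: SOI, payload, EOI."""
    return JPEG_SOI + payload + JPEG_EOI


BASELINE = {
    "logo.jpg": _jpeg(b"\x00" * 64),
    "banner.png": _png(b"\x10" * 64),
    "team.png": _png(b"\x20" * 64),
}
CURRENT = {
    "logo.jpg": BASELINE["logo.jpg"] + b"design-notes-appended",  # grew; data after EOI
    "banner.png": _png(b"\x10" * 63 + b"\x11"),                  # same size, one byte differs
    "team.png": BASELINE["team.png"],                             # untouched
    "extra.png": _png(b"\x30" * 16),                              # never in baseline
}

if __name__ == "__main__":
    for name, reason in audit(BASELINE, CURRENT):
        print(f"{name}: {reason}")
```

In practice the baseline would be taken from the deployment artifact (what was approved for publication) and the current set fetched from the live server, so that a change introduced after approval, by an insider or by a compromise of the web host, stands out. The trailing-data check catches only the crudest hiding method; content hidden inside pixel data leaves the size unchanged and is caught here only by the hash comparison, which is why both are kept.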
Talleur believes most firms don't have sufficiently sophisticated technology in place to detect professional attacks. Power agrees, suggesting juvenile hackers who leave obvious calling cards provide an unwitting smokescreen for professionals who are after much more valuable information.

"I believe in many environments it's almost impossible to catch somebody who is good enough," said Power. "One of the great blunders in the defense of cyberspace is that the threat is juvenile hackers. They end up in the headlines because they get caught. But professionals don't get caught."

Not every act of corporate espionage is quite so dramatic or so highly skilled. Joel de la Garza of Securify.com, which offers forensics of espionage attacks, tells one story of an Internet service provider that caught a young computer hacker attacking its systems. After learning the hacker had also entered a competitor's network, the company offered him free DSL for information about the competitor.

Just how valuable is such information? It's hard to quantify, says Dick Heffernan of security firm R.J. Heffernan Associates Inc. -- and sometimes that makes it hard for potential victims to see the threat.

"It's difficult for people to see the theft of information," said Heffernan, who conducts the annual American Society for Industrial Security survey. "With other kinds of theft, something is missing. Information is the only asset that can be copied or stolen, but nothing can appear to be missing. You can still have the information ... but have lost the value of that information."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".