Information Security News mailing list archives

You're Only as Good as Your Password


From: InfoSec News <isn () c4i org>
Date: Mon, 26 Aug 2002 01:24:23 -0500 (CDT)

http://www.businessweek.com/smallbiz/content/aug2002/sb20020823_5482.htm

By Jim Kerstetter
AUGUST 23, 2002 

Warren Leggett had just spent the long July 4 weekend golfing with his
brother-in-law near Portland, Ore. Early the following Monday morning,
his relaxing holiday ended abruptly. The chief information officer of
Niku Corp. (NIKU), a small Silicon Valley software company, found
himself plunged into a shocking case of alleged corporate espionage --
one that raises troubling questions about the security of company
information in the Internet Age.

It all started when Leggett's brother-in-law, Jay Berlin, a mid-level
tech manager at Nike Corp. (NKE), agreed to view a demonstration on
July 8 of Niku's software, which helps companies collaborate on big
projects over the Web. The morning of the meeting at Nike's suburban
Beaverton offices, Berlin checked his voicemail -- which included a
message from a salesperson at Niku archrival Business Engine Software
Corp. That's odd, he told Leggett. He didn't even know the firm, and
he wouldn't be the one to buy such software anyway. How did they know
to call him?

OPEN, SESAME.  Struck by the coincidence, Leggett says, he dug into
Niku's Web access logs the next morning and discovered that someone
using Internet addresses owned by Business Engine had used Niku
passwords to sneak into Niku's network more than 6,000 times,
downloading some 1,000 documents -- including one that Leggett wrote
about the planned demo for Berlin. The allegations are outlined in a
lawsuit filed on Aug. 12 in U.S. District Court in San Francisco. "We
never, ever assumed something like this could be going on," says Niku
Chief Executive Farzad Dibachi. In a written statement, Business
Engine said it's cooperating with an FBI investigation and does not
yet know all the facts around the case.

The alleged high-tech pillaging highlights a vexing problem in today's
networked corporations: gaping holes in computer security. Passwords,
which can be easily guessed or tricked out of employees, are becoming
the Achilles heel of computer security. On Aug. 14, for example, an
associate dean at Princeton University was removed from his post after
admitting he used easily guessed passwords to access a student
admissions site set up by Yale University.

Indeed, an April survey of 500 corporations by the Computer Security
Institute found that 80% of them had been broken into, resulting in
combined losses of $455 million. And there are no easy solutions. "For
all intents, when they are using that password, they are inside that
network," says Dorothy Denning, a computer science professor at
Georgetown University.

WEALTH OF BAD NEWS.  Now the feds are involved. On Aug. 8, at least 2
dozen FBI agents raided Business Engine's offices. FBI officials won't
comment. Five days later, a federal judge issued a temporary
restraining order against Business Engine and ordered it to ask its
business partners and customers to return any proprietary Niku
information it may have given them. In an Aug. 20 statement, Business
Engine said it asked Niku to work with an "independent third-party
mediator" to help resolve the case. Niku execs said that, as of press
time, they had not received that request.

The Niku lawsuit doesn't specify damages. Company officials claim that
using that stolen information, Business Engine was able to become a
last-second competitor on several major deals, including a project at
Lloyds of London, according to court documents.

The loss of big deals couldn't have come at a worse time for Niku,
which is struggling with the tech downturn. The still-unprofitable
Redwood City (Calif.) company has reduced its staff from 1,100 a year
ago to 300 today. In the quarter ended in July, its sales fell 38%, to
$10.5 million, from the year before.

The stolen Niku files, the company contends in the lawsuit, were the
crown jewels of the software company, including upcoming features,
lists of potential customers, pricing, and customizations for clients.  
The downloaded items also included one file mentioning that Leggett
planned to show Niku's software to a project manager from Nike.

FORENSIC SLEUTHING.  The file, the only place an invader could have
learned of the Nike meeting, didn't mention they were related. That
was strange enough, but Leggett says he kept digging and found more.  
He was stunned to find that someone outside the company used 15
internal passwords over and over again. The invasions had occurred
since last October. "It was sheer coincidence," says Dibachi.  
"Otherwise, who knows how long this would have gone on?"
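The detection work described above (Leggett combing Niku's Web access logs for internal passwords used from addresses the company did not own, and then finding the same 15 accounts reused over and over) is the kind of review a script can do in seconds. The following is an added example, not code from the article or from Niku; it parses constructed Apache-style access-log lines, treats every source address outside a hypothetical list of company networks as external, and summarizes which internal accounts were used from outside and which external /24 networks they cluster in. The hostnames, account names, paths and addresses are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical company-owned networks; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# Constructed sample lines in Apache combined-log format for an imaginary
# document portal. The third field is the authenticated account ("-" if none).
SAMPLE_LOG = """\
10.1.4.22 - jdoe [09/Jul/2002:08:12:01 -0700] "GET /docs/roadmap.doc HTTP/1.1" 200 45120
10.1.7.8 - msmith [09/Jul/2002:08:15:44 -0700] "GET /docs/pricing.xls HTTP/1.1" 200 20311
192.0.2.45 - jdoe [09/Jul/2002:02:01:10 -0700] "GET /docs/roadmap.doc HTTP/1.1" 200 45120
192.0.2.45 - jdoe [09/Jul/2002:02:01:15 -0700] "GET /docs/demo-plan.doc HTTP/1.1" 200 8800
192.0.2.46 - msmith [09/Jul/2002:02:05:00 -0700] "GET /docs/pricing.xls HTTP/1.1" 200 20311
192.0.2.46 - rlee [09/Jul/2002:02:06:30 -0700] "GET /docs/customers.xls HTTP/1.1" 200 71000
198.51.100.9 - rlee [10/Jul/2002:03:00:00 -0700] "GET /docs/customers.xls HTTP/1.1" 401 0
10.1.4.22 - - [09/Jul/2002:08:20:00 -0700] "GET /index.html HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ip"] = ipaddress.ip_address(entry["ip"])
    entry["status"] = int(entry["status"])
    return entry


def is_internal(ip, internal_nets=INTERNAL_NETS):
    return any(ip in net for net in internal_nets)


def source_network(ip):
    """Group external sources by /24 (IPv4) or /64 (IPv6) so one owner's range stands out."""
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def analyze(log_text, internal_nets=INTERNAL_NETS):
    """Summarize successful authenticated requests that came from external addresses."""
    accounts = defaultdict(lambda: {"external_ips": set(), "requests": 0, "documents": set()})
    networks = defaultdict(lambda: {"accounts": set(), "requests": 0})
    failed_external = 0  # rejected attempts from outside, reported separately
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["user"] == "-" or is_internal(e["ip"], internal_nets):
            continue
        if e["status"] != 200:
            failed_external += 1
            continue
        acct = accounts[e["user"]]
        acct["external_ips"].add(str(e["ip"]))
        acct["requests"] += 1
        acct["documents"].add(e["path"])
        net = networks[source_network(e["ip"])]
        net["accounts"].add(e["user"])
        net["requests"] += 1
    return {"accounts": dict(accounts), "networks": dict(networks),
            "failed_external": failed_external}


def report(result):
    """Human-readable lines: external networks first, then the accounts they used."""
    lines = []
    for net, info in sorted(result["networks"].items()):
        lines.append(f"{net}: {info['requests']} authenticated requests "
                     f"using {len(info['accounts'])} internal account(s)")
    for user, info in sorted(result["accounts"].items()):
        lines.append(f"account {user}: {info['requests']} request(s) from "
                     f"{len(info['external_ips'])} external address(es), "
                     f"{len(info['documents'])} distinct document(s)")
    lines.append(f"failed external attempts: {result['failed_external']}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a real server's logs, the two numbers worth alerting on are the same ones Leggett reacted to: a single external network touching many distinct internal accounts, and an account whose successful requests from outside run into the hundreds. Where employees legitimately work remotely, put the VPN pool in the internal list so that only unexplained sources are counted.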

Even now, officials aren't quite sure how the passwords fell into the
wrong hands. It could be weeks or months before Niku and the FBI
figure that out. But for the rest of industry, Niku's experience is a
warning call: The nearly $3.6 billion being spent worldwide on
computer security clearly isn't enough.




ISN is currently hosted by Attrition.org