Information Security News mailing list archives

BlackBerry Reveals Bank's Secrets


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Aug 2003 07:58:08 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.wired.com/news/business/0,1367,60052,00.html

[Sad thing is few if any companies will heed the lesson in this story
by forcing their employees to keep their PDAs locked, encrypted, or
afterward, clean of proprietary information once they've left the
company. One thing I do see happening out of this story is the
prices of used BlackBerrys will be going up on eBay with buyers
competing with each other hoping to score that "next" million dollar
PDA chock full of corporate and government secrets.  - WK]


By Kim Zetter
Aug. 25, 2003

The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his 
real name), a Seattle computer consultant who always wanted one of the 
pager-size devices to check his e-mail, sent in a bid. For just 
$15.50, he bought the wireless device with 4 MB of memory. 

The BlackBerry didn't come with a cable, synching station, software or 
a manual. But it did come with something even more valuable: a trove 
of corporate data. 

After popping a battery into the BlackBerry's back panel, Sacks 
discovered a few things the previous owner wouldn't have wanted him to 
see -- more than 200 internal company e-mails from financial services 
firm Morgan Stanley and a database of more than 1,000 names, job 
titles (from vice presidents to managing directors), e-mail addresses 
and phone numbers (some of them home numbers) for Morgan Stanley 
executives worldwide. 

It was all there to read, Sacks said, the minute he turned on the 
device. 

The seller, who asked to remain anonymous, was a former vice president 
of mergers and acquisitions for Morgan Stanley who'd left the company 
months earlier. 

"If I were Morgan Stanley, I'd be embarrassed," said a source who is 
an expert in the financial industry. "You should not be able to get 
that kind of information paying $16 on eBay." 

Companies mentioned in the e-mails include technology firms, shipping 
firms, telecoms and accounting agencies. 

The incident serves as a cautionary tale about the ways companies fail 
to manage sensitive data despite public assurances to the contrary. It 
also shows how employees who are entrusted with confidential 
information are often insufficiently trained about the simple yet 
sophisticated technologies they use. 

In addition to personal e-mails that reveal the VP's own Charles 
Schwab IRA account numbers, the name and phone number of his mother 
and the amounts he paid for his monthly mortgage, car and Visa bills, 
the e-mails discuss confidential information about loan terms for 
Morgan Stanley clients, debt-restructuring strategies for specific 
companies, preliminary talks for potential merger deals and even some 
creative ways of interpreting contracts. 

In the latter category, an e-mail exchange between two Morgan Stanley 
employees discusses a client who seems to want to step around the 
terms of a contract signed with a third party. A Morgan Stanley 
employee advises telling the company to stay "aboveboard" and follow 
the letter of the contract. 

"They're asking you to act in something less than good faith it seems 
to me. Not wise. Better to have everything aboveboard and 
disclosed...." advises the one employee to another in e-mail. 

The VP who sold the BlackBerry told Wired News he didn't know the 
information was on the device. He said he removed the battery months 
ago, and assumed that everything had been erased. 

But Morgan Stanley said he violated a contract he signed promising to 
destroy or return any proprietary information. 

"On the last day of employment the employee must remove and destroy 
any confidential information in their possession and return any mobile 
devices and any portable media belonging to the firm," said Diana 
Quintero, a company spokeswoman. "When people leave and they sign 
these papers, they're reminded of this policy." 

While much of the information on the BlackBerry pertains to deals that 
are now public and thus no longer sensitive, the financial expert said 
it's simply a matter of luck that none of the e-mails contained 
information that could now be traded for profit on the stock market. 
Had the VP sold the BlackBerry after leaving his job months ago, some 
of the deals would still have been pending. 

For instance, a series of e-mails discusses debt restructuring for one 
of Morgan Stanley's clients -- in all likelihood so that the client 
could raise capital to purchase a competitor. Judging from public 
information about the companies, that particular deal never went 
through, but the company did purchase a second competitor a few months 
later. 

Had anyone obtained information about the merger before it occurred, 
they could have thwarted the deal by offering a higher bid for the 
target company or could have bought stock in the target company and 
waited for the purchasing bid to spike its value. 

"It's a violation of confidentiality, and it would really piss off the 
client if anybody found out about it," said the financial expert. 
"That's not something you ever want to be public until it's a done 
deal." 

In addition to information contained in the body of the e-mails, there 
are numerous attachments that contain proprietary PowerPoint 
presentations, financial spreadsheets and case studies about finished 
deals that would interest any Morgan Stanley competitor who wanted to 
know how the firm conducts deals. 

Because the attachments are stored on a server and not on the 
BlackBerry itself, though, no one can view them now that the VP's 
e-mail account is closed. But had the VP misplaced his BlackBerry 
while still an employee, someone could easily have read the 
attachments, too. The VP told Wired News that he never locked his 
BlackBerry with a password, and the device doesn't have encryption 
capabilities to let users scramble data stored in its memory. 

Paige Steinbock, a partner in headhunting agency Korn/Ferry 
International, called the database of Morgan Stanley employee names 
and home phone numbers "a virtual gold mine of information." 

Steinbock said headhunters regularly purchase directories of alumni 
associations and professional groups to track executives to hire. But, 
she said, "having something electronic like that address book would 
obviously speed up the process in terms of having accurate, 
identifiable names and numbers of people you're trying to target." 

An address database can also aid corporate spies and hackers who want 
to piece together an organizational chart of company executives. 
Knowing the name, title and e-mail address of a managing director, a 
hacker can spoof the account and send correspondence as an executive. 
Someone posing as a managing director in the New York office, for 
instance, could contact a secretary in the Chicago office and request 
a company file be e-mailed to his home address. 

The VP who sold the BlackBerry said he had no idea data could remain 
on a device long after the battery was removed. 

"It didn't even occur to me that it would have this stuff still on 
there because it had been lying around for a long time without a 
battery in it," he said. "Had I known there was anything on it, I 
wouldn't have sold it." 

The VP acknowledged he signed papers saying he needed to return 
company property. But the BlackBerry didn't belong to the firm. Morgan 
Stanley employees generally buy their own BlackBerries through a plan 
offered by the firm. The one the VP bought was shipped directly to 
Morgan Stanley's IT department, which set up the software and service 
on the BlackBerry before giving it to him. 

"I paid (for it) on my credit card and they handed it to me in working 
order," said the VP. 

The large address book containing employee job titles and home phone 
numbers was already loaded on the device when he received it, he said. 

"Usually what happens when someone leaves, they hand in their 
BlackBerry, everything is erased, and then we give it back to them," 
said Morgan Stanley's Quintero. "Obviously that didn't happen in this 
case." 

Quintero said that while the VP may have sold the information 
accidentally, he still violated company policy. And even though the 
company knew he possessed the BlackBerry, she said the onus was on him 
to bring it forward to be cleaned. 

"We trust employees with a lot of sensitive information; that's why we 
have these procedures in place. Someone who is in mergers and 
acquisitions and is a vice president should be very aware of his 
responsibilities," she said. 

But Korn/Ferry's Steinbock said, "If they were vigorously wanting to 
protect their intellectual property, I would hardly think that's 
enough. 

"Since it's information that would harm them, not him, it's perplexing 
that they wouldn't be more aggressive about retrieving that 
information and follow up with him. The company obviously doesn't have 
controls in place to take care of its own intellectual property, and 
that's really their fault," she said. 

In fact, the VP said that when the company closed his e-mail account 
on his last day of work, he thought any data on the BlackBerry would 
be deleted remotely by the server. "I just assumed it was all taken 
care of," he said. 

Courtney Flaherty, a spokeswoman for Research in Motion, the company 
that manufactures the BlackBerry, said there are two ways to wipe data 
on a BlackBerry -- either manually using the synching software, or 
remotely through a command that gets pushed out from the server to the 
device. But that only works if a company uses the Microsoft Exchange 
server. Morgan Stanley uses Lotus Domino. 

This is not the first time an individual or organization inadvertently 
sold sensitive data with a used system. Last year a Veterans 
Administration medical center sold or donated to schools 139 used 
computers that turned out to contain credit card numbers and medical 
data for patients afflicted with AIDS and mental health conditions. 

Recently MIT researchers purchased used hard drives from
computer resellers and eBay auctions to see how many drives contained
recoverable data. Out of 129 drives they examined, only 12 had been
properly cleaned. One hard drive contained 3,722 deleted credit card
numbers that were easily recoverable. And another drive, which
appeared to come from an ATM, showed no evidence that the bank
had tried to erase it. It still contained the ATM's log of customer
account numbers and balances.

The incident with Morgan Stanley highlights the risk of disseminating 
data on handheld devices. With so many PDAs and mobile phones sold 
secondhand each year, there are likely numerous cases that have never 
become known. 

Judging from the windfall of info captured on the VP's BlackBerry, the 
financial expert interviewed for this story said he could only imagine 
the wealth of information people could gather if they placed ads for 
used BlackBerries online and waited for the devices to roll in. 

Of course, information leaks occur in non-technical ways as well, he 
noted. Employees take paperwork home all the time. But new technology, 
he said, "makes it more efficient (and) compact" to transport lots of 
data at once. As a result, a higher volume of information can be 
captured in a single device than if someone simply left a briefcase 
behind on the subway. 

From employees who willfully take data with them when they leave a job 
to those who are simply neglectful, he said banks lose confidential 
information all the time. "We don't make a big deal about it, we never 
tell anybody about it, but that's the bottom line," he said. 

Guy Diament, a senior systems engineer in New York, said it's up to 
companies to communicate with employees about secure computing and to 
train them to use passwords as well as encryption when available. "But 
they can't just encrypt files at work. If an employee syncs files to a 
laptop, a handheld or a home computer, then the files have to be 
encrypted there if possible." 

"The bottom line," he said, "is that as long as a company allows 
employees to duplicate and triplicate company files on devices that 
leave the office, it cannot ensure that its information won't ever get 
out. It can only strive to protect itself." 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*


