INDUSTRIAL ESPIONAGE — HACKERS FOR HIRE

Let’s consider the following scenario. A very large public utility with several nuclear power plants experiences a minor glitch with no real consequences. One evening, a hacker in the employ of an anti-nuclear activist group, using information provided by a disgruntled employee, gains access to the utility’s network, searches file servers until he finds one at the nuclear plant, and, after compromising it, locates copies of several of the lessons-learned memos. The Hacker delivers the memos to his employers who doctor them up a bit and deliver them with a strongly worded press release to a local reporter who has made a life-long career out of bashing the nuclear industry. Imagine the potential public relations consequences.

Or, how about this: a large corporation with only one major competitor hires an accomplished hacker. The hacker’s job is to apply at the competitor for a job in the computer center. Once hired, the Hacker routinely collects confidential information and, over the Internet, passes it to his real employer. Such a situation was alleged in 1995 when a Chinese student, working in the United States for a software company, started stealing information and source code and funneling it to his real employer, a state-owned company in China.

There are many instances of such espionage. Unfortunately, most of them don’t get reported. Why? The loss of confidence in a company that has been breached is one reason. Another is the threat of shareholder lawsuits if negligence can be proved. Estimates of the success of prosecuting computer crime vary, but the most common ones tell us that there is less than a 1% probability that a computer criminal will be reported, caught, tried, and prosecuted successfully. With those odds, it’s no wonder that the professional criminal is turning to the computer instead of the gun as a way to steal money.

Rob Kelly, writing in Information Week back in 1992 (“Do You Know Where Your Laptop Is?”), tells of a wife who worked for the direct competitor to her husband’s employer. While her husband was sleeping, she logged onto his company’s mainframe using his laptop and downloaded confidential data which she then turned over to her employer. A favorite scam in airports is to use the backups at security checkpoints to steal laptops. Two thieves work together. One goes into the security scanner just ahead of the laptop owner, who has placed his or her laptop on the belt into the X-ray machine.

This person carries metal objects that cause the scanner to alarm. He or she then engages in an argument with the security personnel operating the scanner. In the meantime, the victim’s laptop passes through the X-ray scanner. While the victim waits in line for the argument ahead to be settled, the confederate steals the laptop from the X-ray belt and disappears. You can bet that the few dollars the thieves will get for the laptop itself are only part of the reward they expect. Rumors in the underground suggest that as much as $10,000 is available as a bounty on laptops stolen from top executives of Fortune 500 companies. To paraphrase a popular political campaign slogan, “It’s the data, stupid!” Information in today’s competitive business world is more precious than gold. Today’s thieves of information are well-paid professionals with skills and tools and little in the way of ethics.

These examples show some of the ways industrial espionage has moved into the computer age. There is another way, this one more deadly, potentially, than the other two. It is called “Denial of Service” and is the province of computer vandals. These vandals may be competitors, activist’s intent on slowing or stopping progress of a targeted company, or disgruntled employees getting even for perceived wrongs. Denial of service attacks is attacks against networks or computers that prevent proper Data handling. They could be designed to flood a firewall with packets so that it cannot transfer data. It could be an attack intended to bring a mainframe process down and stop processing. Or, it could be an attack against a database with the intent of destroying it. While the data could be restored from backups, it is likely that some time will pass while the application is brought down, the data restored, and the application restarted.

“How can we prevent this type of activity?” The answer is complex. As you will see in the emerging glut of computer security books, planning by implementing policies, standards and practices, implementation of correct security architectures and countermeasures, and a good level of security awareness is the key. If your system is wide open, you’ll be hit. There is, in this day and age, no way to avoid that. What you can do is ensure that your controls are in place and robust and that you are prepared for the inevitable. That won’t stop the hacker from trying, but it may ensure that you’ll avoid most of the consequences.