CORPORATE SPYING SURGES IN TOUGH TIMES


Date: Wednesday September 9, 2009 10:34:58 am

  • Anonymous
    Inactive
    http://www.usatoday.com/tech/news/computersecurity/2009-07-28-corporate-espionage-recession-tech_N.htm
    CORPORATE SPYING SURGES IN TOUGH TIMES
    Marla Suttenberg had a sinking feeling that a corporate spy was shadowing her.
    In March 2008, the owner of Woodcliff Lake, N.J.-based Sapphire Marketing
    was preparing to give a longtime client a generous price cut on
    $134,000 worth of audio/videoconferencing equipment. But before her
    sales rep could extend the offer, her chief rival, David Goldenberg,
    then regional vice president of sales for AMX, a Dallas-based
    conferencing systems maker, sent the client an e-mail disparaging
    Sapphire and offering a steeper AMX discount. “I felt sick to my
    stomach,” Suttenberg recalls. To pull that off, someone had to have
    infiltrated Sapphire’s internal e-mail, she thought at the time. She was
    right. A few days later, Goldenberg, 48, of Oceanside, N.Y., was
    arrested. He subsequently pleaded guilty to felony wiretapping for
    tampering with Sapphire’s e-mail. He was sentenced last month to three
    months probation and ordered to undergo counseling. “There was nothing
    sophisticated about me getting into their e-mail,” he said in an
    interview. “Honestly, I had no idea that it was illegal.”

    Corporate espionage using very simple tactics — much of it carried out by trusted
    insiders, familiar business acquaintances, even janitors — is surging.
    That’s because businesses large and small are collecting and storing
    more data than ever before. What’s more, companies are blithely
    allowing broad access to this data via nifty Internet services and cool
    digital devices. “Having more sensitive information being seen by more
    people and accessed on more devices drives up risk significantly,” says
    Kurt Johnson, vice president at Courion, a supplier of identity
    management systems. The slumping economy doesn’t help. “Mass layoffs
    have increased internal threat levels dramatically,” says Grant Evans,
    CEO of ActivIdentity, which makes smart cards and security
    tokens. Employees worried about job security face rising temptations to
    seek out and hoard proprietary data that could help boost their job
    performance, or at least make them more marketable should they get laid
    off, says Adam Bosnian, vice president at Cyber-Ark Software, another
    identity management systems supplier.

    Of the 400 information
    technology pros who participated in a recent Cyber-Ark survey, 74% said
    they knew how to circumvent security to access sensitive data, and 35%
    admitted doing so without permission. Among the most commonly targeted
    items: customer databases, e-mail controls and CEO
    passwords. Cellphones, digital cameras and USB dongles come with vast
    memory — enough to store data that a few years ago might have required
    a stack of CDs, says Nick Newman, computer crimes specialist at the
    non-profit National White Collar Crime Center. Web services, such as
    Hotmail, Yahoo Mail and Gmail, and popular social networks, such as
    Facebook and Twitter, make terrific free tools for transferring and
    storing pilfered data anonymously. “If you create an environment where
    your employees can walk freely out the door with unencrypted,
    proprietary data, it’s only a matter of time before someone actually
    does it,” says Sam Masiello, vice president at messaging and browser
    security firm MX Logic.

    Lax passwords a danger

    The exposure redoubles at companies that are lax about passwords. Last
    week, a hacker pilfered sensitive Twitter business documents and
    released them publicly. Twitter co-founder Biz Stone said in a
    statement that the hacker got in by figuring out the log-on of a
    Twitter employee who used the same non-unique password for several
    online accounts. “The unauthorized extraction of information is epidemic
    and essentially unstoppable,” says Phil Lieberman, CEO of Lieberman
    Software, which makes password security systems.

    Goldenberg’s caper illustrates just how easy it can be. In an interview, he said it
    all began in September 2007 when one of the sales reps who reported to
    him at AMX jumped ship to rival Sapphire, the sales arm of Crestron
    Electronics, a Rockleigh, N.J.-based maker of conferencing systems.
    Goldenberg says he inspected the company laptop turned in by the
    departing rep and found an e-mail from Sapphire welcoming the new
    recruit. The message, he says, included the Web address to Sapphire’s
    e-mail server and the recruit’s new e-mail address and password.
    Goldenberg says he logged on as the recruit and quickly figured out the
    log-ons of three other employees. Like the recruit, they used their
    first name as part of their e-mail address — and as their password. “He
    didn’t go searching for this,” says Dean Schneider, Goldenberg’s
    attorney. “It basically hit him in the face.”

    For each e-mail
    account, Goldenberg activated a feature to forward copies of all
    incoming messages to a fresh Gmail account he created. He then spent
    long hours and days on end poring over Sapphire e-mail, says Bergen
    County prosecutor Brian Lynch. “It was voyeuristic,” says Lynch.
    “That’s why we recommended counseling.” Court records show Goldenberg
    may have initially gained access to Sapphire’s e-mail months earlier
    than he claims. “Admittedly some of our people’s passwords probably were
    not as strong as they should have been,” Suttenberg says. “But just
    because you have a cheap lock doesn’t mean it’s legal to pick the
    lock.” The customer whom Goldenberg tried to steal contacted Sapphire to
    inquire how Goldenberg knew specifics about Sapphire’s discount before
    he did. Suttenberg talked the customer into sticking with Sapphire. “He
    was too blatant,” she says of Goldenberg.

    A new system

    Suttenberg has since scrapped the bare-bones e-mail service supplied by her local
    Internet service provider, which cost her a few hundred dollars a
    month. She now pays thousands of dollars a month for an in-house
    Microsoft Exchange e-mail server brimming with security features. She
    also instructed her 10 employees to change their e-mail account
    passwords frequently and to avoid passwords “that your co-workers and
    contacts can figure out.”

    While Suttenberg has buttoned up
    Sapphire, millions of small-business owners — and plenty of big
    corporations — continue to make it easy for larcenous insiders. With
    the exception of highly regulated banking and health care companies,
    most businesses are just beginning to discuss how to repel insider
    intrusions, security experts say. The basics include taking stock of how
    sensitive information is conveyed, collected and stored — and strictly
    controlling who has access to it. “We’re seeing 70% to 80% of breaches
    originating from the inside,” says Vladimir Chernavsky, president of
    DeviceLock, which makes systems that restrict data transfers.
    “Companies need to enforce security policies and make sure employees
    know there are severe consequences to a breach.”

    Spy toys

    And then there are the janitors and groundskeepers to worry about, says
    J.D. LeaSure, a Virginia Beach counter-surveillance specialist. LeaSure
    makes his living conducting “sweeps” that ferret out miniature
    listening bugs and video cameras hidden in executive suites, conference
    rooms and other settings. Insider intruders, he says, have come to see
    value in making audio and video recordings of certain closed-door
    discussions. They need only do a Web search on the phrase “spy bug,”
    and a trove of eavesdropping and peeping-Tom gadgetry that would
    impress James Bond turns up. LeaSure calls them “spy-shop toys.” One of
    the latest: an ordinary-looking USB cable. You plug one end into a
    printer or other peripheral device and the other end into the
    computer’s USB port. Nothing looks amiss, and the cable operates
    normally. But it also houses a sensitive microphone and antenna that
    continually transmits a UHF audio signal to a receiver that can be up
    to 160 feet away. “You can hear every whisper within the confines of
    the room,” says LeaSure. There are dime-size “contact bugs,”
    which anyone could stick to the outside of a conference room window and
    matchbox-size “SIM bugs,” or listen-only cellphones that don’t ring or
    light up, that can be activated by a phone call an hour, a week or a
    month later.

    Another readily available gadget looks like a
    luminescent jawbreaker. It is really a motion-activated video camera
    and digital video recorder capable of capturing 33 hours of activity.
    All one needs to do is perch it where it won’t be noticed on a Monday
    and retrieve it on a Friday. LeaSure recently did a security sweep of
    the CEO’s office at a publicly traded corporation in the Southeast,
    which he declined to name because of client confidentiality. There, he
    found an innocuous-looking ballpoint pen in a cup with a handful of
    other pens and pencils. The pen wrote beautifully. It also contained a
    voice-activated audio recorder with 2 gigabytes of memory. LeaSure
    set up a hidden surveillance camera and caught the janitor swapping out
    a fresh pen recorder every third day. The janitor was fired, with no
    other repercussions, after disclosing the identity of the insider who
    put her up to it. That person stopped spying after being threatened with
    legal action, says LeaSure, but nothing else was done. “The principal
    did not want the stockholders or press getting a hold of the fact that
    company secrets were leaked because of what that would do to the
    company’s stock price,” he says.
