Computer Fraud & Security Bulletin
November 1993
©1993 Elsevier Science Publishers Ltd

COMPUTER AIDED INDUSTRIAL ESPIONAGE
Peter Sommer
This paper accompanies a presentation made at Compsec 93 on 21 October 1993 at the Queen Elizabeth II Conference Centre, London.

Many of the popular fashion trends in computing - down-sizing, facilities management, LANs, client/server designs, laptops, parallel port devices - have made the task of the industrial spy much easier. The simple spying methods are often ignored by potential victims in favour of more sophisticated, but less realistic means. End-user computing means end-user security management. But industrial espionage is not a purely technical problem with purely technical solutions, and proper risk analysis is essential. Indeed we may be reaching a ceiling in the practical capabilities of computer security products. Recent case material is reviewed in this article.

In both of the two big international cases of alleged industrial espionage to surface in the first part of 1993, the computer element has been very strong. In the airline war between British Airways and Virgin Atlantic, former BA employees have appeared on television to confess that they hacked into Virgin’s computer files to obtain details of Virgin passengers who were then allegedly offered inducements to switch to BA flights. Also, following the recruitment by Volkswagen of former senior employees of General Motors’ German subsidiary, Adam Opel, GM claimed that Volkswagen had received confidential data about its new micro-car, a new diesel engine, and details of the prices it was paying to component suppliers. By way of rebuttal, Volkswagen’s chairman alleged that GM employees had hacked into VW computer systems in order to foist data onto them which could later be ‘discovered’ with embarrassing results.

At the time this paper is being prepared, both these cases are lumbering on - there have so far been no criminal charges against British Airways or its employees and new claims and counter-claims are still emerging from both VW and GM. What makes these cases unusual is their scale and the fact that they have come to public notice. Difficulties of detection, problems of firm proof, inadequacy and uncertainty in legal remedy, and the probability that the attendant publicity of a police investigation and trial will increase the size of an already irrecoverable loss, are all powerful reasons for victims to remain silent.

A long history

There is nothing new about computer aided industrial espionage. As long ago as 1970, Encyclopedia Britannica suffered the loss of a customer mailing list of two million names and addresses via copied and stolen computer tapes. In the same year, employees of a Swedish computer service bureau copied and sold official population census data. Thereafter, instances occur regularly in the computer crime casebooks. In 1984, Waterford Glass were deprived of 25 disks containing instructions for a numerically controlled machine which produced the high quality crystal artifacts for which the company is well known. More typically in terms of scale, earlier this year a former sales manager in a computer company was found guilty of stealing confidential computer records from his former employer the day he left to start his own business. He stole a backup tape containing details of 1700 clients and used the information to try and woo them to his new company.

Not a new problem then, but the profound changes in computing since 1970 - hardware, architecture, varieties of applications, and above all types of users - have changed the nature of the problem almost beyond recognition. In this article, I want to bring the story up-to-date. One of the results, I hope, will be to put risk analysis on a more realistic footing.

The key to appreciating the extent of the problem is to understand industrial espionage as a whole and see how the computer fits in. As with so many aspects of so-called computer crime, we are talking about ordinary crimes which, for one reason or another, are greatly facilitated by the use or abuse of computers.

Reasons for conducting industrial espionage

• to gain economic, or possibly unfair, advantage over a competitor in business
• to obtain market research material at the lowest possible cost
• to exercise ‘due diligence’ in the investigation of companies, individuals or products in whom investment is about to be made
• to lower research and development costs by discovering what has already been achieved by others
• to acquire new technology that you may wish to incorporate into finished products at the lowest possible cost
• to discover developments in new technology affecting components that you produce yourself
• to avoid wasting research resources in following up lines which others have already found unprofitable
• to expand a list of potential customers/clients by seeing who buys from your competitors
• to determine your competitors’ detailed sales figures
• to discover the trade terms being offered by your competitors
• to ascertain if you are paying the lowest possible prices for your raw materials
• to calculate your competitors’ detailed costs breakdown
• to discover potential employees
• to acquire the data with which to perform ‘competitor analysis’
• to uncover marketing plans, product launches, etc. planned by rivals
• to win a competitive tender or auction
• to aid a merger or acquisition
• to fight off a hostile takeover
• to discover what others think of you
• (if a professional advisor or consultant) to help secure a contract or to enhance services being provided to a client
• as a precursor to fraud or forgery
• to counter business fraud
• as a first step in the planned sabotage of a company or product
• to locate information that will aid the destruction of an individual’s reputation
• to pursue a personal vendetta
• (if employed by a foreign power with a substantial amount of industry in public ownership) to help your country’s economy prosper more rapidly and at lower cost than would otherwise be the case
• to obtain information for the purposes of journalism
• to prevent others from spying on you - or to detect if they are trying to do so

Advantages of computer aided methods of industrial espionage

It is worth setting out the great advantages that computer aided methods offer the industrial spy. In general terms, a spy wants:

• The greatest possible quantity of relevant information from the selected target/victim
• The lowest possible risk of detection during commission
• The smallest sign, after the event, that information has been stolen
• The easiest route to convert the stolen information into analysed intelligence which can be put to practical use

Compared with more traditional industrial espionage routes - stolen documents, bugged and tapped conversations, compromised and bribed employees of the victim - computer methods score high every time.

• Data is typically stolen on computer disks; the standard 1.4 MB MSDOS disk, uncompressed, holds the equivalent of 650 single-spaced A4 pages or 225 000 words or 2.5-3 average-sized books. Standard compression techniques will easily double the disk capacity. The disk can be concealed in a pocket, carried out of a building in a case or purse. Copying time, depending on the size and location of the source files, is, perhaps, three minutes. An A4 ream (500 sheets) of copying paper weighs about 1.5 Kg, is about 5 cm thick, and even the most automated of high-speed copying machines will take 20-25 minutes; if individual pieces are selected and hand-fed, each page will take, realistically, almost 30 seconds.
• There is often no evidence that data from a computer has been copied. This is particularly true of the personal computer, but it is also true of any computer with inadequate activity logging.
• The stolen information can be quickly analysed on the thief’s own computer - simple utilities can search a disk for all references to a name, product or process - you do not need to read all the material that has been stolen (or waste time dangerously while still on the victim’s premises deciding what is really important); a victim’s mailing list of customers can be almost instantly incorporated into a database package owned by the thief and converted into a mail-out of competing information to the victim’s customers; a financial spreadsheet showing a victim’s future plans can be directly harnessed into an attack strategy by a takeover merchant or City analyst; a victim’s designs can be fed into the computer aided design equipment owned by the thief, slightly modified, and offered for sale without any of the costs of original research and development, and so on.

In April 1993 Josef Szrajber and Paolo Sorelli were convicted of bribing senior management at British Petroleum to reveal confidential details about projects the company were planning in North Sea oil fields. The men then approached large engineering companies in Europe and Japan and offered to sell them the information to ensure that their bid for a particular project was accepted. Some of the contracts were worth £2 million, and Szrajber and Sorelli took a typical commission of 2 or 3%. Subsequently an allied set of charges were made against an executive of C.Itoh, the Japanese engineering company and the prosecution commenced at Southwark Crown Court on 14 May 1993. In a similar case in Norway in October 1992, the German steel company Mannesmann Handel said it had paid $800 000 to a senior Statoil engineer in return for illicit information.

Directors at National Car Parks (NCP) recruited the services of a security company to obtain information on a rival called Europarks which had appeared to be very successful in winning contracts. The security company placed their own people on the staff of Europarks, including one who became a confidential secretary. The facts are not disputed, but the NCP director and staff member of the security company who were charged were found not guilty of conspiracy to defraud in March 1993.

Part of the long-running dispute between British Airways and Virgin Atlantic has involved alleged computer hacking by BA staff into a seat reservation system used by Virgin. BA also allegedly paid for a corporate investigation company, Kroll Associates, to carry out a detailed investigation of one of its other rivals, Air Europe. A private investigator who stole rubbish from a Sunday Times journalist covering the story was caught and convicted in December 1992.

BTR, the industrial conglomerate, used corporate investigators to check the security of its own information systems before bidding successfully in 1991 for Hawker Siddeley, the engineering group. The company was surprised to see the quality of information abandoned lightly by staff in dustbins.

The Rover Car Group asked John Stalker, the former deputy chief constable of Greater Manchester, to lead an enquiry after details of the new 200, 400 and Landrover Discovery models were leaked to car magazines and also possibly to rivals. Approximately 50 people were interviewed, and though security measures were tightened as a result, there were no redundancies.

The Comet/Woolworths ‘biscuit tin’ case was the first successful British prosecution for industrial espionage activities under the Interception of Communications Act, 1985. It involved telephone tapping during a bitter takeover battle with Dixons during 1986. Shortly before those events, officials at the Davenport Brewery in Birmingham, then facing a £38 million takeover bid by the Wolverhampton and Dudley Brewery, had found a well-used bug; the perpetrators and their employers were never caught. Davenport was later sold to another brewery group, Greenall Whitley, and they in turn eventually closed it down. Allegations of bugging arose during the long-running Argyll/Distillers/Guinness affair. When the Independent newspaper was planning the launch of its Sunday edition a bug was discovered in the office wiring, and during a £441 million hostile takeover bid for Laing Properties by P&O and Chelsfield in 1990 a bug was found at Laing’s headquarters in Watford.

A security guard who worked at Vickers shipbuilding yard in Barrow and a cab-driver attempted to sell an anti-radar tile, made of rubber and intended for Trident submarines, to the Russians. The Russians were apparently not interested and calls were intercepted by the Security Service. The two were arrested and eventually sentenced to prison in July 1991.

Sun Life, one of Britain’s biggest life companies, admitted in October 1992 that it had undertaken a clandestine intelligence gathering operation against a more successful rival, Equitable Life. The plan was to drop an agent, in fact a Sun Life broker and sales manager, behind enemy lines by encouraging him to apply for a job with the Equitable so that he could find out details of the training, marketing and administrative methods.

Long-term trends

We will now look at some of the long-term trends in computing and see how the needs of the industrial spy are being facilitated.

The personal computer

The ubiquity and vulnerability of the PC has become something of a cliche of computer security conferences. However, cliches are usually truths which over-familiarity makes us ignore. Look at what has been happening lately: the population of reasonably literate and aware users continues to grow rapidly - they all know how to search disks, copy files and use simple archiving tools. The capacity, both in terms of processing power and data storage - ‘bang per buck’ - is expanding at a phenomenal rate - a standalone machine with a 50 MHz plus processor, 8 MB of RAM and 1 Gigabyte of disk drive costs (in September 1993) just over £2000. Directors of finance, marketing, research and development, and so on often do not need any computing power beyond this. It is on the PC that a company’s most sensitive secrets are often held.

Moreover, a tiny number of key software products dominate each market segment - word-processing, spreadsheet, relational database, computer aided design. This means a spy has to acquire knowledge of only a small number of file formats. And in most cases file conversion utilities will make ‘reading’ a file extremely easy. Contrast that with the old mainframe environments where knowledge about operating systems was exclusive to a trained ‘priesthood’ and each applications program had its own unique way of storing data.

As we know, the vast majority of PCs contain no intrinsic security features. There are many bolt-on devices available, but all need to be installed properly and used regularly before they become effective. What so often happens to owners of PCs known to hold sensitive data is this: the support people in their company give them the most expensive and complex PC security products on the market; the PC owner, whose competence is limited to the manipulation of the one essential applications package that he/she uses day-in day-out, finds the security package too complicated and inconvenient to use; the PC is as vulnerable as if no attempt had been made to secure it. Today, without a doubt, the PCs owned by a company’s key executives are the premier targets of the computer-literate industrial spy.

The laptop

Everything that has been said of the desktop PC is even truer of the laptop. In specification of storage capacity and processing power, the laptop lags only very slightly behind its desk-based sibling. The main difference is that it is even easier to steal the whole machine and access the data later. Since laptops are carried around there are many more opportunities to steal. A desk-based machine should benefit from the general physical security precautions that exist in most offices: laptops can be stolen from cars, public transport, hotel rooms, even private homes. Hardware-based products, to prevent a hard disk’s data being read, are even more difficult to install on a laptop because many such devices need to be installed in an ISA slot - which most laptops lack.

Parallel port storage devices

The laptop has spawned the need for a range of devices which, though intended to provide data backup, are wonderful tools for the industrial spy. Traditional data storage devices - tapes, floptical, magneto-opticals - collect their data via a card installed in a motherboard slot. To overcome the lack of such slots in laptops, use is made of the parallel port, originally intended for printers. There are now a wide variety of such devices available with common capacities around the 250 MB size, but with some containing high-speed hard disks capable of holding over 1 GB. Prices vary from under £300 to over £2000, but at the higher end you end up with devices the size of a paperback book that can decant the entire contents of a medium-sized local area network (which can mean every bit of computer-held data a company owns) at very high speed. Used carefully, these devices leave no trace to show that they have been hooked up to a system.

The growth of the LAN

In many companies the justification for the installation of a PC-based local area network seems trivial - the sharing of expensive resources like laser printers or CD-ROMs, E-mail and common diaries between office terminals, easy centralized backup. If the mainframe/mini environment is slowly becoming more flexible and end-user orientated, the LAN environment was like that from the beginning. In many smaller offices there is no specialist LAN manager, certainly not someone whose main role is to worry about LAN security. Often, some crude security system is set up by the original installer - and then left untouched. But in a poorly set-up system, access to all the users is possible from just one terminal - and that can include a server, if that is part of the particular architecture. Even in better set-up systems, commonly available diagnostic tools to check traffic flows can capture data flowing along the connecting cable.

The growth of computer communications

I came into the computer security industry after writing an unexpectedly successful book on hacking. Most writing and reporting of computer intrusion continues to be misleading: writers tend to concentrate on the more complex methods and protracted events. There continue to be only a handful of cases each year which truly conform to the ‘demon hacker’ image; overwhelmingly most cases rely on a handful of extremely simple and well-known methods; the failure rate of most attempts is quite high - but in the nine years since I first wrote about the subject, there are many more opportunities for success. Fully 5% of all PCs in existence have a modem associated with them; most medium-sized companies have facilities for their computers to be remotely accessed; the growth of the large electronic messaging services continues in leaps and bounds. Nearly all of this data transmission takes place unencrypted and it is difficult to persuade people just how little skill is required to eavesdrop.

The increased use of wireless communications

Over the last year we have seen a number of very serious initiatives to persuade the business market that computer communications can abandon the fixed landline and take to the airwaves. In addition to various data-over-cellular systems, there are countrywide services offering a radio-based version of packet technology.

Various claims are being made for the security of these services, but, alas, many of them are misleading: the vendors seem to assume that the eavesdroppers will seek to use radio scanners and personal computers. In fact, the most likely and simplest route is to compromise and lightly adapt the authentic transceiving equipment. It is within such equipment that most of the protocol manipulation (and encryption if employed) is handled. The ‘hack’ then consists of putting the equipment into monitor-only mode, or of passing high level control lines to an external PC. This is how regular cellular radio has been cracked - with this kit you can follow any conversation as it moves from channel to channel and can set up a watch for designated phone numbers.

Industrial espionage and UK law: a brief guide

Criminal

English Law offers no direct protection against industrial espionage. You cannot steal information, as opposed to the medium upon which it is held - paper, disk, tape, etc. - because information is not regarded as ‘property’ for the purpose of the Theft Acts, 1968 and 1978. All the legal protections are indirect. The following relate to various means by which industrial espionage may be effected:

• if you tap a telephone line, you are breaking the Interception of Communications Act, 1985 and the Telecommunications Act, 1984
• if you use a bug, or listen to a radio transmission you are not licensed to receive, you are breaking the Wireless Telegraphy Act, 1949
• if you make unauthorized entry into a computer, you are in breach of section 1 of the Computer Misuse Act, 1990; if your unauthorized entry is for the purpose of committing a further serious offence, you are in breach of section 2, with the possibility of a five-year prison sentence as opposed to six months

But in all these instances, the law is not concerned with any information you may have thereby acquired. In addition, all these offences present considerable difficulties of evidence collection and standards of proof.

The authorities can attempt to use the common law offence of Conspiracy to Defraud, which addresses the consequences of industrial espionage: you need to show two or more people forming a common purpose and to demonstrate that the victim has incurred losses as a result. Conspiracy charges were unsuccessful in the National Car Parks case, but successful in the British Petroleum case. In some instances, the stealing of the contents of a rubbish-bin - garbology - is regarded as simple theft.

Other countries

The USA has no federal offence to protect industrial secrets, but various individual States, particularly New York, California and Texas, do, though the precise mechanism varies considerably. There are federal laws to protect computers of federal interest. In Germany there are extensive Laws of Economic Crime which include industrial espionage.

The technical problems of an industrial espionage crime

How, and by whom, is a trade secret to be defined? Is it enough for the originator to use a form of document marking - e.g. ‘Secret’ or ‘Confidential’ - or should there be an objective test? If there is such a test, what would it actually say? How easy - and costly - would it be for a court to apply the test? Should there be a ‘public interest’ defence - so that irresponsible manufacturers of dangerous products cannot use the law as a gagging device? And how, in practical detail, would the defence work? If, in English Law, we decide to designate information as ‘property’ (so that it can be capable of being stolen) - how many separate items of common law and legislation would need to be modified in order to achieve a consistent result?

Civil remedies

Employees and ex-employees can be sued under their contracts of employment; injunctions are also available. Non-employees can be sued for breach of confidence; typically if an employee acquires information during the course of employment and passes it to a third party, the breach of confidence is regarded as ‘travelling’ with the information so that the third party can be sued even though there is no contractual relationship with the original owner; in this situation an injunction is usually of greater immediate use than eventual cash damages. Extensive reform was suggested in a Law Commission Report in 1981.

Changes in computer architecture

At the big end of computing there have been lots of changes as well. In the traditional mainframe/large mini environment as it existed until a few years ago, what the end-user got was what the DP department in its wisdom thought they needed. If a different type of report was required, it could certainly be provided - eventually. Today the standard model, often called client/server, is very different - there may be still a central database, but the end-users are demanding much more flexibility and control over how they access it. Dumb terminals are no longer used to present information from a mainframe; PCs send requests for data to the host and then manipulate it and display the results locally; the industrial spy does not need to know much about mainframe operating systems if the data he/she wants is already on the hard disk of a PC.

Many benefits flow from this change - but it has made the management of security facilities much more difficult. Where previously a security manager merely had to enforce controls over a relatively fixed and inflexible system, today all is fluidity and flexibility. This is not a problem that can be solved by purely technical means. The result is that the industrial spy has much greater opportunities for extracting information from a system that its owners would prefer remained confidential.

Facilities management

Open any issue of any of the computer press targeted at the larger business, and you will find articles extolling the virtues of facilities management (FM), sometimes called outsourcing. Not only large companies, but major government ministries are rushing to shed themselves of the messiness of owning and running a large computer system. Hardly ever do these articles identify the security risks. If you use FM you lose control of the security agenda and devolve it, along with everything else, to your sub-contractor. Your relationship is by contract and levels of compensation in the event of loss of confidentiality are often very unclear. There is nothing theoretical about this concern: Virgin Airways had an FM agreement with British Airways for its seat reservation system - it was this that was allegedly abused.

The message to take away from this is that with a few exceptions, the computer-literate industrial spy requires surprisingly little skill and specialist equipment. Whilst it is possible to use various esoteric and expensive devices remotely to capture the contents of a VDU screen or traffic passing along a cable, in practice and in most cases, devastating results can be obtained with off-the-shelf kit for which there is an existing ‘legitimate’ use.

Industrial espionage: risk analysis

Who are the potential customers for your secrets? e.g.
• business rivals
• suppliers
• customers
• the City
• journalists

What specific information are they likely to be searching for? e.g.
• R&D
• Board minutes
• financial data
• customer lists
• supplier data
• marketing plans
• personnel data
• any material which aids the deduction of any of the above

In what forms is that information held? e.g.
• paper
• computer data
• (waste)
• (packaging)
• information in people’s heads

Remedies

There are some important conclusions that must be drawn from all of this.

The first is that, increasingly, companies can no longer seek to place computer security in a separate ‘technical’ ghetto. Computer security has to join the main, mostly physical, security agenda. Now that it is standalone PCs, LAN terminals and laptops that are the prime targets, controls on physical access become vital. A lot of this is obvious: visitor control procedures, office designs which make it difficult for intruders to stay long, chits if equipment or disks are to be moved from a building, locks and/or physical access control to ‘sensitive’ areas, and so on. Managers of physical security need to understand some of the problems of the security of computer-held data - and computer managers must find ways of helping them to do so. So far, this has been successful in only a handful of companies.

Secondly, risk analysis must become more focused and intelligent. Too much is based on scare stories rather than sober estimate. The subject of the risk analysis in this case should be ‘industrial espionage’ (which is the substantive business risk) rather than ‘computer security’ which has a largely technical agenda. Thus the analysis has to encompass an identification of who would be interested in a company’s secrets, what precisely they might wish to find out that they do not already know, and what forms that information is held in. Those forms will include paper, computer data and the information in employees’ heads. See the box (Industrial espionage: risk analysis) for a fuller account.

Thirdly, it must be realized that end-user computing means end-user management of computer security. A company can provide centralized advice for its employees, but this can only be in the form of a Help Desk. Many computer security products are far too complex. It seems to me that many of them, particularly those for PCs and small PC-based LANs, grossly over-estimate the skills of those who will use them day after day. As with so much of the output of the PC industry, products compete too much on ‘features’. These look good in advertisements and in comparative reviews: however, whilst the person who buys a word-processor because they are told it has the ‘best’ macro language merely runs the risk of being unable to learn rapidly how to print out a basic chunk of text, over-complex security products can give a false sense that they are working. It is not the elaborate certification that gives them their value - but that they are used properly. The best computer security precautions are those which the users can understand; this may mean telling them to keep essential data on floppies and then concentrating on the physical security of those floppies. This is not sophisticated, but it is easy to understand.

Lastly, the human factors in computer security rise ever higher on the agenda. It has always been the case that at the still centre of any computer security system has been a human in whom trust must be placed. As I have tried to show, purely technical measures are becoming increasingly difficult to implement. This means an increasing reliance on the traditional human resources management processes of pre-employment vetting and in-service assessment. It means better and fuller training. But companies also need to earn employee loyalty and commitment. One of the things computerization has made possible for company managers is the ability to take on employees on a casual basis - “We’ll employ you only when we need you”. Often this goes hand-in-hand with macho management styles. It is an interesting paradox that the end result of all of this for computer-dependent companies, is that their employees have ever more powerful weapons of revenge.