|
 |
Due to length of topic,
print
out for easier reading. Click
on PRINT in browser toolbar. |
Anatomy of an
Industrial
Espionage Attack
By Ira S. Winkler © 1
President, Information Security Advisors Group
The CEO sat quietly as I showed him the complete manufacturing instructions for his
top product in development. He remained expressionless when I placed his company's master
development schedule on his desk. He sat back in his chair as I pulled out several
documents describing his bargaining position in a multimillion dollar lawsuit. The CEO
finally spoke. "I guess we should be happy you're not working for a competitor,"
he said.
I had stolen all this and more posing as a
temporary worker. A company with third-rate security? Hardly. The organization maintains
an excellent perimeter security program, including strong access controls and
physical-security mechanisms. The security manager suspected, however, that it may be
vulnerable to a well-coordinated attack via insiders. He called upon me to test just how
much a dedicated information thief could get.
I was there for three days. I got everything
they had.
The Assignment
At a recent conference I met Henry, the
security manager of Zed Technologies, a large high-tech firm with annual sales in excess
of $5 billion. Henry knew of my previous penetration testing and asked if we could meet
later to discuss the possibility of testing his own company's security. (Note: Company and
individual names have been changed. In addition, some identifying details about the
company and its systems have been changed.)
Henry was extremely concerned about the open
environment at Zed -- an openness typical of research and development firms. Like many
large companies, Zed Technologies employs a large number of contract and temporary
employees on-site. These people have access to various amounts of information and are not
thoroughly screened. Henry worried about the potential damage that they could cause. To
find out, he asked me to perform a penetration test in which I would be placed inside the
company as a temporary employee but would in fact steal as much information as I could.
I was given permission to do whatever was
required without harming the company or individuals. A member of the company's
information-security staff would remain within a reasonable range whenever I was
performing any illicit tasks, to provide incident containment in case of a compromise of
the effort. Funding also allowed for the use of off-site accomplices.
To simulate real-world circumstances, I
wanted to perform a full-scale industrial espionage attack against the company, using both
technical and non-technical methods. Specifically, I chose five categories of attack:
open-source research, misrepresentation, abuse of access, insider hacking and internal
coordination of external accomplices.
Getting to Know You
Prior to my contact with Henry, I knew
nothing of Zed Technologies. I had to first become familiar with the company in order to
steal any useful information.
Internet library resources provided an
incredible amount of information. From news databases, I identified the company's top
development effort, worth billions of dollars in company effort and potential sales. I
also learned the name of the lead researcher working on the project, and I ran across
several stories about the company's current products as well as the people involved in
their development.
Other open-source information identified the
names of company executives, the company's financial status and a wide range of general
information about the company and its corporate philosophy. Searches of Internet
newsgroups for the company name identified dozens of company employees. Employee postings
to computer-related newsgroups told me about the company's hardware and software
environment. Postings to non-technical newsgroups helped me learn the personal interests
of the employees posting the messages. Other Internet resources revealed additional
employees and their interests.
I executed a host command against Zed
Technologies' domain name to get a list of all its computer systems, along with
operating-system information. This action identified the company's TCP/IP addresses, the
types of systems used throughout the company and a rough count of the number of computers
in use.
A company newsletter that I requested and
received helped as well. In it, the CEO defined the company's top six development efforts
and mentioned the names of many employees working on those projects. This information
served as my shopping list for the remainder of my effort.
A Bold Lie
With only three days available for on-site
snooping, I was forced to behave more boldly than a normal industrial spy would. I tried a
direct misrepresentation approach: I decided to impersonate an information-security
supervisor.
Prior to arriving at the site, I had business
cards printed that looked exactly like one from Zed Technologies, complete with my name
and the title of Information Security Supervisor. A local copy store created the cards in
less than a day, using a real business card as a template.
Upon arriving at the site, I was processed
like any temporary worker. I filled out some paperwork, on which I provided false
information including a social security number, an address and telephone numbers. A
human-resources employee gave me an access badge and showed me to my office. I was pleased
to find out that I had been added to the company telephone directory, as are all temporary
employees, prior to my arrival.
Uncertain of the response I would get to my
ruse, I began my effort by telephoning a researcher working on the company's top
development effort. I told this researcher that I had just been hired and had been given
the broad task of protecting the company's secrets. Therefore, I must find out what was
worth protecting and where that information was being stored. After several minutes of
discussion, the researcher recommended that I contact Stanley, the team leader for the
project. I called Stanley and made an appointment to meet with him.
Playing the role of corporate spy can be
pretty exciting, and I wondered what I would say or do if I was caught. I almost hoped
that somebody would question my story so that I could test my ability to talk my way out
of it. No such fast talking was needed, though. Not one employee challenged my integrity.
With Stanley, I again claimed to be a newly
hired infosecurity supervisor. I handed him my business card and claimed that I was tasked
with protecting the company's information. I asked him to detail for me what information
was sensitive and how many people had access to it.
Stanley told me that product-manufacturing
information is most sensitive among a broad range of other important information. I asked
whether there was a single source that compiles the manufacturing information. In
response, he showed me a book with copies of the minutes from project meetings and a
distribution list of people who receive these minutes. I boldly asked for copies. Stanley
not only gave me copies of everything in the book, but he also added me to the
distribution list.
Stanley helped me one more time: he told me
that the company's Government Affairs Office (GAO) representative and the project business
manager together compile summary information, and he recommended that I speak with them.
After I finished with Stanley, I returned to my office and made an appointment with Mark,
the GAO representative, just as Stanley had suggested.
With Mark, I again used my phony business
card and the ruse of working for the information-security department. Believe it or not,
the job grew boring as I played the role of a security manager interviewing people about
the processing and storing of critical information. I had to stay in character and talk
about a lot of mundane details. But, patience provides its rewards. Mark and I discussed
at length the consolidation of the GAO's documents, including the types of documents
produced, the locations of stored files on the network, the group responsible for
archiving the files and the name of the person responsible for their storage. Mark even
mentioned one particular document that contained the specifications for manufacturing the
product.
Next, I returned to my office and took some
time to review the meeting minutes that Stanley had provided me. Amid a wealth of
sensitive information I found the real prize in a message from Mark, the GAO
representative. In it, he stated the location of the draft document being submitted to the
U.S. Government. In the next sentence, he gave the password for accessing the document.
I could hardly believe my eyes. In those two
sentences I had been given the keys to the document that contained all of the
manufacturing information for the project that was my top priority. I turned to my
computer and, in short order, accessed and copied the document. I had already stolen
information representing more than $1 billion of company effort and potential sales.
But my amazement only grew; in the same
directory where I had just found that jewel, similar documents for two other priority
development efforts sat for the taking. At this point, in less than a day's time, I had
compromised three of Zed Technologies' top efforts to the point that I could manufacture
them myself.
Flushed with success, I started accessing
other file systems that were not password-protected. I tried only those file systems that
I believed, based upon my meetings with Mark and Stanley, would hold sensitive
information. I did not want unnecessary documents cluttering my effort. I acquired more
than 125M bytes of data within a few hours.
The next day I met with Steven, the business
manager of the company's second-most-sensitive development effort. By now, any of my
doubts about my likelihood of success had vanished. It was time to focus on the types of
information that business managers use and create.
Again saying that I needed to see what I was
responsible for protecting as a member of the infosec team, I had Steven walk through the
process of accessing his files. I tried to observe the password he used, but could not see
the keyboard from my vantage point. Steven stressed to me the importance of the quarterly
management reports which, he said, contain such extremely sensitive information as
manufacturing details. I noticed as he spoke that Steven's office had no lock. Also, I
could not help noticing the box of computer disks on his desk labeled "Management
Reports."
I returned to my office and immediately
attempted to log into Steven's file systems. I used several common password combinations
and was exhilarated when I hit the right one and achieved access to his files. As it turns
out, each business manager holds responsibility for several development efforts, so
Steven's files contained details for many projects.
My glee skyrocketed as I discovered that all
business managers use the same file system to store their files. I would not need the
disks on Steven's desk. I had in front of me the management reports for all of the
development efforts on my shopping list. I had hit the jackpot.
I later learned that I had compromised all
but one of the company's major development efforts, and I was only a day and a half into
the effort. Nobody had reported any unusual occurrences. My cover had not been blown. A
real industrial spy would have been on the next airplane out of the city.
Browsing After Dark
The misrepresentation attack was, however,
only one method I was using. As you will recall, I had been given an access badge by the
company. After my first day of work at Zed Technologies, I ate a nice dinner out and then
returned to the offices with my badge.
Several cleaning people moved through the
building as I searched through unlocked file cabinets, offices and in-boxes sitting on
desks. I poked around on computers that were not protected by the workstation-locking
utility required per company policy. It was impossible to avoid the cleaning staff, so I
chose instead not to bother hiding my presence. This was risky, but it would imply to them
that I was doing nothing worth hiding.
In the first area that I targeted, which
houses the legal and licensing divisions, I obtained documents about a mature development
effort, including the strengths and weaknesses of each potential licensee. I also found
good material on pending lawsuits, including bargaining positions. Finally, I found a
complete patent application that had not yet been filed.
I moved on to the second area, which houses
the development organization. I found product-problem reports and other sensitive papers
sitting on desks. In unlocked file cabinets I found the manufacturing information for two
additional projects representing hundreds of millions of dollars of investment and
potential sales.
One office that I entered was a complete
mess. Papers were strewn all over the place, and two computers were left on without the
workstation-locking product installed. The monitors were turned off, but I simply turned
one on and discovered that the employee was still logged into an e-mail account.
Fortunately for me, this person liked to save e-mail messages. I browsed through until I
came across a message containing the master development schedule, one of the company's
most sensitive documents.
After-hours snooping may seem old-fashioned
and simplistic, but the effort produced a tremendous amount of sensitive information.
Espionage involves the use of basic, effective methods. This one evening's work
demonstrated the payoff for just looking through unprotected information. I had not picked
any locks or left any signs of forced entry.
Hacking From Within
I brought with me to Zed Technologies a
portable Sun computer specially configured for hacking into the company based upon what I
had learned from my open-source searches. I equipped the laptop with the Internet Scanner
from Internet Security Systems Inc. and a variety of hacker tools that compromise systems
with vulnerabilities identified by the Scanner. When I got to my office at Zed, I
unplugged the office PC from the ethernet connection and plugged in my portable Sun.
I first ran the Scanner against key computer
systems, and sure enough it located known vulnerabilities on several exported file systems
that I knew contained sensitive information. It went on to perform password guessing after
a scan of identified user accounts. Three user accounts were immediately compromised.
I mounted the exported file systems onto my
personal computer and attempted to copy critical directories over to my system. I was able
to copy most but was sorely disappointed to find that some files were restricted. I then
logged into the remote computer using one of the accounts compromised by the Scanner and
copied one of the hacker programs over to the computer. I was pessimistic about the
chances for this program, but I executed it anyway and hoped for the best.
I literally jumped out of my chair when I
received the "#" prompt--I had root access. With nothing to hold me back now but
my computer's storage capacity, I copied whatever looked important. I put in a few back
doors and went on to other computer systems.
In this manner, I acquired more than 200M
bytes of information considered extremely sensitive. The vulnerability I compromised had
been only recently identified, but a patch for it was available. The company had just been
too slow to install it. They will know better in the future.
Hacking with Friends
As part of my misrepresentation campaign,
when I was posing as an information security staffer, I learned that Zed Technologies uses
smart card tokens for authenticating external access. I obtained a copy of the form used
to request a token, forged the infosec manager's signature to it and persuaded a secretary
to walk the form through the approval process. I used the same deceit to request a pager.
I needed these for my final attack, which I had to coordinate with accomplices back home.
I sent the token and accompanying software to
my accomplices via overnight courier, giving them remote access to the company's Novell
network. I telephoned them with my user ID and password for the Sun network to which I had
access as a temporary employee. I gave them the modem number that I obtained by asking one
of the system-administration personnel for it. Now my cohorts could also compromise the
Sun network.
The host command I had used before starting
my job at Zed Technologies had identified that the company uses a large number of Sun- and
PC-compatible computers. So, I had acquired appropriate hacking tools and left them with
my accomplices. Now they would put those to use.
They started by capturing the password file
from the Sun network and running the Crack password-guessing program against it. They
obtained approximately 10 percent of the passwords. They faxed me the list of compromised
accounts, which I prioritized using the company's online employee directory to identify
the departments of the employees tied to the accounts.
I faxed back the list of prioritized accounts
along with a list of key words that would indicate sensitive information. They searched
the accounts and hacked into other Zed computer systems at will. The dial-in system,
designed to prevent unauthorized access, did nothing to prevent abuse by authorized users.
One accomplice focused on compromising the PC
systems. Using the smart card token, he gained access to the internal network over
telephone lines. He ran a vulnerability scan against several zones that I told him were of
high value. He captured a large amount of information from those targeted areas.
Insider coordination was key to the success
of this effort. Even if an outsider could have gotten through the perimeter security
mechanisms, which is unlikely, there would be no way to know where to look for critical
information. More than a terabyte of information lies scattered throughout the company,
only a gigabyte of which could be considered sensitive. Perhaps a megabyte contains the
truly critical information detailing the manufacturing process of the development efforts.
Computer access is insignificant; access to specific information is what matters.
Easy Pickings
After three days, I left my temporary
employment at Zed Technologies as planned. I had obtained more than 300M bytes of
sensitive information. I had information detailing the manufacturing process of five of
the company's top products, which represented billions of dollars in potential sales. I
also had a large amount of information on almost all of the company's development efforts,
which, if provided to a competitor, could cause a significant loss of income. Due to the
volume of information captured, it is extremely likely that I also obtained manufacturing
information for most other developments, but only an exhaustive search of the data could
tell for sure.
Along the way, nobody had reported any
unusual activities. Despite my bold methods, nobody had taken any notice as I compromised
the company's major developments.
Significantly, I by no means exhausted the
methods that a real industrial espionage attack might have included. I never needed to. I
made no effort to plant bugs or tap phone lines. I did not try to recruit other employees.
I did not rifle through any trash. I spent very little time and money; a real attack would
have been planned and executed over a period of months, and there would have been millions
of dollars invested in the effort.
While many readers might assume that Zed
Technologies was a lax company that held security in low esteem, the opposite is true.
Indeed, the fact that they chose to conduct this test is proof of the company's interest
in fully securing their sensitive information. Unfortunately, Zed had concentrated on
protecting only their perimeter. Once an attacker gained insider status, these defenses
were rendered useless and their information stood very much at risk.
Reference
1. This article is a shorter version of a chapter entitled
"Anatomy of an Industrial Espionage Attack" in the book Corporate Espionage
by Ira Winkler (Prima Publishing, 1997). It is reproduced here with the author's
permission. It remains copyrighted and may not be reproduced without the author's
permission. The author may be contacted by e-mail at winkler@isag.com.
|