The Hidden Data Thieves

Untitled DocumentIn many organizations, employees have nearly unrestricted access to corporate data and information. This type of access is often necessary for employees to perform their duties. But it also makes it easy for employees to steal data. From e-mailing work materials to a personal account to burning data to CDs, proprietary information leaves organizations at an alarming rate.

In the article, “Portable Data Storage Devices: Security Nightmare” (ST&D, July 2005), I wrote that “the USB port of a computer is the portal through which trade secrets are sucked out of a company.” USB devices, however, are not the only tools used to steal information. There is a range of options available to individuals and businesses that want to remove data from your enterprise, and they don’t have to be James Bond to use them.

Not Only Q Does Covert
Some may not consider all the technologies we’ll discuss here “covert.” But it is important to remember that the term “covert” simply means secret or hidden; it doesn’t necessarily mean expensive or sophisticated.
Unfortunately, many people dismiss low-tech security threats and immediately jump to the conclusion that people are using advanced technologies to steal proprietary information and trade secrets. This phenomenon can be called the James Bond Syndrome, and it often clouds the vision of management. You should look for the least expensive and least sophisticated methodologies first, since users will always find the path of least resistance.

Click to Steal Clients
Client and customer lists represent valued proprietary information. Losing control of these lists can be devastating to a business. Unfortunately, businesses are losing control of this information on a regular basis through Internet-based contact managers.
Employees can easily import all of their clients’ contact information into free e-mail programs like Google’s Gmail. More robust contact management tools like Plaxo (also free) enable people to automatically synchronize their Outlook address books, keeping them up to date and accessible from anywhere. This means that when an employee leaves a company, he simply goes to his next employer, logs in to his Internet-based contact management system, and enjoys immediate access to the contact information of his previous employer’s clients. Blocking access to these sites at the firewall along with prohibiting this type of activity through an enforced company policy can minimize this threat. Periodic checks of Internet activity on company-supplied laptops can determine if these sites have been visited by employees on the road.

Hide Files Online
Another Internet-based method of removing data from an organization is online data storage. Numerous services allow users to upload data to secure Internet sites that are either free or fee based. Perhaps the most basic of these is Yahoo!Briefcase, which allows users to store up to 30MB of data for free with a maximum file upload size of 5MB.

In this age of multimedia files, 30MB does not seem like a lot of space, but it is enough to store reams of word processing and spreadsheet files. Business plans, internal memos and revenue forecasts could easily be uploaded. And if 30MB isn’t enough, employees could turn to Streamload, which offers 25 GB of free storage. (It used to be that our computers didn’t even offer that much space.) Commercial sites include Xdrive, GoDaddy, Bigvault and MyNetFolder.

What makes these sites even more frightening is that they allow you to share your online files with others. Many organizations block storage sites to prevent data from leaving. But these sites abound, and I have seen organizations successfully block one of them while others remain readily accessible. Even if an organization successfully blocks these sites at the firewall, there is nothing to stop a road warrior from accessing them on a company-supplied laptop. Although there is no way to defeat this, a periodic review of Internet activity on company laptops can reveal that the user has been accessing these types of sites. A policy that prohibits this type of behavior along with aggressive enforcement of the policy can help minimize the threat.

Spy Pen
All types of electronic devices are becoming smaller and more powerful, which makes many of them easier to use for dishonest purposes. One of the best examples of this is the series of handheld portable document scanners from PLANon. These handheld scanners are not much larger than a pen and have the ability to scan and store up to 100 pages of documents.

Ranging in price from $99.99 for a recertified black-and-white scanner to $299.99 for a 24-bit color scanner, these devices are easily within the reach of someone interested in stealing design plans, memos or graphics. Even if someone sees one lying on a desk or in someone’s possession, most people would not recognize it as a scanner.

The Zippo Cam

Another device that demonstrates the fact that technology is getting smaller is the l’espion S digital camera. Encased in a Zippo-style lighter case, this camera can take 150 images at 640 x 480, 12 minutes of audio and 30 seconds of video. It even has a surveillance mode in which it takes a picture every 90 seconds for 19 days. The image quality is not great, but it’s good enough to capture images of new products under development.

Ear to the Wall
The technologies that really get people excited are those designed for eavesdropping on conversations. From a low-tech perspective, don’t overlook your internal phone system. Many phone systems allow a third party to listen in on conversations for quality assurance purposes. A feature as ubiquitous as the intercom feature could cost you your secrets as well. All someone has to do is turn on the intercom of the phone in a conference room prior to a high-level meeting, and they can hear every word that is said behind closed doors.

There are also inexpensive, unobtrusive sound amplification devices that allow people to eavesdrop on conversations from a distance. All of these methods can be successful, and none of them would be discovered if you were to conduct an electronic countermeasures sweep.

Eavesdropping Illegal but Available
Once people start using microphones or other devices to listen in on conversations, they have crossed over into the realm of serious information theft. They are also more than likely breaking the law. Despite this, there are numerous products available for these purposes.

A simple room transmitter can be secretly installed in an office or conference room, and it will transmit all conversations conducted in that space. These transmitters can be incorporated into innocuous products such as pens, ash trays, calculators, and wall plug adaptors. Whoever wishes to hear the conversation must use a compatible receiver, and they can record the conversation for later playback. These transmitters can also be connected to phone lines so that they transmit both sides of a conversation.
A person must have physical access to the room being monitored in order to place the transmitter, and because these transmitters are always on, they can easily be found during an electronic countermeasures sweep.

Reading Your Keystrokes
Another popular tool for data theft is keystroke capturing hardware. Keystroke capturing hardware is placed between the keyboard and the computer and requires no additional software or independent power supply. It is not detectable by the operating system and is generally not seen by the user. (For those that feel an adaptor placed between a computer and a keyboard is not covert enough, a keyboard with the keystroke capturing chip already embedded is also available.)

After the device captures the target’s keystrokes, the user removes it and hooks it up to another computer. He or she dumps all the keystrokes into a word processing application, which means they can be saved, printed or electronically distributed. This method can compromise usernames and passwords, credit card information and the contents of emails. Protecting against this type of data capture is extremely difficult. Maintaining strict access control to management offices is the best protective mechanism. Locked offices and restricted access after hours is the best solution.

Somebody’s Watching Me
Monitoring software not only captures keystrokes but will capture Internet activity and can take screen captures of the target’s computer at pre-set intervals. The number and variety of these tools is amazing. Many monitoring products can be installed remotely and will discreetly e-mail activity logs at specified intervals. Arguably, two of the most well known products are by Spectorsoft—Spector and eBlaster. Spector is the monitoring application, and eBlaster automatically forwards all a target’s e-mail messages—both sent and received—to a specified address.

Other popular products include Goldeneye and Invisible Keylogger. Remote Spy users set up an account, and the logs from their tools are sent to a secure site that users can access from anywhere. To learn more about monitoring applications, visit the monitoring products page under Library at www.anti-keyloggers.com.

While there are monitoring applications that can go undetected by anti-virus programs, keep in mind that although they are marketed as undetectable, these programs can be easy to detect. To be effective they must run at system start up, so finding unusual programs scheduled to run at start up can be a good security exercise. While there are system tools that allow you to do this, a free program from Sysinternals called Autoruns is very effective. Find it at www.sysinternals.com/utilities/autoruns.html.

There is also a low-tech method of determining if one of these programs is installed on your computer. Many of these monitoring applications can be accessed by hitting a series of “hot keys.” The default hot keys for many monitoring applications are Ctrl + Shift + another keyboard key, or Ctrl + Alt + Shift + another keyboard key. To see if one of these programs is running, simply hold down either Ctrl + Shift or Ctrl + Alt + Shift and cycle through the remaining keys on your keyboard. If a login prompt suddenly pops up, there is a monitoring application installed on the system.

The Impossible Dream?
During a recent consulting engagement, I was telling a client about the diverse methods and opportunities for theft of proprietary information when he threw up his hands and said, “Why bother? There is no way to stop the flow of trade secrets from my company!”
It is extremely difficult, if not impossible, to maintain control of all trade secrets and proprietary information within an organization. But steps can be taken to reduce the flow of information from a torrent to a trickle, and policies and procedures can be put in place to provide legal recourse against those that steal proprietary information from their employers.

Follow well-established security methodologies, such as allowing users access to only the materials they need to perform their job responsibilities. Implement multiple layers of protection for trade secrets—more commonly known as defense in depth. For organizations that have material that could be the target of foreign governments, extra security mechanisms should be put into place, such as periodic electronic countermeasures sweeps, a digital rights management program that restricts who has access to data and what they can do with it once they access it, and internal training programs to educate users on what to do should they be approached by someone wanting detailed information on the company.

Even highly sophisticated devices can be defeated, as long as the security team is vigilant and keeps abreast of current advancements in technology.

John Mallery is a managing consultant for BKD, LLP, one of the 10 largest accounting firms in the United States. He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, published by McGraw-Hill. He can be reached at jmallery@bkd.com.

Loading