Anatomy of an Industrial Espionage Attack
By Ira S. Winkler
I had stolen all this and more posing as a temporary worker. A company with third-rate security? Hardly. The organization maintains an excellent perimeter security program, including strong access controls and physical-security mechanisms. The security manager suspected, however, that it may be vulnerable to a well-coordinated attack via insiders. He called upon me to test just how much a dedicated information thief could get.
I was there for three days. I got everything they had.
At a recent conference I met Henry, the security manager of Zed Technologies, a large high-tech firm with annual sales in excess of $5 billion. Henry knew of my previous penetration testing and asked if we could meet later to discuss the possibility of testing his own company's security. (Note: Company and individual names have been changed. In addition, some identifying details about the company and its systems have been changed.)
Henry was extremely concerned about the open environment at Zed -- an openness typical of research and development firms. Like many large companies, Zed Technologies employs a large number of contract and temporary employees on-site. These people have access to various amounts of information and are not thoroughly screened. Henry worried about the potential damage that they could cause. To find out, he asked me to perform a penetration test in which I would be placed inside the company as a temporary employee but would in fact steal as much information as I could.
I was given permission to do whatever was required without harming the company or individuals. A member of the company's information-security staff would remain within a reasonable range whenever I was performing any illicit tasks, to provide incident containment in case of a compromise of the effort. Funding also allowed for the use of off-site accomplices.
To simulate real-world circumstances, I wanted to perform a full-scale industrial espionage attack against the company, using both technical and non-technical methods. Specifically, I chose five categories of attack: open-source research, misrepresentation, abuse of access, insider hacking and internal coordination of external accomplices.
Getting to Know You
Prior to my contact with Henry, I knew nothing of Zed Technologies. I had to first become familiar with the company in order to steal any useful information.
Internet library resources provided an incredible amount of information. From news databases, I identified the company's top development effort, worth billions of dollars in company effort and potential sales. I also learned the name of the lead researcher working on the project, and I ran across several stories about the company's current products as well as the people involved in their development.
Other open-source information identified the names of company executives, the company's financial status and a wide range of general information about the company and its corporate philosophy. Searches of Internet newsgroups for the company name identified dozens of company employees. Employee postings to computer-related newsgroups told me about the company's hardware and software environment. Postings to non-technical newsgroups helped me learn the personal interests of the employees posting the messages. Other Internet resources revealed additional employees and their interests.
I executed a host command against Zed Technologies' domain name to get a list of all its computer systems, along with operating-system information. This action identified the company's TCP/IP addresses, the types of systems used throughout the company and a rough count of the number of computers in use.
A company newsletter that I requested and received helped as well. In it, the CEO defined the company's top six development efforts and mentioned the names of many employees working on those projects. This information served as my shopping list for the remainder of my effort.
A Bold Lie
With only three days available for on-site snooping, I was forced to behave more boldly than a normal industrial spy would. I tried a direct misrepresentation approach: I decided to impersonate an information-security supervisor.
Prior to arriving at the site, I had business cards printed that looked exactly like one from Zed Technologies, complete with my name and the title of Information Security Supervisor. A local copy store created the cards in less than a day, using a real business card as a template.
Upon arriving at the site, I was processed like any temporary worker. I filled out some paperwork, on which I provided false information including a social security number, an address and telephone numbers. A human-resources employee gave me an access badge and showed me to my office. I was pleased to find out that I had been added to the company telephone directory, as are all temporary employees, prior to my arrival.
Uncertain of the response I would get to my ruse, I began my effort by telephoning a researcher working on the company's top development effort. I told this researcher that I had just been hired and had been given the broad task of protecting the company's secrets. Therefore, I must find out what was worth protecting and where that information was being stored. After several minutes of discussion, the researcher recommended that I contact Stanley, the team leader for the project. I called Stanley and made an appointment to meet with him.
Playing the role of corporate spy can be pretty exciting, and I wondered what I would say or do if I were caught. I almost hoped that somebody would question my story so that I could test my ability to talk my way out of it. No such fast talking was needed, though. Not one employee challenged my integrity.
With Stanley, I again claimed to be a newly hired infosecurity supervisor. I handed him my business card and claimed that I was tasked with protecting the company's information. I asked him to detail for me what information was sensitive and how many people had access to it.
Stanley told me that product-manufacturing information is most sensitive among a broad range of other important information. I asked whether there was a single source that compiles the manufacturing information. In response, he showed me a book with copies of the minutes from project meetings and a distribution list of people who receive these minutes. I boldly asked for copies. Stanley not only gave me copies of everything in the book, but he also added me to the distribution list.
Stanley helped me one more time: he told me that the company's Government Affairs Office (GAO) representative and the project business manager together compile summary information, and he recommended that I speak with them. After I finished with Stanley, I returned to my office and made an appointment with Mark, the GAO representative, just as Stanley had suggested.
With Mark, I again used my phony business card and the ruse of working for the information-security department. Believe it or not, the job grew boring as I played the role of a security manager interviewing people about the processing and storing of critical information. I had to stay in character and talk about a lot of mundane details. But patience provides its rewards. Mark and I discussed at length the consolidation of the GAO's documents, including the types of documents produced, the locations of stored files on the network, the group responsible for archiving the files and the name of the person responsible for their storage. Mark even mentioned one particular document that contained the specifications for manufacturing the product.
Next, I returned to my office and took some time to review the meeting minutes that Stanley had provided me. Amid a wealth of sensitive information I found the real prize in a message from Mark, the GAO representative. In it, he stated the location of the draft document being submitted to the U.S. Government. In the next sentence, he gave the password for accessing the document.
I could hardly believe my eyes. In those two sentences I had been given the keys to the document that contained all of the manufacturing information for the project that was my top priority. I turned to my computer and, in short order, accessed and copied the document. I had already stolen information representing more than $1 billion of company effort and potential sales.
But my amazement only grew; in the same directory where I had just found that jewel, similar documents for two other priority development efforts sat for the taking. At this point, in less than a day's time, I had compromised three of Zed Technologies' top efforts to the point that I could manufacture them myself.
Flushed with success, I started accessing other file systems that were not password-protected. I tried only those file systems that I believed, based upon my meetings with Mark and Stanley, would hold sensitive information. I did not want unnecessary documents cluttering my effort. I acquired more than 125M bytes of data within a few hours.
The next day I met with Steven, the business manager of the company's second-most-sensitive development effort. By now, any of my doubts about my likelihood of success had vanished. It was time to focus on the types of information that business managers use and create.
Again saying that I needed to see what I was responsible for protecting as a member of the infosec team, I had Steven walk through the process of accessing his files. I tried to observe the password he used, but could not see the keyboard from my vantage point. Steven stressed to me the importance of the quarterly management reports which, he said, contain such extremely sensitive information as manufacturing details. I noticed as he spoke that Steven's office had no lock. Also, I could not help noticing the box of computer disks on his desk labeled "Management Reports."
I returned to my office and immediately attempted to log into Steven's file systems. I used several common password combinations and was exhilarated when I hit the right one and achieved access to his files. As it turns out, each business manager holds responsibility for several development efforts, so Steven's files contained details for many projects.
My glee skyrocketed as I discovered that all business managers use the same file system to store their files. I would not need the disks on Steven's desk. I had in front of me the management reports for all of the development efforts on my shopping list. I had hit the jackpot.
I later learned that I had compromised all but one of the company's major development efforts, and I was only a day and a half into the effort. Nobody had reported any unusual occurrences. My cover had not been blown. A real industrial spy would have been on the next airplane out of the city.
Browsing After Dark
The misrepresentation attack was, however, only one method I was using. As you will recall, I had been given an access badge by the company. After my first day of work at Zed Technologies, I ate a nice dinner out and then returned to the offices with my badge.
Several cleaning people moved through the building as I searched through unlocked file cabinets, offices and in-boxes sitting on desks. I poked around on computers that were not protected by the workstation-locking utility required per company policy. It was impossible to avoid the cleaning staff, so I chose instead not to bother hiding my presence. This was risky, but it would imply to them that I was doing nothing worth hiding.
In the first area that I targeted, which houses the legal and licensing divisions, I obtained documents about a mature development effort, including the strengths and weaknesses of each potential licensee. I also found good material on pending lawsuits, including bargaining positions. Finally, I found a complete patent application that had not yet been filed.
I moved on to the second area, which houses the development organization. I found product-problem reports and other sensitive papers sitting on desks. In unlocked file cabinets I found the manufacturing information for two additional projects representing hundreds of millions of dollars of investment and potential sales.
One office that I entered was a complete mess. Papers were strewn all over the place, and two computers were left on without the workstation-locking product installed. The monitors were turned off, but I simply turned one on and discovered that the employee was still logged into an e-mail account. Fortunately for me, this person liked to save e-mail messages. I browsed through until I came across a message containing the master development schedule, one of the company's most sensitive documents.
After-hours snooping may seem old-fashioned and simplistic, but the effort produced a tremendous amount of sensitive information. Espionage involves the use of basic, effective methods. This one evening's work demonstrated the payoff for just looking through unprotected information. I had not picked any locks or left any signs of forced entry.
Hacking From Within
I brought with me to Zed Technologies a portable Sun computer specially configured for hacking into the company based upon what I had learned from my open-source searches. I equipped the laptop with the Internet Scanner from Internet Security Systems Inc. and a variety of hacker tools that compromise systems with vulnerabilities identified by the Scanner. When I got to my office at Zed, I unplugged the office PC from the ethernet connection and plugged in my portable Sun.
I first ran the Scanner against key computer systems, and sure enough it located known vulnerabilities on several exported file systems that I knew contained sensitive information. It went on to perform password guessing after a scan of identified user accounts. Three user accounts were immediately compromised.
I mounted the exported file systems onto my personal computer and attempted to copy critical directories over to my system. I was able to copy most but was sorely disappointed to find that some files were restricted. I then logged into the remote computer using one of the accounts compromised by the Scanner and copied one of the hacker programs over to the computer. I was pessimistic about the chances for this program, but I executed it anyway and hoped for the best.
I literally jumped out of my chair when I received the "#" prompt--I had root access. With nothing to hold me back now but my computer's storage capacity, I copied whatever looked important. I put in a few back doors and went on to other computer systems.
In this manner, I acquired more than 200M bytes of information considered extremely sensitive. The vulnerability I compromised had been only recently identified, but a patch for it was available. The company had just been too slow to install it. They will know better in the future.
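As an added defender-side example (not code from the article), the following audits a Linux-style /etc/exports for the two conditions that made the exported file systems above such easy pickings: exports mountable from any host on the network, and exports that do not squash remote root. The sample exports file is constructed; the Solaris /etc/dfs/dfstab format the Sun hosts in the story would have used is not parsed.

```python
"""Audit a Linux-style /etc/exports for world-mountable exports and
exports that leave remote root unsquashed.

Added example, not from the original article. Assumptions: Linux
/etc/exports syntax; the sample file below is constructed."""
import re

# Constructed sample: four exports, three of them weak.
SAMPLE_EXPORTS = """\
# constructed /etc/exports, not a real configuration
/export/research   *(rw,no_root_squash)
/export/mgmt       10.1.2.0/24(rw,sync) *(ro)
/export/home       build01.example.test(rw)
/export/public     (ro)
"""

# Either "client(opt,opt)" or a bare client with default options.
CLIENT_RE = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for m in CLIENT_RE.finditer(rest.strip()):
            if m.group(3) is not None:        # bare host, default options
                yield path, m.group(3), []
            else:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                # A bare "(opts)" with no client means "any host" to exportfs.
                yield path, m.group(1) or "*", opts


def audit_exports(text):
    """Return (path, client, issue) findings a defender should review."""
    findings = []
    for path, client, opts in parse_exports(text):
        any_host = client == "*" or client.startswith("*.")
        if any_host and "rw" in opts:
            findings.append((path, client, "world-writable export"))
        elif any_host:
            findings.append((path, client, "world-readable export"))
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root is not squashed"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("%-18s %-22s %s" % finding)
```

Run against the sample, the script flags /export/research twice (writable by anyone and root not squashed), the `*(ro)` entry on /export/mgmt and the client-less /export/public, while the host-restricted /export/home passes.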
Hacking with Friends
As part of my misrepresentation campaign, when I was posing as an information security staffer, I learned that Zed Technologies uses smart card tokens for authenticating external access. I obtained a copy of the form used to request a token, forged the infosec manager's signature to it and persuaded a secretary to walk the form through the approval process. I used the same deceit to request a pager. I needed these for my final attack, which I had to coordinate with accomplices back home.
I sent the token and accompanying software to my accomplices via overnight courier, giving them remote access to the company's Novell network. I telephoned them with my user ID and password for the Sun network to which I had access as a temporary employee. I gave them the modem number that I obtained by asking one of the system-administration personnel for it. Now my cohorts could also compromise the Sun network.
The host command I had used before starting my job at Zed Technologies had identified that the company uses a large number of Sun- and PC-compatible computers. So, I had acquired appropriate hacking tools and left them with my accomplices. Now they would put those to use.
They started by capturing the password file from the Sun network and running the Crack password-guessing program against it. They obtained approximately 10 percent of the passwords. They faxed me the list of compromised accounts, which I prioritized using the company's online employee directory to identify the departments of the employees tied to the accounts.
I faxed back the list of prioritized accounts along with a list of key words that would indicate sensitive information. They searched the accounts and hacked into other Zed computer systems at will. The dial-in system, designed to prevent unauthorized access, did nothing to prevent abuse by authorized users.
One accomplice focused on compromising the PC systems. Using the smart card token, he gained access to the internal network over telephone lines. He ran a vulnerability scan against several zones that I told him were of high value. He captured a large amount of information from those targeted areas.
Insider coordination was key to the success of this effort. Even if an outsider could have gotten through the perimeter security mechanisms, which is unlikely, there would be no way to know where to look for critical information. More than a terabyte of information lies scattered throughout the company, only a gigabyte of which could be considered sensitive. Perhaps a megabyte contains the truly critical information detailing the manufacturing process of the development efforts. Computer access is insignificant; access to specific information is what matters.
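The Crack run above only worked because the accomplices could read a password file that still carried the hashes. As an added example (not code from the article), the following checks a passwd-format file for exactly that condition, and for the related weaknesses a defender would want to catch in the same pass: empty password fields and extra UID 0 accounts. The seven-field passwd layout and crypt(3) hash styles are assumed; the sample lines are constructed.

```python
"""Find password hashes left in a world-readable passwd file (instead
of a root-only shadow file), empty passwords and extra UID 0 accounts.

Added example, not from the original article. Assumptions: classic
seven-field passwd format, crypt(3) hash styles; sample is constructed."""

# Constructed sample: two shadowed accounts, two unshadowed hashes,
# an empty password field and a second UID 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
smith:x:1001:100:J. Smith:/home/smith:/bin/ksh
jones:AbCdEf123456G:1002:100:P. Jones:/home/jones:/bin/csh
guest::1003:100:guest account:/home/guest:/bin/sh
backup:$6$Zq1x$constructedhashvalue:0:0:backup operator:/:/bin/sh
"""

# Markers meaning "no usable hash here" (shadowed or locked).
LOCKED = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_passwd(text):
    """Yield one dict per well-formed passwd line, skipping comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:              # malformed line, skip it
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        yield {"name": name, "password": pw, "uid": uid}


def classify_hash(pw):
    """Describe what sits in the password field."""
    if pw == "":
        return "empty"
    if pw in LOCKED or pw[0] in "*!":
        return "locked"
    if pw.startswith("$"):
        return "modular crypt $%s$" % pw.split("$")[1]
    if len(pw) == 13:
        return "traditional DES crypt"    # 8-char limit, fast to guess
    return "unknown"


def audit_passwd(text):
    """Return (account, issue) findings a defender should act on."""
    findings = []
    for e in parse_passwd(text):
        kind = classify_hash(e["password"])
        if kind == "empty":
            findings.append((e["name"], "empty password field"))
        elif kind != "locked":
            findings.append((e["name"], "hash in passwd (%s), crackable offline" % kind))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "additional UID 0 account"))
    return findings


if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (account, issue))
```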
After three days, I left my temporary employment at Zed Technologies as planned. I had obtained more than 300M bytes of sensitive information. I had information detailing the manufacturing process of five of the company's top products, which represented billions of dollars in potential sales. I also had a large amount of information on almost all of the company's development efforts, which, if provided to a competitor, could cause a significant loss of income. Due to the volume of information captured, it is extremely likely that I also obtained manufacturing information for most other developments, but only an exhaustive search of the data could tell for sure.
Along the way, nobody had reported any unusual activities. Despite my bold methods, nobody had taken any notice as I compromised the company's major developments.
Significantly, I by no means exhausted the methods that a real industrial espionage attack might have included. I never needed to. I made no effort to plant bugs or tap phone lines. I did not try to recruit other employees. I did not rifle through any trash. I spent very little time and money; a real attack would have been planned and executed over a period of months, and there would have been millions of dollars invested in the effort.
While many readers might assume that Zed Technologies was a lax company that held security in low esteem, the opposite is true. Indeed, the fact that they chose to conduct this test is proof of the company's interest in fully securing their sensitive information. Unfortunately, Zed had concentrated on protecting only their perimeter. Once an attacker gained insider status, these defenses were rendered useless and their information stood very much at risk.