Anatomy of an Industrial Espionage Attack

By Ira S$.$ Winkler $1$

President, Information Security Advisors Group

The CEO sat quietly as I showed him the complete manufacturing instructions for his top product in development. He remained expressionless when I placed his company's master development schedule on his desk. He sat back in his chair as I pulled out several documents describing his bargaining position in a multimillion dollar lawsuit. The CEO finally spoke. "I guess we should be happy you're not working for a competitor," he said. I had stolen all this and more posing as a temporary worker. A company with third$-$rate security? Hardly. The organization maintains an excellent perimeter security program, including strong access controls and physicalsecurity mechanisms. The security manager suspected, however, that it may be vulnerable to a well$-$coordinated attack via insiders. He called upon me to test just how much a dedicated information thief could get. I was there for three days. I got everything they hadl.

The Assignment

At a recent conference I met Henry, the security manager of Zed Technologies, a large high$-$tech firm with annual sales in excess of $$5$ billion. Henry knew of my previous penetration testing and asked if we could meet later to discuss the possibility of testing his own company's security. $($Note: Company and individual names have been changed. In addition, some identifying details about the company and its systems have been changed.$)$ Henry was extremely concerned about the open environment at Zed $--$ an openness typical of research and development firms. Like many large companies, Zed Technologies employs a large number of contract and temporary employees on$-$site. These people have access to various amounts of information and are not thoroughly screened. Henry worried about the potential damage that they could cause. To find out, he asked me to perform a penetration test in which I would be placed inside the company as a temporary employee but would in fact steal as much information as I could. I was given permission to do whatever was required without harming the company or individuals. A member of the company's information$-$security staff would remain within a reasonable range whenever I was performing any illicit tasks, to provide incident containment in case of a compromise of the effort. Funding also allowed for the use of off$-$site accomplices. To simulate real$-$world circumstances, I wanted to perform a full$-$scale industrial espionage attack against the company, using both technical and non$-$technical methods. Specifically, I chose five categories of attack: open$-$source research, misrepresentation, abuse of access, insider hacking and internal coordination of external accomplices.

Getting to Know You

Prior to my contact with Henry, I knew nothing of Zed Technologies. I had to first become familiar with the company in order to steal any useful information. Internet library resources provided an incredible amount of information. From news databases, I identified the company's top development effort, worth billions of dollars in company effort and potential sales. I also learned the name of the lead researcher working on the project, and I ran across several stories about the company's current products as well as the people involved in their development. Other open$-$source information identified the names of company executives, the company's financial status and a wide range of general information about the company and its corporate philosophy. Searches of Internet newsgroups for the company name identified dozens of company employees. Employee postings to computer$-$related newsgroups told me about the company's hardware and software environment. Postings to non$-$technical newsgroups helped me learn the personal interests of the employees posting the messages. Other Internet resources revealed additional employees and their interests. I executed a host command against