Volume No. 5,   Issue No. 2,   July 2006

Are You Prepared for Competitive Intelligence?

By Richard Stiennon

July 21, 2005: Competitive intelligence gathering (read corporate espionage) is the latest threat in the never ending game of spy vs. spy, writes CIO Update columnist Richard Stiennon of Webroot Software.

A spate of recent incidents has come to light involving criminal attacks against businesses to gather competitive intelligence or to directly damage a competitor.

Are you prepared for this kind of targeted attack? I ask this because there is a big difference between the protections needed to ward off viruses and the random hacker and the types of things you have to do to avoid losing data to a direct competitor.
In all my years in cyber security the most common refrain I hear from senior executives is "Why would a hacker target me? All we do is X." Well, times are changing and old security postures are proving vulnerable to new threats...

The threat I am talking about is the targeted attack to gain competitive intelligence: your payroll data, your sales pipeline, your project plans, your real estate or building plans, your hiring plans, your financials, your designs, your pricing, all could prove very valuable to a competitor making strategic plans.

Sometimes It's Personal

Imagine this scenario (it derives from my early experience as an automotive engineer):

I was responsible for a power seat mechanism for a new Buick luxury seat design. We had a prototype shop out back and an expert machinist, Dag Broadbent. Dag was "old-school" and loved to tease the young engineers. He called me "Pilgrim" for some reason.

Anyway, Dag was making some very special drive nuts for the project that required a multi-start thread that needed a custom cutting tool. I got a call from the shop late on Friday. The tool had snapped so we needed a new one. This could put us behind schedule. "Not to worry," I told Dag, "I have had one on order from the supplier for three weeks. It should be ready Monday."

Come Monday I called the supplier to find out what time their truck would be delivering the new tool. The guy on the phone said "What do you mean? We gave it to an engineer from XYZ Company!"

I was floored. Apparently our competitor was using the same drive nuts on their prototype and they learned from the tool supplier that we had ordered the same tool they needed. So an engineer dropped by and told them I said it was OK to give him my tool!

Alright, fast forward to modern times. Have you hired anyone out of college in the last five years? Well, hacking in school has been elevated to a sport. The new kids you hire are well versed in common hacking techniques. It is not a huge leap from stealing machine tools to your competitor's employees taking a peek at your exposed Web application just to see what they can see.

Consider a few cases of recent attacks:

Lexis-Nexis succumbed recently to a concerted attack from hackers, reinforcing once again the need for organizations to review all web-based processes for weaknesses that can be exploited by criminal minds.

In this case, fake accounts were created using the normal process and then the access to Lexis-Nexis' database was used to pilfer over 200,000 identities.

In April, DSW Warehouse reported that 1.3 million identities had been stolen from their retail operations.

In June the FDIC announced that reports of false loan applications led them to the discovery that the identities of 6,000 employees had been stolen.

This is a disturbing shift in reported incidents. To date, most data loss reports are of the Bank of America type where the data was not necessarily stolen. In this and the CardSystems case the data was already being used by criminals when the loss was discovered.

Israeli Trojans

Meanwhile, in Israel a convoluted story erupted on May 30. In short, large businesses were hiring private investigators to spy on competitors. These PIs used modified Trojans and social engineering techniques to steal documents from over twenty companies. It is worth reporting the further convolutions of this fiasco.

The story started when an Israeli author noticed that his unpublished works were being posted to the Internet. Suspecting his step-daughter's ex-husband, he called in the Israeli police. The police discovered the HotWar Trojan on his home computer. Files, emails, and everything the author typed were being sent to FTP servers in Germany, the U.K. and the U.S.

When those servers were seized by local authorities in each country, they were found to contain internal documents from dozens of companies in Israel, including the state-owned telephone company, Bezeq, a car dealer, a satellite TV company (Hot!), a cell phone company (Patner), a water company (Gal-Al), a defense contractor and more.

It turns out that at least a dozen companies in Israel had hired PIs to gather competitive intelligence on their counterparts. The PIs had purchased software from Michael Hephrati in the U.K. and sent it to the targets disguised as a legitimate email proposal.

While 22 people are under arrest, indictments have been filed against 12, and the investigation continues.

Concerted hacking attacks to gather information from competitors are going on in the U.S. as well, although nothing of this scale has been disclosed to date. But it could be going on right now within your computer systems.

The lesson here? If there is just one overarching tenet of information security it is this: You cannot afford to stand still.

Richard Stiennon is vice president of Threat Research at Webroot Software. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine. You can read his blog at www.threatchaos.com.

Contributed by Sysman Computers – email dated July 30, 2005


Israeli airport technology detects intent of terrorists

By David Brinn May 08, 2005

Not many terrorists walk into an airport waving a banner announcing who they are. They don't carry handguns or try to conceal explosives as they debark from an international flight into the United States. And just as rarely do they have police records.

So how can US officials go about identifying potential terrorists? A new solution is Israel's Suspect Detection Systems (SDS) - a company that has developed an advanced automated filtering tool for identifying potential suspects with hostile intentions among masses of tens of thousands of visitors.

Consider it a personal polygraph machine that will make air travelers infinitely safer, says SDS CEO Shabtai Shoval, a former division manager at Comverse Technology who founded SDS along with former head of the Israel Police's polygraph division Yeshayahu Horowitz and former deputy Mossad chief Amiram Levin.

"Our system makes an initial assessment within three minutes. If the system identifies a suspect, he can be sent to a personal agent to complete the investigation," Shoval said. Shoval explained that his journey from Comverse to airport security was spurred by the September 11 attacks, as well as a viewing of a Tom Cruise movie.

"I happened to see the movie Minority Report - with Tom Cruise. I thought to myself, how great it would be to be able to prophesize a crime before it happens," he told ISRAEL21c.

"Among my staff in the telemarketing division of Comverse were two people formerly from the Shabak (Israel's General Security Services). After 9-11, we said to ourselves, maybe we should change direction toward the field of homeland security. 'What's the major problem that 9-11 has presented to the world,' we asked?

"Our conclusion was the fundamental issue that international terrorism has gotten sophisticated enough to enable terrorists to get into the target country without any weapons and with their own identity. Therefore, they can then create a strategic terror attack from within, without carrying in any means with them," he said.

Built to replace human selectors or random checkups of visitors, the SDS-VR-1000 is a device based on the assumption that sophisticated terrorists might not be included in suspect lists and will not carry weapons or explosives when they approach a checkpoint.

"We came to this conclusion two years ago - and since then, that idea has only been reinforced with the Spanish train explosion and the Chechnyan school takeover. It plays out again and again. International terrorists are getting inside a country without weapons, under their own identity and are succeeding in changing history," said Shoval.

According to Shoval, there are two basic ways to combat this threat – either through good intelligence, or through being able to detect them when they try to enter a country.

"Intelligence is a problem - since most potential terrorists haven't been on a suspect list. So you need to look for intention. This has to be done with the handicap of not being able to look for weapons, since carrying a weapon into the US, for example, would be stupid since it's so easy to obtain weaponry once they're inside," he said.

"If only you could have each person trying to enter the US go through a polygraph test with a specialist, you could prevent terrorists from entering - but of course that's not realistic. But, can we create a machine – that uses the basics of polygraph technology - that works automatically without the specialist, and takes only three minutes?"

The SDS system does just about that. It is based on the belief that the terrorist's fear will be reflected in measurable psycho-physiological parameters.

"As they say in the movies, we have the technology to do this - to use artificial intelligence in software to imitate polygraph capabilities. It took a long time - two years - and lots of trial and error through tests conducted in Israel. But we've achieved a success rate of 95%," said Shoval.

The way it works is that the passenger approaches the machine, puts their passport on a scanner and their other hand on a sensor. The passenger is then presented with an array of written questions in the language indicated by the passport (or in an audio mode with earphones if requested). A special detector then measures physiological responses.

"What it does is collect objective data out of the passenger's ID - and it analyzes the data compared to the subjective data it collects while the passenger is asked different questions," said Shoval. "The process takes approximately three minutes, and the passenger either receives a transfer printout authorizing him to advance to the next stage of entry to the country, or an announcement that he is required for further questioning. A monitoring official will then escort the passenger to another area for further questioning."

The system has been approved by the Israeli security apparatus, and an experimental version is going to be tested this year in an American airport.

"We've passed all the lab tests in Israel - with the involvement of various security involvement - and now this year, it will be field tested in Israel and in the US. Once it's on the market, each system will cost approximately $200,000 and will service about 40,000 per year. We're talking to Boeing and Accenture about partnerships as well as looking for a VC strategic investor in the US," said Shoval.

According to Shoval, the SDS system is a truly unique product, one that could only have been developed in the cultural and political climate of his country - and he lists three reasons why.

"First, it's based on the methods developed by the Shabak and El Al, Israel's national carrier.

"Second, the field tests in Israel were unique - only here can you find a population (in Gaza) where 95% of the population has been in an ongoing conflict with their authorities. It's a fine tuning issue to find which people among those 95% are actual terrorists. If you cross that barrier, there's no place in the world where it can't work. Even in Iraq, only about 30% of the population have been involved with confrontations with the US Army and ruling Iraqi forces.

"And third - it took Israeli boldness to go ahead with a plan involving full contact polygraph with civilians, a concept that the US would not have been able to initiate. Americans chose not to utilize human selectors - partly due to budget, and partly because it's difficult to educate the selector how to define between the different kinds of profiling. Here, our system is doing it for you - there's no human element involved.

"It's like a robot selection process - we don't make the decision to take someone out of line and put him in jail - we only take someone for further investigation. There's no profile selecting and no human rights violations," he said.

"We've created a single-track minded machine - it can do just one task - ID a terrorist."

Courtesy: Email dated May 9, 2005, from Mr. Mayer Nudell, CSC, USA.
