Computerworld

Cyberspying: no longer a crime for geeks only

  • IDG staff (Computerworld)
  • 30 October, 2000 12:01

Traditional criminals and hackers can only be kept distinct for so long. When they unite, be prepared for business-crushing spying and crucial data theft.

A recent spate of news stories on Internet privacy has spawned a national awareness of Web-related security threats. But it takes neither an Internet connection nor a network of exotic gadgetry to invade systems and steal data. Indeed, critical information stored on a CD or laptop hard drive can be walked right out the front door. As technology becomes more widespread, corporate data is becoming easier to access and transport, which means that many heretofore impotent miscreants are quickly becoming armed with the tools for cyberspying.

We're all familiar with the most common type of cyberspy - the departing employee. Loyalty is a rare commodity in this white-hot job market; if the money's right, almost anybody will jump ship. Even if ethics prevent your ex-staffer from sketching your entire strategy on a competitor's whiteboard, he or she might exploit his or her knowledge of your plans to personally get ahead of you.

Unfortunately, breaches of confidentiality are difficult to prove, and if you do take the matter to trial, you'll end up publicising the very trade secrets you're fighting to protect.

Instead of relying on lawyers, accept that most employees are temporary workers and encourage them to zip their lips after leaving. Tell new hires you're not interested in competitors' inventions, and make your employee exit process as non-confrontational as possible. Employees' attitude toward your company is a crucial factor in how well your secrets are kept.

Keep an equally suspicious eye on current employees, who may be stealing data in exchange for a pay cheque from one of your competitors. These internal spies have a host of access methods to your secrets, which means that you must be aware of who is accessing what files and why.

Notebook computers are high-capacity storage tanks for sensitive data. In just 10 minutes on your company Ethernet, somebody could pull almost 5GB of data into a notebook.

Lock critical files in document or source-code control systems that require users to sign files out. Analyse access audits and sign-out logs regularly, looking for access attempts from users who don't need those files for work. Act immediately on any suspicious audit or log entry: lock out the offending user until you clear the access with a supervisor. Sounds harsh, but no gentler approach is as effective.
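An added example (not part of the original article) of the log review described above: it checks every sign-out log entry against a need-to-know table and lists the users to lock out until a supervisor clears the access. The log format, user names, paths and the `NEED_TO_KNOW` table are constructed assumptions.

```python
import posixpath
from collections import defaultdict

# Constructed sample log: timestamp, user, action, path (assumed format).
SAMPLE_LOG = """\
2000-10-30T09:14:02 asmith SIGNOUT /src/billing/invoice.c
2000-10-30T09:20:41 asmith SIGNOUT /src/engine/core.c
2000-10-30T09:21:07 bjones DENIED /docs/strategy/2001-plan.doc
2000-10-30T09:30:15 bjones SIGNOUT /docs/marketing/brochure.doc
2000-10-30T09:44:50 tempuser SIGNOUT /src/engine/core.c
2000-10-30T09:50:03 asmith SIGNOUT /src/billing/../engine/render.c
corrupted line
"""

# Hypothetical need-to-know table: path prefixes each user needs for work.
NEED_TO_KNOW = {
    "asmith": ("/src/billing/",),
    "bjones": ("/docs/marketing/",),
}

def audit_signouts(log_text, need_to_know):
    """Return (suspicious, unparsed).

    suspicious maps user -> [(timestamp, action, normalised_path), ...] for
    each access or attempt outside that user's prefixes. DENIED entries are
    included because failed attempts are as telling as successful sign-outs.
    """
    suspicious = defaultdict(list)
    unparsed = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or parts[2] not in ("SIGNOUT", "DENIED"):
            unparsed.append(line)  # keep for review, never drop silently
            continue
        ts, user, action, raw_path = parts
        # Collapse "../" so a path cannot pose as being under an allowed prefix.
        path = posixpath.normpath(raw_path)
        # A user missing from the table gets an empty tuple: nothing allowed.
        allowed = need_to_know.get(user, ())
        if not path.startswith(allowed):
            suspicious[user].append((ts, action, path))
    return dict(suspicious), unparsed

def users_to_lock_out(suspicious):
    """Users to suspend until a supervisor clears the flagged access."""
    return sorted(suspicious)

if __name__ == "__main__":
    flagged, bad_lines = audit_signouts(SAMPLE_LOG, NEED_TO_KNOW)
    for user in users_to_lock_out(flagged):
        print(user, flagged[user])
    print("unparsed:", bad_lines)
```

Lines that fail to parse are returned rather than discarded, since a gap in an audit trail is itself worth a look.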

A notebook or PC can also be a packet siphon, a la Carnivore. A modern network adapter normally ignores traffic not intended for it but can easily switch into "promiscuous mode", grabbing and storing every packet crossing the network. The only sure way to keep data out of unauthorised users' hands is to put it on a separate network and limit access to that network to those who need it. Network management tools such as Tivoli Systems and CA Unicenter can also alert you to the appearance of unauthorised devices on your isolated subnet.

In addition, desktop systems with high-capacity removable storage devices (Iomega Jaz, Castlewood Orb, and CD-ROM burners, for example) make it easy for users to discreetly carry out gigabytes of data. You may want to consider restricting access to removable storage devices and media. PC BIOS setup programs can disable USB, parallel, and serial ports, effectively blocking most avenues for adding external removable devices.

Monitoring devices are also powerful spying tools, which can be planted on your servers either by employees or by outside spies, posing, for instance, as telephone workers who need access to your circuit.

Computerised telephone systems are particularly vulnerable to monitoring. A voicemail system stores messages and call logs on hard drives. A spy can easily remove, copy, or replace these drives, making off with months of invaluable data.

Voicemail servers that forward messages to e-mail are easy targets for anyone with access to the console. They need only forward a user's messages to an untraceable external mailbox.

And anyone can insert a $250 device into a desktop system (PC, Mac, or Unix/Linux) that mirrors the entire contents of the system's hard drive. The device is invisible to the operating system and to remote hardware audits, and it does not alter system behaviour.

With only intermediate Linux skills, a hacker can build a small, low-power microcomputer that invisibly forwards desirable network packets to an external location, makes copies of your e-mail traffic, or provides an external operator with remote access to your network. It isn't science fiction. You could build a complete system, small enough to fit in a modem cabinet, for less than $1000.

It is fortunate that so far, criminals, thieves, and con artists are generally slow to take up technology. Conversely, hackers and techies often lack a criminal's skill of avoiding apprehension, which probably discourages them from wreaking the havoc they otherwise could. However, the future union of these two groups is imminent, and it is in this union that the most potent security dangers lie.

Even as we speak, criminally minded hackers are securing enviable positions with Internet providers and in the server rooms of lucrative corporations. Hacker skills are valuable in this market, to be sure, but not nearly as valuable as the information that can be gleaned from your network. What percentage of these hackers will resist the attentions of courting criminals? Which of them, if offered $5000 for a copy of your e-mail traffic, will refuse and contact the police instead?

We advise cultivating a healthy paranoia. If you have data you can't afford to lose, hire a reputable security consulting company and follow their advice. This action may be costly, but now is the time to harden your facility against cyberspying exploits, before the most clever criminal and technological minds join forces.