Table of Contents

| Chapter | Title | Page |
|---|---|---|
| | Acknowledgments | |
| | Introduction | |
| Ch. 1 | Spies | 1 |
| Ch. 2 | Spying and the Law | 25 |
| Ch. 3 | Black Bag Jobs | 47 |
| Ch. 4 | Breaching the System | 67 |
| Ch. 5 | Searching for Evidence | 95 |
| Ch. 6 | Unprotecting Data | 135 |
| Ch. 7 | Copying Data | 163 |
| Ch. 8 | Snooping with Keyloggers | 177 |
| Ch. 9 | Spying with Trojan Horses | 205 |
| Ch. 10 | Network Eavesdropping | 227 |
| Ch. 11 | 802.11b Wireless Network Eavesdropping | 259 |
| Ch. 12 | Spying on Electronic Devices | 289 |
| Ch. 13 | Advanced Computer Espionage | 313 |
| App. A | What's on the Web Site | 341 |
| | Index | 343 |
Secrets of Computer Espionage
Tactics and Countermeasures
By Joel McNamara, John Wiley & Sons
ISBN: 0-7645-3710-5
Chapter One: Spies

"I could have been a devastating spy, I think, but I didn't want to be a devastating spy. I wanted to get a little money and to get out of it." - Robert Hanssen, FBI agent and convicted Soviet spy
Getting to Know Spies
Computer spies typically don't wear trench coats. They don't dress in tight black clothes and hang upside down from trapeze wires over your keyboard. They probably aren't named Boris and don't speak with heavy Slavic accents. Most of them aren't even hackers or crackers, and likely wouldn't know the difference between a rootkit and root beer. If computer spies don't match the popular media's perceptions, just who are they?
As with most avocations, computer espionage is divided into the amateurs and the professionals.
Amateurs are casual spies. Although they may have very good reasons for snooping, their livelihood doesn't depend on it. These spies have a bit more experience with computers than the average user. That doesn't mean they're extremely technical; it means only that they have taken the time to learn about various technologies that can be used for computer eavesdropping and then applied that knowledge for espionage purposes. Learning about spying tools and then acquiring them is only a point and click away with an Internet connection. When you think about these types of spies, don't picture Tom Cruise or Sandra Bullock. Instead think of your boss, coworker, spouse, children, or the neighbor next door.
Professional spies tend to have more technical experience than the amateurs. One aspect or another of the professionals' jobs is to spy on people. This spying can be legal, as in the case of a law enforcement officer collecting intelligence for a child pornography criminal case, or illegal, in the case of a spy hired to obtain trade secrets from a corporation's network. Although these spies use some of the same tools and technologies that the amateurs use, they have a deeper understanding of the technology as well as access to more advanced and sophisticated eavesdropping tools. As with amateurs, you usually can't tell a professional spy by his or her appearance. Consider Aldrich Ames or Robert Hanssen: white, middle-class, average-looking CIA and FBI insiders who successfully spied for the Russians but blended in with society for years. Again, professional computer spies don't match the popular media's romanticized versions of espionage reality - although perhaps one or two might have a partner in crime named Natasha.
There are two reasons why it's important to have insights into the different types of spies:

1. To understand the technical capabilities and limitations of a potential adversary. This is obvious because you want to make sure that your own security measures can withstand a spy's attempt to breach them.

2. So you can put yourself in the spy's shoes. Throughout this book, there are sections that present spying tactics, specifically regarding how people spy on computers. In most of these sections, you're asked to put on the spy's trench coat so you can better assess your own security; to fully protect yourself, however, you need to know not only the tools and the techniques, but also the mindset of a spy. Popular culture has the saying, "What would _______ (Jesus, Gandhi; fill in your favorite wise role model) do?" When you review your security, you need to ask, "What would Corporate Spy (or whichever type of spy may be a threat) do?" The famous Chinese military strategist Sun Tzu said, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
Throughout this chapter, the concepts of knowing the enemy, knowing yourself, and knowing both the enemy and yourself are applied to computer spying.
What Spies Are After and Who They Are
Let's start with knowing the enemy. Computer espionage is about the purposeful discovery of information or evidence. If you use a dictionary definition (in this case, the American Heritage Dictionary of the English Language, Fourth Edition), information is "knowledge of specific events or situations that has been gathered or received by communication, intelligence, or news." Evidence, on the other hand, is "a thing or things helpful in forming a conclusion or judgment." An industrial spy may be looking for secret information on a Microsoft project manager's laptop that specifically relates to the company's future and hush-hush Longhorn operating system. A wife who suspects her husband of having an online affair may be looking for evidence in e-mail messages in an attempt to confirm her suspicions. Depending on what the information is, it could evolve into evidence. For example, a phone number stored in a PDA address book could belong to a known drug dealer and become supporting evidence for a criminal case.
Remember that spying is a purposeful activity. Although the suspicious wife may have stumbled across evidence that her husband was cheating because he accidentally left an Instant Messenger window open on the family computer, that's not spying. She wasn't actively seeking the information.
The types of information and evidence gathered can be very targeted or generalized, depending on what the spy is trying to accomplish. Perhaps he is looking only for financial information that relates to an upcoming merger and will be content with snooping through spreadsheet files with accounting information. On the other hand, a government intelligence agency may examine the entire contents of a hard drive that belonged to a terrorist, seeking not only evidence, but any information that may relate to future terrorist attacks.
In addition to information and evidence, there are two other important concepts in computer espionage: the activity is typically unauthorized and unknown. In most cases, you aren't going to give explicit or implicit permission to have someone snoop through your computer. Exceptions might be a workplace where employee monitoring takes place, or a situation in which you tell the friendly police officer that you don't have anything to hide, you don't need a lawyer, and certainly he can look at your computer. Also, in some types of law enforcement investigations you won't have a say if a court has granted a police agency permission to spy on your computer because of suspected illegal activities on your part. Remember that unauthorized doesn't necessarily mean illegal. Although breaking into a computer network to steal trade secrets clearly violates a number of laws, placing a keylogger on your son's computer without his permission to see if he talks to his friends about doing drugs would not be illegal, though it may be unethical to some people.
The second element of computer spying is that if you're the target, you don't know it's taking place until perhaps after the fact. Unlike clothing manufacturers, eavesdroppers don't go around leaving tags on computers that read "Snooped on by Spy #39." Sometimes, spies do leave tracks, but they usually aren't that obvious. Whoever is spying doesn't want you to know they are looking for information or evidence. Exceptions would be a publicized employee-monitoring program or the government's ECHELON data surveillance system (discussed later in this chapter), which is known about, much to the chagrin of those running the program.

Cross-Reference: ECHELON is an example of the government's frequent "cult of secrecy" attitude. Although the existence of ECHELON has been exposed, the government steadfastly refuses to acknowledge its existence. For more on ECHELON and other data surveillance systems, turn to Chapter 13.
So far, this discussion has all been about what spies are generally after, but we still haven't answered Sun Tzu's question of knowing who the enemy is. This is important because it gives us insights into their motivations and methods. Thinking like the bad guys is a valuable exercise in helping you protect yourself from them.
In general, spies can be lumped into seven different categories:

- Business spies
- Bosses
- Cops
- Private eyes and consultants
- Spooks
- Criminals
- Whistleblowers
- Friends and family

Let's take a quick look into the world of each type of these spies to better understand who they are and what they are after.
Business Spies: Economic Espionage
Economic espionage is a large, yet often ignored problem. Trade publications and organizations and the news media have been warning businesses about the dangers of economic espionage, formerly called industrial espionage, since the 1980s. The warnings seem to have fallen on deaf ears.
Consider these key points of a study released in 2002 by the American Society for Industrial Security, U.S. Chamber of Commerce, and PricewaterhouseCoopers, a survey of Fortune 1000 corporations and 600 small to mid-sized U.S. companies:

- Forty percent of the companies that responded to the survey reported having episodes of known or suspected loss of proprietary data. (Cutting away the jargon, that means someone on the inside or outside spied on them and stole company information.)
- Proprietary information and intellectual property losses accounted for between $53 billion and $59 billion.
- Economic spies are looking for information; they most commonly target research and development, customer lists and related data, and financial data.
Despite the potential impact of a successful attack, only 55 percent of the responding companies said their management was concerned about information loss and was taking precautions to prevent it. The implication is that a significant number of managers underestimate or don't understand the risks and costs of data theft. Companies suffering economic espionage attacks don't just suffer simple financial losses. They also have to contend with eroded competitive advantages, legal fees in the case of litigation, and diminished stockholder and public trust if an attack is publicized (which is one reason many attacks are never publicized).

Business spying isn't confined just to large corporations, either. Smaller companies, from mom-and-pop retailers to light manufacturers that operate at thinner margins without the cash reserves of a larger corporation, may actually suffer more significant damage from economic espionage.
Former employees, domestic and foreign competitors, and on-site contractors are the usual perpetrators of economic spying. (It's worth noting that economic espionage is very different from competitive intelligence. Competitive or business intelligence is practiced by using legal and open source methods. Economic espionage is where illegal means are used to obtain information. Granted, at times there can be gray areas, but most business intelligence professionals adhere to a fairly strict set of ethics.)
Cross-Reference: For more information on the differences between legitimate competitive intelligence and illegal espionage, visit the Society of Competitive Intelligence Professionals Web site at scip.org.
Although movies and TV shows portray corporate spies as shadowy mercenaries who cleverly break into super-secure locations, the reality is that insiders who have access to unsecured information are responsible for most economic espionage. Current or former employees with greed or revenge as motivation are much more of a threat than professional spies hired by a competitor.
The problem isn't confined only to lower-level employees. Jose Ignacio Lopez, the head of purchasing for General Motors, abruptly resigned in 1993 and took a job with Volkswagen. GM later accused Lopez of masterminding the theft of more than 20 boxes of research, sales, and marketing documents. Included were blueprints for an assembly plant GM hoped would displace VW's dominance in emerging small-car markets. In 1997, the case ended when VW admitted no wrongdoing, but settled the civil suit by paying GM $100 million and offering to buy $1 billion of GM parts over the next seven years. German prosecutors eventually dropped industrial espionage charges against Lopez, but ordered him to donate a quarter of a million dollars to charity.
Outsider attacks still occur, though, and are committed by an employee or agent of a competitor. Outside attacks typically fall into two categories:

- Opportunistic attack. A competitor may casually see if information is easily accessible, akin to twisting a doorknob to see whether it's locked. Information is stolen if doing so carries little risk of discovery or involves little effort. An example of this attack is a spy using a port scanner or vulnerability-assessment tool to see if there are any holes he can exploit to enter a corporate network. If exploitable vulnerabilities are discovered, a targeted attack may be launched.

- Targeted attack. A targeted attack is a serious attempt to steal information. The spy has a specific goal and employs a variety of techniques to get what he wants. When the monetary stakes are high, a large amount of money and resources may be committed to a spying operation. Because computers are used to store all sorts of corporate information, they present a prime target for business spies. Networks, laptops, desktop PCs, and PDAs are all vulnerable to attack. The technical skills that business spies have range from eavesdroppers with minimal skills, such as copying a confidential file to a floppy disk, to skilled technicians who can easily bypass a firewall to access a corporate database.

Cross-Reference: There are strict penalties for economic espionage in the United States. Turn to Chapter 2 for details.
Bosses: Employee Monitoring
Employee monitoring in the United States is growing rapidly. In the American Management Association's (AMA) 2001 survey on Workplace Monitoring & Surveillance, 77.7 percent of major U.S. companies stated that they recorded and reviewed employee on-the-job communications and activities. This amount is double what the AMA reported in its first monitoring report released in 1997.
If you work for someone else, there's a good chance the boss is spying on you. That means your e-mail, Web surfing, instant messaging, and hard drives could all be under scrutiny.
Continues...
Excerpted from Secrets of Computer Espionage by Joel McNamara. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.