Sun, 17 Jun 2001

The Spying Game: How Safe Are Your Secrets?

Most firms are aware of the need to protect their financial and personnel records as well as their trade secrets. Richard B. Elsberry, an American writer specializing in business and management topics, wrote this piece in OfficeSystems.

Security-conscious firms typically have a "clean desk" policy and religiously shred discarded office paper to discourage dumpster divers.

Their personal computers are password protected against infiltration, and sensitive information stored on the hard drives is routinely deleted. Doors and file cabinets are securely locked at night. By employing such precautions, you might think you are safe from cyber-snooping and other forms of industrial espionage, but you are wrong.

A dedicated assault by competitors or computer hackers on your data and business secrets could probably clean your clock in 48 hours or less, and you might not know for weeks, or maybe even months, how seriously your internal security has been compromised.

In the United States, more than 1,100 incidents of illegal data theft surfaced in a 1996 survey by the American Society for Industrial Security. It estimated the potential commercial value of the stolen information could be as much as US$300 billion.

Another survey by the Federal Bureau of Investigation (FBI) and the Computer Security Institute of 563 companies found that 422 had been victimized by computer-related crime in the preceding year. Some 249 of those firms were able to estimate the dollar value of their losses. It averaged $401,600.

But the problem of data theft actually may be much worse and more widespread since many firms that have been electronically molested often refuse to report it to the police or the media because they fear it will affect their public image.

The Internet

There was a time when a firm's trade secrets and its most important documents were locked in a safe at night.

Today, more often than not, they reside on the hard drives of desktop computers. As business computers become interconnected via the Internet and private networks, they become more susceptible to break-ins.

"The only secure computer is one that is turned off, locked in a safe and buried 20 feet down in a secret location," says Bruce Schneier, author of E-mail Security published by John Wiley & Sons.

Network security experts say that is an exaggeration. But they agree that your first line of defense against spies, saboteurs and disgruntled ex-employees should be a multilayered security program. Such a program, combining the use of firewalls, security scanning software, complex passwords, an encryption program and a file wiper program, can foil even the most sophisticated data thieves.

Unfortunately, most companies today try to deny access to their computers by relying almost exclusively on passwords, which, more often than not, are so obvious they can be cracked by hackers without breaking a sweat. To prove the point, a Chicago management consultant was able to break into more than 100 of his clients' computers by modem or over the Internet because they all had selected as their password "Bulls", the name of the local NBA team.

People have a tendency to select stupid passwords, reports Kroll Associates, a New York-based private detective agency. Two of the most common are "secret" and "password." System administrators often choose "God." Spies and hackers know that.

They have lists of commonly used passwords as well as "cracker" software programs that can make shrewd guesses based on words and numbers.

They also use "sniffer" programs that can be installed at a modem or a gateway between the company's network and the Internet to record the passwords of people logging on.

Because a data thief can get into almost any voice-mail or e-mail box protected by a four-digit password, you should insist on passwords that are at least six digits.

Lucent Technologies claims the odds of breaking a four-digit password are only one in 9,000, but the odds rise to one in 900,000 with six digits. Lucent recommends 15-digit passwords for system managers.

It is also a good idea to insist that telephone equipment rooms be locked and frequently inspected for tampering or devices that can transmit passwords to nearby radio receivers.

Another way to authenticate personnel logging on to a computer is to use tokens, credit-card-size devices issued to users.

When a user logs on, the server issues a challenge. The user then keys the challenge into the token, and the device displays a response, which the user provides to the server.
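The challenge-response exchange described above, as an added example that is not part of the original article. It assumes the token and the server share a per-user secret and that the response is a six-digit truncation of an HMAC-SHA256 over the challenge; the article does not say which algorithm real tokens use, and the names `Token`, `Server` and `alice` are hypothetical.

```python
import hashlib
import hmac
import secrets


def _response(secret: bytes, challenge: str, digits: int = 6) -> str:
    # Assumed scheme: keyed MAC over the challenge, shortened to a code a person can type.
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


class Token:
    """The credit-card-size device: holds the secret and never displays it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        return _response(self._secret, challenge)


class Server:
    def __init__(self):
        self._secrets = {}   # user -> shared secret
        self._pending = {}   # user -> challenge awaiting an answer

    def enroll(self, user: str) -> Token:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return Token(secret)

    def issue_challenge(self, user: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"  # fresh for every log-on
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a recorded response cannot be replayed.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._secrets:
            return False
        expected = _response(self._secrets[user], challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison
```

Because the challenge changes on every log-on, a response captured by the "sniffer" programs mentioned earlier is of no use for a later session, which a recorded static password is.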

Building a firewall

The first line of defense in most systems is a firewall -- a barrier between the internal network and external networks. Firewalls range in price from about $1,000 to $20,000. They protect against hackers and network attacks by screening incoming and outgoing packets, accepting or denying them according to a set of predefined rules.

Software tools designed to scan for network vulnerability to backdoor penetrations by hackers are now considered essential to local area network (LAN) security. They include Internet Security Systems' Internet Scanner, Qualix's NetProbe, Bellcore's Pingware and Security Administrator Tool for Analyzing Networks (SATAN). You can download SATAN from the World Wide Web for free, but to use the other three security-auditing products you must obtain a license.

You can assure complete privacy for specific files and e-mail messages or everything in your computer, by using an inexpensive encryption program that scrambles the text so that it can be decoded only by the sender and receiver.

File deleted?

Anyone who thinks that by deleting a file you completely destroy it should think again.

Actually, recovering files deleted from a computer directory is as easy as pie. Deleting a file does not really erase it; it just no longer shows up on the directory of files. Think of it as an unlisted phone number. The computer lists the space occupied by the deleted file as available for overwriting.

But on a hard disk with megabytes of storage, the space may not be reused for a long time. Computer pros know they can restore such files using commands such as "undelete" and "unerase." One program offering that capability is Norton Utilities from Symantec.

To assure that a file is irretrievably erased and not just residing in limbo, you need a program that obliterates the file by overwriting it several times with random characters to turn it into meaningless hash. Such programs, which can be downloaded from the Internet, include Burn, Shredder, Flame File and BCWipe Windows.

Another subtle form of industrial espionage that can devastate your business is a software virus. These are usually embedded in programs downloaded from the Internet, but recently a new type of virus has appeared that spreads through documents attached to e-mails.

Analog thieves

Not every attack on your company's secrets is launched over telephone lines in the middle of the night. Some thieves break in and enter the workplace, but others, far more simply, walk through your front door during normal business hours in the guise of visitors or temporary employees.

Companies routinely give access to highly proprietary information to complete strangers from temporary employment agencies who may know more about computers than WordPerfect or Lotus 1-2-3. Interlopers with hidden agendas can walk off not only with discarded copies of documents but also with printouts of the work they perform. During lunch and coffee breaks, they can collect passwords and data from monitors that display work in progress to anyone who cares to look.

Intelligence professionals often infiltrate as temps equipped with small devices that look like portable CD players but are actually CD writers. They can be plugged into a parallel port at the back of a computer left running during the lunch hour and siphon off the entire contents of its hard disk faster than you can say lickety-split.

To foil such data vampires -- who sometimes pose as suppliers or job applicants -- instruct your staff to always turn off an unattended computer. But since people are forgetful, an even safer approach is to install Norton Your Eyes Only, which will blank the screen and lock up the keyboard if the user steps away for a minute.

Another way intelligence professionals gain access to competitive data is to buy computers that have been traded in, or auctioned off, by targeted companies. More often than not, files on the hard disk are intact or can be unerased and may prove to be a gold mine of insider information.

While computer crime is widespread, it is not the only way you can have your pocket picked of your trade secrets.

While physical penetration of your workplace may seem the least of your worries, one way to tap your secrets and make it look like the work of druggies is to steal a computer or two and explore the hard disk at leisure.

To deter uninvited visitors, consider a computer-controlled entry system involving keypads or smart cards. Closed-circuit television surveillance systems are also proving cost effective as deterrents to theft.

Since most of the companies that do not get their act together will be involved sooner or later in a computer-related crime, you have to ask yourself a question: Do you want to be the next victim?