Originally published in NetGuide magazine
Writer Dashiell Hammett could never have dreamed up private investigator Joseph Seanor. Unlike a fast-talking, streetwise gumshoe who spends his nights pounding the pavement, Seanor does his research pounding on a keyboard. Each week he dons a virtual reality headset and spends 100 hours online, trolling databases for information and hanging out under a variety of screen names with the hackers, crackers and net junkies found late at night on bulletin boards, in newsgroups and on Internet Relay Chat.
As head of Computer Intelligence Business Investigative Resources Corp. (CIBIR), an Alexandria, Va., company that specializes in cyberspace investigations, Seanor is one of the first of a new breed of private detectives. "Every software company in the industry has people who monitor the net for them, keeping an eye out for stories of people trying to hack systems, stories of people talking about software problems and just general chitchat," says Seanor.
And it's not just the computer industry that has a stake in protective surveillance: Seanor's client list also includes Fortune 500 companies. According to a survey conducted by the accounting firm of Ernst & Young, more than half of the 1,271 North American corporations polled reported financial losses related to information-security problems. The companies said they saw competitors as the biggest threat to information security, followed by employees, customers, public interest groups, suppliers and foreign governments.
Not surprisingly, companies are more than willing to pay for the services of a good private detective with the cyberspace equivalent of street smarts and deep-throat sources of information in the computer underground. Indeed, electronic detectives may be corporate America's best weapon against the onslaught of technologically sophisticated spies and bandits.
Companies collecting data on business rivals and individuals pose a disturbing threat to corporate information security. Such activity comes under the broad heading of "competitive intelligence" and can involve a variety of techniques, ranging from computerized searches of public records on-line or on CD-ROMs and purchases of "black" data--illegal data obtained from sensitive government or private-sector databases--to hacking into computer networks to obtain insider documents.
"The first thing they're going to do is get a credit report from Dun & Bradstreet," warns private eye Ed Pankau, who is chief executive officer of Intertect Inc. in Houston, and author of the Prentice Hall online database search engine. Pankau is also part owner of Seanor's company. "Then they're going to go in and see where you bank, what your lines of credit are. This information can be gotten by a good hacker. He can get it by accessing the Uniform Commercial Code records and by calling the bank directly and saying you want to do this deal and do these people have the creditability to do this?
"Then they'll go online and get franchise tax reports, sales tax reports and they'll get your dollar volume and then they'll start going in to get more specific information from within the company itself," Pankau continues.
He warns that companies can buy a wide range of black data gleaned from government databases, credit bureaus and hospitals by unscrupulous employees, who then sell the files to shady private investigators or information brokers. This data can be used to build detailed profiles of corporate executives and investors. Social Security files, files from the National Crime Information Commission, medical records and credit reports can go for as little as $100 a pop. "And if they can go in and get past the firewall--if the company even has one--they can just go wide open and pull a lot of their financial data," Pankau cautions.
Most companies believe that carefully designed firewalls will protect sensitive information on local networks that are connected to the Internet from being compromised. But a number of protective firewalls already have been breached.
In fact, in the same week last November two major firewall break-ins occurred. The first involved the General Electric Co. According to Information-Week, General Electric Information Services in New York had to shut down its computers for 72 hours after hackers broke in through the GEIS system's firewall. Then a group called the Internet Liberation Front penetrated secure systems at Pipeline Network, Inc., a New York Internet service provider, and at Sprint, Pipeline's long-distance provider.
Perhaps even more disturbing, hackers have been able to collect classified passwords to U.S. Department of Defense firewall-protected systems, using specially designed "sniffer" software. These programs are able to collect logins just outside a network's gateway, enabling would-be hackers to gain access to a protected system.
The vulnerability of existing electronic protections, such as firewalls, is one reason why private detectives like Seanor probably will not have trouble finding work in the future. This is especially true given expert opinion that the use of competitive intelligence will increase. "As global competition grows, companies must define competitive strategies to gain position and market share at the expense of competitors," says Bill DeGenaro, managing director for The Futures Group, a corporate intelligence company in Glastonbury, Conn., and former director of strategic countermeasure planning, counterintelligence and security with the Department of Defense. "In today's high-velocity markets, recovery from a major surprise attack may be difficult at best, and more likely impossible."
Based on findings from The Conference Board, DeGenaro estimates that only 5 percent of American companies have well-defined competitive intelligence and counterintelligence programs, in sharp contrast to other leading industrialized countries. "We would argue that 100 percent of the flagship Japanese firms use competitive intelligence techniques, 100 percent of the French, most of the Swedes, many of the Germans, most of the Swiss, all of the Koreans," concludes DeGenaro.
Computer experts agree that the threat to computer system security from insiders is almost always greater than that from outsiders. In fact, even the nation's phone system doesn't appear to be nearly as secure as we assume it is once you take a close look at how insiders have hacked the system.
Consider the story of Ivy James Lay, a former MCI employee awaiting trial for the alleged theft of 60,000 AT&T, Sprint and MCI calling-card numbers, which were then sold to others.
According to former National Security Agency official Noel Matchett, the telephone companies lost a total of about $50 million. Lay, whose job it was to oversee the monitoring and maintenance of the signaling link of MCI's telephone system, was arrested by Secret Service agents last September.
"While the investigation of the case is ongoing," Matchett says, it appears that Lay "hooked up a digital analyzer--a common maintenance tool--to the signaling link and downloaded large amounts of information that passed through his switch. He then apparently took the collected messages home and analyzed the signals to pick out credit card calling numbers." Matchett added that the hacker then removed calling card and PIN numbers from his digital stash at leisure and sold them on electronic bulletin boards to other hackers in the United States and Europe. Matchett, now president of Information Security Inc. in Silver Spring, Md., explains that someone with such access can easily eavesdrop, reroute traffic and modify data passing through networks. He also warns that capturing information as it bounces around the Internet would be relatively simple.
"Any system manager can get information through his system if it's not encrypted," Matchett contends. "Every router has remote diagnostics. I control router number one. You're sending information from point A to point B through router number one. I send it to router number two where my buddy splits it, takes a copy of it, lets it continue on and routes it back to point B. When B gets the information, B will never know there was a security breach. This isn't hard to do."
Who Done It?
Hunting down the perpetrators of an electronic break-in can be complicated. It's often next to impossible to follow the digital trail back to the source. That's why a major U.S. Internet service provider recently called Seanor to investigate the strange case of the stealth virus. The service provider had started getting e-mail from worried subscribers who had heard that free software being distributed to new customers was contaminated with a virus. People who had seen messages about the virus posted on newsgroups and bulletin boards were frantically searching for the most effective anti-viral software as well as help and advice.
"The company started checking it out and they got some of the people to forward them copies of the messages, which had been posted on the net and bulletin boards," Seanor says. "Once they started reading the messages, they realized the virus was a total fabrication."
Nevertheless, the company wanted Seanor to track down the source of the lie. Seanor went to work and eventually discovered that many of the messages had been sent through anonymous remailers and posted on Usenet newsgroups. He then focused on the original bulletin board postings.
"Strangely enough," he explains, "the local bulletin boards were all located in the same area code on the West Coast, known to be the area code for a software company that provides telecommunications software in competition with my client."
But it would be hard to prove in court that the software company had attacked the service provider. And the provider had no stomach for a potentially damaging countersuit. Better, the company decided, simply to take the hit, grin and do damage control. The service provider informed its users that the virus scare had been a false alarm.
"Security is an illusion," Matchett concludes. That's not to say, however, that companies can't protect themselves. For one thing, Matchett says, companies need to recognize the dangers and advantages of the net and to work on developing new security technologies to protect their interests.
In July 1993, Matchett obtained patents for new technology that continuously verifies the identity of computer users.
"What our technology is, it's basically a control system to control a variety of biometrics," Matchett explains. "You would go to some organization that would take your biometric credentials--including videoprint, voiceprint, thumbprint--and put these in a registry. We have a patent on the concept of integrating the biometrics into a man/machine interface. We could put your thumbprint in a mouse. So when you click on the mouse, it would grab your thumbprint. That's the way to link an individual to the system he or she is using."
Matchett's ideal system would observe all users constantly, monitor their typing pattern, voice, face and thumbs, and black out any terminal without clear and constant positive ID. Such a system could keep track of every mouse click you make, every piece of e-mail you save, everyone with whom you interact, and every time you log off to go to the bathroom.
How much security are we, as corporations and individuals, willing to trade off for personal privacy in the workplace? And how much privacy are we willing to sacrifice to enforce the increasingly fragile social contract in today's downsizing, outsourcing, reengineering corporations?
The answers to these questions will shape our society as well as the future of the net.
Protecting the Corporate Trust
-- Use encryption. If you're sending sensitive e-mail, invest in easy-to-use encryption from Norton Disk Utilities programs, which will discourage the casual or newbie hacker, or you can go for industrial-strength programs like Pretty Good Privacy, which is more difficult to use, but provides virtually unbreakable security, providing you remember not to store your secret keys and passwords on your computer. Encrypt hard drives in the office with sensitive corporate information on them, or, better yet, store as much as possible of your sensitive information behind an "airwall"--put it on a standalone computer, unconnected to any online service, BBS or Internet service provider. Then encrypt the sensitive files on that machine. You can hire an Internet service provider that offers security management. BBN Planet, an Internet provider in Cambridge, Mass., offers constant monitoring, firewalls and other goodies for corporate customers. Although IP (Internet Protocol) hacking threatens conventional firewalls, it's only a matter of time before security pros find ways to defeat software "sniffers." Encrypt key corporate faxes and all corporate satellite video feeds. Consider telephone encryption for top management.
-- Set up stings and disinformation campaigns if you believe you are the target of industrial espionage. You can send disinformation out through suspect channels, and if competitors pick up on it, you know they're spying on you.
-- If you're really concerned about security, you might consider doing much of your networking business on a "virtual network," a standalone, wide-area network unconnected to the Internet. Or you could use AT&T's new corporate networking system, which is separate from the net as we know it. In that event, you'll have to figure out how to provide employee access to the net or be cut off from the bulk of cyberspace. -C.L.
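The sting described in the list above only tells you which channel is compromised if each suspect channel receives its own marked copy of the decoy. A sketch of that bookkeeping, added here as an example and not taken from the article; the key, channel names, document id and decoy text are all constructed:

```python
import hashlib
import hmac
import re

# Constructed values for illustration; none come from the article.
SECRET = b"constructed-demo-key-keep-offline"
CHANNELS = ["fax-line-2", "vendor-mailing-list", "branch-office-bbs"]
TEMPLATE = "Project Osprey pricing moves to tier C on the 14th. Quote {ref} on replies."


def canary_token(secret: bytes, channel: str, doc_id: str) -> str:
    """Derive a per-channel marker that looks like an ordinary reference number."""
    mac = hmac.new(secret, f"{doc_id}|{channel}".encode(), hashlib.sha256)
    return "REF-" + mac.hexdigest()[:12].upper()


def seed_copy(template: str, secret: bytes, channel: str, doc_id: str) -> str:
    """Return the decoy text carrying the marker for one channel."""
    return template.format(ref=canary_token(secret, channel, doc_id))


def _normalize(text: str) -> str:
    # Survive retyping: ignore case, spaces, hyphens and line breaks.
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def attribute_leak(secret, channels, doc_id, observed_text):
    """List the channels whose marker appears in text seen outside the company."""
    haystack = _normalize(observed_text)
    return [
        ch for ch in channels
        if _normalize(canary_token(secret, ch, doc_id)) in haystack
    ]


if __name__ == "__main__":
    copies = {ch: seed_copy(TEMPLATE, SECRET, ch, "decoy-001") for ch in CHANNELS}
    # Constructed sighting: the vendor-list copy, retyped in lower case with spaces.
    sighting = copies["vendor-mailing-list"].lower().replace("-", " ")
    print(attribute_leak(SECRET, CHANNELS, "decoy-001", sighting))
```

Because the markers are derived with a keyed HMAC, no table of issued markers has to be stored alongside the decoys, and someone who sees one copy cannot work out the marker given to another channel.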
Investigative reporter Curtis Lang has written for Worth, Mother Jones, New Media, The Village Voice and Ad Age, among other publications.