Tuesday, May 31, 2005

Dickie's Quickies

Haaretz reports on an industrial espionage case that police have just revealed. The case involved some rather large Israeli companies hiring private investigators to spy on their competitors. The PI firms then hired another person to write a Trojan and place it on the competitors' computers. Once it was in place, the program's author provided the PI firm with a user name and password, which the firm's client used to steal documents from the competitor's computers and send them to a series of FTP servers. How did the police catch on? The hacker had initially written and used the program to spy on some ex-in-laws, and it was the ex-in-laws who reported the original hacking to the police. From there it was a matter of backtracking the whole process to the industrial clients.

So, it wasn't the IT people who busted this hacker, but the police. Good for the police, but bad for the IT folks. They had better look at their practices. Some highlights of the article:

The companies suspected of commissioning the espionage, which was carried out by planting Trojan horse software in their competitors' computers, include the satellite television company Yes, which is suspected of spying on cable television company HOT; cell-phone companies Pelephone and Cellcom, suspected of spying on their mutual rival Partner; and Mayer, which imports Volvos and Hondas to Israel and is suspected of spying on Champion Motors, importer of Audis and Volkswagens. Spy programs were also located in the computers of major companies such as Strauss-Elite, Shekem Electric and the business daily Globes.

"The program was essentially customized for each and every one of the 'victims' that the PI agencies wanted to attack," said Chief Inspector Nir Nativ, one of the officers who investigated the case. "Haephrati adapted the software to penetrate a specific company, at the request of the PI agency's client."

Haephrati used two methods to plant his malicious software (or malware) in the target computers. One was to send it via e-mail. The other was to send a disk to the target company that purported to contain a business proposal from a well-known company that would arouse no suspicions. Then, when an employee loaded the disk to view the proposal, the Trojan horse would infect his computer.

Nativ explained that even anti-virus programs cannot detect Haephrati's malware, because each is unique. Moreover, the Trojan horses were generally unwittingly introduced by company employees who inserted the infected disks, rather than "attacking" from outside, making detection even more difficult.

Police believe that industrial espionage using Haephrati's programs has been going on for at least a year and a half.

Police said that they are not yet able to quantify the economic damage suffered by the victims, but it appears to have been considerable - thanks both to the program's capabilities and to the sheer number of companies involved.

Police eventually obtained court orders to access several FTP servers based in Israel and the United States, and then discovered tens of thousands of documents stored there that belonged to major Israeli companies, including many files labeled "internal" and "secret."

This sort of thing - with internal users introducing the Trojan - is going to be discovered more and more often. We're going to find that criminal enterprises are the ones behind it as well and not just competitors or hackers with an axe to grind.
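The article notes that signature-based anti-virus missed the custom Trojans, yet the stolen documents still left the network in bulk to FTP servers. That traffic is the kind of thing the IT folks could have caught by watching their own egress. Below is an added example (my own illustration, not code from the article or the case) that totals outbound FTP bytes per internal host per day from constructed firewall log lines and flags hosts that exceed a baseline; the log format, the host addresses and the threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample egress log, one record per FTP session (assumed format):
# date  internal-source  destination  dst-port  bytes-sent
SAMPLE_LOG = """\
2005-05-02 10.0.1.15 203.0.113.9 21 1200
2005-05-02 10.0.1.22 203.0.113.9 21 48000000
2005-05-02 10.0.1.22 198.51.100.7 21 61000000
2005-05-02 10.0.1.40 192.0.2.11 443 900000
2005-05-03 10.0.1.22 203.0.113.9 21 55000000
2005-05-03 10.0.1.15 203.0.113.9 21 3000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse(log_text):
    """Yield (date, src, dst, port, nbytes) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, src, dst, port, nbytes = m.groups()
            yield date, src, dst, int(port), int(nbytes)


def ftp_egress_per_host(log_text):
    """Sum bytes sent to FTP (port 21 sessions in this constructed log) per (date, host).

    Simplification: the sample log books the whole session's bytes against the
    control port; a real data source would also attribute data-channel traffic.
    """
    totals = defaultdict(int)
    for date, src, _dst, port, nbytes in parse(log_text):
        if port == 21:
            totals[(date, src)] += nbytes
    return dict(totals)


def flag_bulk_ftp(log_text, threshold_bytes=10_000_000):
    """Return sorted (date, host, bytes) for hosts above the daily FTP egress baseline."""
    return sorted(
        (date, host, total)
        for (date, host), total in ftp_egress_per_host(log_text).items()
        if total > threshold_bytes
    )
```

A single internal workstation pushing over 100 MB a day to outside FTP servers stands out regardless of whether the Trojan itself had a signature.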


Scott said...

When you say criminal enterprises, do you include a government which spies on its own citizens?

Dumb question I guess.

B.D. said...

There are no dumb questions! The answer is, "Yes, I do include a government which spies on its citizens - without some measure of proof or valid suspicion that a crime is being committed, and that proof or suspicion has been submitted for review by a court which will make the matter public once the crime has been charged and that it be available for public scrutiny." But, you knew the answer to that already. :)