Who wants my data? - a case of data theft
There's a company which does 100% of its business online. It specialises in providing online services, so its IT systems and their security are of considerable importance. As any big company (4,000+ employees, several sites and branches worldwide) would do, they have a PR department that also follows up on Internet gossip, on what is going on in the chat rooms provided by the company, and in relevant online forums. This turned out to be a very wise move as, one lovely July day, a message popped up in one of these forums, which froze the blood of the head of PR.
The message read: 'Do you want to start your own online services company? - Customer contact list for sale - full details, names, addresses, CC info.'
So the head of PR did what he was supposed to do in such cases, and called up the head of security, who was fortunate enough to have held that position only for a couple of months, as he certainly would not have wanted to be held responsible for what must have happened. He lost no time in getting hold of the message and all available details and then, without further ado, turned to an investigator for assistance. On the very same day, a team was assembled which consisted of:
o a head of investigation bearing full responsibility for everything that happened as part of the investigation
o a head of operations in charge of all tactical matters, such as carrying out observations and acquiring information
o a quality assurance investigator who would review all documents and provide feedback on all planned steps
o a team with a variable number of members to perform surveillance; in this case, the maximum number of agents used was six
o a lawyer who would provide input on legal matters and on how these could be used should the case go to court.
The team started its work immediately, and the head of security also put his own people to work on some technical aspects, in close co-ordination with the investigation team.
One of the first things they found out was through quite a piece of luck. The original message in the Internet forum contained a link to what seemed to be a project belonging to the writer. They visited the link and took what was a simple step, once they thought of it, namely, looking at the source code of this web page. This revealed something very interesting - a file path containing a name, since the page had obviously been created on Microsoft® Windows® equipment and uploaded from the user's personal profile folder. So there it was: a name.
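The leak described above (a local profile path left in published HTML) is easy to check for on one's own pages before they go live. The following scanner is an added example, not part of the original case write-up; the sample page, the account name and the paths in it are constructed for the demonstration.

```python
"""Scan published HTML for leaked local file-system paths.

Added example (not from the original case): a pre-publication check a web
team can run over its own pages. SAMPLE_PAGE, the account name "jdoe" and
every path below are constructed for the demonstration.
"""
import re
from typing import NamedTuple
from urllib.parse import unquote

# Windows drive paths as they appear in generated HTML/CSS, e.g. in
# <img src="C:\..."> or "file:///C:/...". Back- or forward slashes, and
# not preceded by a word character so that "http://" is not mistaken for one.
_WIN_PATH = re.compile(
    r"""(?<!\w)(?:file:///)?[A-Za-z]:[\\/](?:[^\\/"'<>\s]+[\\/])*[^\\/"'<>\s]*"""
)
# POSIX home directories (Linux /home/<user>, macOS /Users/<user>).
_POSIX_HOME = re.compile(r"""/(?:home|Users)/([^/\s"'<>]+)(?:/[^\s"'<>]*)?""")
# Windows profile folders that name the account the page was created under.
_WIN_PROFILE = re.compile(
    r"""(?:Documents and Settings|Users)[\\/]([^\\/\s"'<>]+)""", re.IGNORECASE
)


class PathLeak(NamedTuple):
    line: int      # 1-based line in the page
    path: str      # the leaked path as written in the page
    account: str   # user name recovered from the path, or "" if none


def find_path_leaks(html: str) -> list[PathLeak]:
    """Return every local path found in the page, with the account it names."""
    leaks = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in _WIN_PATH.finditer(line):
            # Paths in attributes are often percent-encoded ("Documents%20and%20Settings").
            prof = _WIN_PROFILE.search(unquote(m.group(0)))
            leaks.append(PathLeak(lineno, m.group(0), prof.group(1) if prof else ""))
        for m in _POSIX_HOME.finditer(line):
            leaks.append(PathLeak(lineno, m.group(0), m.group(1)))
    return leaks


def leaked_accounts(html: str) -> set[str]:
    """The set of account names a page gives away; empty if the page is clean."""
    return {leak.account for leak in find_path_leaks(html) if leak.account}


# Constructed page with the kind of residue a desktop HTML editor leaves behind.
SAMPLE_PAGE = """<html><head><title>Project page</title></head>
<body>
<img src="file:///C:/Documents%20and%20Settings/jdoe/My%20Documents/site/logo.gif">
<a href="http://www.example.com/about">About</a>
<link rel="stylesheet" href="C:\\Users\\jdoe\\Desktop\\project\\style.css">
<!-- generated from /home/jdoe/site/index.html -->
</body></html>"""

if __name__ == "__main__":
    for leak in find_path_leaks(SAMPLE_PAGE):
        print(f"line {leak.line}: {leak.path}  (account: {leak.account or '-'})")
```

Run over a site export before upload, a non-empty result from `leaked_accounts` is the signal to fix the page; in the sample the three leaked paths all point to the same account.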
In parallel, fake negotiations were entered into with the writer who, step by step, revealed more details about himself. The goal of such negotiations is always the same: first, establish as much trust as needed (as fake buyer) to allow you to be the one who calls the shots. Then get the perpetrator to meet in person for a handover of some sample data. Using this sample data, you can find out whether the sale is actually based on real data, pointing to a severe breach, or whether the sale is entirely fake.
Unfortunately, as the victim, you almost always have to take this first step, and spend some money to find out whether or not you are really under threat. There is nothing much else you can do at this stage.
Once it turns out that the data is not fake, you would establish contact with the police, let them take the lead, and work towards some personal handover of the entire dataset, with the police arresting the criminals on handover.
In this case, things turned out to be pretty straightforward. From the fake negotiations and additional research, it became clear that the suspect was living in the country where the company had its headquarters, which would make legal follow-ups a lot easier. The investigation team was able to come up with a name, an address, a photo and a date of birth. The perpetrator was only 14½ years old, which made him legally old enough to face criminal proceedings. And on top of it all, when contact was established with the police, it turned out that this child had already had one run-in with the law for fraudulent Internet activity.
The data, however, turned out to be authentic and that was the scary part.
As the case progressed, it turned out that the child was conducting all this activity, using a laptop, from where the family was on holiday in Greece. The investigators now had to find out when they would return, and where they would be coming back to. There were several possibilities, as the parents were divorced and the grandparents ran a small country hotel. This meant that a total of three surveillance teams was needed to locate them correctly.
You can imagine the surprise of the parents, as they returned from their holiday, and the police, notified by the surveillance team, raided them and impounded all computer hardware that could be found, including the laptop and additional hard disks.
As the child showed some remorse, he agreed to be interviewed with his father present, then reported all the sordid details to the investigators. And here the case ran dry again, as the child was only a dealer, and could not reveal much contact information about those behind the theft.
Legally, the child was only charged with fraud, as he had advertised that he was in possession of millions of customer records while, in fact, he only had about 10,000. He was let off lightly, received a suspended sentence and, as media reports showed some years later, all his later business ideas were legitimate ones.
As for the data theft, that was the tricky bit. Further research showed that the original company had bought another company, in a European country, just a couple of months previously, and that that was where the theft had occurred.
The best explanation they could come up with of what had happened went as follows:
o their new acquisition had wanted to shut down a couple of services and servers, and their idea of shutting down the devices was simply to take them out of DNS, but leave them connected while not doing any further maintenance on them
o over a period of four months, the attacker then successfully exploited an OS vulnerability to run a SQL injection attack and get hold of the customer records
o an estimated 4 million records were lost, including user passwords, but luckily no payment details, such as credit card information.
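Servers "shut down" by removing their DNS records, as described above, can be found by reconciling data most estates already hold: a DNS zone export, a neighbour (ARP) table from the segment's router or switch, and the patch-management check-in report. The script below is an added example, not part of the original case write-up; the zone, ARP table, report, host names and addresses are all constructed.

```python
"""Find servers that were "decommissioned" by deleting their DNS records but
are still answering on the network and no longer maintained.

Added example (not from the original case). Reconciles three constructed
sources: a DNS zone export, a neighbour-table dump and a patch-management
check-in report. Every host, name, address and date below is fictitious.
"""
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

# Constructed zone export: the hosts that officially still exist.
ZONE_EXPORT = """\
$ORIGIN corp.example.
www       IN A 10.20.0.10
db01      IN A 10.20.0.21
mail      IN A 10.20.0.30
"""

# Constructed neighbour-table dump: every IP that answered on the segment.
ARP_TABLE = """\
10.20.0.10  00:11:22:33:44:10
10.20.0.21  00:11:22:33:44:21
10.20.0.22  00:11:22:33:44:22
10.20.0.30  00:11:22:33:44:30
10.20.0.40  00:11:22:33:44:40
"""

# Constructed patch-management report: last time each agent checked in.
PATCH_REPORT = """\
ip,hostname,last_checkin
10.20.0.10,www,2009-07-01
10.20.0.21,db01,2009-07-01
10.20.0.22,db02-old,2009-02-15
10.20.0.30,mail,2009-06-30
"""


def parse_zone(text):
    """Return the set of IPs that have an A record in the zone export."""
    ips = set()
    for line in text.splitlines():
        m = re.match(r"^\S+\s+(?:\d+\s+)?IN\s+A\s+(\S+)", line)
        if m:
            ips.add(m.group(1))
    return ips


def parse_arp(text):
    """Return the set of IPs seen on the wire (first column of each line)."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ips.add(str(ipaddress.ip_address(parts[0])))
        except ValueError:      # header or garbage line
            continue
    return ips


def parse_patch_report(text):
    """Return {ip: (hostname, last_checkin date)}."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        out[row["ip"]] = (row["hostname"], date.fromisoformat(row["last_checkin"]))
    return out


def find_forgotten_hosts(zone, arp, patch, today, max_age_days=30):
    """Live IPs with no DNS name whose patch agent is stale or was never seen.

    Returns a list of (ip, hostname, last_checkin) sorted by address.
    """
    in_dns = parse_zone(zone)
    live = parse_arp(arp)
    checkins = parse_patch_report(patch)
    cutoff = today - timedelta(days=max_age_days)
    findings = []
    for ip in sorted(live - in_dns, key=ipaddress.ip_address):
        name, last = checkins.get(ip, ("<unknown>", None))
        if last is None or last < cutoff:
            findings.append((ip, name, last.isoformat() if last else "never"))
    return findings


if __name__ == "__main__":
    for ip, name, last in find_forgotten_hosts(ZONE_EXPORT, ARP_TABLE, PATCH_REPORT, date(2009, 7, 15)):
        print(f"{ip:<12} {name:<12} last patch check-in: {last}")
```

A host that is live but has neither a DNS name nor a recent agent check-in is exactly the "taken out of DNS but left connected" server of the case; the report lists both the half-decommissioned database host and an address nobody knows about at all.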
Naturally, some organisational changes were made to the new subsidiary company, and a tighter hold was exerted on all change management procedures inside that company.
Furthermore, the company had all user passwords changed and, luckily, no abuse was reported by users.
The stolen list, however, is still at large, though it is mostly useless. The physical addresses of the customers from the list were used at least once, when the chief executive of one company received an advertisement from a new and totally unknown competitor, in which his address was spelt exactly as in the company's database, including all spelling mistakes.
This all served as a giant wake-up call about the realities of doing Internet-related business today. The company has not only strengthened its security since then, it has also used this incident to establish standard procedures on how to deal with such cases in the future.
The case presented here is quite typical of what can happen to a big corporation. It also highlights the fact that one of the main groups of perpetrators of computer crime today consists of gifted individuals (generally male) aged between 14 and 25, who have nothing better to do with their time. It also shows that companies sometimes make it much too easy for such people to succeed, landing themselves with heavy investigational and recovery costs.
The case shows that a vigilant PR department can be a very good first line of defence in actually detecting a breach. Had it not been for the PR department and its standard routine of reading relevant forums, the breach might have remained unnoticed for much longer. If you belong to a big company, you should adopt this practice, though chances are that your PR department is already doing so.
It is essential that a clear reporting structure exists. It does not have to be fully formalised, though ideally it ought to be. It is absolutely fundamental to information security awareness that people know where to go to report an incident. The head of PR did just the right thing in reporting this incident to the head of security right away, which is the next important thing: report immediately, not as soon as possible.
The investigation team in this case might seem large, but its size and composition are quite typical for such cases. It is appropriate in dimension and scope and will usually only vary in the number of field agents used. Such a team comes at a cost of approximately 10,000 euros per day, but an investigation is characterised by intense phases of activity, followed by phases where nothing needs to be done, so the actual cost will always depend on the intensity of the case and its characteristics. The figure presented is more a rule of thumb.
Quality management is also necessary. Investigations do not forgive mistakes, so having an additional, senior and experienced investigator on board, who provides input on all plans and feedback on all actions taken can be tremendously important. Be aware, though, that these two qualities (senior and experienced) do not necessarily come in one package, and that the person you look for should ideally be in their 50s, having served in progressively more responsible job functions, preferably with an economic crime unit.
In cases like this, the best chance of success always comes from direct contact with the perpetrator. The investigators, therefore, need to be skilled in social engineering and able to take control of the perpetrator and steer them through the proceedings. The younger and less hardened the person is, the more easily this will work, but even hardened criminals have weak spots or vulnerabilities that can be exploited during negotiations, to make them steerable.
It is also important to have all relevant staff needed for the case on heightened alert, and on stand-by if necessary. In this particular case, all data verifications were made at a different site, so the people had to be informed and put on stand-by. This can become more complicated if teams are working across different time zones, though that was not the case here.
Luck was on the side of the company in this case, as the main perpetrator was located in the same country. That simplifies the whole investigation and the case by orders of magnitude as most of our judicial systems have not yet adapted to the scenarios of cybercrime, where national borders do not really have a meaning. In Europe, for example, it will take Europol (the co-ordination office of the EU's police forces) about two weeks to follow up on a case, which is totally useless in relation to the speed with which the perpetrators work. It is, therefore, not in any way sarcastic to state that a good investigation company with an extensive international network will be able to serve you better than the police could.
The root cause of this incident was the acquisition of the other company, coupled with the slightly negligent way in which control was taken over. Of course, all mergers need time for their full potential and their synergies to appear, and this process can take three to five years. Under no circumstances, though, should a security gap of such magnitude be the result of a merger. The company should have exerted tight control over the acquisition's IT processes and enforced this control from Day One of the merger. The buying company was in a better position as regards process maturity, so it was hard to understand why the other company was granted such a long leash.
As for lessons learned, the company did the best it possibly could to respond to the wake-up call it received. While it was tedious to initiate this investigation, the whole process of dealing with real and potential breaches was revised and brought to a professional level. The case also emphasised how important it was to exert tighter control on the acquired company, and that, too, was swiftly accomplished.
As is typical for larger companies, if they want to learn their lesson, they will, and with the proper drivers in place (in this case the head of security and the COO) changes will be speedily made.
Who wants my data? - a more complicated case
This case happened at the same company as Case 1, some time after that case was concluded. There had been no new breach, but the data was still in the wild and, until you have checked some of the data, you cannot tell whether there is a new breach or not.
At the beginning, this case was much the same as Case 1. This time, someone had approached the call centre of a competitor in Panama to leave a message for the head of marketing and offered to sell data. The head of marketing and the CEO of that company did not want to get involved in that sort of business and, through two middle-men, contacted the company. As contact between the companies was established, the investigators were in close contact with this other company and were even allowed to act under false identities taken from that company.
This time, therefore, the company had a good starting point since many of the procedures they needed to apply had already been field-tested, and close contact had been established with the company to which the data had been offered.
So the investigation team was assembled once again, but it soon became clear that things were going to be a little more complicated this time.
The perpetrator (or at least the vendor) was located in another European country. That made the case infinitely more difficult, as European inter-police co-operation has not been designed to work really fast, particularly not on cases that, although they may harm a company, are not of real public interest. It therefore became clear quite soon that the good police ties which had been established could only be used if, in the course of the investigation, the perpetrator(s) could be lured to the home country and arrested there.
For the moment, however, all communication was based on Internet chats using Skype. This had one big advantage: if you use Skype, all chats (the typed chat, not the telephone conversations) are recorded, and you can save them for later use in court; by installing additional software, you can record telephone conversations as well.
So, negotiations were begun, and dragged on for almost a couple of weeks until a first sample of data was to be made available by the seller. Transfer of this was, however, a problem. The investigators were very keen on not giving up their identity, so they did not want to make any kind of online payment to the seller. The seller wanted, at first, to meet on some remote island in the middle of the Bothnian Sea. They managed to convince him to meet them in another European country, which meant that the investigation team had to fly to that country with only a couple of hours' notice. A price of about EUR 5,000 was agreed, to be handed over in cash and, as preparations were very rushed, the money had to be counted and registered on the plane, which earned them some odd looks from the stewardesses. Registering the money means taking down all the numbers of the notes, so as to be able to identify them later on. In this particular case, it turned out not to be useful, but you can never be sure.
On arrival, one investigator was to meet with the vendor, while the other would try to secretly get a few photos of the perpetrator.
The meeting took place at the airport and, once again, the perpetrator turned out to be a youth, about 20 years old, who had just finished school and was waiting to do his military service. He had already established quite an online contact network, and further traces of the data led to Canada, which made the investigation all the more difficult.
The investigator was, as is standard practice, recording everything that was said and, at one point, the perpetrator said something very important to the whole direction of the investigation. His words were, 'I am doing a lot of business right now, including black business.' That statement would have been worth a great deal in a court of law as it proved something very important: that he knew that his actions were illegal and was determined to carry on. This could gain him a significant prison sentence later on.
Within a short time, an envelope of money was exchanged for a USB stick containing data samples. The readability of the stick was verified on the spot and the parties went their separate ways.
Back at home, a team of four people spent some time analysing the data and they found that, while it was authentic, it was also old, although some records seemed to be brand new. There were only a few of these, though, and they could well have come from other sources, as having affiliates and partners sharing links is very important to raise business in the online world. The youth was by now known to be in contact with such affiliates.
So what was purchased was basically just junk, and did not point at all to a new leak. That was the good news.
Negotiations then dragged on for some time, until it was decided with the customer that the best and most cost-effective move was now to drop the camouflage and give the vendor a choice: co-operate and tell us all you know, or be prosecuted. To this end, an elaborate trap was designed for the youth and his suspected partner (the Canadian) which involved inviting them to come to the home country for a gala where the entire data set would be handed over at a price of one million euros. Since the data had checked out as valid, at least the perpetrators could then be arrested on the spot for fraud.
The trap was never carried out. The following reasons clearly illustrate the intricacies of such investigations.
The police unit, with which an excellent working relationship was established, was unable to assist as the sum involved would automatically require special forces being brought into the picture. The main result of that would have been that the operation would almost certainly not have remained secret. The customer did not want that at all since, even though this was just a follow-up case, it would have been hard to explain to the public.
The customer did not wish to provide the one million euros, for fear that the sum might be lost. The chances of that were absolutely minimal, but one million is quite a bit of money, so the investigating team took the point.
Once the trap had been called off, what remained was the ultimatum already described. This approach usually works when applied to someone who is not a hardened criminal. And it worked in this case, too. The youth's co-operation was secured and he was invited to headquarters for a long talk about the whole case and to tie up the remaining loose ends. To ensure that he did not suddenly drop out of the agreement (that, if he talked, the charges would be dropped), he was picked up in a Northern European country and accompanied to headquarters. Someone even stayed in the same hotel, just to make sure that he would not suddenly decide not to co-operate.
The talk produced good results and some loose ends were fixed. The youth was let off, which led to some dispute within the investigation team, but it was ultimately decided that getting closer to the truth was worth more than could be gained by engaging in an even lengthier investigation including the police forces of several countries; even more so, as no new threat existed.
So, finally, dozens of pages of printed Internet chat, technical evaluations, meeting reports and decisions went, once more, to where they belonged - in the archives.
This case does not differ too much from the first one except for one essential difference: the international theatre. As long as everything (the company, the breach, the perpetrator) stays in the same country, dealing with a breach is easy. It is easy to establish contact with the police, to co-operate and to close in on the perpetrator, with the cost being that of the investigations used. In other words, it is controllable and not excessive. But once the national field of action is left and the international theatre needs to be considered, things can become infinitely more complicated, going from having to deal with jurisdictions in which cybercrime simply does not exist, to those countries where corruption is rampant and the system will usually work against you.
In this particular case the following countries were involved:
o Panama: the site where the crime became apparent
o USA: the country where the competing company had its headquarters
o Costa Rica: the country where a trace of the original perpetrator (not the vendor) was leading
o Europe: the location of the victim company
o a different European country: the location of the perpetrator (where he had his permanent address)
o yet another European country: where the first exchange of money against sample data took place.
It is not at all easy to decide where it would make sense to go, where to establish surveillance operations, and so on. Once again, the key in conducting the investigation was social engineering against the perpetrator (or, in this case, the vendor) to gain as much information as possible in order to develop a plausible scenario of the root cause of the breach, and to find substantial evidence to awaken the interest of the authorities. In this case, the fact that the US was remotely involved would have made things easier, as the US, like Britain, is known to follow up thoroughly on cybercrime; but, in the course of the investigation, the idea of filing a criminal complaint in the US was dismissed for purely practical reasons. This also highlights the fact that the legal costs of even evaluating the best way to proceed may outrun the cost of the operational aspects of an investigation. This diverts the whole process into a series of business decisions about cost, thereby shortcutting the investigation.
The reader should also remember that this case was made easier by the fact that it was a sort of follow-up to the first one. This meant that it quite soon became clear, after the first exchange had taken place and data had been evaluated, that the case was not a very serious one. In practice, you will have to treat each alleged or presumed breach with full priority until it is clear whether you have suffered a breach.
It is important to emphasise that whenever negotiations take place you must have a means of recording them. You should use Skype for text chats, as Skype will store chats for at least 30 days. You can also use Skype for telephone chats together with a product called Pamela Call Recorder to record the call. Once you have stored a chat, be sure to save it to some write-protected media, such as a DVD or CD, and protect it with an MD5 hash code, to be able to prove that the recording has not been altered in any way since it was made.
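Fixing a hash on a saved transcript before it goes to write-protected media, and checking it again later, can be done with a small manifest tool. The one below is an added example, not part of the original case write-up; it records the MD5 the text mentions and, alongside it, a SHA-256, since MD5 alone is no longer collision-resistant. The transcript contents, file names and the investigator's name are constructed.

```python
"""Record integrity hashes for saved chat transcripts and re-verify them later.

Added example (not from the original case). Writes a JSON manifest with an
MD5 and a SHA-256 per evidence file plus who recorded it and when, then
checks files against it. The transcripts in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha256")
CHUNK = 1 << 16


def digest_bytes(data):
    """{algorithm: hexdigest} for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path):
    """{algorithm: hexdigest} for a file, read in chunks so large recordings fit."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(evidence_paths, manifest_path, recorded_by):
    """Write a JSON manifest: who hashed which file, when, and the digests."""
    entries = [
        {"file": os.path.basename(p), "size": os.path.getsize(p), "hashes": digest_file(p)}
        for p in evidence_paths
    ]
    manifest = {
        "recorded_by": recorded_by,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(manifest_path, evidence_dir):
    """{file: 'ok' | 'MODIFIED' | 'MISSING'} for every entry in the manifest."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    result = {}
    for entry in manifest["entries"]:
        p = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(p):
            result[entry["file"]] = "MISSING"
            continue
        # Every recorded algorithm must match, not just one of them.
        result[entry["file"]] = "ok" if digest_file(p) == entry["hashes"] else "MODIFIED"
    return result


def demo():
    """Hash two constructed transcripts, then alter one, delete one, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        chat = os.path.join(d, "chat-2009-07-12.txt")
        notes = os.path.join(d, "meeting-notes.txt")
        with open(chat, "w", encoding="utf-8") as f:
            f.write("[12:01] vendor: sample ready\n[12:02] buyer: price?\n")
        with open(notes, "w", encoding="utf-8") as f:
            f.write("Airport meeting, two investigators, audio recorded.\n")
        manifest = os.path.join(d, "MANIFEST.json")
        write_manifest([chat, notes], manifest, recorded_by="investigator A (constructed)")
        before = verify_manifest(manifest, d)
        # A later edit to the chat log changes both digests; a lost file is reported too.
        with open(chat, "a", encoding="utf-8") as f:
            f.write("[12:03] buyer: agreed\n")
        os.remove(notes)
        after = verify_manifest(manifest, d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at recording time:", before)
    print("after tampering:  ", after)
```

The manifest itself is what goes onto the DVD or CD next to the transcripts; a later `verify_manifest` run against the archived copies shows whether anything changed since the recording was fixed.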
The case also illustrates that, for reasons of cost, private investigations are usually limited in the number of people that can be employed. Going to another country to meet the vendor for the first time, using only two investigators, and having to use inferior mobile recording equipment (due to short notice) was less than optimal. However, if you can make good use of even the worst equipment available, you will still come up with an acceptable result. In this case, the pictures taken were not very good, because nobody could be prepared for the location and circumstances, but the sound recording was excellent which helped a great deal in moving the case along.
The case also shows that companies need clear guidance if they are inexperienced in investigations. In this case, the investigators were incredibly frustrated when, having set an enormously elaborate trap, which could have helped them arrest the seller and the actual cracker, they finally had to let go of it. However, the company which owns the investigation has the undisputed right to change its directions, however unpleasant this may be. A firm hand is essential in coming up with a strategy and then employing the tactics that have been decided upon. If matters such as a trap need to be discussed, the same firm hand is used when presenting and explaining details of the matter, but it must be prepared to go along with the company's ultimate decision.
Please note that the ultimatum described here only worked because the vendor was not a hardened criminal, and did not want to go to prison. When dealing with organised crime or hardened individuals, it will be much more complicated to achieve success. If organised crime is involved, the police should be brought in anyway, as such cases can turn out to be too hot for even the most experienced private investigators to handle, and the reward is usually not consistent with the level of risk incurred. In the case of the hardened criminal, negotiations will be protracted, and you will need to accept that a much higher level of technical sophistication will be needed to get a firm handle on the perpetrator.
Ideally, an investigation will succeed up to the point where the perpetrator can be delivered to the police, but the police will usually take over at any point if you, as the company, wish them to do so. They will then take the case entirely out of your hands, which may, of course, be an undesired side effect.
Finally, the case illustrates that, as we are all human, sometimes giving somebody, even a perpetrator, a second chance is well worth it. In this case the youth, once he returned from doing his military service, started to work for one of the companies involved and was eager to prove himself, which turned him into a respectable, efficient employee. He has also helped in uncovering a number of other schemes, and has become a valuable asset in these cases. He may not be a Kevin Mitnick - technically, he certainly is not - but sometimes, as a company, you can benefit from bringing souls back on the side of righteousness. You need to be careful when you make this sort of decision, though. If the youth had already had a criminal conviction, then it would not have been prudent to have hired him.
Hard disk for sale - beware of your contractors
This case was a public one, and has been reported in the media. It provides an excellent illustration of some of the more delicate aspects of information security management.
In a certain Ministry of Economics in one European country, everyone was perfectly content. The ministry was in good shape in information security terms and had even implemented some very new methods of securing data. Their paper and disks were shredded when they were no longer needed, and this was all taken care of by a trusted contractor, renowned throughout the country for its trustworthiness.
One day, however, things changed dramatically. Someone, it is not known who, discovered that he could make a very interesting purchase on eBay: a disk, openly advertised as containing data from this Ministry of Economics. The vendor should, of course, have known that this was one sale that would not work out. Instead of selling to some gullible person, the vendor was arrested and the whole thing became public knowledge through the media, which always like a good story.
Ultimately, the contract with the shredding company was terminated and the employee was fired. Peace was restored - or was it?
This case illustrates one especially delicate point in information security - how to deal with one's contractors. Even as a really large corporation or, as in this case, a ministry, you will find yourself in a position where you cannot handle all aspects of information security yourself. This applies particularly to recycling and disposing of equipment. Only the military is known to cover these aspects themselves, but we mere mortals usually rely on contractors to perform the job.
This case clearly shows that you can do everything right and still suffer a breach, as the chain of damage will not stop at the contractor itself. The stolen disk and its intended sale directly affected the customer, with the contractor being more of an indirect victim, as it suffered the Ministry's anger and subsequent termination of contract. That termination of contract, however, could not provide an assurance that such a thing would not happen with the next contractor, as the root cause was simply the behaviour of the individual employee. ISO27001 offers a number of essential remedies for this situation.
Your contract with your service provider needs to be as tight as it can be. You should not be afraid to state all expectations in ample detail. A typical ITIL®-based outsourcing contract can easily contain 1,000 pages of stipulations, so a contract on disposal may contain 10 to 20 pages of detailed regulations.
You should reserve the right to audit the contractor, and you should make use of that right. You should also be strictly transparent about the audit's protocol and findings while carrying it out. In this way, you will demonstrate to the employees of the contractor that you are serious about your business.
You should define contractual penalties, for the case where deviations from the agreed procedures are found. You do not necessarily have to invoke these, but they should be there to make clear the importance of your message.
Rather unconventionally, you may insist that your contractor perform certain key actions, such as background checking on hires sent to your premises, and frequent changes of personnel.
In the above case, a good process which would have made the breach impossible would have been to have destroyed or damaged the disks before handing them over to the contractor. At its simplest, you can always drill through a hard disk and thereby render it unusable except by highly specialised labs. Physical damage or demagnetisation (degaussing) are essentially the best ways to protect information remaining on a disk. Alternatively, the Ministry could have securely erased all data first, which is certainly an action that could reasonably be expected of them. While secure erasing is very time consuming, it can be done without manual intervention, and only depends on setting up an appropriate 'production line' where computers perform the erasures 24x7.
Unauthorised domain links - it is easy to harm a company's reputation
This case is about a breach, not so much of confidentiality, as of trust. It does, however, illustrate how difficult it can be to remove from the Web material that can damage your reputation; in this case it was not even material, but just a mere link.
Companies who do online business often have very elaborate schemes of affiliation whereby the affiliates can make money or receive other benefits for bringing web traffic and, therefore, customers, to the company. One particular affiliate, however, had a very strange idea about what he could do to raise money.
Let's say the company in question is called www.some-online-company.com. This is the link that will pop up on affiliates' websites, with the aim that people get curious about the business and check out the company website. This is what the affiliate did, in a perfectly legal way, and he was actually one of the more successful affiliates in bringing traffic to the company.
One day, however, someone in PR noticed that an Internet domain existed which was called something like www.whos-the-biggest-fraud.com. Now this website, when surfed to, would immediately redirect people to the company website of www.some-online-company.com. In this way, the affiliate could increase his income by directing traffic to the company through his other (legal) links and by getting even those people sceptical of the company to go to the company's website, if they used this defamatory link; quite clever, indeed.
So, once this was known, a single investigator was charged with finding out the identity of this person, and with discovering as much information as was needed to close down the site. The investigation brought to light a number of facts:
o The website itself was hosted in Germany. The German ISP hosting it was quite surprised about the site, but did not want to co-operate without a court order, even for just handing out owner information, which is usually in the public domain, anyway. However, after some robust discussions, they were brought at least to confirming the owner's details, which the investigator had procured through other channels.
o The investigator had been lucky in being able to discover other channels through which information on the domain owner could be obtained. That information was verified several times and was found to be correct and valid.
The case was then handed back to the company and their affiliates department, as they were the best people to make a choice on how to proceed.
In the end, it turned out that there was no way to deliver letters to the domain owner, as he was already in prison, serving a sentence for tax fraud. Furthermore, as his legal affiliate activities were bringing in plentiful hits, terminating his contract was not an option the company wanted to follow up.
That domain exists to this day, and maybe the company will have to wait until their affiliate gets out of prison to give him a really good talking to.
The potential legal case here would be based on defamation and on unethical business conduct, as the domain owner would be directly profiting from having people reroute to the company website through the defamatory site.
This case does have some funny aspects, as you would rather not suspect your perpetrator to already be in jail. Practically speaking, however, it made dealing with it all the more difficult, as there was simply no means of delivering a legal brief. It could have been managed once it had become clear where this person was imprisoned, but the company didn't want to go to those lengths.
In addition, the entire case came down to quite a difficult business decision, as the domain owner was bringing much desired traffic to the company's site, while, at the same time, abusing that very business model to make an additional profit at the company's expense. So the main decision became whether to sever ties with this person, and they decided not to do so.
The investigation was a milk run, executed by one single investigator who was successful in getting the true identity of the person and in securing enough co-operation from the uncooperative domain provider to verify the results of prior research. The only technical tools used were the standard Microsoft® Windows® and UNIX tools used to get domain name information from the WhoIs service which all Internet service providers use to store domain owner information.
The case, however, illustrates very well how easy it is to harm a company, and how it may not be so easy to define that harm legally, as all it consisted of was the link to the company's website. There was also a risk of going to court without sufficient certainty of conviction and cost recovery.
It needs to be noted that, strictly speaking, the 'breach' (in this case an incident rather than a breach) has not been fully dealt with, nor has it been resolved. It does show, however, what kind of risk-related business decisions can be required from companies whose business exists entirely online.
The trusted guard who was not
This case once more illustrates how important it is:
o to choose one's contractors carefully
o for these contractors to choose their personnel carefully
o to have a secure IT environment.
There is a certain defence sector company which one would expect to take their security extremely seriously, given all the requirements made upon them, largely by the governments who are their main customers. However, even nowadays, it is still a challenge for any company to get the whole chain of trust right, as this case shows.
The company relied on a third-party service provider for guard and gate services to the company's premises, and it was contractually agreed that the guards would change every now and then, usually after about six months. So, in the middle of the year, a new guard was posted to the premises. Had the contracting company run even the most basic criminal background check, they would have noticed that this individual already had one conviction for computer-based fraud. The guard, obviously, did well to hide his true nature and non-job-related talents. For the next couple of months, he served politely and quietly, courteously and charmingly, and it was felt that he was doing the job pretty well.
Unnoticed, however, he began to connect his own laptop to the company network which, frankly, should never have worked in the first place. Exploiting further weaknesses in the IT infrastructure of the company, along with predictable passwords for network equipment, he managed to get access to the CFO's network traffic and, with a little more effort, he discovered a number of online banking IDs, PINs and some transaction numbers that the CFO exchanged with his staff, and which had, therefore, not yet been used.
So, the final act began, and the guard initiated some bank transfers with the stolen data, to several accounts, so that it would not be immediately clear where the payments were going. The payments were substantial, but not really high enough to arouse suspicion.
What did alert the CFO, however, was the fact that these transfers took place on a Friday, and he knew that he never made bank transfers on a Friday. That simple fact ignited the case which was handed over to the police without any further ado. The guard was arrested and convicted once more, the contract with the contractor was terminated and an IT manager was fired. The company had decided on a full clean-up.
Note that what the company did is not to be taken for granted. In a similar case recently, the contracting company offered to pay for the damage, and simply fired the guard without any further criminal proceedings. In that case, it was deemed best to preserve a low public profile, and not to alert the media of anything that could become a good story by reporting the case to the police.
This case, once more, highlights the risks inherent in third-party outsourcing, but, in this case, the obvious mistakes and errors made are staggering and blatant.
This is a defence sector company, so security should be at its best, not somewhere between medium and poor. In view of that one fact, the eventual firing of the IT manager was fully justified.
The security company providing the guard made an essential and basically unforgivable mistake in not checking his background. That was strange, as they would normally have checked. Particularly with customers in this sort of sector, you should not allow the least element of carelessness; there should be absolutely no negligence.
The company made several IT-related mistakes. One was to use easy-to-guess passwords for its network equipment, which enabled the guard to monitor the CFO's network connection, once he had found out which network ports to monitor. The second error was not to monitor usage of administrative commands on its network equipment - which could easily have been done. Thirdly, and most importantly, the guards should never have been able to attach their own equipment to the network - that is just unforgivable. They should have been provided with company-issued PCs and, yes, it would make sense to allow them to surf the Web, as guard duty can be very boring sometimes, and this would actually help keep spirits and vigilance up, if used responsibly. Furthermore, it is really easy today, with even the most inexpensive network equipment, to configure it in such a way that no other devices than those specified can be attached. That one simple provision could have prevented the entire incident.
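Two of the controls named above, knowing when an unlisted device attaches to a switch port and watching administrative commands on network equipment, can be checked from the switches' own syslog. The script below is an added example and not part of the case or the company's tooling; the log lines are constructed in the style of Cisco IOS syslog messages, and the management subnet, admin account list and sensitive-command list are assumed site policy.

```python
"""Switch syslog triage (added example, not from the book's case).

Flags the two things the case text says went unmonitored: an unknown
device attaching to a port (port-security violation) and administrative
commands on network equipment, e.g. configuring a port-mirror (SPAN)
session of the kind used to watch another port's traffic.
"""
import re

# Constructed sample log lines, modelled on Cisco IOS syslog; not real output.
SAMPLE_LOG = """\
<189>Jul 12 09:14:02 sw-lobby-1: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
<188>Jul 12 09:14:03 sw-lobby-1: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/7.
<189>Jul 12 22:41:10 sw-core-1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.5.23)
<189>Jul 12 22:41:12 sw-core-1: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 source interface Gi0/12
<189>Jul 12 22:41:15 sw-core-1: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 destination interface Gi0/7
<189>Jul 13 08:02:00 sw-core-1: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.10.1.8)
"""

TS = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")
VIOLATION = re.compile(
    r"(?P<host>\S+): %PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
    r"(?P<mac>[0-9a-f.]+) on port (?P<port>\S+)\.")
LOGIN = re.compile(
    r"(?P<host>\S+): %SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) "
    r"on (?P<line>\S+) \((?P<src>[\d.]+)\)")
CMD = re.compile(
    r"(?P<host>\S+): %PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+"
    r"logged command:(?P<cmd>.+)")

# Assumed site policy (placeholders): admin sessions only from the management
# subnet and only by known accounts; mirroring and logging changes are notable.
MGMT_SUBNET_PREFIX = "10.10.1."
KNOWN_ADMINS = {"netops"}
SENSITIVE_CMD_PREFIXES = ("monitor session", "no logging", "username")


def triage(log_text: str) -> list:
    """Return one alert dict per line that a human should look at."""
    alerts = []
    for line in log_text.splitlines():
        ts = TS.match(line)
        when = ts.group("ts") if ts else "?"
        if m := VIOLATION.search(line):
            # A MAC the port was not configured for tried to attach.
            alerts.append({"when": when, "host": m["host"], "kind": "unknown_device",
                           "detail": f"{m['mac']} on {m['port']}"})
        elif m := LOGIN.search(line):
            # Config session from outside the management net or by an unknown account.
            if not m["src"].startswith(MGMT_SUBNET_PREFIX) or m["user"] not in KNOWN_ADMINS:
                alerts.append({"when": when, "host": m["host"], "kind": "suspicious_admin_login",
                               "detail": f"{m['user']} from {m['src']} on {m['line']}"})
        elif m := CMD.search(line):
            cmd = m["cmd"].strip()
            if cmd.startswith(SENSITIVE_CMD_PREFIXES):
                alerts.append({"when": when, "host": m["host"], "kind": "sensitive_command",
                               "detail": f"{m['user']}: {cmd}"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a['when']} {a['host']} {a['kind']}: {a['detail']}")
```

Feeding real switch syslog to this requires that the switches actually send config-change logging, which is the monitoring the case says was missing.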
The company was simply lucky that the CFO was able to realise so quickly that there had been a breach. Had the guard been more careful, the breach might have remained unnoticed for long enough for him to move to another job.
This case is typical of most breach scenarios, where one essential vulnerability (the actual hiring of the guard based on incomplete information) was aggravated by a company's own shortcomings and resulted in quite a severe incident. Not all incidents can be as easily resolved as this one was.
This next case serves to illustrate the difficulties of investigating company insiders who share their knowledge (or some of it) through online forums.
Take, for instance, an online services company which is also traded on the international stock market. Who knows what about the company's figures, and when, is a matter not to be taken lightly in view of insider trading regulations. Furthermore, the company's reputation is taken very seriously, and some people's only business in the PR department is to monitor relevant online forums for news and reports on the company.
On one occasion, they came across several entries in a stockholder forum where one member was ranting about the company, making defamatory comments, and generally writing very bad things about the company. While this would all come under the freedom of speech regulations (except for the defamatory parts), one sentence alerted the company: 'I know, because I work there.' This set alarm bells ringing, and the PR department notified the head of security who engaged an investigator to find out all there was to discover. The case was not assigned highest priority, though.
As it turns out, the identity of the writer was quite well hidden and no conventional, or even less conventional, means were successful in finding the person. The ultimate option, an elaborate social engineering scheme, by which their trust was to be gained in order to uncover their identity, was not taken, as the cost was deemed excessive given that, although the postings were quite bad, they were just not bad enough to go to court over.
Hence, the case was closed, incomplete as it was, much to the chagrin of the investigator, as investigators do not like unfinished cases. Company policy will, alas, always prevail when it comes to private customers.
This case shows that perpetrators can hide quite effectively from a private investigation, but would ultimately not be able to escape the law. While it would be easy for a prosecutor to obtain a search warrant allowing analysis of all systems and traffic to the forum site, the private investigator will either have to rely on superior technical means, shady means or social engineering, to get the information. Sometimes, you simply cannot get the job done, which is just a fact of life for an investigator, though everyone hates to admit it. Furthermore, as the company, your customer, always owns the investigation, their will is your command (as the investigator) and when you are ordered to stop, you do just that, however unwilling you may be.
Technically, this case illustrates that, except for legal stipulations included in contracts, NDAs or acceptable use policies, there is no way to stop an employee from posting his opinion in some online forum. If that employee had crossed the line to exchange insider information in the legal sense of the word, then criminal proceedings would have been unavoidable, but since the case had caused comparatively little harm, the decision ultimately taken by the company becomes understandable; maybe not acceptable, but understandable.
The software vulnerability that was not - a case of blackmail
This case amply illustrates how difficult it has become to resolve today's crime schemes if they are based entirely on IT. Another company, once again providing online services, would have been perfectly happy just serving its customers, if only the bad guys had left it in peace. Unfortunately, that just didn't happen.
It all started when the company introduced new software for its online services. Some of their software could be used without charge, while some of it needed to be paid for. Now, it turned out that the free software had a bug which a user could take advantage of, and use to defraud other users. Since no money was involved, there was, strictly speaking, no damage whatsoever.
However, one clever person discovered the bug and contacted the company about it. That was fine and the company was grateful for the information. When the issue of financial compensation was raised, the company's first reaction was, 'No problem in receiving compensation, just send us an invoice.' For services such as pointing out a software flaw, no one in the business would expect the invoice to amount to more than 2,000 to 3,000 euros.
The finder, however, did not send an invoice. Instead, his line of argument was that the company had made about x million euros that year and he felt that, for pointing out the bug, he deserved a total of 2.5 million euros. That was a pretty impudent demand, given that the bug only affected free software, and the charged-for software did not have the bug. Things started to get worse from there. As the company did not react to that demand, the person stepped things up a little. He now threatened to expose the company via online forums and YouTube if they did not comply with his demands. By doing this, he crossed the line from impudence to extortion.
So the investigators were called in; only a lead investigator and a second investigator this time, as the case was not deemed big enough to require a full team. The perpetrator was from another European country, with a rather weak judicial infrastructure and a different language. The perpetrator was not really able to speak English, which complicated matters quite a bit, as a native language speaker then had to be included in the investigation team. Once that had been done, negotiations were begun, and the perpetrator then posted incriminating videos on YouTube, which meant opening a full criminal case in that country.
So the chief investigator travelled there, established contact with local lawyers and got the proceedings under way. A legal brief was filed with the authorities, outlining and detailing the case, but due to the nature of the country, there was no real hope of any fast action on the part of the legal system.
In the meantime, the investigators, by using local sources, were successful in getting closer to the perpetrator; however, the basic result was that the company he claimed to work for did not exist. It was neither in the UK, where he claimed the headquarters were, nor in his local country. He was using stolen SIM cards to make his calls - it was just not credible that the calls should be coming from a Pakistani illegal immigrant, or from an 80-year-old lady living in the countryside. The identity of the person was still a mystery.
This was to change, quite some time later, as the man established contact with one of the company directors, who had accidentally accepted him as a friend on Facebook. Now a name and a picture were available, although the name did not seem authentic. On the plus side, the lawyers were successful in getting the defamatory videos pulled off YouTube and in having the perpetrator's account suspended. The threat was quite effectively dealt with.
As the company did not react to any of his demands, the perpetrator's will seemed to weaken, but it was revived when the company announced that it was acquiring a similar company in the perpetrator's country. This time, the embarrassing phone calls and blackmailing e-mails were sent to the CEO of the new company as well. However, the investigation teams managed to contain the threat in a joint action, and interest on the perpetrator's part died down again.
As of 2010, the legal case is still continuing and, due to the slowness of the legal system of that country, it is expected to progress for quite some time. However, speedy action on the lawyers' part was, and is, essential to contain the threat and to deal with it appropriately.
It should be mentioned that all proceedings showed clear signs of an amateur, as a professional extortionist would not just let his business die down because the victim did not react. Still, even an amateur was able to give the company a severe headache, given that modern IT technology was available to him and that, as it turned out, you can hide your identity quite effectively for some time in that country.
Once again, this case amply illustrates the complexities of international investigations and of perpetrators hiding behind borders and in weak legislations. It is deplorable that, even among European countries and all those who have signed the Convention on Cybercrime, the standards in actually following up on cybercrime differ so much that they can be safely deemed ineffective in some countries.
This particular case also shows how superior a well-functioning private investigation team can be when it has all the right contacts in place. The main aspects of this case are outlined below.
The investigation team consisted of a core team of two people and a local contact co-ordinator who synchronised all local sources of information. This group turned out to be strong enough to establish all basic facts of the case.
Not very long into the investigation, it became clear that the matter should go to court, and a local legal office was contracted to deal with the local authorities and to file a criminal complaint.
In this case, the company had to contact the authorities, in order to be allowed to invoke reasonable self-defence measures, such as initiating an investigation. If they had not notified the authorities, the case could have turned against them in a very ugly way early on or, at the latest, when it eventually reached the courts. It could even have meant that all evidence secured throughout the investigation would be deemed void.
Furthermore, it turned out to be fundamental to the legal proceedings that, in that particular country, blackmailing or extortion were loosely defined, and the terms covered a lot more than would have been the case in the company's home country. This was important to know and a very positive factor, as it allowed prosecution of the perpetrator in his home country, where the case was legally considered to be a strong one. Under the law in its own country, on the other hand, the company could not have claimed to have suffered a case of extortion, as the threat of force was still too indirect.
The speed with which the investigational team was able to provide facts, such as the origins of telephone numbers used, proved very useful in providing big-picture views of the case. Having a native-language speaker on board also proved essential in getting a correct picture of the perpetrator's personality and motives. You should always consider native-language staff on international cases, as they might make all the difference. Your native-language speakers will also, of course, be better able to judge local mentality, which will make all the difference when you need to apply social engineering to steer a perpetrator.
It is astonishing to see how efficient you can be in silencing a threat simply by acting as if you are ignoring it. That worked in this case aided, of course, by the lawyers who quickly got all the defamatory material pulled off YouTube. That material was evidence in establishing the extortion scheme, and it, therefore, had to be preserved carefully, which included storing it on write-once-read-only media and calculating hashes.
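Preserving the pulled material so that it can later be shown to be unchanged is mostly a matter of hashing it at acquisition time and keeping the hashes with the case record. The helper below is an added example, not the investigators' own tooling; it builds a SHA-256 manifest for a set of evidence files and verifies the files against it, with the sample files, case id and tampering constructed for the demonstration.

```python
"""Evidence manifest helper (added example, not from the book's case).

Hashes each evidence file with SHA-256 at acquisition time, records size,
hash and timestamp in a manifest, and later verifies the files against that
manifest so that any modification or loss is detected.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so large video files do not fill memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id: str) -> dict:
    """Record size and SHA-256 of every file, keyed by file name."""
    return {
        "case_id": case_id,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "files": {
            os.path.basename(p): {"size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        },
    }


def verify_manifest(manifest: dict, directory: str) -> list:
    """Return (name, reason) for every file that is missing or no longer matches."""
    problems = []
    for name, rec in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            problems.append((name, "missing"))
        elif sha256_file(path) != rec["sha256"]:
            problems.append((name, "hash mismatch"))
    return problems


def demo() -> tuple:
    """Seal constructed sample evidence, then tamper with one file and re-verify."""
    d = tempfile.mkdtemp()
    files = []
    # Constructed stand-ins for a downloaded video and a saved forum post.
    for name, data in (("video1.mp4", b"constructed video bytes"),
                       ("post.html", b"<p>constructed forum post</p>")):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        files.append(p)
    manifest = build_manifest(files, "CASE-ID-PLACEHOLDER")
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)   # the manifest goes on the write-once media too
    before = verify_manifest(manifest, d)  # clean copy: no problems
    with open(files[0], "ab") as f:
        f.write(b"x")                      # simulate a later modification
    after = verify_manifest(manifest, d)   # the change is detected
    return before, after


if __name__ == "__main__":
    print(demo())
```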
The main trick employed here was actually to wear out the perpetrator's willingness to proceed which, again, points to the fact that this was not an habitual criminal, but rather an amateur, although he was fairly professional in hiding his identity.
One tip from the field: if you need to store videos posted on YouTube, you can do so by using a site such as www.keepvid.com. This site allows you to store video from a number of other sites as well, by entering the link to it. Quality may suffer, but at least the evidence is preserved.
There is, unfortunately, not much to mention in regard to lessons learned, as the company already has a very elaborate process to ensure software quality and software security. However, the investigational process was revised to accommodate those aspects that had arisen from the international nature of this case, especially including native-language speakers in order to be able to communicate, which was the main reason in this case.