As a system manager, you may be living under an umbrella of security as you know you have the best hardware or software firewalls or both and have had the best rules in place that prevent crackers from getting into your corporate network from outside. However, one of the most important things you may have overlooked is that a very significant majority of crack attempts happen from within the organization, not outside.
The reasons that internal hacks are attempted or occur are many. However, the most important thing to realize is that these days the theft of information is more valuable than stealing equipment. And with the advent of the digital age, all that is required to move valuable data out of the office is access to the Internet, or a tiny USB drive casually kept in a pocket. No miniaturized cameras or other James Bond-ish gadgets are required. All the tools are easily available for anyone who wants to use them, in any corporate network.
Espionage happens in many forms. It could be as simple as forwarding an internal e-mail memo to someone outside the organization. Many examples of these are readily available; a recent big one being the Java memo “leaked” from Sun.
Attempts can also be made to allow greater access into systems from outside. For instance, an internal user can send information regarding remote access into the network to external people. This could result in their gaining access into the system easily, even though you have taken precautions against unauthorized entry.
As far as tools required for this are concerned, they can start from something as simple as an e-mail client. All that is to be done is to attach a confidential e-mail and send it to someone outside. If outgoing e-mail and attachments are not tracked, it may be impossible to find out who sent that particular document out. And tracking all mail in an organization of any size is a practical nightmare, not to mention issues of confidentiality and privacy.
There are other, more sophisticated tools, of course. And the higher level of access a user has, the easier these tools are to use. For example, running a network sniffer like Ethereal on the network is simpler if the person attempting it already has a higher access level on the network.
There are many different methods that can be used by both internal and external corporate ‘spies’. Some of these are listed as follows.
Hacking/cracking: This is, of course, the stuff legends are made of. However, hacking is more difficult and more liable to detection and prosecution than some of the other methods. But hacking can also give the best results if successful.
Shared folders: Windows allows you to share folders with a couple of clicks, and then there is Network Neighborhood, which shows all workgroups and machines. It is easy for someone to access a share that you created for someone else, or that you forgot to remove.
Default passwords: Not only in network shares and e-mail accounts, but even in network equipment like routers, switches and RAS (Remote Access Server) equipment, and in software like server OSs, Web servers and databases, one comes across default or blank passwords that have never been changed. A fairly easy entry point for anyone!
White boards: You don’t need to have access to the network and to cracker tools in order to get to valuable data. Walk into a meeting room in any office, and it is a safe bet that you can see crucial plans and designs laid out in great detail.
Social engineering: An art mastered by legends like Kevin Mitnick, the social engineering attack does not require extreme computer skills and depends more on social psychology. Classic attacks include sending e-mail masquerading as the administrator, looking over someone’s shoulder when he is typing a password, calling up a person within the company posing as someone else and others.
Dumpster diving: This is probably the dirtiest method of espionage in more ways than one. This involves going through the garbage of companies where papers and sometimes floppies, CDs and even hard disks are trashed. It is sometimes possible to recover a large amount of data from these items, much of it confidential.
War driving: An offshoot of ‘war-dialling’, which arose when modems were new, this method involves driving around with a Wi-Fi enabled laptop searching for companies with open wireless access, which can be exploited without ever connecting to the wired network directly. As wireless networks become more common, this threat will only increase.
Contractual espionage: Outsiders like customers and consultants who walk in with notebooks that are connected to the LAN present an even bigger threat. An extended form of this is the ‘kite attack’, which involves using an ‘independent’ contractor who is employed by one company on a contract. However, this contractor’s loyalties lie with a rival company and he passes on information to them. If he is found out, the rival company would ‘cut the kite’ to fly off independently and disavow any knowledge of him or his doings.
Preventing these attacks
Preventing attacks that involve technology is simpler than preventing the ones that rely on social tactics. Preventing technology-based attacks involves tightening software, installing patches, monitoring logs and keeping an eye out for any suspicious activity. Something that most system administrators forget to do is to sensitize users to the possibility of such attacks and to the elementary precautions (change default passwords and disallow shares without passwords) they should take to deal with them.
Old PCs and servers that are sold as scrap often contain a rich haul of data on their hard disks. Just deleting the files from the disks does not remove them. There is specialized software that can destroy the data on the disks. You will also need to make sure that other media that you discard (paper, floppies, CDs, etc.) are fully destroyed before they are dumped.
You will also need to make sure that any remote access points into your network, which include dial-up lines, RAS points, wireless access points and other points of access, are well secured. You will have to monitor these for any activity that you may not find desirable.
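The share-related precautions above (no shares open to everyone, and no forgotten shares left behind) can be turned into a routine check. The following is an added example, not code from the original column; it audits a constructed share inventory of the kind an administrator could export from each file server (the inventory format and the 90-day staleness threshold are assumptions).

```python
from dataclasses import dataclass
from datetime import date

# Principals that make a share effectively password-less: anyone who can reach
# the machine over the LAN (or walk in with a notebook) can open it.
OPEN_PRINCIPALS = {"Everyone", "Anonymous Logon", "Guest"}
WRITE_LEVELS = {"Full", "Change"}

@dataclass
class Share:
    name: str
    path: str
    grants: dict          # principal -> "Full" | "Change" | "Read"
    last_accessed: date   # assumed to come from the file server's own records

def audit_share(share: Share, today: date, stale_days: int = 90) -> list:
    """Return (severity, message) findings for one share."""
    findings = []
    for principal, level in share.grants.items():
        if principal in OPEN_PRINCIPALS:
            # Write access for everyone is worse than read: data can be planted as well as taken.
            sev = "high" if level in WRITE_LEVELS else "medium"
            findings.append((sev, f"{share.name}: {principal} has {level} access"))
    idle = (today - share.last_accessed).days
    if idle > stale_days:
        findings.append(("low", f"{share.name}: unused for {idle} days, probably a forgotten share"))
    return findings

def audit_inventory(shares, today: date, stale_days: int = 90) -> dict:
    """Map share name -> findings, omitting shares with nothing to report."""
    report = {}
    for s in shares:
        findings = audit_share(s, today, stale_days)
        if findings:
            report[s.name] = findings
    return report

# Constructed sample inventory and audit date (not real data).
TODAY = date(2004, 3, 15)
SAMPLE = [
    Share("Public", r"C:\Public", {"Everyone": "Full"}, date(2004, 3, 1)),
    Share("Q3Plans", r"D:\Plans", {r"CORP\jsmith": "Read", "Everyone": "Read"}, date(2003, 11, 1)),
    Share("Finance", r"D:\Finance", {r"CORP\Finance": "Change"}, date(2004, 3, 14)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE, TODAY).items():
        for sev, msg in findings:
            print(f"[{sev}] {msg}")
```

Running it against the sample flags the world-writable Public share and the Q3Plans share, which is both readable by Everyone and untouched for over four months; the Finance share, restricted to one group and in active use, produces no findings.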
Vinod Unny