Since the 1990s the information explosion has drastically increased the ability to share information, and with it the ability to steal information. Former FBI undercover operative Eric O’Neill is widely credited with bringing down America’s most notorious spy, Robert Philip Hanssen. At Inside Counsel’s Super Conference, O’Neill gave the keynote address on the first day, where he outlined the lessons corporations can draw from the Hanssen case.
As an undercover surveillance specialist, O’Neill was trained to watch, profile and follow people. In 2001, O’Neill was approached by his superiors to investigate Special Agent Robert Hanssen. O’Neill was assigned as a direct report of Hanssen’s, and on his first day of work Hanssen introduced him to “Hanssen’s Law”: the spy is always found where he has access to the information he can use to do the most damage and earn the most money.
In a corporate setting, O’Neill outlined a few obvious and not so obvious ways that industrial spies obtain proprietary corporate information:
Corporate Dumpster Diving: Picking up information that is cast off (i.e., trash at home or at work).
Most larger organizations have thorough data destruction policies and employ data destruction vendors. But things can go very wrong if procedures are not faithfully followed or if vendors are not fully vetted and monitored. There needs to be corporate awareness that data security is everyone’s daily concern.
Security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people think data security is just an IT issue. “There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said in an article written for CSO Online.
With all the focus on protecting electronic data, many organizations forget about paper records and the physical protection of the devices that hold electronic data.
Hunt recently did a corporate dumpster dive in a major U.S. city and found all sorts of things that would violate most companies’ data destruction policies. The dive turned up cancelled checks with the account owner’s social security number written across the top, and the bank account numbers and balances for the political fundraising account of “a certain prominent politician in the area.” Hunt also found the personal financial statement of a very wealthy individual, including the person’s name, home address, real estate owned and the values of the properties, several of the individual’s bank account numbers, social security number and date of birth. Hunt’s experiment even yielded an entire laptop with a tag on the back that read “Property of [another financial institution]”. The whole exercise took all of three minutes, and Hunt advises companies to run their own dumpster-diving tests.
Given this outcome, Hunt suggests that companies continuously monitor how their data destruction policies are actually functioning, rather than assuming the written policy is being followed.
Corporate Charity: Information that is “cast off” can include old computers donated to charity. O’Neill detailed situations where a company purchased all of its competitor’s old computers from a charity that had supposedly cleaned off all pertinent information, and ended up with valuable business information recovered from the competitor’s donated machines. If your organization chooses to donate used electronic equipment, it makes sense to do the data cleaning in house, before physically surrendering the equipment, so that you control the process. Note that deleting files or reformatting a drive does not remove the data; the drive has to be overwritten (or, for self-encrypting and solid-state drives, securely erased with the drive’s own sanitize command or by destroying the encryption key) and then checked before it leaves the building.
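As an added example (not code from the article, from O’Neill or from Hunt), the following Python script shows the kind of in-house check that backs up the advice above: it scans a disk image or block device for residual data, overwrites it with zeros, and scans again to confirm nothing readable survives. The path it operates on and the “customer record” it plants are constructed for the demonstration; in real use the path would be the device being retired (e.g. a drive node) and the script would run as a user with raw access to it.

```python
"""Residual-data check and single-pass zero overwrite for a retiring drive.

Added illustration, not part of the original article. Assumes the target
is a regular file or a block device we can open for reading/writing.
Caveat: on SSDs a host-side overwrite does not reach remapped or spare
blocks; use the drive's own secure-erase/sanitize command or crypto-erase
there, and still run the read-back check afterwards.
"""
import os
import re
import tempfile

BLOCK = 4096
# Runs of 8+ printable ASCII bytes are a cheap signal of leftover text.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")


def device_size(f):
    """Size in bytes; works for block devices where os.path.getsize() returns 0."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def residual_report(path, max_strings=5):
    """Scan block by block; count non-zero blocks and collect sample strings."""
    total = nonzero = 0
    samples = []
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            total += 1
            if chunk.count(0) != len(chunk):          # at least one non-zero byte
                nonzero += 1
                for m in PRINTABLE.finditer(chunk):
                    if len(samples) >= max_strings:
                        break
                    samples.append(m.group().decode("ascii"))
    return {"blocks": total, "nonzero_blocks": nonzero, "samples": samples}


def overwrite_zero(path):
    """Overwrite every byte with zeros and force the data to stable storage."""
    zeros = bytes(BLOCK)
    with open(path, "r+b") as f:
        size = device_size(f)
        written = 0
        while written < size:
            n = min(BLOCK, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def is_sanitized(path):
    """True only if a full read-back finds no non-zero block."""
    return residual_report(path)["nonzero_blocks"] == 0


def demo():
    """Constructed sample image: empty block, a leftover record, binary junk."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(bytes(BLOCK))
            record = b"CUSTOMER=Jane Doe;ACCT=0000-1111;SSN=000-00-0000"
            f.write(record.ljust(BLOCK, b"\x00"))
            f.write(bytes(range(256)) * 16)   # deterministic non-text block
        before = residual_report(path)
        overwrite_zero(path)
        after = residual_report(path)
        return before, after, is_sanitized(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    before, after, clean = demo()
    print("before wipe:", before)
    print("after wipe: ", after, "sanitized:", clean)
```

The point of the read-back pass is that the vendor’s (or your own) wipe is verified by what can actually be read off the device, not by a certificate; a drive that still returns the account record in `samples` has not been sanitized, whatever the paperwork says.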
Corporate Posers / Impostors: Corporate spies often attempt to gain access by relying on people’s willingness to help out, the awkwardness of questioning strangers, and the excitement of receiving free stuff. Corporate spies know these human tendencies and use them to their full advantage. According to O’Neill, a hacker could be posing as ‘Joe from IT’ sending you an email or phone call requesting your password. If you’re busy or distracted, this just may work.
“Hi, I’m the rep from Cisco and I’m here to see Nancy.” Chris Nickerson, founder of Lares, a Colorado-based security consultancy, recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store (Read: Anatomy of a Hack). Criminals will often take weeks or months getting to know a place before even coming in the door, according to O’Neill. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, who to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.
Other old stand-bys, according to O’Neill, are: “Can you hold the door for me? I don’t have my key/access card on me.” Another version is “Can you hold the door for me?” while carrying a box of “printer paper” with both hands. How many people at your organization would turn away an HVAC technician on an emergency call after normal business hours? Would the air conditioner or heater actually be serviced? Or would bugs be planted, phones tapped, pictures taken? Would computer drives be duplicated, papers photocopied, or data altered?
Another ruse is flash drives handed out at conferences or left in strategic locations. Flash drives left unattended in a parking lot, public bathroom or elevator of a targeted company may be part of a sophisticated social engineering attack. These drives may be seeded with a trojan horse set to run automatically as soon as the drive is inserted, quietly stealing personal or company information in the background. This happened in an actual attack against the U.S. Pentagon! Current Windows versions no longer execute a USB drive’s autorun.inf automatically, but the drop still works when a curious finder opens the files on it, so the drive itself should never be plugged into a production machine.
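To make the “runs as soon as the drive is inserted” mechanism concrete, here is an added example (not from the article or the speaker) that parses the Windows autorun.inf format and flags the entries that cause a program to launch when the drive is inserted or opened. The two autorun.inf texts are constructed for illustration; the file names in them are not real malware.

```python
"""Flag autorun.inf entries that launch code on insert/open.

Added illustration, not from the original article. autorun.inf is an
INI-style file: an [autorun] section, key=value lines, ';' comments.
The keys that make Windows (pre-2011 behaviour for USB storage; still
honoured for optical media) execute something are 'open', 'shellexecute'
and 'shell\<verb>\command'; 'action' only supplies the text shown in the
AutoPlay dialog and is how an attacker dresses the launch up as
"Open folder to view files".
"""
import re

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {section: {key: value}}; section and key names lowercased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def flag_autorun(text):
    """List findings for keys that execute a program; empty list if benign."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            findings.append(f"{key} runs '{value}' on insert/open")
    if findings and "action" in autorun:
        findings.append(
            f"action text '{autorun['action']}' disguises the launch in AutoPlay"
        )
    return findings


# Constructed samples (not real malware).
BENIGN = """[autorun]
icon=setup.exe,0
label=Vendor Drivers
"""

MALICIOUS = r"""[autorun]
; looks like an ordinary removable drive
open=data\update.exe
shellexecute=data\update.exe
shell\open\command=data\update.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, "->", flag_autorun(sample) or "no launch entries")
```

Reading a found drive’s autorun.inf this way, on an isolated analysis machine, tells you whether it was built to execute something; it says nothing about documents on the drive that carry their own payload, which is why the drive goes to the security team rather than into a workstation.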
Take Away: Closely check the background and reputation of any data destruction vendor. Verify that the data is actually destroyed in a non-recoverable form, and monitor closely that your corporate record destruction procedures are being faithfully followed. Remember the simple and obvious ways corporate spies try to gain your trust and, through it, access to vital information. Be wary of free give-away computer devices, or cast-off computer items, that can be plugged into your computer.
Eric M. O’Neill is the founding partner of the Georgetown Group, where he specializes in counterintelligence and counterterrorism operations, security risk assessments, investigations into economic espionage, internal investigations, and background investigations. Eric served as an undercover operative for the FBI, where he conducted national security field operations against terrorists and foreign intelligence agents. His role in the investigation and capture of Robert Philip Hanssen, the most notorious spy in United States history, became the subject of the Universal Studios movie Breach, released to critical acclaim in 2007.