Tech gadgets help corporate spying surge in tough times
-- Marla Suttenberg had a sinking feeling that a corporate spy was shadowing her.
In March 2008, the owner of Woodcliff Lake, N.J.-based Sapphire Marketing was preparing to give a longtime client a generous price cut on $134,000 worth of audio/videoconferencing equipment.
But before her sales rep could extend the offer, her chief rival, David Goldenberg, then regional vice president of sales for AMX, a Dallas-based conferencing systems maker, sent the client an e-mail disparaging Sapphire and offering a steeper AMX discount.
"I felt sick to my stomach," Suttenberg recalls. To pull that off, someone had to have infiltrated Sapphire's internal e-mail, she thought at the time.
She was right. A few days later, Goldenberg, 48, of Oceanside, N.Y., was arrested. He subsequently pleaded guilty to felony wiretapping for tampering with Sapphire's e-mail. He was sentenced last month to three months probation and ordered to undergo counseling. "There was nothing sophisticated about me getting into their e-mail," he said in an interview. "Honestly, I had no idea that it was illegal."
Corporate espionage using very simple tactics — much of it carried out by trusted insiders, familiar business acquaintances, even janitors — is surging. That's because businesses large and small are collecting and storing more data than ever before. What's more, companies are blithely allowing broad access to this data via nifty Internet services and cool digital devices.
"Having more sensitive information being seen by more people and accessed on more devices drives up risk significantly," says Kurt Johnson, vice president at Courion, a supplier of identity management systems.
The slumping economy doesn't help. "Mass layoffs have increased internal threat levels dramatically," says Grant Evans, CEO of ActivIdentity, which makes smart cards and security tokens.
Employees worried about job security face rising temptations to seek out and hoard proprietary data that could help boost their job performance, or at least make them more marketable should they get laid off, says Adam Bosnian, vice president at Cyber-Ark Software, another identity management systems supplier.
Of the 400 information technology pros who participated in a recent Cyber-Ark survey, 74% said they knew how to circumvent security to access sensitive data, and 35% admitted doing so without permission. Among the most commonly targeted items: customer databases, e-mail controls and CEO passwords.
Cellphones, digital cameras and USB dongles come with vast memory — enough to store data that a few years ago might have required a stack of CDs, says Nick Newman, computer crimes specialist at the non-profit National White Collar Crime Center. Web services, such as Hotmail, Yahoo Mail and Gmail, and popular social networks, such as Facebook and Twitter, make terrific free tools for transferring and storing pilfered data anonymously.
"If you create an environment where your employees can walk freely out the door with unencrypted, proprietary data, it's only a matter of time before someone actually does it," says Sam Masiello, vice president at messaging and browser security firm MX Logic.
Lax passwords a danger
The exposure redoubles at companies that are lax about passwords. Last week, a hacker pilfered sensitive Twitter business documents and released them publicly. Twitter co-founder Biz Stone said in a statement that the hacker got in by figuring out the log-on of a Twitter employee who used the same non-unique password for several online accounts.
"The unauthorized extraction of information is epidemic and essentially unstoppable," says Phil Lieberman, CEO of Lieberman Software, which makes password security systems.
Goldenberg's caper illustrates just how easy it can be. In an interview, he said it all began in September 2007 when one of the sales reps who reported to him at AMX jumped ship to rival Sapphire, the sales arm of Crestron Electronics, a Rockleigh, N.J.-based maker of conferencing systems. Goldenberg says he inspected the company laptop turned in by the departing rep and found an e-mail from Sapphire welcoming the new recruit.
The message, he says, included the Web address to Sapphire's e-mail server and the recruit's new e-mail address and password. Goldenberg says he logged on as the recruit and quickly figured out the log-ons of three other employees. Like the recruit, they used their first name as part of their e-mail address — and as their password.
"He didn't go searching for this," says Dean Schneider, Goldenberg's attorney. "It basically hit him in the face."
For each e-mail account, Goldenberg activated a feature to forward copies of all incoming messages to a fresh Gmail account he created. He then spent long hours and days on end poring over Sapphire e-mail, says Bergen County prosecutor Brian Lynch. "It was voyeuristic," says Lynch. "That's why we recommended counseling."
Court records show Goldenberg may have initially gained access to Sapphire's e-mail months earlier than he claims.
"Admittedly some of our people's passwords probably were not as strong as they should have been," Suttenberg says. "But just because you have a cheap lock doesn't mean it's legal to pick the lock."
The customer whom Goldenberg tried to steal contacted Sapphire to inquire how Goldenberg knew specifics about Sapphire's discount before he did. Suttenberg talked the customer into sticking with Sapphire.
"He was too blatant," she says of Goldenberg.
A new system
Suttenberg has since scrapped the bare-bones e-mail service supplied by her local Internet service provider, which cost her a few hundred dollars a month. She now pays thousands of dollars a month for an in-house Microsoft Exchange e-mail server brimming with security features. She also instructed her 10 employees to change their e-mail account passwords frequently and to avoid passwords "that your co-workers and contacts can figure out."
While Suttenberg has buttoned up Sapphire, millions of small-business owners — and plenty of big corporations — continue to make it easy for larcenous insiders. With the exception of highly regulated banking and health care companies, most businesses are just beginning to discuss how to repel insider intrusions, security experts say.
The basics include taking stock of how sensitive information is conveyed, collected and stored — and strictly controlling who has access to it. "We're seeing 70% to 80% of breaches originating from the inside," says Vladimir Chernavsky, president of DeviceLock, which makes systems that restrict data transfers. "Companies need to enforce security policies and make sure employees know there are severe consequences to a breach."
Spy toys
And then there are the janitors and groundskeepers to worry about, says J.D. LeaSure, a Virginia Beach counter-surveillance specialist. LeaSure makes his living conducting "sweeps" that ferret out miniature listening bugs and video cameras hidden in executive suites, conference rooms and other settings.
Insider intruders, he says, have come to see value in making audio and video recordings of certain closed-door discussions. They need only do a Web search on the phrase "spy bug," and a trove of eavesdropping and peeping-Tom gadgetry that would impress James Bond turns up. LeaSure calls them "spy-shop toys."
One of the latest: an ordinary-looking USB cable. You plug one end into a printer or other peripheral device and the other end into the computer's USB port. Nothing looks amiss, and the cable operates normally. But it also houses a sensitive microphone and antenna that continually transmits a UHF audio signal to a receiver that can be up to 160 feet away. "You can hear every whisper within the confines of the room,"' says LeaSure.
There are dime-size "contact bugs," which anyone could stick to the outside of a conference room window and matchbox-size "SIM bugs," or listen-only cellphones that don't ring or light up, that can be activated by a phone call an hour, a week or a month later.
Another readily available gadget looks like a luminescent jawbreaker. It is really a motion-activated video camera and digital video recorder capable of capturing 33 hours of activity. All one needs to do is perch it where it won't be noticed on a Monday and retrieve it on a Friday.
LeaSure recently did a security sweep of the CEO's office at a publicly traded corporation in the Southeast, which he declined to name because of client confidentiality. There, he found an innocuous-looking ballpoint pen in a cup with a handful of other pens and pencils. The pen wrote beautifully. It also contained a voice-activated audio recorder with 2 gigabytes of memory.
LeaSure set up a hidden surveillance camera and caught the janitor swapping out a fresh pen recorder every third day. The janitor was fired, with no other repercussions, after disclosing the identity of the insider who put her up to it.
That person stopped spying after being threatened with legal action, says LeaSure, but nothing else was done. "The principal did not want the stockholders or press getting a hold of the fact that company secrets were leaked because of what that would do to the company's stock price," he says.