Kristian Erik Hermansen
May 28th, 2011
On Recent Trends in Competitive Intelligence via Technical Virtuosity
“There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!” -- Cosmo, from the film Sneakers
The world is a very different place today than it was before the Information Age. With ubiquitous access to information and a world where everything is connected, your competitors are also just a few hops away over the Internet. What this means is that those who can control the way you access information can control the entire game of competition. So what does this mean from the perspective of our Competitive Intelligence education?
Benjamin Gilad’s book Business War Games repeatedly makes the point that you do not need a complex technical advantage to perform Competitive Intelligence activities or to derive useful knowledge from a simulated Business War Game. What I would like to discuss in this short paper, however, is what can be done by adversaries who do have such an advantage, whether they use it legally or not. This matters because the laws of the United States do not apply globally. I am also quite interested in this topic personally, mainly because I have spent the majority of my life in the Information Security industry and was also invited to speak at two of Taiwan’s top universities last year on such topics.
In this week’s readings, “Competitive Information Policy at Pratt & Whitney” and “Corporate Policy and the Ethics of Competitor Intelligence Gathering”, various subjects are discussed in relation to enacting, enforcing, and skillfully adhering to policies set internally by a corporation. There is much discussion of legal grey areas and of what to do with documents labeled CONFIDENTIAL that are not really confidential. There was also an example of a competitor using aerial photography to gain insights about a new production plant; a court of law found that to be a violation. But what about the truly black areas of competitive intelligence?
In January of last year, Google and numerous other Fortune 500 companies admitted that they had been targeted in a malicious hacking campaign publicly termed Operation Aurora. The attacks were traced back to China, and the episode forced Google to at least temporarily suspend its normal operations in that country. Last September, news agencies reported that Iran’s nuclear program had been compromised by a very sophisticated computer worm, Stuxnet, built to sabotage the industrial control systems used in its uranium-enrichment facilities. Last November, WikiLeaks published confidential diplomatic cables obtained by a soldier who abused his security clearance. In February of this year, the government security contractor HBGary Federal was attacked and its internal email was posted online for anyone to download, exposing all of its communications and forcing its CEO to resign. In March, RSA Security, maker of the SecurID two-factor authentication token once perceived as impenetrable, reported that it had been the target of a sophisticated cyber-attack. In April, Sony’s PlayStation Network was taken offline after intruders broke into its servers, causing weeks of disruption and identity-theft concerns for tens of millions of customers and for game publishers alike. And today, one of the US government’s largest defense contractors, Lockheed Martin, is battling intrusions into its network that are reportedly linked to the compromised RSA SecurID tokens. Could anyone have seen that coming?
So, just from these news items, one can see the drastic consequences that technical aptitude can bring about. In the context of competitive intelligence, what does this mean for those of us working within an American corporation? Instead of providing a litany of ‘To Dos’ and ‘Shall Nots’, I would rather get you into the mindset of a technical attacker so that you can understand how they think. Many successful attacks such as those outlined above involve precursory information leakage: privileged information is somehow obtained by the attacker without the knowledge of the target(s). I will structure the scenarios as role-playing exercises that you can follow along with and play out, in the manner discussed in detail in the Business War Games book. It’s time to think like a bad guy.
You are heading to a business conference with some colleagues from your firm. At the conference you hope to learn about recent trends or breakthroughs in the industry and possibly glean some information about your competitors in the process. You hear that someone from a top competing firm is giving a talk. You are intrigued, but you also realize that the presentation materials will likely have been pre-screened by their organization so that they hold little or no competitive value for you. Still, you might learn something over drinks with the speaker or by some other means. So you go.
On the first day of the conference, you arrive and get settled into the environment. There are some familiar faces, but most you do not know. You sit through one interesting talk on widgets and take extensive notes. As you are leaving, you are told that you can drop your business card in a bowl for a raffle at the end of the conference. You don’t see the harm and think that you might actually win, since there are fewer people at the conference than last year. You continue on at the conference and everything is great. You meet new people and hear new things. You take copious notes on the good stuff. It’s nearing the end of the final day and you need to skip the last talk so you can make your flight home on time.
You arrive home Friday night and spend the rest of the weekend with the family. On Sunday night before bed, you quickly check your email in order to be prepared for the day ahead. Interestingly, your co-worker Bob has sent you an email. He mentions something about the conference you both attended and has attached a document. You open it up, but it doesn’t seem to work. You make a note to ask Bob about it at work.
The next morning you wake up and head into work. You run into Bob by the water cooler and he asks you about the email you sent him last night. “What? I haven’t even replied to the email you sent me yet,” you protest. Bob, for his part, insists that he never sent you any email either. Hrmm...
So what happened? Remember that raffle bowl? Someone not involved with the conference set up an unauthorized raffle and used it to collect intelligence about the attendees. They found your business card and Bob’s. They noticed that you work at the same company in the same department, which was not publicly known, not even on LinkedIn. They then used that knowledge to send each of you an email that appeared to come from the other, using your real addresses. Forging the From: line is technically trivial and hard to detect: unless your company’s domain publishes SPF and DKIM records and the receiving mail server actually checks them against the domain shown in From:, even Google Mail cannot tell who really sent the message. The attachment you opened installed malware on your computer that siphoned every Word, PowerPoint, Excel and PDF document, your email, and related files off to a remote server. It was specially crafted to evade your computer’s anti-virus and firewall software, which is also fairly easy to do. All of this could have been done simply by getting you to click a hyperlink in the email, but the attachment method is more reliable, since most organizations don’t update Microsoft Office or Adobe Reader very often. The malware also dumped all the passwords you had saved in your web browser.
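The spoofed Bob email turns on one technical fact that is worth seeing in code: the From: line of a message is plain text that any sender can set, and a receiving server can only vouch for it by checking SPF or DKIM and confirming that the domain those checks authenticated is the same domain shown in From:. The following is an added example, not code from the essay: it parses constructed messages carrying the Authentication-Results header a receiving mail server adds after its own checks and classifies each one. The yourcorp.example and attacker.example domains, the hostnames and the header contents are assumptions made for the example.

```python
"""Classify a received message by whether its From: domain was actually authenticated.

Added example for the spoofed-email scenario above; not code from the essay.
The messages, domains and hostnames below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr


def from_domain(msg) -> str:
    """Domain of the visible From: header, e.g. 'yourcorp.example'."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Parse our MTA's Authentication-Results header into {method: verdict, ...}.

    The receiving MTA must strip any Authentication-Results header that arrives
    from outside before adding its own, otherwise a sender can forge a 'pass'.
    """
    hdr = msg.get("Authentication-Results")
    if hdr is None:
        return {}
    text = str(hdr)
    out = {}
    for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", text, re.I):
        out.setdefault(method.lower(), verdict.lower())
    # Which domain each mechanism actually vouched for.
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", text)
    if m:
        out["spf_domain"] = m.group(1).rpartition("@")[2].lower()
    m = re.search(r"header\.d=([^\s;]+)", text)
    if m:
        out["dkim_domain"] = m.group(1).lower()
    return out


def classify(raw: bytes) -> str:
    """Return 'authenticated', 'spoofed', 'unaligned' or 'unauthenticated'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    fd = from_domain(msg)
    ar = auth_results(msg)
    if not ar:
        return "unauthenticated"      # nobody checked anything: From: is just text
    spf_pass = ar.get("spf") == "pass"
    dkim_pass = ar.get("dkim") == "pass"
    if (spf_pass and ar.get("spf_domain") == fd) or (dkim_pass and ar.get("dkim_domain") == fd):
        return "authenticated"        # a pass for the very domain shown in From:
    if ar.get("spf") in ("fail", "softfail") or ar.get("dkim") == "fail":
        return "spoofed"              # the From: domain publishes records and they say no
    if spf_pass or dkim_pass:
        return "unaligned"            # passed for some *other* domain; DMARC-style policy treats this as a fail
    return "unauthenticated"          # spf=none / dkim=none: the domain publishes nothing to check


# Constructed samples (not real traffic). The attacker's mail claims to be Bob.
SPOOFED = b"""Return-Path: <bob@yourcorp.example>
Authentication-Results: mx.yourcorp.example; spf=fail smtp.mailfrom=bob@yourcorp.example; dkim=none
From: Bob <bob@yourcorp.example>
To: you@yourcorp.example
Subject: Re: conference

See attached.
"""

GENUINE = b"""Return-Path: <bob@yourcorp.example>
Authentication-Results: mx.yourcorp.example; spf=pass smtp.mailfrom=bob@yourcorp.example; dkim=pass header.d=yourcorp.example
From: Bob <bob@yourcorp.example>
To: you@yourcorp.example
Subject: Re: conference

Lunch tomorrow?
"""

# The attacker's own domain authenticates fine, but it is not the domain in From:.
UNALIGNED = b"""Return-Path: <bounce@attacker.example>
Authentication-Results: mx.yourcorp.example; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=pass header.d=attacker.example
From: Bob <bob@yourcorp.example>
To: you@yourcorp.example
Subject: Re: conference

See attached.
"""

# yourcorp.example publishes neither SPF nor DKIM: the receiver has nothing to check.
NORECORDS = b"""Return-Path: <bob@yourcorp.example>
Authentication-Results: mx.yourcorp.example; spf=none smtp.mailfrom=bob@yourcorp.example; dkim=none
From: Bob <bob@yourcorp.example>
To: you@yourcorp.example
Subject: Re: conference

See attached.
"""

NOCHECK = b"""From: Bob <bob@yourcorp.example>
To: you@yourcorp.example
Subject: Re: conference

See attached.
"""
```

The NORECORDS case is the one in the scenario: if the company never published SPF or DKIM, the forged message and a genuine one look identical to the receiver, which is all “hard to detect” means here. The fix is on the sending domain’s side (publish the records) as much as the receiving side (enforce them and the alignment rule).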
From the passwords siphoned out of your browser, the attackers noticed that you used the same password, your wife’s name, “betsy”, on a lot of personal websites such as netflix.com and nytimes.com. Going through your email, they find the message you sent Bob about the corporate VPN server when he first joined the company, with instructions for logging on. The attackers try to replicate the process, but find that the initial password ‘changeme’ for Bob no longer works. They try your username with the password ‘betsy’. That works. Now they have access to the VPN and every shared server it reaches, including SharePoint. They dump everything they can access and keep moving through the network until they feel they have enough, or sense that they are about to be detected. They then sell the whole haul on the black market to some of your less scrupulous Chinese competitors. Various news agencies report on the breach a few months later, assuming your staff are proficient enough to detect it at all.
Your firm is preparing to launch a new product. You have been keeping it under wraps for months while your technical team designed the website and prepared to introduce iWidget to the masses. A few weeks ago, the technical team started testing the final website in preparation for the launch. A small group of trusted employees from across the organization was offered a chance to review the new site and give feedback. They were cautioned not to discuss the new product with friends or family until the product was launched, and were reminded of the non-disclosure agreement they signed when joining the company.
A few days after the test group started, a popular technology blog named TechMunch leaked details of the new iWidget product. You and the rest of the management team are livid and plan to find out who the mole was. You ask the technical staff to track down the culprit. After a few days, the IT team reports that it has no idea how the leak happened or who was behind it. You ask anyone with knowledge of it to come forward, but no one will fess up. You are at a loss -- but even more unbelievable is that your top competitor announced today, ahead of your firm, a new MyWidget+ product that has all of the same features and more!
So what happened? Although a staff member could have leaked it in the past week, the leak actually happened much earlier. When the name for the new product was decided, your IT staff registered the then-available domain name iwidget.com, as your company’s normal process for heading off trademark disputes requires. Since the IT team had done this for previous products, it was all routine. What was not routine was that the competition had predicted the move far in advance of the product announcement, based on your firm’s history. They knew that the domain would be registered about six months ahead of launch, so when their Reverse Whois service alerted them to a new domain registered by your company, they immediately put a plan into action for adapting the product they already had in development to match its points of parity.
Reverse Whois is a paid service that searches domain registration records by registrant rather than by domain name, so a subscriber can be alerted whenever your company’s name, address or email domain appears on a new registration. It costs enough that it is typically worthwhile only when the expected benefit is large. The competition leveraged this tool and eventually engineered MyWidget+ to have differentiated features and a slick design, adding significant value over iWidget. The test website on the new domain should never have been reachable by anyone except internal staff, but due to a glitch during a routine maintenance window it was briefly exposed to the outside world. The competition had written a program to check for exactly that, because one of their staff had noticed it tended to happen every third Sunday around midnight. Two cheap precautions would have closed both leaks: registering product domains through a privacy (proxy) registration or an unrelated holding entity, so the registrant record does not name your firm, and keeping the test site on an internal hostname with no public DNS record instead of on the launch domain. In the end, MyWidget+ went on to outsell iWidget ten to one, thanks to iWidget’s late introduction and lesser feature set.
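The competitor’s watcher described above, as an added example that is not code from the essay: it polls a host that is normally unreachable and records the moment it first becomes reachable, together with a hash of what was served, so a short maintenance window is captured once rather than missed or reported on every poll. Run from outside the corporate network against your own staging hosts, it is also the check a defender should be running. The URL, the one-minute interval and the rule that any HTTP 2xx means “exposed” are assumptions; the probe function is injected so the transition logic can be exercised offline.

```python
"""Record when a normally-unreachable site becomes reachable from the outside.

Added example for the iWidget staging-site scenario; not the essay's code.
Hostnames, interval and the 2xx-means-exposed rule are assumptions.
"""
from __future__ import annotations

import hashlib
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Exposure:
    url: str
    first_seen: float      # timestamp of the poll that first saw the site up
    body_sha256: str       # fingerprint of what was served, to spot content changes later


@dataclass
class ExposureMonitor:
    urls: list[str]
    fetch: Callable[[str], Optional[bytes]]          # returns body if reachable, else None
    reachable: dict[str, bool] = field(default_factory=dict)
    events: list[Exposure] = field(default_factory=list)

    def poll(self, now: float) -> list[Exposure]:
        """Probe every URL once; return only new unreachable-to-reachable transitions."""
        new = []
        for url in self.urls:
            body = self.fetch(url)
            up = body is not None
            if up and not self.reachable.get(url, False):
                ev = Exposure(url, now, hashlib.sha256(body).hexdigest())
                self.events.append(ev)
                new.append(ev)
            self.reachable[url] = up      # remembered so a long window is reported once
        return new


def http_fetch(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Real probe: body on HTTP 2xx, None on anything else (NXDOMAIN, refused, 4xx/5xx, timeout)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None


if __name__ == "__main__":
    # Poll once a minute, forever; leave it running over the suspected maintenance window.
    monitor = ExposureMonitor(["https://www.iwidget.example/"], http_fetch)   # assumed URL
    while True:
        for ev in monitor.poll(time.time()):
            print(f"{time.ctime(ev.first_seen)} {ev.url} became reachable, sha256={ev.body_sha256[:16]}")
        time.sleep(60)
```

Because the monitor keys on transitions, a site that stays up for an hour produces one event, and a site that flaps produces one event per exposure; the hash lets you tell a parked page or a registrar placeholder from the real staging content without storing every body.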
In summary, although these examples may seem contrived, they are not. These types of attacks can and do occur. I have witnessed and performed very tactical exploitation of business targets in my work on both the defensive and offensive sides of information security. There are entire “red teams” that get paid to do this legally in order to test corporate defenses, usually without the IT staff even knowing. These legitimately paid attackers generally have a tremendous amount of skill and are rarely detected or caught. They consider themselves a failure if they cannot get access to the highest-value targets, which could be a senior executive’s email.
A friend of mine once mentioned an interesting occurrence on an international flight. He was writing some penetration testing tools and decided to debug them on the way. He was writing a new wireless (WiFi) sniffing and interception tool. In his testing, the tool would pretend to be a common WiFi HotSpot, like “Free Internet” or “Starbucks”. Most computers automatically connect to previously named HotSpots, so if anyone on the flight had their WiFi turned on, he would be able to get them to connect and see their data. As luck would have it, a few computers connected. One of the computers was more interesting than the rest and kept trying to reach a corporate email server to send an unsent email from Outlook. His tool was designed to appear like the email server and accept any email. On this test, the emails he received detailed a proposed acquisitions deal. That’s not something you want getting out too early!
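The “appear like the email server and accept any email” part of that story is a short SMTP conversation, and it is worth seeing what the server side has to say to make a mail client hand over a queued message. Below is an added example, not the friend’s tool and not code from the essay: a rogue SMTP sink written as a state machine (one client line in, one server reply out) so the whole exchange can be walked through offline; listening on a real socket is deliberately left out. The hostnames, addresses and the message text are constructed. The lines that matter for a defender are the EHLO reply, which advertises no STARTTLS, and the 454 answer to STARTTLS: a client configured to merely prefer TLS carries on in the clear and loses the message, while one configured to require TLS and verify the server certificate refuses at that point and sends nothing. Together with forgetting remembered open SSIDs such as “Free Internet” so the laptop does not auto-join them, that is the practical defence against this scenario.

```python
"""Minimal rogue SMTP sink: plays the mail server's side and keeps whatever it is sent.

Added example for the in-flight interception story; not the essay's tool.
Hostnames, addresses and the sample message are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Captured:
    sender: str
    recipients: list[str]
    body: str


@dataclass
class RogueSmtpSink:
    banner_host: str = "mail.yourcorp.example"       # assumption: the host the client expects
    messages: list[Captured] = field(default_factory=list)
    _sender: str = ""
    _rcpts: list[str] = field(default_factory=list)
    _data: list[str] = field(default_factory=list)
    _in_data: bool = False

    def greeting(self) -> str:
        return f"220 {self.banner_host} ESMTP ready"

    def handle(self, line: str) -> str | None:
        """Return the reply for one client line, or None while swallowing DATA lines."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self.messages.append(Captured(self._sender, list(self._rcpts), "\n".join(self._data)))
                self._sender, self._rcpts, self._data = "", [], []
                return "250 OK queued"            # the client now believes the mail was delivered
            self._data.append(line[1:] if line.startswith("..") else line)   # RFC 5321 dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            # No STARTTLS in the capability list: a client that only *prefers* TLS
            # continues in the clear; one that *requires* it stops here.
            return f"250-{self.banner_host}\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME"
        if verb == "STARTTLS":
            return "454 TLS not available due to temporary reason"
        if verb == "AUTH":
            return "235 Authentication successful"   # accepts anything; whatever was sent is now exposed
        if verb == "MAIL":
            self._sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            self._rcpts.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"     # anything else: agree, and never reveal that this is not the real server


def run_session(client_lines: list[str]) -> tuple[list[str], list[Captured]]:
    """Drive one session with a scripted client; return server replies and captured mail."""
    sink = RogueSmtpSink()
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies, sink.messages


# Constructed client transcript: roughly what a mail client with a queued message
# does once it believes it has reached its outgoing server.
SAMPLE_SESSION = [
    "EHLO laptop.local",
    "STARTTLS",                                   # refused; an opportunistic-TLS client just carries on
    "MAIL FROM:<cfo@yourcorp.example>",
    "RCPT TO:<board@yourcorp.example>",
    "DATA",
    "Subject: Project Falcon - proposed terms",  # constructed, not a real deal
    "",
    "Offer at $12/share, announce after Q3 close.",
    "..leading dot must be unstuffed",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, mail = run_session(SAMPLE_SESSION)
    for r in replies:
        print("S:", r.replace("\r\n", " | "))
    for m in mail:
        print(f"captured {m.sender} -> {m.recipients}:\n{m.body}")
```

Note that nothing in the exchange proves the server’s identity to the client: the banner hostname is simply asserted. Only TLS with certificate verification gives the client a way to notice it is talking to a stranger, which is why “require TLS” rather than “use TLS if available” is the setting that matters for laptops that roam onto untrusted networks.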
Many proficient security experts leverage new methods of attack that have never before been made public, just to gain access and get paid. Now that you know this, what will you do? Maybe you already knew all this? Either way, it may give you some ideas about how to play the game of competitive intelligence a little bit differently, especially if you are operating in the grey area. At the very least, you might have some insight into how to protect yourself or be more cautious in the future. Stay safe.