Blog Entries

Posted on September 13, 2007 10:30 pm by trhodes
Categories: Information Loss, Business Security, Uncategorized

The New England Patriots won three Super Bowl titles in four years, building an NFL “Super Power” in what many believe to be an era of unmatched competitive poise.

However, did this team—long considered a model of success and effectiveness—cheat to do it? Did the Patriots use means described by many as “spying” to gain that competitive edge? That is the pressing question as details emerge about the Patriots breaking NFL rules by secretly videotaping the defensive signals of the rival New York Jets this past Sunday.

In the NFL, information is relayed to players on the football field from coaches on the sideline in much the same way a baseball runner receives signs from the third base coach. As in baseball, most football teams use accepted methods (such as the naked eye from across the field) to attempt to “break” the signal code and decipher the opponent’s signs, thus gaining a competitive edge. Obviously, by knowing what play the opponent intends to use, a team can better prepare to counter it.

What allegedly happened with the Patriots—and presumably occurs with other NFL teams—is no different from what goes on every day in the business world. Companies of all sizes use various means, from legal and ethical competitive intelligence analysis to covert espionage and stealing of proprietary secrets, to proactively understand their competitors’ next moves. By identifying a competitor’s next move—whether it is new sales & marketing tactics, pricing strategies, product roadmap, or M&A plans—companies can blunt the competitor’s efforts, potentially reducing the loss of their own customers along with the associated revenue and market share.

In the business world, companies acquire this information in various ways. I group competitive research into three categories:

1) Legal and ethical: This is the use of 100% legal and ethical means of gathering and analyzing competitive information. Examples include research involving both primary sources (first person collection of information from one-on-one interviews, surveys, and focus groups) and secondary sources (utilizing existing public information).

2) Legal but unethical: There is definitely a grey area in the world of competitive research. The legal system has not caught up with (or has ignored) current competitive research practices that use less than honest means. Remember, just because something is legal does not mean it is ethical. While billions of dollars are spent on IT and network security to keep hackers from stealing digital information, experts in the art of “social engineering” walk right through a company’s front door and gather confidential and proprietary information from unsuspecting employees. Social engineering is the manipulation of people (rather than technology) to breach an enterprise’s security. Despite advances in technology, social engineering remains the single greatest security risk, and many of the most damaging security penetrations are the result of social engineering, not electronic “hacking” or “cracking.”

3) Illegal and unethical: Examples in this category include utilizing electronic eavesdropping devices, posing as someone you are not to gain non-public information (including some types of social engineering, such as “pretexting” and “phishing”), and hiring individuals to steal confidential information.

Also in the second category above (legal but unethical) is the issue of “human error.” Employees often do dumb things, like leaving confidential documents behind at a Kinko’s. In various media circles, former Patriots staffers allege that they were paid (or were instructed to pay others) to search the hotel meeting rooms of visiting football teams for strategic game-time documents. For example, it is fairly typical for a football team to script its first 10 to 15 offensive plays and distribute that list to players the night before a game. Often, extra copies of these and other documents get left behind in meeting rooms where anyone can pick them up. This is the equivalent of a competitor in the business world searching the hotel meeting room just vacated by the board of the target company.

In Pittsburgh, wide receiver Hines Ward told a news reporter this week that he suspected New England had deciphered the Steelers’ offensive plans during the January 2002 AFC championship game.

“They knew a lot of our calls,” Ward said. “There’s no question some of their players were calling out some of our stuff.”

Whether your employer is an NFL football team or a top-producing enterprise, you can limit the loss of strategy and confidential information by educating employees about information loss. Making employees aware that they cannot leave confidential information lying around, whether in a hotel conference room or online in an industry chat forum, is 90% of the battle.

By focusing first on what is immediately controllable to reduce information loss, organizations can then move on to the more complex task of limiting information lost through illegal and potentially criminal means.

Until next time,

-Tim

Posted on September 7, 2007 4:36 pm by trhodes
Categories: Information Loss

For more than a year, unbeknownst to people who used Internet terminals at Kinko’s stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords.

Jiang had secretly installed, in at least 14 Kinko’s stores, software that logs individual keystrokes. He captured more than 450 user names and passwords, using them to access and even open bank accounts online. He was later caught and admitted to installing Invisible KeyLogger Stealth software at Kinko’s as early as Feb. 14, 2001.

Encrypting e-mail and Web sessions does nothing to combat keystroke loggers, which capture data before the scrambling occurs. Cookies also contribute to the risk of identity theft. Cookies are files that help Web sites remember who you are so you don’t have to keep logging in. Unless a user remembers to log out, these files can let the next person at the public terminal surf the Web as you.

A secure public terminal should, by default, automatically flush cookies and browsing history when a customer leaves; however, few are set up that way.

Recently, during some business travel, I became trapped at the Salt Lake City airport facing a 5-hour delay before my next flight. I decided to find some peace and quiet (and a T1 internet connection) and went into a “LapTop Lane”, a franchise company that provides private offices in multiple airports in the U.S. Each LapTop Lane has between 4 and 10 private offices, each of which has its own desktop that individuals can use for an hourly fee.

I got settled in and was re-charging my laptop and decided to use the provided desktop. I opened up Microsoft Explorer to see what was on the computer, and much to my horror and surprise, I discovered no less than 20 saved customer documents on the computer. One of these documents was a confidential presentation from Cisco. I am not going to re-post the entire presentation here, but here is the first page of the document where you can see it is definitely an internal, confidential document.

[Image: cisco-presentation.jpg, the first page of the presentation]

Users like me need to avoid using public terminals for anything other than general web browsing. Keep all confidential and non-public communications on your own secure computer to avoid a mess like the one described above.

Posted on August 28, 2007 12:06 pm by dwoods
Categories: Information Loss, Business Security

An independent study conducted by Websense Inc. shows that many small and medium-sized businesses are at greater risk of information loss than they realize. 99% of IT managers feel their company is at least somewhat protected from internet data loss, but only 22% feel their company is completely protected, and only 20% use internet security software. It is very disheartening that 80% of small and medium-sized businesses are not taking even basic security precautions. Internet security software is inexpensive and simple to implement; if your company doesn’t have it in place, your IT manager needs better training to get the company to a baseline level of internet security.

The IT managers surveyed identified the following threats as the top risks to their business:

  • 74% - employees clicking on email links from unknown sources
  • 53% - employees accidentally sending company email to the wrong address
  • 50% - employees deliberately or accidentally accessing adult websites from work

73% of employees surveyed admitted to engaging in at least one of those behaviors, 54% admitted to more than one, and 27% admitted to engaging in all three. This clearly points to a huge lack of training. First and foremost, every company should have an acceptable internet use policy that they actively enforce. Upon employment, every person should receive training that clearly explains these policies and why they are important to keep the company’s confidential information safe. Preventing risky behaviors like these should be one of any IT manager’s top priorities.

41% of employees said they believed their IT department was protecting them from every internet security threat, and 45% said their IT department provided some protection but they weren’t sure how much. The bottom line is that most companies need better security policies in place, IT departments need to be better able to implement those policies and procedures, and employees need better training to understand what their responsibilities are to protect the company’s confidential information. If your company does not have an internal resource with the expertise to help you achieve these goals, the best step to take is to hire an outside consultant who specializes in training companies in your industry.

Posted on August 25, 2007 9:23 am by admin
Categories: Information Loss, Business Security

On August 20th, we brought you the story of Monster.com losing 1.6 million customer records when administrator-level accounts were compromised. It has now been revealed that Monster waited 5 days before sending letters to the affected customers on August 21st informing them of the situation. The problem is that in the meantime the customers were exposed to a fraudulent email which appeared to be from Monster. If they had been notified sooner, the vast majority of them might never have opened the email and downloaded the malware it contained.

Monster waited to send out the letter because they thought they could contain the inevitable PR disaster, but have instead attracted even more negative attention.  If handled properly, some data leaks never need to become public knowledge, but ones of this scale need to be handled by notifying the affected people ASAP.

It is a good bet that Monster did not have a policy in place beforehand to deal with this type of situation, so when it happened they inevitably mishandled it. Companies need policies and procedures for handling information leaks of all sizes before they happen. They need to know when they can handle a situation quietly behind the scenes and when the public has to be notified. Now, in addition to dealing with the damage caused by the original leak, Monster has to handle the additional scrutiny for waiting so long to tell people.

Posted on August 23, 2007 4:06 pm by dwoods
Categories: Information Loss, Business Security

A New York City official reported today that a laptop with the financial information of as many as 280,000 city retirees was stolen from a private consultant when he took the laptop with him to a restaurant. As we have mentioned on this blog numerous times, you should only allow a third party access to your confidential information after they have undergone thorough training to make sure they understand your security policies and procedures. With so many high profile cases of laptops being stolen in the news, thieves are looking for unattended laptops more than ever. Even if the thief doesn’t use the information directly, he can sell it to someone who will, or spread the information on the internet for anyone to use.

Although you need to be careful any time you allow a consultant to handle your confidential information, you have to be even more cautious when you allow sensitive data to leave your premises on a laptop. The lost laptop itself may be worth only $2,000 to $3,000, but according to the 2002 Computer Security Institute/FBI Computer Crime & Security Survey, the actual financial loss from a laptop theft is estimated at $89,000. Although this number is shocking at first, consider the manpower involved just in contacting 280,000 people, explaining exactly what was stolen, and advising them on the best way to secure their finances. It would not be surprising if the loss of this particular laptop costs New York City millions of dollars.

The most obvious precaution for laptops that leave the premises is to make sure the user never leaves them unattended; however, users are human and make mistakes. The only reliable way to keep the data from being read if the laptop is stolen is to encrypt everything on the hard drive. Some hard drive manufacturers, such as Seagate, have begun shipping laptop drives that automatically encrypt all the data they hold. If your laptop does not already have that capability, there are numerous software applications that will keep your data encrypted. Keep in mind that drive encryption only protects a machine that is powered off: a laptop stolen while it is running and logged in can simply be used, whatever the drive does. Good hard drive encryption renders a stolen laptop almost useless to a thief, which can save your company hundreds of thousands of dollars.

Posted on August 20, 2007 10:58 am by trhodes
Categories: Information Loss, Business Security

Your office photocopiers can now be added to the list of devices that leak personal data. Recent personal data losses across the nation have been attributed to employees mishandling, or deliberately removing, the hard drives inside multi-function printers (often called MFPs) in order to exploit the document images stored on them.

The issue pertains only to higher-end MFPs that digitally store copied or scanned images, temporarily or for the short term. These MFPs usually contain small hard drives that can be removed and read by virtually anyone with a computer and a drive data cable. The problem is significant enough that a major copier company issued a security advisory warning that the hard drives in many photocopiers retain scanned documents.

So how easy is it to obtain information or documents from these machines? I decided to do a little test of my own by going to the local Kinko’s, since our office copier lacks anything “high-end.” (That is another story.) I found a higher-end digital copier with scanning capabilities. My intention was to ask a Kinko’s employee whether the machines had hard drives embedded within their skeleton; however, I came across something that captured my interest. I discovered that the machine had a “recall” option where the last three items copied or scanned were still available! I chose one of the three, and the MFP started printing out 10 copies of what appeared to be a confidential presentation from a local company proposing the acquisition of a large, publicly traded company. I later checked secondary research and open-source news and investor sites and discovered that the notion of a merger or acquisition with the company in question was not even being considered, much less publicly released. This could have caused a real issue for the company involved if a “get-rich-quick” trader had leveraged this information in the stock market.

I then asked one of the Kinko’s employees about the hard drives allegedly installed in these machines. The employee kindly told me that these copy machines were “top-of-the-line digital MFPs…each containing 1 GB [Gigabyte] of hard drive space for storage.” When I asked how this information could be accessed, she told me that the hard drives are “easily removable” from the machines. I then inquired about how this might place personal or corporate information at risk, and I was surprised by her response: “That is definitely an issue [internal MFP hard drives], but what gets me the most is when people come in here [to Kinko’s] from area businesses and photocopy and print dozens of copies of confidential and non-public materials and then just leave extra copies lying around. I am always picking up off the printers or copiers copies of presentations marked ‘confidential,’ ‘do not distribute,’ or ‘internal company information – not for external distribution,’” the employee told me. She further told me: “And it must be common knowledge that documents get left at a Kinko’s, because there was a guy who came in here each week and collected presentations and extra copies left on the printers or scanners. After about the fourth or fifth day, I asked him what he was doing and he told me that he worked for [name omitted – the company is a competitor of a Fortune 500 company in the area]. He was hired as the company’s competitive intelligence manager, and one of the first places he goes to get his information is the Kinko’s closest to the competitor’s facility.” My jaw nearly dropped.

While I remain extremely concerned about the issue of security with digital copy machines, I am also concerned that companies are actually lurking at Kinko’s shops for competitor information. So, let this be a lesson: not only are digital copy machines not secure, it appears that employees who lack common sense are making the local copy shop a source of competitive intelligence!

This is an example of why company employees need basic awareness training about information security. Leaving confidential documents behind in public places is 100% sheer laziness. According to the Kinko’s store manager of the location I visited, “Every Kinko’s has secure shredder boxes for customers to use. We make sure that any piece of paper that goes into that box is shredded and unable to be used by a would-be identity thief or corporate intelligence agent.”

Basic employee awareness training is a must for confidential document security. This story is also a good reminder that an annual audit of your company’s information-loss risk can help prevent embarrassing losses of customer data or confidential company documents. The key to raising that awareness is understanding that office equipment holding information, whether briefly or for long periods, can be accidentally or intentionally handed to criminals who will use or sell that information for a quick buck.

Posted on August 20, 2007 10:54 am by dwoods
Categories: Information Loss

Symantec Corp. has reported that 1.6 million records from the popular job posting site Monster.com have been stolen. The stolen information includes names, e-mail addresses, home addresses, phone numbers and resume identification numbers of people who posted their resumes to the site. Hackers gained access to the personal information by compromising the user names and passwords of individuals with privileged access to Monster.com. Monster gives some recruiters and human resources personnel access to this very sensitive information to make their jobs easier, but incidents like this one can happen if even one of those people loses their login information.

Attackers used the information they gained to send the victims phishing emails that fraudulently claimed to be from Monster.com. Users who clicked the link in the email had malware automatically downloaded to their computer, which then attempted to steal bank account details, credit card numbers, and other highly personal information.

In the future, Monster should rethink its access control policies to prevent incidents like this one. It should provide better training to users with access to sensitive information and set strict guidelines for handling login credentials. Ongoing monitoring that watches for suspicious activity, such as one account downloading the records of more than a certain number of people at a time, could have greatly reduced the number of people affected by this break-in.
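The monitoring idea above, as an added example that is not Monster.com's code or anything from the original post: a small Python script that reads access-log lines (a constructed format of timestamp, account, action and record ID, assumed here for illustration) and flags any privileged account that views more than a threshold of distinct records within a sliding time window. The account names, log lines, threshold and window length are all invented.

```python
"""Flag privileged accounts that pull an abnormal number of records.

Added example, not Monster.com's code. The log format, field names,
threshold and window are assumptions made for illustration; the log
lines in SAMPLE_LOG are constructed, not real.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <account> <action> <record_id>"
# recruiter_a browses at a human pace; recruiter_b pulls six distinct
# resumes in six seconds (and re-reads one of them).
SAMPLE_LOG = """\
2007-08-17T09:00:01 recruiter_a view_resume 1001
2007-08-17T09:02:10 recruiter_a view_resume 1002
2007-08-17T09:05:30 recruiter_a view_resume 1003
2007-08-17T09:00:00 recruiter_b view_resume 2001
2007-08-17T09:00:01 recruiter_b view_resume 2002
2007-08-17T09:00:02 recruiter_b view_resume 2003
2007-08-17T09:00:03 recruiter_b view_resume 2004
2007-08-17T09:00:04 recruiter_b view_resume 2005
2007-08-17T09:00:05 recruiter_b view_resume 2006
2007-08-17T09:00:06 recruiter_b view_resume 2006
"""


def parse_line(line):
    """Parse one log line into (timestamp, account, record_id).

    Returns None for actions we are not monitoring (only resume views
    count toward the bulk-access threshold).
    """
    ts, account, action, record_id = line.split()
    if action != "view_resume":
        return None
    return datetime.fromisoformat(ts), account, record_id


def find_bulk_pullers(log_text, max_records=5, window=timedelta(minutes=10)):
    """Return {account: (time_of_first_alert, distinct_records_in_window)}.

    An account is flagged the first time it has viewed more than
    max_records distinct records within any sliding window of length
    `window`. Later events for an already-flagged account are ignored.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines() if l.strip()) if e]
    # Logs gathered from several front ends rarely arrive in order;
    # the sliding window only works on a time-sorted stream.
    events.sort(key=lambda e: e[0])

    recent = defaultdict(deque)  # account -> deque of (ts, record_id) inside window
    alerts = {}
    for ts, account, record_id in events:
        q = recent[account]
        q.append((ts, record_id))
        # Drop events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Count distinct records, so re-opening the same resume is not exfiltration.
        distinct = len({rid for _, rid in q})
        if distinct > max_records and account not in alerts:
            alerts[account] = (ts, distinct)
    return alerts


if __name__ == "__main__":
    for account, (ts, n) in find_bulk_pullers(SAMPLE_LOG).items():
        print(f"ALERT {ts.isoformat()} {account} viewed {n} distinct resumes within 10 minutes")
```

Counting distinct records rather than raw requests avoids flagging an account that re-opens the same resume, and sorting the events first matters because logs collected from several front ends rarely arrive in order. In a real deployment the alert would feed an account-suspension or step-up-authentication hook rather than a print statement, and the threshold would be set from the observed per-account baseline rather than guessed.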

