Tag Archives: IP theft

Security News for the Week Ending November 1, 2019

Johannesburg, South Africa Attacker Threatens Data Breach

In what I think is going to be the way of the future, hackers compromised Joburg IT systems and threatened to publish data that they stole if the ransom is not paid.  As I write this, the deadline has just passed, they have not paid the ransom, the data is not yet exposed and they think they will have most of the systems back online soon.  While this project seems to be the work of inexperienced hackers (they did not encrypt all of the systems), this does not mean that more experienced hackers won’t try this technique and do a better job of it.  Source: The Register.

China Steals IP to Build C919 Airliner

I keep saying that the biggest threat to U.S. businesses is not credit card fraud but IP theft, such as by the Chinese.  In this case the Chinese wanted to build a passenger jet to compete with Boeing and Airbus.  The plane, in development for almost 10 years, was delayed because the Chinese didn’t actually know how to build it.  SOOOOOO, here comes TURBINE PANDA.  Stupidly, the developer of Turbine Panda came to the US for a security conference, where he was quickly arrested by the FBI.  Now China’s MSS (ministry of State Security) has banned Chinese researchers from attending conferences in the US.  In the meantime, Turbine Panda was  used to compromise US and European airplane parts suppliers so that China could get the tech that they needed to build the C919.  Source: CSO.

 

FCC Plans to Ban Huawei and ZTE Equipment, Force Replacement

The FCC is set to vote on rules banning using Federal Government subsidies to buy Huawei and ZTE equipment  because of their close ties to the Chinese government and another rule that would force telecoms to rip  out existing Chinese equipment.  The cost of replacing existing equipment has been estimated at several billion dollars and the FCC doesn’t have any way to pay for that.  In addition, if telecoms have to use more expensive 5G equipment from other providers, they will have to slow down the deployment of 5G services due to cost.  The options that telecoms have, if that proposal gets approved, is to significantly delay the rollout of the much overhyped 5G cell networks or raise prices.  This disproportionately will affect less densely populated parts of the county (like me, who lives 20 miles from downtown Denver – I cannot currently get any form of broadband Internet or any form of cell service where I live) because carriers will choose to install limited 5G service in highly dense areas where they will get more subscribers to pony up the additional fees for 5G cell plans and those 5G cell phones that often run $1,100 or more.  The U.S. is already pretty much a third world country when it comes to fast , affordable Internet and cell service and this will only reinforce it.  I have no problem banning Chinese firms, Congress just needs to figure out how to pay for this desire.  Source: ARS

 

Domain Registrars Web.com, Network Solutions and Register.Com Hacked

These three registrars – all owned by the same folks – were hacked in AUGUST but the company didn’t figure it out until mid OCTOBER.  The information taken is mild by today’s standards – names, addresses, phone numbers, etc. but no credit cards – they don’t don’t believe (that’s comforting).  Also not compromised were passwords.  If this is accurate, it seems like they segmented the data, which is a good security practice.  Still, if you use one of these services, I would change  my password and make sure that two factor authentication is enabled.  Source:  The Hacker News.

 

Rudy Guiliani Bricked His iPhone;  Asked Apple to Fix It

Reports just surfaced – and so far are not being disputed  – that the Prez’s cybersecurity advisor, personal lawyer and who knows what else, apparently forgot his iPhone password and after 10 tries, locked it up, so he took it to an Apple store in San Francisco and GAVE it to some random Apple tech to reset, and reload from iCloud.  Definitely a super secure situation.  Rudy said that everyone needs help from time to time and compared himself to the dead San Bernadino mass shooter whom the FBI needed help unlocking his iPhone.   I don’t think that would be someone that I would compare myself to.  Source: The Register.

Does Amazon Have a Security Prob?

One report says that an Amazon customer was seeing mysterious fraudulent charges on his account and even after working with Amazon multiple times and resetting everything, the charges kept coming.  After months, he found out that Amazon doesn’t have visibility to non-Amazon branded smart devices that are connected to your account (like a smart TV) and even if you reset your account, those devices can continue to connect and order stuff.  There is a department inside the company that has a special tool that they can use to detect these rogue devices.  If you are seeing mysterious charges that they can’t explain, this could be it.  Source: The Register.

Facebooktwitterredditlinkedinmailby feather

Equifax Hack – The Prequel

While we all know about the Equifax breach last year that compromised the data of almost 150 million people and businesses, until today we did not know about the Equifax hack two years earlier.

In the earlier hack, former employees – actually Chinese spies – stole thousands of pages of documents including plans for new products, human resource files, manuals and other information.

Equifax went to the FBI and even the CIA, but did not publicly admit the problem.

That is because there is no law that requires them to disclose the theft of intellectual property although investors may disagree and sue them now that they know.

Equifax later found out that the Chinese had asked 8 companies to help them build a national credit reporting system.

I am sure that is just a coincidence.

So what do you as a business owner need to do?

The first thing is to understand that the theft of intellectual property dwarfs credit card theft and the best we can do is guess at the magnitude because most of it is not reported.

While hackers can break into your company, it is much easier for employees to walk the data out the front door.  That problem is so bad that defense contractors and financial firms are required by law to have insider threat programs.  Understand what a competitor inside the US or internationally might be interested in.  

Implement employee training programs to make sure that employees do not contribute to the problem.

While the insider attack is one part of the problem, the outsider problem is just as big a problem.  To protect against this, you need to implement a full cyber security program – hardening servers, patches, access controls, firewall rules, etc.  

This needs to be part of a formal, documented program.

The most important thing to understand is that it doesn’t always happen to “the other guy”.  Most attacks are attacks of opportunity and small and medium businesses are disproportionately affected – likely because they do not have the sophisticated IT controls and staff that big companies have.

You have two choices – 

Prepare now.

React when an event happens.

I can tell you from experience, preparation is way better.

Information for this post came from Slashdot.

 

Facebooktwitterredditlinkedinmailby feather

Industrial Espionage – Much Worse Than Credit Card Breaches

General Keith Alexander, former director of the National Security Agency, said that cyber espionage is the greatest transfer of wealth in history.  In 2012 when he made that statement, the the value of cyber industrial espionage on an annual basis was $338 billion.  Per year.  5 years later I am sure that number is greater.

Of course industrial espionage is not new.  In the early 18th century John Lombe, a British silk spinner went to Italy to steal the technology of an Italian company.  At night, by candlelight, he sketched drawings of the Italian company’s machines that he had managed to get a job working for.  He returned to England with the stolen technology and built a better machine to compete with the Italians.  Industrial espionage is not new.

What is new is the ease with which this can be done.  With everything being connected, you can now steal secrets from half way around the world.  And with cyber security practices at many businesses being a bit lax (there are a few industries for which this is not the case, but they are the exception), it is pretty easy to do.  Even defense, which you think would be secure, is not.  Lockheed lost the technology for the F-35 and now the Chinese make a knockoff and sell it at a fraction of the price.

Unlike credit card or personal information theft which is required to be disclosed, for the most part, stolen intellectual property is kept quiet.  It is embarrassing and would likely make stockholders upset.  What they don’t know won’t hurt them.

As the manufacturing process becomes more computerized, it is a huge leak opportunity.  Traditional IT security solutions sometimes don’t work on the factory floor.  Crooks know that and attack at that weak spot. In the absence of controls, detection and good processes, the crime will go undetected.

Fast forward a couple of centuries.

6 men in Houston were arrested for stealing technology for creating marine foam.  China wanted to increase it’s marine business and this foam is used in building boats due to its special buoyancy.

The Chinese, like John Lombe above, spent years weaseling their way into the company in Houston that makes this.  The crooks sent the info back to China who then had the gall to try and sell it back to the company they stole it from saying they could make it for less.

In the process of stealing the information they kept coming back to the insiders in the U.S. to get more information when their efforts at cloning the process was not working.

Now, except for one guy who is in China, they are all under arrest.  BUT, the technology has already been stolen, so it is not clear how this company can get the genie back in the bottle.  Not clear at all.

Supposedly, this information that was stolen was only known to about a half dozen employees in this company – it was the company’s crown jewels and now the cat is out of the bag.

The company considered buying the stuff from the Chinese knockoff IF the Chinese would give them an exclusive.  SO, rather than go public and be outed, they proposed making a deal with the devil.

When the Chinese started offering this U.S. company’s technology to other companies in the U.S., the company called in the FBI.  That started an investigation and, eventually, the arrest of these 6 engineers. FOUR years later.

Unfortunately, this is one of, likely, thousands of incidents.  Stopping one will NOT stop the hackers.  They just consider that an acceptable loss or collateral damage to the bigger game.

And American companies continue to ignore the warning signs (because, in many cases, there are no warning signs because the companies who got hacked keep the attack quiet).

Think about what happens to your company if you lose control of your intellectual property, whatever that is.

Information for this post came from IIoT World and the Houston Chronicle.

Facebooktwitterredditlinkedinmailby feather

Google Sues Uber Over Stolen Documents

Google and Uber are both working on self driving cars, for different reasons.  Google has had a strong lead in the game – until.

Google’s self driving car subsidiary called Waymo says it has spent millions of dollars perfecting the technology for self driving cars.

A former Google employee, Anthony Levandowski, started the self driving truck company called Otto.  Uber, sensing it was behind in the self driving game, bought Levandowski’s company and put him in charge of their effort to create self driving vehicles.

Only one problem.

Google claims that Levandowski “acquired” 14,000 documents from Google prior to leaving and starting what amounts to a competitor.

I’m guessing that Google looked at the Otto technology and figured it looked a little bit too familiar to them.

While this may seem like a game between giants – and it certainly is at one level – it is also a lesson for companies at all levels.

Every company has intellectual property.  Whether it is a customer list, software, business plans, or technical knowhow as is claimed by Google in its lawsuit against Uber, it is cheaper to steal it than to invent it.

While it is impossible to completely stop a person who is intent on stealing your IP, you can make it difficult.

We have one client who has disabled USB flash drives.  Another client who has removed DVD writers from PCs.  You can and likely should restrict access to data based on a need to know and you certainly should have legal agreements in place between the company and employees regarding ownership of information.  You should also be logging, auditing and alerting.

Information theft is not limited to big companies like Uber and Google –  it can affect even tiny companies.

And it even happens to security conscious organizations like the NSA (remember Booz, Allen NSA contractor Edward Snowden)?  Last year Another Booz – NSA contractor, Harold Martin, was arrested – accused of stealing 50 terabytes of information and storing it at his house.  It does not appear he was out to sell it to anyone, he just liked to horde data, although some of it may have been sold or hacked.

The real question is whether you have any information that might be valuable to a competitor.

And what you are doing to make it harder for them to get it.

 

Information for this post came from Wired.

Facebooktwitterredditlinkedinmailby feather

Law Firms Under Cyber Attack – Revisited

Some of you may be aware that earlier this year the FBI outed two major New York based law firms – Cravath, Swaine & Moore (500 attorneys) and Weil, Gotshal & Manges (1,000 attorneys) – as being hacked.  But they did not give a lot of details.  Now some of the details are coming out, but you have to connect the dots yourself.

The New York Law Journal reported today that three Chinese nationals have been charged with hacking into two unnamed law firms.

The three hacked into the law firms systems and stole information about pending deals.  They used that information to trade stocks in these pending deals and made about $4 million in profits.

According the the charges, one law firm, called Law Firm 1, advised Intel on their acquisition of Altera and the other law firm, called Law Firm 2, represented a company (unnamed) that was in deal talks with InterMune, which sold to Roche.

Roche’s press release on the InterMune acquisition said that Cravath was acting as legal counsel to InterMune.  The Law Journal article said that Weil represented Intel in their acquisition.

The Law Journal article concludes that Law Firm 1 and Law Firm 2 are Cravath and Weil.

U.S. Attorney Preet Bharara of the Southern District of New York said that the hackers attempted to hack at least 5 other law firms on over 100,000 occasions during 2015.

Once they got in, they watched email traffic as the deals came to an announcement so that they would know when to buy the company stock.

As I have said before, the theft of intellectual property is the prime target for many hackers for a couple of reasons.  First, unlike credit cards, the odds of getting caught the very first time you use stolen IP is almost zero.  It is not clear how many trades the $4 million in profits represented, but I am guessing several.

Secondly, if you are not greedy, the odds of ever getting caught is low.  If, instead of trying to make $4 million on these two deals they tried to make, say $250,000, it likely would have flown under the radar.

Third, your ability to make a profit is often not dependent on the victims doing something or not doing something,  Depending on your own ability to time the trading, in this case, of the stocks, you can make a lot of money – or not.

Of course Bharara gets to stand up and claim that the problem is solved once he decides to charge someone.

Reality is a little different.

One defendant has been arrested in Hong Kong and is awaiting extradition.  Whether the Chinese will ever extradite him is unclear.  The second defendant is from Macau and the third from China.  Those two are at large.  I think it is unlikely that the Chinese will extradite these guys, but who knows.

So, of the millions of attacks a year, the U.S. Attorney caught one of them and does not have any of the defendants in custody.

THAT is why the legal system is more than a little bit challenged in dealing with cyber crimes.  For a crime that happened in 2014 and 2015, it is now almost 2017 and one person has been arrested, no one has been extradited, two people are at large, no one has been brought to trial and no one has been convicted.

It is a REALLY challenging problem.

From a law firm’s standpoint, their reputation is again being dragged through the mud and if any of these defendants ever come to trial, their reputation – and possibly their technical competence – will get dragged through the mud again.  And, the law firms really have very little ability to cut a deal and make this go away.  The defendants might plead to avoid a trial, but they might not.  If there is a trial, more dirty laundry will come out.

While I am sure (I hope) that Weil and Cravath have improved their cyber security practices, other firms probably have not.

This is why we tell clients that they need to ask their law firms some very pointed cyber security questions – preferably before engaging them – and they should not take arm waving as a replacement for clear answers.  Contact us if you need advice in this area.

Information for this post came from the New York Law Journal and Roche’s web site.

Facebooktwitterredditlinkedinmailby feather

Healthcare Ranked #1 – Most Records Breached

This is the time of year for lists.  In this case, the healthcare industry is probably not happy about coming in #1.  IBM has named 2015 as The Year Of The Healthcare Breach, with 34 percent of all records breached being healthcare related.

In just the first half of the year, over 100 million healthcare related records were compromised.

The cyber security universe has focused a lot of its energy on fixing credit card related fraud.  While this is good, it is only solving a very small part of the problem.

An indication of this is that the price of credit card data on the dark web is down dramatically.  Part of this is due to the fact that the credit card industry has improved its ability to detect fraudulent use, but part of it, also, is due to the fact that there are so many fraudulent credit cards out there that there are not enough crooks to use them.

So what is an enterprising information thief to do?

MOVE ON.

Healthcare records can sell for 50 TIMES what a credit card record sells for on the black market.  Partly this is due to the fact that the insurance industry, both private and government, have not done a great job at cracking down on fraudulent use of healthcare information, but part of it is due to the fact that you cannot change your healthcare information if it gets compromised like you can change your credit card number.  As a result, the useful life of fraudulently used healthcare information is measured in years unlike credit cards, which is measured in days and weeks.

So now we know that healthcare breaches are bigger than credit card breaches, but what is bigger than healthcare breaches?

In my opinion, it is the theft of intellectual property.  This includes employees who leave a company and take customer files, proposals, and other IP as well as people who steal it for financial benefit.

Only occasionally do we get a glimpse of the size of this business and that is usually accidentally.  For example, last month when the attackers who stole customer information from J.P. Morgan Chase were indicted, we got a peek.  Remember, there was no bank account or credit card data in that theft.  Still, according to the U.S. Attorney, the attackers made hundreds of millions of dollars.  They did this by trading on inside information – theft of intellectual property.

And, for the most part, there is no law that requires that the theft of intellectual property be disclosed.  Assuming that the company even knows that it has been stolen.  After all, there is no credit card company or insurance company looking for the use of stolen intellectual property.  And the company still has its data.

Personally, I think that theft of intellectual property dwarfs all other forms of data theft.  And we are not spending a lot of effort stopping it.  China and other countries are masters of it.  By stealing, for example, the plans for the F-35 Joint Strike Fighter, China saved tens of billions of dollars.  First, they don’t need to spend the R&D dollars to develop, for example, new engines – they just copy what we did and second, they don’t need to buy those engines from us – costing us billions in business.  And, they take our technology and sell engines built with it to other countries, reducing the market for our engines – costing us even more money.

This is just a very obvious and large scale example, but on a much smaller scale, if a competitor learns your business methods, they don’t have to develop it themselves and will compete with you using your own processes and technology.  Or try and steal your customers away from you.  You get the idea.

So while healthcare is #1,  there is a hidden #1 that we are not even talking about.

Just sayin’.

Information for this post came from HITECHanswers and BreakingDefense.

Facebooktwitterredditlinkedinmailby feather