The ubiquitous flash drive or memory stick – harmless as it may seem – could be used in some pretty unsavoury ways by digital delinquents.
After all, it only takes minutes for someone to plug the contraption into any computer’s USB port and download sensitive and confidential information.
Just in case you think that’s being overly paranoid about some fuzzy futuristic or fictitious mishap … well, think again.
The USB stick was recently a “weapon of choice” in a high-value digital theft in the Big Apple, according to Carole Longendyke, partner and director of forensic services for PG Lewis and Associates LLP, based in Whitehouse Station, New Jersey, and since acquired by risk consulting firm Protiviti Inc. of New York. Longendyke was speaking at the World Conference on Disaster Management held in Toronto this week. The offender, she said, was a female employee of a New York-based firm who used a flash drive to steal hundreds of original designs.
What tipped off PG Lewis to the culprit’s identity was a computer trail indicating that the massive data download coincided with the moment an external drive was attached to the suspect’s terminal. “A couple of decades ago you would have had to stand by a copying machine for hours to accomplish that, now it only takes a few minutes,” Longendyke said.
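The correlation described above, sketched as an added example that is not from the article or from PG Lewis: it pairs external-drive attach and detach events with file reads on the same host and flags windows of bulk access. The log format, event names, hostnames and thresholds are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): time host kind detail bytes
SAMPLE_LOG = """\
2006-06-20T09:02:11 WS-014 FILE_READ designs/spring/a001.psd 48211004
2006-06-20T12:40:03 WS-014 DEV_ATTACH usb-storage 0
2006-06-20T12:40:20 WS-014 FILE_READ designs/spring/a001.psd 48211004
2006-06-20T12:40:26 WS-014 FILE_READ designs/spring/a002.psd 51200331
2006-06-20T12:40:31 WS-014 FILE_READ designs/fall/b114.psd 39900120
2006-06-20T12:43:50 WS-014 DEV_DETACH usb-storage 0
2006-06-20T15:10:00 WS-022 DEV_ATTACH usb-storage 0
2006-06-20T15:10:30 WS-022 FILE_READ memo.doc 20480
"""

def parse(log):
    """Yield (time, host, kind, detail, size) tuples from the text log."""
    for line in log.splitlines():
        ts, host, kind, detail, size = line.split()
        yield datetime.fromisoformat(ts), host, kind, detail, int(size)

def attach_windows(events, max_open=timedelta(minutes=30)):
    """Pair each DEV_ATTACH with the next DEV_DETACH on the same host.
    A device with no logged detach gets a capped window instead of being dropped."""
    open_at, windows = {}, []
    for ts, host, kind, _, _ in events:
        if kind == "DEV_ATTACH":
            open_at[host] = ts
        elif kind == "DEV_DETACH" and host in open_at:
            windows.append((host, open_at.pop(host), ts))
    windows += [(h, start, start + max_open) for h, start in open_at.items()]
    return windows

def flag_bulk_copies(log, min_files=3, min_bytes=100_000_000):
    """Return windows in which file reads on that host exceed both thresholds."""
    events = sorted(parse(log))
    hits = []
    for host, start, end in attach_windows(events):
        reads = [e for e in events
                 if e[1] == host and e[2] == "FILE_READ" and start <= e[0] <= end]
        total = sum(e[4] for e in reads)
        if len(reads) >= min_files and total >= min_bytes:
            hits.append({"host": host, "attached": start.isoformat(),
                         "files": len(reads), "bytes": total})
    return hits

if __name__ == "__main__":
    for hit in flag_bulk_copies(SAMPLE_LOG):
        print(hit)
```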
When the forensic services expert pitches her company’s services to high-calibre law firms, she usually begins by complimenting them on their tight security measures; then she pulls out an over-the-counter pen and disk drive ensemble, and casually observes that she could have downloaded an entire case file while waiting for the interview. “A few firms didn’t bother to ask me to come back,” she said.
The bad news, according to Longendyke, is that despite advances in information security, employees continue to represent the fastest growing threat to data safety.
According to a study conducted by the Philadelphia-based Computer Security Institute and the San Francisco office of the Federal Bureau of Investigation, losses from unauthorized access to computer systems and intellectual property theft totaled US$130.1 million in 2005 for the companies polled.
The same survey showed the loss per incident of unauthorized access went up sixfold to US$300,000 in 2005 from US$51,000 the previous year.
Detective Mark Fenton of the Vancouver Police Department’s Internet investigation unit said the rise in employee-perpetrated cyber crimes can be attributed to a lack of clear-cut legislation and policy regarding the use of equipment and resources. Other factors include advances in technology (that provide potential cyber thieves with better tools) and a largely fluid workforce.
“Under the law, you have done nothing wrong if you download information you have access to from your company. Now, depending on what you do with that information, you may find yourself in the wrong side of the law,” said Fenton.
Five years ago, he said, computer-based corporate espionage was blamed for more than US$100 billion in losses across North America. “Information has become a global commodity that everyone – from company execs to countries – is willing to steal and sell for the right price.” Fenton said because most companies now employ a large number of temporary workers and consultants, loyalty has gone down. Some of the more prominent instances of misuse of company resources involve: theft of intellectual property, system sabotage, bandwidth hijacking and third party liability. While stealing company secrets and hacking into systems to disable corporate networks have gained enormous media coverage, instances such as bandwidth hijacking and third party liability are less heard of.
Longendyke said a case she worked on a couple of years ago involved an IT administrator for a major telecommunications firm in the U.S. who was nabbed for stealing the firm’s bandwidth and using it to run a porn site.
The person’s activities were only discovered when his pager began ringing incessantly inside his jacket, which he accidentally left in the office. Alarmed by the noise, his boss checked the pager and found the message “File Serve 4 down”.
An emergency check of all company servers indicated that all systems were fine. That was when cyber forensic investigators were called in. The team took a mirror image by copying the hard drive of the IT administrator’s computer and soon discovered he was running a porn site using his company’s bandwidth.
Apart from carrying out an investigation on the first instance of suspicion, Longendyke also recommends that businesses have specific and tight policies regarding use of company resources. “These policies must be spelled out to protect the company from third party liability.”
The New Jersey office of a sports association found itself in that situation when one of its employees was arrested for distributing pornographic material.
Longendyke said that, according to reports, co-workers had suspicions about the employee’s activities on the company’s computer and informed management. Management discovered that the employee was visiting porn sites.
The employee was given a strong warning to stop viewing porn sites during office hours and management “hoped the problem would go away,” since they did not have a policy regarding privacy.
Six months later, a police sting operation resulted in the employee’s arrest for allegedly distributing pornographic material. The worst part was that the employee also uploaded photos of his stepdaughter. The man’s wife later sued the association for damages on behalf of her daughter on the grounds that the association knew of her husband’s activities and had the power to stop it but did not.
Longendyke draws a parallel between her job and those of a TV crime scene investigation (CSI) unit.
When the CSI team arrives at the scene they look for finger prints, blood drops, fibres, DNA samples, soil and other pieces of evidence.
For the cyber forensics team, the computer is the crime scene. The evidence lies in e-mail trails, document images, computer system logs, file attributes, data manipulation signs, metadata, Internet activity, file transfer, copying activities and more. “You have to remember, even if you hit the delete key or reformat, nothing is really erased. The data just gets moved around,” Longendyke said.
Aside from physically crushing the computer’s hard drive, perhaps the only way of hiding data is going through the drives with overwrite software. Even then portions of an entry could remain uncovered. The United States Department of National Defense recommends doing at least seven passes of overwrite to make sure the drives are clean.
Overwrite or “disk wiping” software comes with names such as Eraser, Window Washer, Cyber Scrub and, yes, Evidence Eliminator. “Of course when we see traces of this in a computer, that’s a dead giveaway something fishy is going on,” Longendyke said.
One expert has a caveat for companies striving to detect and combat dubious digital activities by employees: be sure your own policies and strategies are above board.
If a company is monitoring its employees’ cyber activities, it should make sure that this is done in accordance with in-house policies and legislative frameworks, according to Mike Gurski, primary strategist for Bell Canada Inc.
He said nearly 70 per cent of U.S. and Canada-based companies use some kind of technology to monitor employee cyb