As an ex-RCMP officer, Rene Hamel tries to uphold the tradition of always getting his man. But there was one insider who almost got away.
A few years ago he was investigating a case involving intellectual property theft in the film industry. An individual was suspected of stealing valuable software code for a special effects application. But he had locked away his traces of guilt.
Fearful of being caught, the thief had password-protected e-mail access, Word and Excel documents, and even access to certain Web sites. For Hamel, vice-president, computer forensic services with the Toronto-based Inkster Group, the trail looked barren. Though Hamel had access to the hard drives and found a few saved passwords, they accessed pretty mundane data. And the passwords themselves were gibberish, nothing but asterisks, as passwords are when they are saved. But after using a tool called Revelation — designed to translate the asterisks in a password into characters — he saw something that piqued his interest. “They were not like normal passwords,” he said. “They were random letters and numbers…every password was unique.”
This meant they were being randomly generated and uncrackable using brute force (a computer scanning 50 billion combinations a second would take more than 300 billion years to crack a random 15-character password).
But it also meant the generator, and its goldmine of saved passwords, was somewhere on the hard drive, Hamel reasoned.
He found the application, but it too was protected by another randomly generated password. The trail would have stopped here if the thief trusted himself to remember this one password. Fortunately for Hamel he didn’t. He saved a file on his drive — stupidly named password — with the key to the kingdom. “There are always trails,” he laughed.
But the inside job is no laughing matter. The recent 2004 CSI/FBI computer crime and security survey found that internal Internet abuse and theft of proprietary information were behind only denial of service in terms of dollars lost. And that in itself was surprising since theft of proprietary information had been number one for four years running. Additionally, though the percentage of respondents who admitted to unauthorized computer use has fallen from 70 per cent to 53 per cent during the past four years, half of the unauthorized use came from inside.
“The external has seen a great deal of press…but what does the damage is the internal,” said John Weigelt, chief security advisor with Microsoft Canada Co.
Regardless, the numbers are probably higher, said Adel Melek, partner, IT risk management services with Deloitte Canada in Toronto. Deloitte’s own 2004 global security survey, which focused on the financial sector, found that 44 per cent of Canadian financial institutions admitted having been compromised in the past 12 months. This compared to 24 per cent in the U.S. Melek’s theory on the discrepancy is that the Canadian institutions (reputed for having some of the best security in the world) were “more honest in reporting.” The American numbers will probably change as U.S. laws such as Sarbanes-Oxley and Graham-Leach-Bliley come into effect, he said.
Furthermore, the statistics from the Deloitte survey, while not in complete disagreement with the CSI/FBI numbers, do point to some major discrepancies and the fact that security surveys are notoriously inconsistent. Eighty-three per cent of Deloitte respondents said their systems had been compromised “in some way” during the last year. Admittedly, some of this could be due to the increase in online banking by less than secure consumer users but there was an noticeable upward trend in internal attacks from the previous year (compared to levelling off in the CSI/FBI study), a statistic that should be unaffected by increased consumer use.
In addition, while about 10 per cent of the respondents were “extremely confident” of their external security, approximately one per cent had the same thing to say about internal security. Overall, Melek said Canadian companies tend to be “much more frugal” than their global counterparts. Companies spent six per cent of their IT budget on security versus nine per cent for the rest of the world, and half of them reported flat IT budget growth, he added.
Lavalife Inc., the Toronto-based online dating service, takes no chances with its security. Not only does its existence rely heavily on proprietary interactive voice response (IVR) technology, it also can’t afford any perception of impropriety if users are to trust its online system.
The company has a formal external security policy and is in the process of implementing an internal one. Regardless, the internal network and its applications are designed to segment access to avoid any potential (inadvertent or otherwise) internal abuse. With a myriad of groups — from production and a call centre, to the Web and IVR teams, chief technology officer George Howitt has his hands full. In the case of the call centre, “we keep those folks in a specific VLAN, which has restricted access,” he said. But the access still allows the call centre employees access to confidential information because their jobs require it, Howitt said. A call centre employee can access a person’s name from a credit card and vice versa, but since the application runs off a different server from the database, he or she can not access “bulk credit card numbers,” Howitt said. Although Lavalife doesn’t audit individuals’ access attempts, any stab at hacking — say the production system from the call centre VLAN — would be logged. So far there has been no indication of abuse, and no employee has been fired or even disciplined, Howitt said.
“We have put a lot to thought into the internal network design…in order to maximize security,” he said.
A recent case demonstrated the vulnerability of some corporate security systems. An America Online Inc. employee was arrested for allegedly stealing 92 million user screen names and selling them to a spammer for US$100,000.
Howitt said he and his IT staff of 80 (Lavalife employees 400 people) have created a working balance between security and workability. For example, developers do not have access to the locked-down production system. But if a bug needs to be fixed the developer can quickly requisition access (usually the same day) and once he or she is done, the access is terminated.
Lavalife’s Web site team has operational meetings three times a week and its voice team twice weekly. Regardless, “all the folks are in constant communication,” Howitt said, and if there is a problem that needs immediate attention “you either walk over…or pick up the phone.”
Lavalife seems to have succeeded in creating a workable security balance, but Inkster’s Hamel warns this is not as easy as it seems. He spent a year as a forensic investigator at a Canadian bank and said that although the security is excellent and well structured, too many policies often force employees to create workarounds — the curse of all IT security. Since, for the most part, no CD burners or USB thumb drives are allowed, it creates a problem for large file transfers when networks are down, which is not as infrequent as one would assume, he said. To request an external drive “takes forever because of the red tape,” he said. Though Hamel didn’t want to mention the specific workarounds he saw, he did say there was an attitude that if people were caught, “they’d just say ‘I’m sorry’, that’s it.”
knowing who has access
In this day and age, as incredible as it seems, the vast majority of companies still control user access manually.
When a new employee joins a company it sets off a chain of e-mails telling people to let the newbie have access to a variety of systems. “Why would you have a manager authorize e-mail…if everyone gets it?” asked Joe Anthony, program director of integrated identity management, with IBM Corp.
But it is not the person joining the company who often leads to problems. It is those leaving. If you audit companies which have not fully automated their identity process (80 to 90 per cent, according to IBM) 50 per cent of the identities are “orphaned” Anthony said. These are valid user names and passwords for employees who no longer work at the company.
One of Hamel’s favourite stories of internal deceit is about an orphaned ID that almost destroyed a company.
A Toronto commercial real estate company was losing a lot of deals just before the papers were signed. The president was baffled, but unaware of what was really going on. Turns out his IT manager, who had left, kept his orphaned account with full privileges. He was reading the president’s e-mail and contacting prospective clients from a Hotmail account, giving them all sorts of anonymous dirt on the company; nothing verifiable but enough to cause some concern and kill the deals. One of the clients, when queried by the financing bank as to why it was backing out, presented an e-mail from the former IT manager. It was forwarded to the real estate president, who hired Hamel. He got an Anton Pillar order (a civil search warrant) and traced the e-mail to the former IT manager.