The insider threat: learning hard lessons
20 March 2018
There is an even chance that you have — or will someday — an enemy within. According to McAfee, insiders are responsible for 43% of data breaches. The Information Security Forum puts that number at 54%. Whatever number you believe, bad actors on the inside are a real problem.
Protecting your kingdom from an insider threat is a different war. It is hard to define, its soldiers are difficult to identify, and it cannot be stopped with better antimalware. It is a war that must be fought with knowledge, intelligence and internal protocols.
The first step toward fighting this enemy is to understand him. To that end, we have gathered together some egregious examples of insiders who have brought their own kingdoms to their knees.
Stealing the future
The story of Anthony Levandowski is probably not yet completely played out. But it looks as if his story — and that of the birth of autonomous vehicles — will include a significant insider data breach.
Levandowski once worked for Google in the autonomous car division that is now Waymo. There, he helped develop lidar, which was new then and is essential to the whole intelligent car endeavour. In May of 2016, Levandowski left to found Otto Motors. Shortly afterward, in July of 2016, Uber bought Otto.
The juicy part of the story is right there in that transition, where accusations fly that Uber’s then CEO Travis Kalanick was the director of a Levandowski-enabled plot to steal Waymo’s intellectual property and use it to kickstart its own driverless car programme. Allegedly, before Levandowski left Google, he downloaded thousands of files including blueprints and brought them to Otto so he could sell them to Uber. Google sued, rather famously.
In February of 2018, Waymo and Uber settled that suit. Current Uber CEO Dara Khosrowshahi apologised publicly and promised that going forward, the company would “put integrity at the core of every decision we make.” In the settlement, Uber gave Waymo a 0.34% stake in its business, worth $245 million (€198 million).
Biting the hand that fed
Offering further proof that it might be smart to frisk employees for proprietary data as they depart is the case of Jason Needham. Needham was an employee of engineering firm Allen and Hoshall in Tennessee until 2013, when he left his job to start his own company.
After he left, though, he continued to access his ex-employer’s file servers and email for two years, undetected. He downloaded documents and designs — worth roughly $425,000 (€344,000) — and accessed an ex-colleague’s email account. He claimed, in court, that he was just checking in on his old projects out of habit and concern. But that is a hard story to swallow since he got caught when a client he pitched recognised the proposal as being suspiciously similar to one from Allen and Hoshall.
The FBI got involved on this one and helped Allen and Hoshall put together a case. Needham lost his engineering license and went to prison for eighteen months.
For self and country — not employer
The case of Jiaqiang Xu is a near-perfect example of how much damage one employee can do from a position of trust inside the company. Xu, a Chinese national, worked at IBM developing source code for clustered file systems. He was one of just a handful of people who had clearance to work on this proprietary software, which was stored behind a carefully built and guarded firewall.
After getting hired and building the company’s trust, he built a copy of IBM’s software, quit his job, and offered his copy for sale to aid himself financially and help his home country. An FBI sting proved as much, when he met with agents and produced his version, complete with source code that indicated it had been originally built by and was owned by IBM. He offered to alter that code, for the FBI agents, in order to remove the source of origin. He was arrested shortly after that meeting.
Xu pleaded guilty to all counts levelled against him by the Justice Department and went to prison for five years.
Competitor poaches employee to get data
When Dejan Karabasevic left his job at clean-energy company AMSC to work for Chinese wind-turbine company Sinovel, a lot more was going on than a simple job jump. In his job at AMSC, Karabasevic, as head of AMSC Windtec’s automation engineering department, had access to the company’s proprietary technology for wind turbine efficiency. Karabasevic did not simply get a better job offer from Sinovel; he was recruited by the company, one of AMSC’s largest customers, and asked to bring that software with him. Before he left, he secretly downloaded the code to an offsite computer.
Once it had the code, Sinovel retrofitted its wind turbines with it, thereby saving itself the $800 million (€648 million) price tag. The theft was discovered because a supplier, asked by Sinovel to do the retrofit, got suspicious.
The damage to AMSC was considerable. According to evidence presented at the resulting trial, the company lost more than $1 billion (€810 million) in shareholder equity and almost 700 jobs — over half its global workforce. “Sinovel nearly destroyed an American company by stealing its intellectual property,” said Acting Assistant Attorney General Cronan in a statement.
Saved by SPAM
This one is rich. David Kent built a social networking site for oil company professionals called Rigzone.com. In 2010, Kent sold it to DHI Group (then known as Dice Holdings) for $51 million (€41.3 million). As part of this sale, Kent agreed to a non-compete agreement.
He honoured that agreement. But shortly after it expired, he started a similar site, Oilpro.com, hoping to create another acquisition target for DHI. A few short years later, Kent had built the membership of Oilpro up to 500,000 users and DHI was interested in purchasing it for something like $20 million (€16.2 million).
Then, one piece of SPAM blew his entire con game and landed him in prison.
Instead of the networking genius he claimed to be, Kent was a hacker. He broke into the site he’d already sold, with the help of an old colleague now employed there, and stole over 700,000 customer accounts.
A customer of Rigzone complained that it had received SPAM from Oilpro, without ever giving that company any information. Rigzone, alerted, set up a couple of fake accounts to catch the culprit. Those accounts were not public. Nonetheless they quickly received SPAM from Oilpro. From there, Rigzone figured out what was going on, the FBI investigated, and Kent got three years in prison.
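The trick Rigzone used, planting accounts that no legitimate sender should ever know about and watching what reaches them, generalises into a standard data-theft detector: seed each copy of a sensitive dataset with its own unique "canary" address, and any unexpected message to that address tells you not only that data leaked but which copy it came from. The following Python is an added example written for this article, not code from Rigzone or DHI; the addresses, dataset names and mail events are all constructed.

```python
from dataclasses import dataclass

# Constructed canary registry (hypothetical addresses): each planted address is
# unique to ONE copy of the data, so a hit attributes the leak to that copy.
CANARIES = {
    "c.delacroix.41@example.net": "customer_export_2016Q1",
    "m.oyelaran.77@example.net": "partner_share_vendorA",
    "t.ignatova.09@example.net": "hr_contact_list",
}

# Senders a canary is expected to hear from (our own outbound mail), by domain.
EXPECTED_SENDER_DOMAINS = {"example.net"}


@dataclass(frozen=True)
class MailEvent:
    recipient: str
    sender: str
    subject: str


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def canary_hits(events, canaries=CANARIES, expected=EXPECTED_SENDER_DOMAINS):
    """One record per message that reached a canary from an unexpected sender."""
    hits = []
    for ev in events:
        rcpt = ev.recipient.lower()
        if rcpt not in canaries:
            continue  # ordinary recipient, not a planted account
        if sender_domain(ev.sender) in expected:
            continue  # our own mail to the canary is expected noise
        hits.append({
            "canary": rcpt,
            "leaked_dataset": canaries[rcpt],
            "sender": ev.sender,
            "subject": ev.subject,
        })
    return hits


def leaked_datasets(hits):
    """Collapse hits to the sorted set of dataset copies that have evidently leaked."""
    return sorted({h["leaked_dataset"] for h in hits})


# Constructed inbound-mail log: two canaries get contacted by an outside party,
# the third stays quiet, and a real user receiving the same mail is not a signal.
SAMPLE_EVENTS = [
    MailEvent("c.delacroix.41@example.net", "news@example.net", "Your weekly digest"),
    MailEvent("c.delacroix.41@example.net", "promo@rival-site.example", "Join our network"),
    MailEvent("m.oyelaran.77@example.net", "promo@rival-site.example", "Join our network"),
    MailEvent("real.user@example.net", "promo@rival-site.example", "Join our network"),
]

if __name__ == "__main__":
    hits = canary_hits(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['leaked_dataset']}: {h['canary']} contacted by {h['sender']}")
    print("datasets leaked:", leaked_datasets(hits))
```

Because the canaries are never published and never used for anything else, a single hit is high-confidence evidence; the per-dataset mapping is what turns "we leaked" into "the Q1 export leaked", which narrows the list of people who had access to it.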
Insider railroad attack
The story of Christopher Victor Grupe is an object lesson in the dangers of the disgruntled employee. Grupe was a systems administrator for the Canadian Pacific Railway (CPR) but he did not play well with others. He got suspended for insubordination in December of 2015. When he returned to work, he was informed he was fired, effective immediately. He convinced his boss to let him resign instead. But before he returned his laptop, he used it to access the company’s networks, delete essential files, remove some admin accounts and change the passwords of others. Then he wiped his computer’s hard drive to cover his tracks and handed it in.
After he was gone, the network began to act erratically, and the company’s IT staff found they were locked out, unable to attempt repairs. Eventually they got in by rebooting and hired an outside consulting firm to fix things. System logs revealed that Grupe was the perpetrator.
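The logs that eventually identified Grupe could have raised an alarm while the damage was being done: a burst of account deletions, admin removals and password resets from one actor in a few minutes is a pattern worth alerting on, and any privileged action by an account HR has already flagged as suspended or departing is worth alerting on by itself. The Python below is an added example for this article, not CPR's or anyone's real tooling; the log format and every line in it are constructed, and the actor names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> actor=<id> action=<ACTION> target=<thing>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)
PRIVILEGED_ACTIONS = {"DELETE_ACCOUNT", "RESET_PASSWORD", "DELETE_FILE", "REMOVE_ADMIN"}


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def burst_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Map actor -> peak count of privileged actions within any `window`-sized span,
    for actors that reach `threshold` (sliding window over sorted timestamps)."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in PRIVILEGED_ACTIONS:
            by_actor[e["actor"]].append(e["ts"])
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts


def offboarding_alerts(events, offboarding_actors):
    """Every privileged action by an account HR has flagged as suspended or leaving.
    No threshold: one such action is already a finding."""
    return [e for e in events
            if e["actor"] in offboarding_actors and e["action"] in PRIVILEGED_ACTIONS]


# Constructed sample log: one departing admin does five destructive things in
# under three minutes; a colleague's two routine actions are hours apart.
SAMPLE_LOG = """\
2015-12-17T21:01:05Z actor=ops_a action=LOGIN target=jump01
2015-12-17T21:02:40Z actor=sysadmin_j action=DELETE_FILE target=/srv/config/routing.cfg
2015-12-17T21:03:11Z actor=sysadmin_j action=DELETE_ACCOUNT target=svc_backup
2015-12-17T21:03:52Z actor=sysadmin_j action=REMOVE_ADMIN target=ops_a
2015-12-17T21:04:30Z actor=sysadmin_j action=RESET_PASSWORD target=ops_b
2015-12-17T21:05:02Z actor=sysadmin_j action=RESET_PASSWORD target=root
2015-12-17T21:09:15Z actor=ops_a action=RESET_PASSWORD target=svc_monitor
this line is garbage and should be skipped
2015-12-17T22:40:00Z actor=ops_a action=DELETE_ACCOUNT target=tmp_user
""".splitlines()

# Hypothetical HR feed of accounts that are suspended or in offboarding.
OFFBOARDING = {"sysadmin_j"}

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("burst alerts:", burst_alerts(evs))
    for e in offboarding_alerts(evs, OFFBOARDING):
        print(f"offboarding actor {e['actor']} did {e['action']} on {e['target']} at {e['ts']}")
```

The two rules are deliberately independent: the burst rule catches an unknown insider by behaviour alone, while the offboarding rule catches a known-risky account before it does anything burst-sized. Both depend on the audit trail being shipped off the admin's own machine in real time, which is exactly what a wiped laptop cannot take away.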
The weak contractor
Sometimes the insider that breaches a network is not really inside and does not really do the breaching. This is neatly illustrated by the notorious and massive Target data breach of 2014, which compromised the names, addresses, phone numbers, email addresses, and credit card data for some 70 million people.
Hackers managed to install memory scrapers on Target’s point of sale devices. But for that to do them any good, they had to be able to get into Target networks to get the data they had stolen. And, for that, they needed inside information. They got that by breaking a weaker system.
The system they breached was that of one of Target’s contractors: Fazio Mechanical, a refrigeration contractor. One of Fazio’s employees fell for a phishing scheme that installed the Citadel malware on his company’s network. When someone at Fazio logged into the Target network, Citadel captured the log-in information and sent it to the hackers. With that entryway down, the hackers used their mad skills to get into Target’s network. The rest is history.
IDG News Service