May 31, 2005

Industrial Espionage using Trojan horses

One of the things that bedevils financial cryptography is not knowing just what crimes are for real and what crimes are fantasy. Amir points to a developing scandal in Israel over a threat that has been predicted for yonks but rarely if ever seen. In a fairly massive sweep, the Israeli police have picked up dozens of CEOs and PIs involved in what they claim is an organised industrial espionage ring.

It comes down to one Trojan horse writer who targeted the wrong couple - the parents of his ex-wife! When the parents found pages of their book on the Internet, they called the police, who found the Trojan. This led them to the author, their ex-son-in-law, and from there to three private investigation firms that had contracted his services. And of course, to *their* customers...

It's got intrigue, public personalities, jilted husbands and good old scary FUD words like Trojan horse. As Amir suggests, the film rights are probably worth a bit!

Court remands top Israeli execs in industrial espionage affair

By Roni Singer, Haaretz Correspondent and Haaretz Service

The Tel Aviv Magistrate's Court Monday remanded several people from some of Israel's leading commercial companies and private investigators suspected of commissioning and carrying out industrial espionage against their competitors, which was carried out by planting Trojan horse software in their competitors' computers.

Uzi Mor, CEO of Mayer and his deputies Avner Kez and Or Schachar, Moriah Katriel, financial vice president of Yes as well as Yoram Cohen, CEO of Hamafil were placed under an eight-day house arrest.

The court also extended by four days the remand of two private investigators suspected of carrying out the espionage.

Earlier Monday, police searched the Tel Aviv offices of Haaretz sister publication TheMarker to check for any signs of Trojan horse software infiltration on their computers.

Also on Monday, the Tel Aviv fraud squad discovered Trojan horse software in computers belonging to AMC, a company that produces transmitters for planes and unmanned aerial vehicles. The inspection found that only financial material was extracted from the computers, although the company specializes in security.

Other companies suspected of espionage include the satellite television company Yes, which is suspected of spying on cable television company HOT; cell-phone companies Pelephone and Cellcom, suspected of spying on their mutual rival Partner; and Mayer, which imports Volvos and Hondas to Israel and is suspected of spying on Champion Motors, importer of Audis and Volkswagens. Spy programs were also located in the computers of major companies such as Strauss-Elite, Shekem Electric and the business daily Globes.

The case took a twist, when Bezeq - parent company of two of the companies suspected of the espionage - revealed that it too was apparently among the victims. Police now suspect that Cellcom cellular networks commissioned the spying against Bezeq.

This suspicion was strengthened when internal documents belonging to Bezeq were found in the drawers of senior executives at Cellcom. The name of the CEO of Cellcom, "Peterburg" was written on some of the documents. However, the police did not have decisive evidence Monday that the documents were obtained through Trojan horse software, and hence did not summon CEO Itzhak Peterburg for questioning under caution. Instead, Peterburg was only asked to give a testimony.

When, in the testimony he gave Sunday, Peterburg was asked why his name appeared on the classified documents of a competing company, he answered that he does not know.

A statement from the police said, "It's hard to believe that top executives at these companies don't know what is happening. Even if a security department manager requested the material of the competitor, it reached the CEO, and therefore it's clear to us that the CEOs can absolutely guess how it was obtained."

Police said they intended to ask for the extension of the remand of several private investigators. But all of the executives in the involved companies will be released to their homes under restricting conditions, police said.

Police are currently investigating several other companies that may have been involved in the affair, which was under a court gag order until Sunday.

The Trojan horse software program allows the person who plants it to track all activity conducted via the "victim's" computer and even to seize control of the computer. Police suspect that this program was employed by three private investigation agencies to conduct industrial espionage against their clients' commercial rivals. The software apparently enabled the PIs to obtain vast quantities of secret information from the targeted computers.

The investigation began last November, when author Amnon Jacont and his wife, Varda Raziel-Jacont, complained to the Tel Aviv police that someone had hacked into their computer and stolen information from it. They reached this conclusion after discovering that personal documents, as well as parts of a book Jacont was writing, which had thus far never left his personal computer, had been posted on the Internet. Police examined their computer and concluded that it had been infected with a Trojan horse.

Police investigators eventually determined that the program had been written by Michael Haephrati, 41, a former in-law of Varda Raziel-Jacont. Haephrati, an Israeli citizen, currently lives in Germany and England and has no previous police record.

Investigators then found that Haephrati had sold his program to three private investigation agencies: Modi'in Ezrahi, Zvika Krochmal and Pilosof-Balali. All three agencies are licensed by the Israel Justice Ministry and enjoy excellent reputations.

"The program was essentially customized for each and every one of the 'victims' that the PI agencies wanted to attack," said Chief Inspector Nir Nativ, one of the officers who investigated the case. "Haephrati adapted the software to penetrate a specific company, at the request of the PI agency's client."

For each customized program, the agencies paid Haephrati about NIS 16,000. Haephrati took care of planting the virus in the target computer, then gave the PIs a username and password that enabled them to access the program, and thereby the victim's computer.

According to Chief Superintendent Arye Edelman, head of the Tel Aviv fraud squad, which ran the investigation, Haephrati used two methods to plant his malicious software (or malware) in the target computers. One was to send it via e-mail. The other was to send a disk to the target company that purported to contain a business proposal from a well-known company that would arouse no suspicions. Then, when an employee loaded the disk to view the proposal, the Trojan horse would infect his computer.

Police eventually obtained court orders to access several FTP servers based in Israel and the United States, and then discovered tens of thousands of documents stored there that belonged to major Israeli companies, including many files labeled "internal" and "secret." For the past two weeks, police have been examining these documents to determine which companies have been victimized.

Nativ explained that even anti-virus programs cannot detect Haephrati's malware, because each is unique. Moreover, the Trojan horses were generally unwittingly introduced by company employees who inserted the infected disks, rather than "attacking" from outside, making detection even more difficult.
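The per-target customization Nativ describes defeats exact signature matching on the implant itself, but the exfiltration channel the article describes (bulk uploads of company documents to FTP servers outside the organisation) looks the same for every victim and can be watched at the network edge. The script below is an added example, not code from the original post or from the police investigation; the log format, the 10.0.0.0/8 internal range, the thresholds and every address in the sample lines are constructed placeholders.

```python
"""Flag internal hosts that bulk-upload data to external FTP servers.

Added example, not part of the original post. The log format, field
order, internal address range and all sample addresses are constructed
for illustration; adapt parse_line() to your own firewall or proxy export.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space (constructed; not from the article).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Plain FTP control and active-mode data ports.
FTP_PORTS = {20, 21}

# Constructed egress log, one connection per line:
#   timestamp src_ip dst_ip dst_port proto bytes_out
SAMPLE_LOG = """\
2005-05-29T09:01:10 10.1.2.15 10.1.0.5 445 tcp 120000
2005-05-29T09:02:31 10.1.2.15 198.51.100.23 21 tcp 2400000
2005-05-29T09:02:45 10.1.2.15 198.51.100.23 21 tcp 3100000
2005-05-29T09:03:02 10.1.2.15 198.51.100.23 21 tcp 2950000
2005-05-29T09:03:40 10.1.2.15 198.51.100.23 21 tcp 4100000
2005-05-29T09:10:12 10.1.2.40 203.0.113.7 443 tcp 8000
2005-05-29T09:11:00 10.1.2.40 203.0.113.7 443 tcp 9500
2005-05-29T09:12:00 10.1.2.77 198.51.100.23 21 tcp 12000
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "bytes": int(nbytes)}


def is_internal(addr):
    """True when addr falls inside one of the assumed internal networks."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_bulk_ftp_uploads(log_text, min_connections=3, min_bytes=1_000_000):
    """Aggregate outbound FTP traffic per (internal src, external dst) pair.

    Returns {(src, dst): {"connections": n, "bytes": b}} for every pair that
    reached both thresholds. Internal-to-internal traffic and non-FTP ports
    are ignored; the thresholds are constructed and should be tuned.
    """
    totals = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] != "tcp" or rec["port"] not in FTP_PORTS:
            continue
        # Only an internal source talking to an external destination counts.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        key = (rec["src"], rec["dst"])
        totals[key]["connections"] += 1
        totals[key]["bytes"] += rec["bytes"]
    return {pair: stats for pair, stats in totals.items()
            if stats["connections"] >= min_connections
            and stats["bytes"] >= min_bytes}


if __name__ == "__main__":
    for (src, dst), stats in find_bulk_ftp_uploads(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: {stats['connections']} FTP connections, "
              f"{stats['bytes']} bytes out")
```

The rule fires on the channel, not on the malware, so a fresh per-victim build changes nothing about what it sees. In a real deployment the pair list needs an allowlist for legitimate FTP partners, and a host like 10.1.2.77 in the sample (one small upload to the same server) is worth correlating with the flagged host rather than dismissing, since it shares the destination.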

Police believe that industrial espionage using Haephrati's programs has been going on for at least a year and a half. But because none of the victims knew about the malware, no one ever filed a complaint with the police. Only last week did police inform the victims about the software implanted in their computers.

Police said that they are not yet able to quantify the economic damage suffered by the victims, but it appears to have been considerable - thanks both to the program's capabilities and to the sheer number of companies involved.

Last week, police finally decided to end their undercover investigation. They therefore had Haephrati and his wife, Ruti, arrested in London, with the help of Interpol and the London police. Last Thursday, Haephrati was brought to a London court for a remand hearing, and Israel has requested his extradition as soon as possible.

Two days before his arrest, police raided the three private investigation agencies suspected of using the Trojan horse program, confiscated their computers and arrested nine PIs. From Modi'in Ezrahi, they arrested CEO Yitzhak Rath plus investigators Eyal Abramowitz, Haim Zisman and Assaf Zlotovsky; from Krochmal they arrested CEO Zvika Krochmal plus investigators Ofer Fried and Alex Weinstein; and from Pilosof-Balali they arrested the joint CEOs, Eliezer Pilosof and Avraham Balali. Police also arrested the 17-year-old son of one suspect after investigators caught him trying to erase information from his arrested father's computer.

Later that week, police also arrested Shai Raz, director of Pelephone's security department and Ofer Reichman, director of Cellcom's security department.

At a remand hearing for the PIs last Wednesday, police told the Tel Aviv Magistrate's Court that the investigators are suspected of penetrating a computer for the purpose of committing a crime, making and propagating a computer virus, violating the Protection of Privacy Law, conspiring to commit a crime, wiretapping and fraud. Police also suspect the three agencies of cooperating with each other to perpetrate their industrial espionage.

Rath, like many of the others, claimed at the hearing that he had no idea he was committing a crime. "When the investigators came, I opened the safe for them and helped with the papers. We didn't know we were breaking the law."

But that did not persuade Judge Mordechai Peled, who remanded them for nine days. Peled said the evidence indicated that they not only engaged in widespread industrial espionage, but made great efforts to conceal their illegal activities.

At a separate remand hearing for three of the corporate executives, Mor, Cohen and Katriel, last Thursday, the suspects admitted to commissioning the investigations, but claimed that they had no idea the material they were being given had been obtained illegally. All stressed that their contracts with the PI agencies explicitly obligated the agencies not to violate the law.

Police argued in response that upon being given their rivals' most closely guarded internal documents, they could hardly have failed to realize that the documents were obtained illegally.

Judge Peled accepted the police's argument on this score and remanded the three executives for five days.

On Friday, two more executives, Raz and Reichman, were remanded, along with two more PIs, Roni Barhum of Modi'in Ezrahi and Yitzhak Dekel of Krochmal.

That same day, however, police encountered their first hitch: A corporate executive whom they had planned to arrest that very morning left the country. Police blame his sudden departure on a report of Haephrati's arrest that appeared in that morning's daily Yedioth Ahronoth, and was later picked up by the Globes Web site. They have therefore begun investigating both newspapers on suspicion of violating the gag order on the affair.

The next step, police sources said, is to meet with executives of the victim companies to determine whether any have recently suffered damage from rivals that could be attributed to industrial espionage. That will give them leads to other corporate lawbreakers, the sources explained.

Posted by iang at May 31, 2005 10:18 AM

(WARNING: Nothing new here, just a fairly common opinion which is painfully often ignored by decision-makers)
Securing universal computers against well-funded adversaries "in collusion" with careless users is hopeless; primarily, because security (against any threat) cannot be positively demonstrated.
As far as preventive security goes, I do believe, however, that it is possible to secure specialized computers (against specific threats, of course) and this is where high-end preventive security lies in my opinion. Instead of perimeter-security, one should, perhaps, compartmentalize the network. It can be perfectly okay to use computers that would be insecure in a general purpose networked environment for composing sensitive documents, as long as information can leave and enter these computers through well-controlled choke-points. E.g. if the only ways of communication with the outside world would be the display, the keyboard and a network connection through which one can upload and download files (encryption happens on the other end of the connection). Even a total compromise of this computer would not leak secrets. This is much easier said than done, but even an incomplete solution with these things in mind would be much better than no design at all.
The other important matter is reactive security. Users could do a lot more to keep their computers safe, if only they had incentives to do so. This means that security breaches should have not just company-wide, but personal consequences for those responsible. Often, executives think that this is simply a matter of finding and punishing the guilty, but I disagree. It can be achieved much better by replacing command hierarchy with free-market relationships. Example:
Instead of telling employees to take stuff from A and deliver them to B or else..., one could sell stuff at A for less, and buy it at B for more. If people render paid services instead of selling their time and following executive orders, security can become their personal matter.
Finally, I think that the law should place a lot more responsibility on the victim. Don't try to solve technical problems through legal means. The reason society has harsh laws against violence is that physical protection against violence is unaffordable. This is not true for digital violence. In most cases adequate security is affordable, but people are obviously reluctant to pay for it, unless they have to. In addition, security is, to some extent, a commons. An insecure network is everybody's problem, not just the owner's. As long as we try to shield those who fail to secure their computing infrastructure from the consequences, we are harming society as a whole. Lost your secrets? Watch them better next time!
And let evolution do the rest of the work...

Posted by: Daniel A. Nagy at June 1, 2005 05:12 AM

I have been into IT since 1960 (Stretch + Fortran-2) and I now lecture on IT (In)security.
There is one thing that I have learned.
IT Security is a myth.
If you have the desire and the dosh you can get into almost any system.
Optical TEMPEST (both forms), bog standard TEMPEST, bugs, Trojans, and the "3Bs" of social engineering (Bribery, Blackmail and/or Beating).
I have recently seen a system that cost thousands that could be broken into just using FREE, open source s/w.
I used to say that Microsoft should be as safe as a combination safe... until
I found out how to open one in under an hour just using a pencil and graph paper.... yes it's that simple, you don't need Superman's hearing, or a stethoscope, just try each of the 100 graduations and note the free-play on a graph paper, in both directions, and then it's only 3x2x1 tries for a 3 disk lock and 4x3x2x1 for a 4 disk one.
Try it, you will be shocked at how "safe" your safe is!
Similarly, I spent a lot on a wired security system for my house.
Magnetic switches on all doors and windows.. yet with a 3.50 pocket compass and a magnet I find that I can defeat the switches and with an aerosol can beat the PIRs.
Most security will only stop the ignorant and incompetent!
Posted by: MikeO at July 31, 2005 12:50 PM