I’ve amassed a lot of material for a book on information security, including examples and real-life cases, but unfortunately I haven’t had enough time to sit down and pull it all together. The book will probably be called Insider. This essay (the document you are reading now is just the first part of a 15-page write-up) was born after a discussion of information security issues with one particular, very pleasant, gentleman. Unlike illusionists, I never pull the same trick twice, and so I see no problem in writing about some of the pitfalls of information security in companies. There will be another preface, so bear with me.
 

 

The idea of raising the issue of information security came to me a long time ago; it was inspired by a discussion of a “leak” with one of the people in charge of information security at a major global company. It so happens that journalism is unthinkable without a deep understanding of the processes that take place within each company. A journalist is someone who is always sneaking behind locked doors, yet without any obligations, which is why all the information he manages to find may be published. As of today journalists haven’t mastered the entire arsenal of tools for collecting and processing publicly available information, which they are lucky to have right at their fingertips, but in time they will. Perhaps this is the reason why companies should prepare for more leaks, which will almost certainly occur in the future, and for the fact that they won’t be sporadic anymore. In this essay I’ll touch upon a few of these topics – consider it an introduction. Now let’s get to business.

 

Your Sweet Home


 

Imagine you have a huge house with every room filled with countless trinkets and things you have crafted to shock the world at the next exhibition. You have curtains on your windows so that the most curious people wouldn’t be able to take a glimpse of the wizardry that takes place inside or, God forbid, find out more about your secrets. However, as years pass the interest in your work begins to dwindle and most visitors at exhibitions already know what you are going to put on show. All that is the result of a transformation, a magic trick you haven’t even noticed: the walls of your house have become transparent. Now you live in a house of glass, without even noticing it – no secrets from the outside world, no privacy or protection from jealous eyes of onlookers. An incredible number of companies live in similar houses these days and they are yet to clue in to the fact that their walls have gone. Some go to the rooms at the back of the house to find solitude, some hide behind furniture, some turn off the lights, and some even try to erect new walls. Why so?

 

It doesn’t take a rocket scientist to figure out that information is the very foundation of the Web – these companies themselves promote this idea; just look at their press releases and you will see how they strive to be in tune with the zeitgeist. Without even trying to understand this new environment, without attempting to change to fit in, they live like they used to live, oblivious of the transparent walls. They unpack their presents in front of everybody and seat their guests around the table, while putting some sweets on their plates. Why are they so blind?

 

Perhaps it’s the power of habit, or they simply believe that some principles are never going to change? The issue of information security concerns everyone, and therefore I’d like to move from allegories to real-life examples. However, I am going to omit most of the names of those involved, although in certain cases I will reveal some so that you will be able to stay in touch with the story.


 

Rules That Don’t Work


 

The main challenge companies are facing today is the Internet and the rapid development of mobile devices, together with the simplicity with which anyone can post literally anything; it will spread across the web like fire and will be impossible to delete. All things considered, this is a security nightmare. Unfortunately security departments have lives of their own, and so the security guidance given to the various divisions and employees, as well as security-related policies, gets updated very infrequently. How infrequently? Once in ten years or so. As a result, companies don’t have the right tools or mechanisms to react to their new problems adequately. I am not talking about hardware or technical issues, such as traffic encryption, VPNs, protection of storage devices and so on. These are the things that companies have already taken care of. Hardware gets updated as soon as new threats arise and employees get proper training – so on the face of it, nothing is wrong with information security. Yet the security policies that were devised years ago are in fact the strategies that define how a company is going to protect its secrets.

 

It just so happens that my job gave me a chance to consult for around a dozen companies that, trust me, had something to hide. In some cases I simply spent several hours in a friendly company drinking tea, but sometimes they were full-fledged contacts. Regardless of the format, my favorite question was: “Say information about your product or service has been made publicly available, what’s your plan?”

Only in one single case was I given a competent short answer describing that company’s tactics in these scenarios. In all other cases security policies were built around the idea of passive defense – nobody had the right to comment on what was going on; their employees were prohibited from discussing rumors. At the same time, according to their instructions, they were to locate the source of this leak using the security department. The methods employed to accomplish this last part differ from company to company, but as recent experience has shown, all of them are next to useless. Then why do they stick to the same instructions and policies?

 

The reason lies in the fact that they don’t understand the environment or the threat that they are facing. To major transnational corporations the Internet is a Pandora’s box, a black hole, which can serve as the source of all trouble, or as the catalyst for sales. The processes unfolding within the Web, interactions between people and tools available to journalists remain unexplored. Phone makers try to achieve their goals by setting the contents of this box in motion, using various schemes and methods, but for the most part these attempts look more like they are feeding various ideas to it and expect something to happen, while the gears spinning inside the box seem vague and incomprehensible, and therefore frightening.

 

The trend lately has been to let employees roam around social networks and promote the values of their companies and their jobs, yet they are to keep mum on recent developments and yet-unannounced devices. All in all, not much has changed compared to the past century – the means and the environment have changed, yes, but the concepts of information security have remained intact. However, this new environment now offers completely new tools and opportunities, which are beyond the reach of old concepts.

 

So as not to sound as if I am simply relying on allegory and conjecture, let me give you an example involving our release of the Nokia N900 preview, one week prior to its official announcement. The leak generated some debates within the company; however, the fact is that their security policy didn’t work, and I am not talking about the leak itself, as they couldn’t prevent it. What I mean is their course of action in this situation and its aftermath. Before we move on, let me tell you a story about the rise of Samsung’s semiconductor business. During the 1980s Samsung didn’t possess any technology to produce memory chips, and the development of a 256K chip was in jeopardy. For Samsung Electronics this situation was unacceptable, and of course their competition didn’t want to share any technologies or explain how they operate or how their production lines work. Eventually, after a series of unsuccessful attempts to make official deals with other companies, they found a solution. They got in touch with a Korean engineer, Dr. Yim-sang Lee, who had worked for Sharp, GE and IBM. He wasn’t offered a job at Samsung though – they simply asked him to consult for the company. He, in turn, brought Dr. Sang-joon Lee to Samsung, the man in charge of the development of semiconductor production technology at Control Data and Honeywell, and Dr. Il-bok Lee, who took part in the development of 64K DRAM at Intel as well as National Semiconductor. He also brought in Dr. Jong-gil Lee, Intersil’s expert, who had also worked for Synertek and dealt with the efficiency of semiconductor production lines. Finally, Dr. Yong-eui Park, a memory chip designer, came from Western Digital and Intel. All these engineers were brought to Samsung officially – the company simply offered them salaries 4-5 times bigger than that of the president [i]. The trick was that the contracts of these engineers allowed them to work for Samsung, and it was just such a clause that Samsung needed.
Using a fellow countryman, they built a whole chain of people who shared their knowledge and technologies with them and created the end product. That’s how Samsung’s semiconductor business started. The company also used to invite engineers from Japanese enterprises to unofficial “weekend consultations” held in Korea.

 

The story above is important in the sense that it allows the reader to understand that it’s not only information about certain technologies, products or services that is of value, the carriers of such information are precious too. To achieve their goal Samsung found a Korean engineer and used him as a search interface to find other members of a well-connected community of specialists working in other countries. Back then it was unthinkable that an experienced engineer would trade his position in a western company for a job in Korea; that’s why Samsung used the only method available to them.

Now let’s imagine for a minute that for some reason I need a list of people working on Nokia’s Maemo project and those who are connected to it. Will such a list be of any interest to me as a journalist? No doubt. Knowing the names of people, one could look for their previous places of work, experience, education and so on. In other words, it would allow someone curious to outline Nokia’s area of interest with regards to Maemo and related fields of development. The key, public figures in the Maemo world are well-known and it’s easy to find their profiles on the Web. What about those who actually move this goliath, the gears in this mechanism? Ask Nokia for a list? I am afraid such a request would only make Nokia laugh.

That’s why right around the time of the N900 preview release I began writing posts in English on my Twitter feed – these posts were nothing but news about Maemo. The first entries appeared days before the preview, and they were designed to intrigue, as I informed my “followers” that I needed an application to take screenshots. In truth this was bait to attract attention – I already knew how to take screenshots on the N900. My readers recommended various methods, some even added me to their friend lists, but my main goal hadn’t been realised yet – the people whom I was most interested in didn’t show up. Then I announced the article on Twitter, with snippets of information and links that could interest my colleagues and Nokia’s employees (Maemo, PR, security, marketing). On the day of the release I got at least 500 new “followers” on Twitter.

Over the next few days we managed to identify around 144 Nokia employees, including those who worked on Maemo and had personal accounts on Twitter. The technical side of the matter was exceedingly simple. First of all, there were some peaks of activity on my Twitter microblog, when I got the most “followers” – they correlated very well with two letters that circulated inside Nokia (PR, Maemo). Essentially, these letters triggered a chain reaction – Nokia’s employees came to my blog to read what was there and bookmarked me (started to “follow”) to get updates in the future. Twitter was advertised by Nokia themselves; they allowed their employees to use it, so they were familiar with it and happy with what it had to offer. In reality though it was a part of the black box that they didn’t fully understand. Having set the task for their employees to communicate more by making Twitter all the rage within the company, Nokia hadn’t foreseen the possible consequences and flaws of this approach.

 

Secondly, without access to the IP addresses of my Twitter “followers”, our puzzle became a little more challenging. We monitored every visitor, IP address and device parameter on the server that housed the articles. For this particular case we analyzed the entire flow of information and the reward was great – we could see how many people came to us from Nokia in real time. My earlier conclusion that there were a couple of letters is based on the activity of Nokia’s employees. The fact of the matter is that there were two waves, and each of them was bound to be based on some event that triggered this reaction – a letter with a link to our article more than qualifies. Given that from a technical standpoint Nokia’s security is marvelous, we only saw gateways, rather than IPs of computers within the company, but that was all we needed. I am not going to go into detail and reveal all our tricks – they are not particularly important in this particular example anyway. The important thing is that after comparing the chart of all the views of the article with my newly acquired “followers” on Twitter we got the same two groups of people. The rest was easy – we figured out what departments they worked for by browsing their Twitter entries.

Our job got considerably simpler thanks to people who didn’t hide their real personal data, first or last names. Even without cross-referencing it was very simple to guess where all these people came from – the list was full of Finnish names. During the next couple of weeks our partner, residing in a country with a very soft set of laws regarding information security (in fact, there was none), processed all the data. As a result we got a data base with the employees we were looking for, what projects they were involved in, all relevant comments they made on the Web and other valuable information.
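The correlation described above (bursts of article views from a single corporate gateway lining up with the moments an internal letter circulated) can be made concrete with a small Python script. This is an added example, not the author’s own tooling: it runs over constructed Apache-style access-log lines with documentation-range IPs, and groups requests for one URL into 10-minute windows per source address, so that the “two waves” show up as two windows above a threshold. A security team can run the same logic over its own outbound proxy logs to see exactly what its gateway address gives away to an outside site.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample traffic (documentation-range IPs, not real Nokia data).
# 203.0.113.7 plays the corporate gateway: a morning burst, a lone hit at
# noon and an afternoon burst, mirroring the "two waves" described above.
_EVENTS = [("203.0.113.7", "09:02:11"), ("203.0.113.7", "09:03:40"),
           ("203.0.113.7", "09:04:05"), ("203.0.113.7", "09:06:52"),
           ("203.0.113.7", "09:08:19"), ("203.0.113.7", "12:01:00"),
           ("203.0.113.7", "14:15:02"), ("203.0.113.7", "14:15:48"),
           ("203.0.113.7", "14:17:30"), ("203.0.113.7", "14:19:11"),
           ("198.51.100.4", "09:05:00"), ("198.51.100.4", "15:40:00")]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [27/Aug/2009:{t} +0000] "GET /n900-preview HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for ip, t in _EVENTS)
# One unrelated request that must not be counted against the article.
SAMPLE_LOG += '\n203.0.113.7 - - [27/Aug/2009:09:02:12 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"'

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def parse_line(line):
    """Parse one access-log line into (ip, datetime, path); None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def hits_per_window(log_text, path, window_minutes=10):
    """Count requests for `path` per (source ip, window start "HH:MM")."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] != path:
            continue
        ip, ts, _ = parsed
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        counts[(ip, start.strftime("%H:%M"))] += 1
    return counts

def detect_waves(log_text, path, window_minutes=10, threshold=4):
    """Return [(ip, window_start, hits)] for every window at or above threshold."""
    counts = hits_per_window(log_text, path, window_minutes)
    return sorted((ip, start, n) for (ip, start), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for ip, start, n in detect_waves(SAMPLE_LOG, "/n900-preview"):
        print(f"wave from {ip} starting {start}: {n} hits")
```

Lowering the threshold or widening the window trades sensitivity for noise; the single noon hit from the gateway stays below the bar either way.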

 

Using only open sources of information and publicly available tools we managed to acquire data that would have been impossible to get hold of in any other way. How valuable is this database? It’s golden. Knowing the industry and all the latest trends, one can easily put together a forecast of what will happen in the world of Maemo in the next 1.5 years. To get a similar amount of information using old “time-proven” methods we would have had to find insiders within the company and somehow persuade them to share all these facts, which is a direct violation of the law, plus it would be impolite. So, why would one want to risk committing a crime, when there are free, public tools available out there? All the information we need is right at our fingertips; all that is required is to collect these grains and filter them.

 

Did Nokia’s security policy work in this case? The answer is obvious – the company didn’t fully realize the threat they were facing, as well as its likelihood; they were not prepared. I think prior to the release of this essay Nokia hadn’t even thought about the possibility of such leaks. What is the lesson to be learned from all this? They can ban this service once and for all, but that will only give us more information (inactivity of multiple accounts after a certain date, or inactivity during certain hours and so on). It’s time to clue in to the fact that in the digital world there is no action without a trace, sometimes the effects of these actions are not even direct. The methods of collection of this indirect information were developed back in the 1930s and have been employed by the intelligence services of most major countries ever since. To make them work in the digital world one only needs to tweak them a little and, obviously, use his own knowledge of the industry and the rules to put all the data together. Without that last step, no matter what kind of information one stumbles upon, it will never be of any real use.

 

I hope you enjoyed this essay and that it will provoke a discussion on information security matters around the globe. To be honest, the full version of this essay is much bigger – I’m publishing only the first part, just to gauge the reaction. I am yet to see how companies will treat this information, whether they will discuss these issues anonymously or not. Nevertheless, this problem is real and serious. The first reaction will likely be negative, but without open discussions like this, the Internet will always remain a black box to you, where you throw something in and hope to get something back. I do hope that all reasonable people will find this write-up motivating enough to change at least a small piece of their company’s security policies. I eagerly await your comments …