A quote from the film Inception captures the core motivation for corporate espionage: “What's the most resilient parasite? An idea. A single idea from the human mind can build cities. An idea can transform the world and rewrite all the rules. Which is why I have to steal it.”
Ideas, and the information they generate, have become the most valuable assets in the business environment. In a world saturated with information, finding the right data and knowing how to steal it can make all the difference.
As a result, companies are spending millions on protecting their intellectual assets - and keeping an eye on the competition's.
This is made all the more challenging by the fact that corporate espionage has become a thriving trade. Stock techniques are often devious in their simplicity. A spy may casually leave his/her pen in a conference room, for example, record everything discussed during the board meeting, and innocently retrieve it afterwards.
A number of devices are used for similar purposes, including sunglasses, watches with tiny video cameras, and even smiley-face badges, which hide malicious intent behind a cartoon grin.
Etienne Labuschagne, director of surveillance equipment company SpyCatcher SA, says the Internet era has opened up the trade significantly.
“Originally, only government agencies used this type of equipment, but in the past 15 years or so things have changed.”
Now, specialist sites like SpyChest and SpyLife advertise a variety of spy gadgets, some for as little as $79, available to anyone with an Internet connection and credit card.
Labuschagne says around 60% to 70% of SpyCatcher's business still comes from government, ranging from police and law enforcement agencies to security firms that handle things like protecting the president.
You can be anywhere in the world and still be able to activate a bug and listen in.
Etienne Labuschagne
But he adds that the line between what's used for government purposes and what's available to the public is become increasingly blurred. “The Internet has made it easy for people to get hold of cheaper equipment, which is often of lower quality. A lot depends on the type of information and how fast it needs to be accessed.”
The other advantage of the Internet is anonymity. Given the nature of the goods and services being sought, customers are often uncomfortable discussing their situation face to face, says Labuschagne.
In other cases, companies spend hefty sums on top-quality equipment, and want to meet in person before they do business, he adds.
Dirty dealings
Corporate spying is definitely on the rise, says Labuschagne, and the means of doing it are getting increasingly sophisticated. With advances in computing power and speed, gadgets have shrunk in size and in grown in capacity.
“In the old days, you were very limited in terms of listening distance. If you had a bug in the room, you would have to be within 100 or 200 metres to be able to listen. Now, you can be anywhere in the world and still be able to activate a bug and listen in.”
He gives another example, of a client who didn't trust his business partner: “He purchased a TV and hid a small camera in it, and put it in the boardroom. He could then access the camera feed from anywhere in the world, from his mobile phone.”
Another tactic is to target people inside the organisation, and get them to leak information.
“Take, for example, a single mom who's battling to get by each month, and who wouldn't mind looking the other way and feeding outside parties with information,” explains Labuschagne. “In many cases, cleaners are paid a few hundred or thousand rands to place an extension lead with a bug into an executive's office. A CEO's office could be locked at all other times, except once a week when it gets cleaned...”
In the past three to four years, says Labuschagne, corporate espionage has taken off like a rocket. “More people are aware that these things are out there and they often don't care what happens in the process,” he adds.
Much of the activity is motivated by greed. “Money has become a god to a lot of people. The thinking is, if they have to spend a few thousand on a spy gadget that could earn them hundreds of thousands, why not do it? It's all about competition.”
Counter-strike
Of course, it's not only the attacks that are getting better. Many companies are growing wise to these kinds of threats, and bolstering their defences.
“We get numerous calls on a daily basis with customers split at around 50% surveillance, 50% counter-surveillance,” says Labuschagne.
A lot of the time, it's simply people who want to protect their assets, family, or business. Other times, people want to know if their boardroom is completely secure, or whether they have a tap on their phone line.
“Companies also use it to prevent comebacks. Should clients change their mind about a deal, the company will have what they previously said on record,“ he explains.
According to Labuschagne, whether these practices are legal or not is a moot point - it's happening, and businesses need to be aware of it. “Lots of companies don't believe corporate espionage is a reality. They think it's a fairytale, until they realise it's a possibility and could happen to them.”
It can hit any and every kind of business. Labuschagne mentions a customer at a filling station, for example, who noticed a lot of consumables were going missing. “One month he'd have 100 pies and this month only 70. So he installed CCTV cameras to see who was going in and out.”
Other companies keep losing stock even though they know they had the product in supply, only to find staff members are selling it for cheaper on the sly.
While he's seen his share of false alarms, Labuschagne says concerns are usually triggered by an incident, such as money being lost, or stock going missing.
“Everyone has instincts - something that tells you things aren't right. In some cases we do find bugs, in others we don't, but that doesn't mean there wasn't a bug at some time in the past. A person could have walked in, taken information, and walked out again.”
Once bugs have been detected, however, it's difficult to flush out the source. “Especially with GSM bugs, it's virtually impossible to know where they transmit to - it could be anywhere in the world.”
In some cases, companies ask him to leave the bugs. Once they know they're being spied on, the company can feed the bugs false information, and figure out from the results who's behind the espionage. Others prefer to do regular sweeps.
Despite the dangers, the approach to corporate spying in SA remains more reactive than proactive, says Labuschagne.
“Companies are spending thousands of rands on firewalls and IT security, and then someone can walk in the front door and get hold of their information.”
Protecting against attacks requires facing reality, and then taking stock, he says.
“The first thing that has to happen is for companies to come to the realisation that this is happening. Then they have to ask themselves a few questions, such as 'What kind of information are we dealing with?', 'If information is leaked, how will it impact on the business?' 'If the opposition gets hold if it, how valuable is it to them?'”
There are also security considerations, such as sign-in logs, CCTV, metal detectors, bags being x-rayed, and proper vetting processes for temporary staff.
Labuschagne believes we're only seeing the beginning of what's possible on the corporate spying front.
“It's really shocking what's available to top government agencies and it's only a matter of time until they're accessible to members of the public.”
Cyber CSI
Once the damage is done, however, a new set of experts is called in.
According to Jacques Malan, director of cyber forensic firm Facts Consulting, the problem is that companies want to play in the big leagues without preparing for the threats that come with it.
Malan explains that more companies in SA have become dependant on Web technologies to increase the effectiveness of their business, but that security measures haven't kept up.
He says he's seen more people using spyware to get hold of confidential company information, as well as more IT security breaches.
“I believe the changes are driven by more people and organisations going online and becoming increasingly dependent on technologies they don't necessarily fully understand.
“The bottom line is crime follows money. Best practices have been around for a long time, but many companies aren't even getting the basics right.”
According to Malan, security usually comes in after something has happened, instead of being used proactively to protect against attacks.
“It's still early days and people don't really think about what would happen if their information got in the hands of other organisations.”
As a computer crime scene investigator, he says the principles and methodologies of the physical and cyber realms are built around a similar goal - preserving the evidence.
“The fundamentals are the same. Just like in a physical crime scene, you have to make a huge effort to not tamper or destroy evidence. Like in the physical realm, we cannot jump to conclusions; we have to allow the evidence to guide us.”
He adds that investigations are very different from the work of say, an IT administrator. “You can't just 'do', you have to think things through and be incredibly careful.”
Malan says one of the most challenging cases he's worked on involved reviewing the source code for a client who had been sabotaged over a period of 18 months, after which the developers left the company and joined a competitor.
“The challenge was the fact that the suspects did not code obvious bugs or back doors, but rather subtle bugs, such as mathematical triggers, which would cause the application to become much less effective at handling client requests when certain conditions were met. This system did not crash, it just grinded to a snail's pace and made the clients very unhappy.”
This system did not crash, it just grinded to a snail's pace and made the clients very unhappy.
Jacques Malan
According to Malan, solving a complicated security breach comes down to being able to understand the motive behind the breach, as with any other type of crime.
“As one sees puzzle pieces of the activity, you put yourself in the shoes of the perpetrator to understand what they were thinking or why they were doing something specifically. It all sounds very complicated but it isn't. It comes down to thinking out of the box and experience of various technologies and attack approaches. Add to that dedication, and the 'dark side' will make a lot of sense.”
Given the rate of technology, and the ways to exploit it, Malan says staying up to date is vital. He adds that being part of an international incident handling advisory board allows him to share information with other members of the security community every half hour.
While keeping up with attack patterns in a world where changes happen “insanely fast” comes with its difficulties, Malan says it's being kept on one's toes that keep things interesting.
“Every day brings something new. We face anything from legacy technology, embedded technology, right up to bleeding edge technology, and each cracker or criminal has something in their approach which makes them unique.
“This makes for a lot of challenges, long days and nights and a very rewarding experience when the criminals are successfully identified and convicted.”
Read about the threats mobile devices are bringing into the workplace in Smart but deadly.
Share