[ISN] You're Only as Good as Your Password

From: InfoSec News (isnat_private)
Date: Sun Aug 25 2002 - 23:24:23 PDT


    By Jim Kerstetter
    AUGUST 23, 2002

    Warren Leggett had just spent the long July 4 weekend golfing with his
    brother-in-law near Portland, Ore. Early the following Monday morning,
    his relaxing holiday ended abruptly. The chief information officer of
    Niku Corp. (NIKU), a small Silicon Valley software company, found
    himself plunged into a shocking case of alleged corporate espionage --
    one that raises troubling questions about the security of company
    information in the Internet Age.

    It all started when Leggett's brother-in-law, Jay Berlin, a mid-level
    tech manager at Nike Corp. (NKE), agreed to view a demonstration on
    July 8 of Niku's software, which helps companies collaborate on big
    projects over the Web. The morning of the meeting at Nike's suburban
    Beaverton offices, Berlin checked his voicemail -- which included a
    message from a salesperson at Niku archrival Business Engine Software
    Corp. That's odd, he told Leggett. He didn't even know the firm, and
    he wouldn't be the one to buy such software anyway. How did they know
    to call him?

    OPEN, SESAME.  Struck by the coincidence, Leggett says, he dug into
    Niku's Web access logs the next morning and discovered that someone
    using Internet addresses owned by Business Engine had used Niku
    passwords to sneak into Niku's network more than 6,000 times,
    downloading some 1,000 documents -- including one that Leggett wrote
    about the planned demo for Berlin. The allegations are outlined in a
    lawsuit filed on Aug. 12 in U.S. District Court in San Francisco. "We
    never, ever assumed something like this could be going on," says Niku
    Chief Executive Farzad Dibachi. In a written statement, Business
    Engine said it's cooperating with an FBI investigation and does not
    yet know all the facts around the case.

    The alleged high-tech pillaging highlights a vexing problem in today's
    networked corporations: gaping holes in computer security. Passwords,
    which can be easily guessed or tricked out of employees, are becoming
    the Achilles heel of computer security. On Aug. 14, for example, an
    associate dean at Princeton University was removed from his post after
    admitting he used easily guessed passwords to access a student
    admissions site set up by Yale University.

    Indeed, an April survey of 500 corporations by the Computer Security
    Institute found that 80% of them had been broken into, resulting in
    combined losses of $455 million. And there are no easy solutions. "For
    all intents, when they are using that password, they are inside that
    network," says Dorothy Denning, a computer science professor at
    Georgetown University.

    WEALTH OF BAD NEWS.  Now the feds are involved. On Aug. 8, at least two
    dozen FBI agents raided Business Engine's offices. FBI officials won't
    comment. Five days later, a federal judge issued a temporary
    restraining order against Business Engine and ordered it to ask its
    business partners and customers to return any proprietary Niku
    information it may have given them. In an Aug. 20 statement, Business
    Engine said it asked Niku to work with an "independent third-party
    mediator" to help resolve the case. Niku execs said that, as of press
    time, they had not received that request.

    The Niku lawsuit doesn't specify damages. Company officials claim that
    using that stolen information, Business Engine was able to become a
    last-second competitor on several major deals, including a project at
    Lloyds of London, according to court documents.

    The loss of big deals couldn't have come at a worse time for Niku,
    which is struggling with the tech downturn. The still-unprofitable
    Redwood City (Calif.) company has reduced its staff from 1,100 a year
    ago to 300 today. In the quarter ended in July, its sales fell 38%, to
    $10.5 million, from the year before.

    The stolen Niku files, the company contends in the lawsuit, were the
    crown jewels of the software company, including upcoming features,
    lists of potential customers, pricing, and customizations for clients.
    The downloaded items also included one file mentioning that Leggett
    planned to show Niku's software to a project manager from Nike.

    FORENSIC SLEUTHING.  The file, the only place an invader could have
    learned of the Nike meeting, didn't mention they were related. That
    was strange enough, but Leggett says he kept digging and found more.
    He was stunned to find that someone outside the company used 15
    internal passwords over and over again. The invasions had occurred
    since last October. "It was sheer coincidence," says Dibachi.
    "Otherwise, who knows how long this would have gone on?"

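
The kind of access-log review Leggett describes (in both the "OPEN, SESAME" and "FORENSIC SLEUTHING" passages), as an added example that is not part of the article or of any Niku tooling: it parses Common Log Format lines and flags any outside /24 from which several distinct internal accounts were successfully used. The internal address range, log lines, account names and paths are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
# Common Log Format: host ident authuser [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Assumed corporate address space; 10.0.0.0/8 is a placeholder for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_line(line):
    """Return (src_ip, user, request, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, user, _ts, request, status, _size = m.groups()
    return host, user, request, int(status)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_account_reuse(lines, min_accounts=3):
    """Group successful authenticated requests from outside INTERNAL_NETS by
    source /24 (IPv4 assumed) and return the networks from which at least
    min_accounts distinct internal accounts were used, with request counts."""
    stats = defaultdict(lambda: {"accounts": set(), "requests": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, user, _req, status = parsed
        # Skip unauthenticated or failed requests and traffic from inside.
        if user == "-" or status >= 400 or is_internal(host):
            continue
        net = str(ipaddress.ip_network(f"{host}/24", strict=False))
        stats[net]["accounts"].add(user)
        stats[net]["requests"] += 1
    return {net: {"accounts": sorted(s["accounts"]), "requests": s["requests"]}
            for net, s in stats.items() if len(s["accounts"]) >= min_accounts}

# Constructed sample log lines (addresses, accounts and paths are made up).
SAMPLE_LOG = """\
10.1.2.3 - alice [08/Jul/2002:09:01:10 -0700] "GET /docs/roadmap.doc HTTP/1.1" 200 5120
192.0.2.10 - alice [08/Jul/2002:02:11:45 -0700] "GET /docs/roadmap.doc HTTP/1.1" 200 5120
192.0.2.10 - bob [08/Jul/2002:02:12:03 -0700] "GET /docs/pricing.xls HTTP/1.1" 200 8800
192.0.2.11 - carol [08/Jul/2002:02:13:20 -0700] "GET /docs/demo-plan.doc HTTP/1.1" 200 2200
198.51.100.7 - dave [08/Jul/2002:10:00:00 -0700] "GET /docs/public.pdf HTTP/1.1" 200 900
192.0.2.12 - - [08/Jul/2002:02:14:00 -0700] "GET /login HTTP/1.1" 401 0
""".splitlines()
```

Running `external_account_reuse(SAMPLE_LOG)` reports only 192.0.2.0/24, from which three different valid accounts were used; a single account from one outside address, as a travelling employee might produce, is not flagged at the default threshold.
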
    Even now, officials aren't quite sure how the passwords fell into the
    wrong hands. It could be weeks or months before Niku and the FBI
    figure that out. But for the rest of industry, Niku's experience is a
    warning call: The nearly $3.6 billion being spent worldwide on
    computer security clearly isn't enough.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 02:05:37 PDT