[ISN] FBI special agent recounts outsourcing horror story

From: InfoSec News (isn@private)
Date: Tue May 16 2006 - 22:45:49 PDT


By Bob Brown

The CAD/CAM company thought it was protecting itself, having employees
of the Indian outsourcing company that was debugging its source code
sign non-disclosure agreements. But when a disgruntled outsourcing
employee swiped a copy of the code a few years back and tried to sell
it to the CAD/CAM vendor's competitors, the vendor found out that the
NDAs were of little use when it came to prosecuting the alleged thief
in India.

"They weren't worth the paper they were written on," says Nenette Day,
an FBI special agent out of Boston who did double duty as both the
case agent and undercover agent investigating this crime against
software maker SolidWorks. "The employees would have had to sign the
agreement with the Indian company, not the American one."

Day, who has worked in computer crime for 8 years and calls herself "a
geek with a gun," told attendees at last week's CIO Forum that their
companies need to do serious research about the laws of any country to
which they outsource work.

CIO Forum is a unique conference during which IT vendors and 300
potential customers unite on a cruise ship out of New York City.  
(Other discussions at the event focused on topics such as identity
theft and biometrics and grid computing.)

A handful of FBI agents were on board to consult with IT pros about
cybercrime threats, a topic that FBI agents say companies are often
reluctant to talk about.

As for protecting yourself when outsourcing to other countries, Day
advises IT executives to assume that you have no legal rights. "It
should not start with your understanding of American law," she says.

In India, for example, there is no theft of trade secret law, Day
says. India does have an IT act, she says, but it is mainly focused on
copyright violations.

Day says that despite the fact that "there was not a shred of evidence
that we did not have" against the alleged SolidWorks thief,
prosecutors in India have failed to convict the suspect and he
continues to work. The FBI initially tried to lure the suspected thief
out of India to simplify prosecution, but he was too smart for that,
Day says.

Indian police nabbed the suspect in 2002 when he allegedly tried to
sell the code to Day while she was undercover (she says he initially
tried to sell the code for about $250,000, not realizing it was
probably worth $300 million). Fortunately, she says, the original
source code was recovered and copies were not believed to have been

In the wake of that case, Indian software developers have formed a
lobby to push for stronger intellectual property protection laws,
concerned that companies won't outsource to India if they aren't
better protected, Day says. Outsourcing firms, like the one SolidWorks
worked with, have also tightened their own security policies
considerably in recent years, she says.

Another thing to consider when outsourcing to other countries is not
just whether there are laws to protect intellectual property, but
whether the laws are enforced. "No criminal law exists if the police
will not enforce it," she says, noting that the FBI received an
unprecedented amount of cooperation from its counterpart in India on
the SolidWorks case (after threatening to expose India's laissez-faire
attitude toward the case).

Questions companies should ask when outsourcing to other nations, Day
says, include the following:

* Can my company risk loss of this data?

* What are my liabilities if I do lose it?

* What are your notification requirements if you lose customer data?
  (She notes that if your data is encrypted, you might not have to
  report it missing.)

* Will the company you are outsourcing to go the distance if you need
  its help to chase down a criminal?

* How long could a prolonged legal battle in a foreign country cost?
  ("You could lose all your outsourcing savings there," Day says.)

"This is all risk analysis," she says. "We're not saying don't
outsource. We're saying learn the risk points and add that to your
analysis when choosing the country or company wherever you're

Mobile computing worries

Mobile computing is the other area of networking that has Day very
concerned on the cybercrime front. This involves both stolen and lost
mobile systems.

"Laptops. I don't even know how to get on this soapbox and scream loud
enough," says Day, citing third-party market research about tens of
thousands of cell phones and portable computers being left in Chicago
taxis during a six-month period last year.

"Universities, companies, government. Where could I not go and not
tell you a story about the laptop that went missing and did not have
the information encrypted."

Day points out that even the FBI encrypted its laptops when she joined
8 years ago. "And we are behind the curve in every way electronically,
except that," she quips.

It's "mind boggling" that information is being kept in the clear on
portable devices and that companies aren't being held responsible, Day
says. Though she says that companies are starting to pay the price, as
a credit card processing company recently settled a compromised data
case for big bucks.

Cases so far have mainly been civil ones, though she says criminal
charges won't be far behind given the emergence of new data protection

Day also discussed the dangers of cell phones, which she described as
potential monitoring devices, given that so many have cameras and
audio recording capacity on them. They can also threaten security by
being tapped, through techniques such as someone asking to borrow your
phone and downloading a tracking program, she says.

The FBI requires members to shed all electronic devices during certain
of its top-secret meetings.

"We understand how easy these things are to compromise," Day says.  
"You might want to consider in your own company a no electronics

This includes devices such as iPods, which can be used to swipe info
via "pod slurping," a technique that involves simply sticking an iPod
into a USB port on a computer. "They don't even need access to the
keyboard," she says.

Day urges IT pros to contact the FBI if their intellectual property is
stolen, noting that even if criminal charges are brought against
someone, civil charges can also be made.

All contents copyright 1995-2006 Network World, Inc.
