Get a Job

by Lisa Tortorice


Abstract

The purpose of this paper is to explore the attack method of "get a job". People who get a job in order to exploit the company, by stealing confidential information and trying to sell it or use it personally, may find that it is not very difficult, especially since they will typically have access to the company's computer systems and networks. They can obtain information that the company relies upon to conduct its business and to stay ahead of its competitors. These people have official access to the information that they require for their daily tasks, and someone who is skilled in computer technology may be able to access information that they are not privy to, just by using the computer at their desk. The attack method of "get a job" may be used by people who want to make some quick money through extortion, by competitors who find a job at another company to steal its secrets and put their own company at an advantage, and by attackers who sell the company's information to make a profit for themselves.


Definition

According to the All.net database, the "get a job" attack is defined as "An attacker gets a job in order to gain insider access to a facility. Examples include getting a maintenance job by under-bidding opponents and then stealing and selling inside information to make up for the cost difference, the planting of spies in intelligence agencies of competitors, and other similar sorts of moles." [1] Many different threat types could commit this sort of crime. Competitors, consultants, economic rivals, extortionists, spies, fraudsters, insiders, information warriors, infrastructure warriors, maintenance people, private investigators, professional thieves, and reporters can all play the role of "attacker" in the above definition.


Examples of Information that May Be Obtained by Threat Types Who Use the Get a Job Attack Method

One of the most famous computer criminals, Kevin Mitnick, committed various types of information system attacks throughout the early 1990s. He also stole phone numbers and access codes from companies by posing as a computer repairman.[2]

A reporter was able to get a temporary position at British Telecom in order to obtain telephone numbers for MI5, MI6 and the Royal Family. He then wrote a story about "this hacker", leaving out the fact that he was the one who committed the crime.[3]

In March, 2001, Peter Morch pled guilty to unauthorized access of computer systems at Cisco Systems, Inc. Mr. Morch was planning on leaving the company and decided to steal information regarding products at Cisco, both products in the development stage and ones that had already been released to the public. He accessed the files using another employee's computer so that he could use a CD burner, and used an administrator's account and password information to log on to the network. He was able to steal information regarding a voice-over and optical networking software product, including "project ideas, general descriptions, requirements, specifications, limitations of design, and procedures to overcome the design difficulties" for the product. Mr. Morch then became an employee of a competitor to Cisco, Calix Networks. Calix Networks, however, cooperated fully with law enforcement with regard to this case.[4]

In August, 2001, Geoffrey Osowski and Wilson Tang pled guilty to committing computer fraud while working at Cisco Systems, Inc. The two employees were able to access a computer system used to manage the company's stock options. They did not have access to this system as part of their normal job routine at Cisco. Using this system they were able to move some of the stock to their own personal accounts by falsifying forms for disbursement of the stock and sending these forms to the company that managed Cisco's stocks. The value of the stock that they were able to steal from Cisco was $7,868,637.00.[5]

In September, 2001, Said Farraj pled guilty to unauthorized computer access, wire fraud and interstate transportation of stolen property. He was employed as a paralegal at the law office of Orrick, Harrington & Sutcliffe in New York. The law firm was working for the plaintiffs in a litigation (Falise, et al. v. American Tobacco Co., et al.). They had developed a 400+ page trial plan which included strategies, deposition information, and exhibits for trial. Mr. Farraj had access to this information because he was part of the team working on the Falise case. He used a computer at work to obtain an electronic copy of the trial plan without authorization and then attempted to sell the trial plan to the defense counsel through email using the alias "FlyGuyNYt". The defense counsel called the FBI to investigate, and an undercover agent negotiated the terms of the sale ($2 million) and arranged an exchange for the trial plan.[6]

In October, 2001, Makeebrah Turner pled guilty to unauthorized use of computer systems to obtain credit card numbers and other account information while she was an employee at Chase Financial Corporation. She transmitted the credit card numbers and account balances and credit limits to one or more individuals, who then used the numbers to purchase $99,636.08 worth of goods. Ms. Turner had taken information from 68 accounts with a total credit limit of $580,700.[7] This type of crime is most interesting because almost anyone could obtain a temporary or full time job at a credit card company and steal account numbers and balances. This kind of information is valuable because it can also be sold to organized crime groups or other thieves interested in committing credit card fraud.

In December, 2002, Richard Gerhardt was charged with unauthorized access to information systems at Nestle, Inc. At the time of the crime he was employed as an information systems consultant at Nestle. He obtained about 5,000 user names and passwords from the computer systems using "L0phtCrack" password-cracking software. Mr. Gerhardt also used a program called "pwdump.exe" to download active user accounts and passwords. The program was installed on both Nestle's server and on a laptop issued to him by Nestle for his services as a consultant, and at a particular time each day would communicate with networked computers to download the user information. He stored these account numbers and passwords in a database on Nestle's server and on the laptop. He also created an administrator account for himself using a dial-up connection from a remote location. Although he did not use the user names and passwords, he cost Nestle, Inc. over $5,000 in repairs to their computer server and network, needed to verify both the security and the integrity of their system.[8]

In February, 2003, Dino Amato was charged with "knowingly violating the regulations and orders of the Administrator of NASA for the protection and security of property and equipment in the custody of NASA, and property and equipment under contract with NASA". Mr. Amato allegedly downloaded a file called "ZIP-42" from the Internet, which he then transmitted to an email account on NASA's server at the Glenn Research Center. This file caused the computer systems to slow down and/or stop completely the transport of email messages at the Center. This cost NASA's computer security department around $12,000 to inspect, diagnose, and repair their email server.[9]

In March, 2003, Charmaine Northern pled guilty to using her computer at Schools Federal Credit Union to obtain the account information of their customers without authorization. She used the information, which included names, social security numbers, driver's license numbers, and addresses, to open fraudulent accounts in the customers' names. Ms. Northern then used the fraudulent credit card accounts, some of which were opened online, to purchase goods in the amount of $53,376.[10]


The Threat From Cyber Gangs

Although many of the above examples of attacks came from only one person, there is increasing evidence that attackers may form groups to obtain confidential information. If companies hire someone for a managerial role they may also grant that person the ability to hire new employees for the department. This manager may hire people that he knows from previous jobs. If the manager got a job in a new company in order to steal information or money from them, then the people that he hires to work for him may have been hired to help him.

The manager will be able to assign tasks to the new hires and may give them easier assignments in order to allow them to focus on their real goal of stealing confidential information or money. It will appear to the company that the manager's department is doing well and meeting all of its goals, and the company may reward them with benefits in addition to their salaries. They can also make it appear that they are working on a long-term project. They may plan on staying at the company for only a short while, maybe just a couple of years. Then the manager may move on to another job, slowly taking the people he hired with him. Companies tend to hire people from other companies with similar products because they tend to be the people with the most experience. In addition, it makes sense that a new manager may want his old staff to come with him because they work well together.[11]


How Information Systems are Used During the Get a Job Attack

At most jobs the employees are provided with a computer and access to the company's email server and certain portions of the network. People in the information technology departments may have access to most of the network and physical access to servers. Additionally, these employees have a greater knowledge of technology and information systems than many of the other employees at a typical company. Also, information technology departments may hire consultants and other part-time workers to help out with many of their projects. These temps or interns are given access to much of the company's proprietary information and may also be able to access, without authorization, other information on the network and servers. Temporary workers often do not have the salary and benefits that come along with working full time, and may have more of a motive to steal information and attempt to make a profit from the company's secrets.

Employees may also use different technologies downloaded from the Internet to steal confidential information. In the above examples, an employee at Nestle used two programs found online, "pwdump.exe" and "L0phtCrack" password-cracking software, and an employee at NASA used a file called "ZIP-42". Keystroke-recording software could also be used to record usernames and passwords. A packet-sniffing program installed on the network can be used to obtain passwords as they are transmitted across it.[12]
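A defender's check for the pattern in the Nestle case above, where a program contacted networked computers at a particular time each day. It is an added example, not part of the original paper; the record layout, account names, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, account, source host, destination host).
# Layout, account names and host names are assumptions made for this example.
SAMPLE_EVENTS = [
    # A job on a consultant laptop contacts six workstations just after 02:00, three days running.
    *[(f"2024-03-{day:02d}T02:0{i}:00", "consultant1", "laptop-17", f"ws{i:02d}")
      for day in (4, 5, 6) for i in range(6)],
    # Ordinary user activity: few hosts, irregular times.
    ("2024-03-04T09:12:00", "asmith", "desk-03", "fileserver"),
    ("2024-03-05T14:40:00", "asmith", "desk-03", "fileserver"),
    ("2024-03-06T02:01:00", "asmith", "desk-03", "mail"),
    # One-off administrative sweep: many hosts, but on a single day only.
    *[(f"2024-03-05T11:3{i}:00", "itadmin", "admin-01", f"ws{i:02d}") for i in range(6)],
]


def find_scheduled_fanout(events, min_hosts=5, min_days=3, window_minutes=10):
    """Flag (account, source, time-of-day) triples that reach at least
    min_hosts distinct hosts in the same time-of-day window on min_days days."""
    hosts_per_slot = defaultdict(set)
    for ts, account, src, dst in events:
        t = datetime.fromisoformat(ts)
        # Fixed windows keep the example short; a burst that straddles a
        # window boundary would need overlapping windows to be caught.
        slot = (t.hour * 60 + t.minute) // window_minutes
        hosts_per_slot[(account, src, slot, t.date())].add(dst)

    days_per_slot = defaultdict(set)
    for (account, src, slot, day), hosts in hosts_per_slot.items():
        if len(hosts) >= min_hosts:
            days_per_slot[(account, src, slot)].add(day)

    findings = {}
    for (account, src, slot), days in days_per_slot.items():
        if len(days) >= min_days:
            start = slot * window_minutes
            findings[(account, src, f"{start // 60:02d}:{start % 60:02d}")] = sorted(days)
    return findings


if __name__ == "__main__":
    for (account, src, when), days in find_scheduled_fanout(SAMPLE_EVENTS).items():
        print(f"{account} on {src}: fan-out near {when} on {len(days)} days")
```

Legitimate scheduled jobs such as backups produce the same shape, so findings are a prompt to confirm that the account and source host are expected to run one.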


Summary, Conclusions, and Further Work

The best protection against the get a job attack is good hiring practices. If candidates are fully screened, interviewed well and all their references are thoroughly checked, the likelihood of hiring someone who wants to attack your company decreases. Good interviewing and screening of candidates may include checking the skills that are required for the job. An attacker may not have the skills for the types of projects that he will be working on because he has focused more on processes that steal company secrets or assets. Also, not hiring people from the same previous employer may decrease the chances of a cyber-gang attack against the company.

In the attack examples mentioned above, employees were able to get customers' phone numbers, user names and passwords, credit card numbers, social security numbers, addresses, and the company's product information, and even to steal stocks. Although these employees may not have gotten the job specifically to commit these crimes, the cases clearly indicate the types of information that may be exploited. Further work may be done to attempt to find actual examples whereby a criminal got a temporary job in order to steal information from a company.


References

[1] Cohen, Fred, All.net Database, Available at http://all.net/CID//Attack/Attack31.html [This is a database which contains information on threat types, attack methods, and prevention methods. It provides definitions of all types and links them together.]

[2] Goodman, Leisa, A Crime By Any Other Name..., Freedom Magazine, Available at http://www.theta.com/goodman/crime.htm [This is an article about several different celebrity hackers with a brief history of each one.]

[3] Kelsey, Tim, Revealed: how hacker penetrated the heart of British intelligence, November 24, 1994, Available at: http://kaizo.us/mirrors/phrack/phrack47/p47-22

[4] U.S. Department of Justice, Press Release, March 21, 2001, Available at: http://www.cybercrime.gov/MorchPlea.htm [This is a press release from the U.S. Department of Justice with a summary of the crime committed by Peter Morch just before he left his employment position at Cisco Systems, Inc.]

[5] U.S. Department of Justice, Press Release, November 26, 2001, Available at: http://www.cybercrime.gov/Osowski_TangSent.htm [This is a press release from the U.S. Department of Justice with a summary of the crimes committed by Geoffrey Osowski and Wilson Tang while they were employed at Cisco Systems, Inc.]

[6] U.S. Department of Justice, Press Release, January 30, 2002, Available at: http://www.cybercrime.gov/farrajSentence.htm [This is a press release from the U.S. Department of Justice with a summary of the crimes committed by Said Farraj while employed at the law firm of Orrick, Harrington & Sutcliffe LLP.]

[7] U.S. Department of Justice, Press Release, October 9, 2001, Available at: http://www.cybercrime.gov/turnerPlea.htm [This is a press release from the U.S. Department of Justice with a summary of the crimes committed by Makeebrah Turner while employed at Chase Financial Corporation.]

[8] U.S. Department of Justice, Press Release, December 20, 2002, Available at: http://www.cybercrime.gov/gerhardtIndict.htm [This is a press release from the U.S. Department of Justice with a summary of the crimes allegedly committed by Richard Gerhardt while employed as an information systems consultant at Nestle, Inc.]

[9] U.S. Department of Justice, Press Release, February 13, 2003, Available at: http://www.cybercrime.gov/amatoCharged.htm [This is a press release from the U.S. Department of Justice with a summary of the crimes allegedly committed by Dino Amato while employed at NASA.]

[10] U.S. Department of Justice, Press Release, March 10, 2003, Available at: http://www.cybercrime.gov/northernPlea.htm [This is a press release from the U.S. Department of Justice with a summary of the crimes committed by Charmaine Northern while employed at Schools Federal Credit Union.]

[11] Cohen, Fred, Managing Network Security: The New Cyber Gang - A Real Threat Profile, Available at: http://www.all.net/journal/netsec/2001-05.html [This article is about the insider threat and the new type of cyber-gang that infiltrates a company by getting jobs there.]

[12] Littman, Jonathan, Inside Jobs: Is there a hacker in the next cubicle?, Cable News Network, August 13, 1998, Available at http://www.cnn.com/TECH/computing/9808/13/hacker.idg/index.html [This is an article from CNN.com which addresses the problems that employees can cause for a company if they decide to steal information. It also offers ideas on how companies can protect their data.]