[cdn-nucl-l] Trojangate, software that spies
Interesting story ...
Israel espionage case points to new Net threat
Experts: Targeted spy attacks could soon be common
By Bob Sullivan
Updated: 6:48 p.m. ET June 9, 2005
Executives of top telecom firms accused of spying on each other. A jealous
ex-husband suspected of monitoring his former in-laws. Private investigators
implicated in computer-hacking-for-hire; one now involved in a possible
attempted suicide. So much bad publicity, government officials worry it
might impact the entire nation's economy.
At the center of it all - a tiny computer program that's caused the biggest
corporate scandal anyone in Israel can remember.
Most consumers have heard of software that can spy on them, and their
computers. Such malicious software is often brazenly marketed to spouses who
suspect their mate is cheating. But that same technology, sometimes called
a Trojan horse, because it sneaks onto a victim's computer in disguise, can
be used to commit brazen acts of industrial espionage.
And U.S. experts say what happened in Israel could - and probably already
has - happen here.
Israel is now reeling from what some are calling "Trojangate," a corporate
scandal that has dominated news coverage there since it was revealed May 29.
Already, there have been nearly 20 arrests. Published reports indicate
mountains of documents have been stolen from dozens of top Israeli firms.
Some 100 servers loaded with stolen data have been seized.
But Trojangate, experts say, is not unique. It's just the first time a major
cyber-espionage case has been unmasked by law enforcement. There's evidence
suggesting U.S. firms have already been targeted by similar attacks.
Last fall, banks in the New York area were targeted by a program designed to
infect only certain financial institution computers and obtain critical bank
passwords, according to Webroot Software's Richard Stiennon, who studies
emerging threats for the anti-spyware firm. At the time, he was an analyst
with the Gartner research firm, and he helped the banks complain to their
Also last year, anti-virus firm MessageLabs discovered a Trojan horse
designed specifically to attack a type of software used only in airplane
"The phenomenon should worry everyone," said Baruch Gindin, managing
director of Gartner's Middle East operations, based in Israel. "There is
nothing unique to Israel here. The technology is simple to use. This is a
moral issue rather than a technology issue."
The coming of 'targeted attacks'
Some call the program used in the Israeli case a computer virus; others,
spyware. But whatever the lingo, those doing the Internet's really dirty
work are much more subtle than their predecessors. The authors of the
Melissa and LoveBug viruses wanted to infect as many computers as possible.
Those who make adware and spyware want to hijack as many machines as
possible and display as many pop-up ads as they can, or steal as many
passwords as they can.
But the program used in Israel, now called "Rona" by anti-virus firms, takes
a very different tactic. It's narrowly focused. It doesn't call attention to
itself. And it operates well below the radar of most modern anti-virus and
anti-spyware products. Those computer safety products generally rely on
lists of known malicious programs, which they hunt for on a user's computer.
But to do so, the security firms need to know what they are looking for.
Before the Israeli investigation was revealed two weeks ago, no one in the
security industry had a copy of Rona, so anti-spyware and anti-virus
software didn't spot it.
"The problem for anti-virus companies was they couldn't detect this threat
because they hadn't seen a sample," said Maksym Schipka, a London-based
virus expert at MessageLabs. "The scary part of this story is for one and a
half years nobody even thought they may be infected. Nobody could imagine
they had malware installed on their system."
That's why experts say the next great Internet threat, and perhaps the first
very real threat, is the advent of what are being called "targeted attacks."
Targeted attacks, by hackers for hire, could steal millions of dollars worth
of corporate secrets and never be detected. That's far more dangerous than
pranksters overwhelming a Web site with traffic for a few hours.
Assessing the size of the corporate espionage problem has always been a
challenge; companies struck by it rarely speak out. But privacy expert Larry
Ponemon, a former auditor who was at PricewaterhouseCoopers five years ago
when it published the most recent landmark study on espionage, says it's far
more common than many realize.
"Unless you've been on the inside you don't understand how pervasive this
problem is," he said.
In 1999, PricewaterhouseCoopers said U.S. firms lose $45 billion to
espionage, nearly twice the estimate given a few years before by the FBI.
High-tech tools can only be making things worse, Ponemon said. Hiring
employees to infiltrate the competition, or to dig through their trash, as
Oracle's Larry Ellison did five years ago to spy on Microsoft, is hard work.
Particularly when there's a simpler way.
Electronic dumpster diving
Rob Douglas is a former private investigator who now runs PrivacyToday.com.
In his prior life he said he committed what he believes were several acts of
legally permissible industrial espionage - hunting for what his clients
called "competitive intelligence." One time he was paid $10,000 to attend a
trade show, pose as a company executive and buy a competitor's technology.
His employer planned to reverse engineer the hardware to see if their
technology had been copied. In another incident, he was paid by a boating
association to "dumpster dive" on another boating association for corporate
data the association had discarded as trash.
While Douglas said he believes the surreptitious use of Trojan horse
software is clearly illegal, he fears that for some unscrupulous private
investigators stealing such data remotely is simply the next logical step.
"This is the electronic version of dumpster diving," he said. "For private
investigators that would spend hundreds of hours dumpster diving, digging
through dirty trash, with all the risks you have, electronic dumpster diving
is much easier. And it's 100 percent accurate. You're not digging through
junk, bags of dog poop thrown in the trash, that kind of thing."
Discussion lists for private investigators were abuzz with Trojan talk after
the Israeli incident. Private investigators rarely publicly disclose their
methods, but many PI Web sites do sell such spying software, designed to
evade detection by anti-virus and anti-spyware computers.
Six months ago, Ponemon said, he would have dismissed the possibility of a
Trojangate in the U.S. But a research project he's now conducting for his
current firm, The Ponemon Institute, has convinced him otherwise. He's
placed a computer with fake critical business documents on the Internet, a
honeypot, designed to entice hackers and study their techniques. What he's
learned: Virus writers are now authoring programs designed specifically to
look for documents flagged as "confidential" or "critical." They've also
built software that can quickly index information on spy-software attacked
computers - a sort of Google for economic espionage - to make sorting through
mountains of stolen data easy.
"I'm starting to believe it could be much more common," Ponemon said. "If
you asked me this question three or four months ago, I would say we're
giving too much credit to the criminal. But we are starting to see these
technologies. ... I'm really worried now."
Security consultants like Ponemon are hamstrung in what they can say by
non-disclosure agreements; their claims of massive data theft sometimes fall
flat - or suffer utter disbelief - without the supporting details. That's
why the Israeli incident is both important and fascinating for security
experts; it offers a glimpse of the world of economic espionage rarely seen
by outsiders. It is perhaps the first definite proof that this kind of thing
Jealousy and booby-trapped CDs
The tale has all the makings of a made-for-TV movie. The only reason
authorities caught on, apparently, was jealousy. The scheme unraveled when
Israeli author Amnon Jackont stumbled on portions of a book he was writing -
but had not published or shared with anyone - on the Internet. After
initial confusion, Jackont suspected his computer was bugged. His suspicions
soon focused on his daughter's ex-husband, Michael Haephrati; the couple
went through a messy divorce eight years ago.
When police investigated Jackont's computer they say they found the "Rona"
Trojan horse program and were able to trace it back to Haephrati, who now
lives in Britain. The investigation quickly widened, however, as police
uncovered scores of other bugged computers. In addition to what reads like a
who's who of Israel's telecom industry, victims included the local divisions
of Hewlett-Packard and the Ace hardware chain.
Police accuse Haephrati, 41, of selling the program to private
investigators, knowing they intended to use it to commit corporate
espionage. In addition to Haephrati, executives from three of Israel's
biggest private investigative firms have been arrested. One, 54-year-old
Yitzhak Rath, who heads the Modi'in Ezrahi agency, fell from a three-story
building earlier this week. Rath sustained head and spinal cord injuries,
according to the Israeli newspaper Haaretz. Police are unsure whether it was
an accident, an attempted suicide or even an attempted murder.
Gindin said the attackers were clever - they apparently sent CD-ROMs with
business proposals to the target firms. Once the CDs were loaded, the Trojan
horse was secretly installed. The CDs were often sent to marketing managers
and others who would be in a position to have early knowledge of company
product development, he said.
How common are such cases?
John Fialka, author of "War by Other Means: Economic Espionage in America,"
wrote seven years ago about the threat U.S. firms face from widespread
espionage efforts. The drama of the Israeli incident doesn't surprise him.
"People seem shocked when it happens. They shouldn't. The threat has always
been there. The risk is huge," Fialka, now a reporter at The Wall Street
"There's not more information because companies keep it a secret," he said.
"There is incredible disinformation that surrounds this area. If you are a
big corporation and you find a Trojan horse in your computer, the first
problem you have is, 'Do you tell anybody or just absorb the information?' "
There's no question that the technology is easily accessible. Stiennon, from
anti-spyware firm Webroot, says there are currently 4,000 known pieces of
spyware in the world, capable of copying and transmitting every key typed on
a computer to a spy. And, as was the case with the Rona spyware, a would-be
spy can always take an existing keystroke-logging program and alter it
slightly so it slips under the radar of anti-virus programs - creating a
targeted attack that could go undetected for months.
Still, Stiennon is not among the crowd who thinks U.S. firms are busily
spying on each other this way.
"My guess is it would be as rare as Enron-style fraud," he said. "It
wouldn't surprise me if it's going on; but it would surprise me a lot if it
was common everywhere."
Richard Smith, a noted cybersleuth who runs ComputerBytesMan.com, has much
the same perspective. He said he thinks the risk of cybersnooping on
competitors would be too steep for most U.S. firms, who would pay a dear
public relations price if exposed.
"It's got to be going on to some degree. But I don't think name-brand
companies would be doing this," he said.
'Our guard should be up'
There are other risks from targeted attacks, however: hacktivists, who
wanted to disrupt U.S. firms, would likely be eager to expose the inner
workings of companies they were targeting. And this method would be an easy
way to do it.
"A company could be hurt very badly," Smith said. "I see that as a huge
risk, a company being embarrassed in the public eye."
Fialka, the espionage author, said he sees the threat in broader terms. He
says foreign governments, particularly China, have targeted U.S. business
intelligence for years. While U.S. firms might not spy on other U.S. firms,
the threat of nation-sponsored electronic corporate espionage is real.
"Our guard should be up, but it's not," he said.
Gadi Evron, an Internet security manager for the Israeli government, also
sees things that way. He says he was approached twice in the computer
underground with hacker-for-hire offers; he turned both down, but learned
there is plenty of easy money to be made in a world where corporate
intelligence is so valuable, and remote hacking is so easy. Reportedly,
companies were paying $4,000 for each hijacked PC in the Trojangate case.
"Today, the business case behind Trojan horses is significant," Evron said.
"This used to be a game of kids trading candies. Today, the money involved
is quite significant. ... I'd say that this kind of thing is commonplace
© 2005 MSNBC Interactive