[ISN] BlackBerry Reveals Bank's Secrets

From: InfoSec News (isn@c4i.org)
Date: Tue Aug 26 2003 - 07:58:08 CDT


Forwarded from: William Knowles <wk@c4i.org>

http://www.wired.com/news/business/0,1367,60052,00.html

[Sad thing is few if any companies will heed the lesson in this story
by forcing their employees to keep their PDAs locked, encrypted, or
afterward, clean of proprietary information once they've left the
company. One thing I do see happening out of this story is that the
prices of used BlackBerries will be going up on eBay with buyers
competing with each other hoping to score that "next" million dollar
PDA chock full of corporate and government secrets. - WK]

By Kim Zetter
Aug. 25, 2003

The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his
real name), a Seattle computer consultant who always wanted one of the
pager-size devices to check his e-mail, sent in a bid. For just
$15.50, he bought the wireless device with 4 MB of memory.

The BlackBerry didn't come with a cable, synching station, software or
a manual. But it did come with something even more valuable: a trove
of corporate data.

After popping a battery into the BlackBerry's back panel, Sacks
discovered a few things the previous owner wouldn't have wanted him to
see -- more than 200 internal company e-mails from financial services
firm Morgan Stanley and a database of more than 1,000 names, job
titles (from vice presidents to managing directors), e-mail addresses
and phone numbers (some of them home numbers) for Morgan Stanley
executives worldwide.

It was all there to read, Sacks said, the minute he turned on the
device.

The seller, who asked to remain anonymous, was a former vice president
of mergers and acquisitions for Morgan Stanley who'd left the company
months earlier.

"If I were Morgan Stanley, I'd be embarrassed," said a source who is
an expert in the financial industry. "You should not be able to get
that kind of information paying $16 on eBay."

Companies mentioned in the e-mails include technology firms, shipping
firms, telecoms and accounting agencies.

The incident serves as a cautionary tale about the ways companies fail
to manage sensitive data despite public assurances to the contrary. It
also shows how employees who are entrusted with confidential
information are often insufficiently trained about the simple yet
sophisticated technologies they use.

In addition to personal e-mails that reveal the VP's own Charles
Schwab IRA account numbers, the name and phone number of his mother
and the amounts he paid for his monthly mortgage, car and Visa bills,
the e-mails discuss confidential information about loan terms for
Morgan Stanley clients, debt-restructuring strategies for specific
companies, preliminary talks for potential merger deals and even some
creative ways of interpreting contracts.

In the latter category, an e-mail exchange between two Morgan Stanley
employees discusses a client who seems to want to step around the
terms of a contract signed with a third party. A Morgan Stanley
employee advises telling the company to stay "aboveboard" and follow
the letter of the contract.

"They're asking you to act in something less than good faith it seems
to me. Not wise. Better to have everything aboveboard and
disclosed...." advises the one employee to another in e-mail.

The VP who sold the BlackBerry told Wired News he didn't know the
information was on the device. He said he removed the battery months
ago, and assumed that everything had been erased.

But Morgan Stanley said he violated a contract he signed promising to
destroy or return any proprietary information.

"On the last day of employment the employee must remove and destroy
any confidential information in their possession and return any mobile
devices and any portable media belonging to the firm," said Diana
Quintero, a company spokeswoman. "When people leave and they sign
these papers, they're reminded of this policy."

While much of the information on the BlackBerry pertains to deals that
are now public and thus no longer sensitive, the financial expert said
it's simply a matter of luck that none of the e-mails contained
information that could now be traded for profit on the stock market.
Had the VP sold the BlackBerry after leaving his job months ago, some
of the deals would still have been pending.

For instance, a series of e-mails discusses debt restructuring for one
of Morgan Stanley's clients -- in all likelihood so that the client
could raise capital to purchase a competitor. Judging from public
information about the companies, that particular deal never went
through, but the company did purchase a second competitor a few months
later.

Had anyone obtained information about the merger before it occurred,
they could have thwarted the deal by offering a higher bid for the
target company or could have bought stock in the target company and
waited for the purchasing bid to spike its value.

"It's a violation of confidentiality, and it would really piss off the
client if anybody found out about it," said the financial expert.
"That's not something you ever want to be public until it's a done
deal."

In addition to information contained in the body of the e-mails, there
are numerous attachments that contain proprietary PowerPoint
presentations, financial spreadsheets and case studies about finished
deals that would interest any Morgan Stanley competitor who wanted to
know how the firm conducts deals.

Because the attachments are stored on a server and not on the
BlackBerry itself, though, no one can view them now that the VP's
e-mail account is closed. But had the VP misplaced his BlackBerry
while still an employee, someone could easily have read the
attachments, too. The VP told Wired News that he never locked his
BlackBerry with a password, and the device doesn't have encryption
capabilities to let users scramble data stored in its memory.

Paige Steinbock, a partner in headhunting agency Korn/Ferry
International, called the database of Morgan Stanley employee names
and home phone numbers "a virtual gold mine of information."

Steinbock said headhunters regularly purchase directories of alumni
associations and professional groups to track executives to hire. But,
she said, "having something electronic like that address book would
obviously speed up the process in terms of having accurate,
identifiable names and numbers of people you're trying to target."

An address database can also aid corporate spies and hackers who want
to piece together an organizational chart of company executives.
Knowing the name, title and e-mail address of a managing director, a
hacker can spoof the account and send correspondence as an executive.
Someone posing as a managing director in the New York office, for
instance, could contact a secretary in the Chicago office and request
a company file be e-mailed to his home address.

The VP who sold the BlackBerry said he had no idea data could remain
on a device long after the battery was removed.

"It didn't even occur to me that it would have this stuff still on
there because it had been lying around for a long time without a
battery in it," he said. "Had I known there was anything on it, I
wouldn't have sold it."

The VP acknowledged he signed papers saying he needed to return
company property. But the BlackBerry didn't belong to the firm. Morgan
Stanley employees generally buy their own BlackBerries through a plan
offered by the firm. The one the VP bought was shipped directly to
Morgan Stanley's IT department, which set up the software and service
on the BlackBerry before giving it to him.

"I paid (for it) on my credit card and they handed it to me in working
order," said the VP.

The large address book containing employee job titles and home phone
numbers was already loaded on the device when he received it, he said.

"Usually what happens when someone leaves, they hand in their
BlackBerry, everything is erased, and then we give it back to them,"
said Morgan Stanley's Quintero. "Obviously that didn't happen in this
case."

Quintero said that while the VP may have sold the information
accidentally, he still violated company policy. And even though the
company knew he possessed the BlackBerry, she said the onus was on him
to bring it forward to be cleaned.

"We trust employees with a lot of sensitive information; that's why we
have these procedures in place. Someone who is in mergers and
acquisitions and is a vice president should be very aware of his
responsibilities," she said.

But Korn/Ferry's Steinbock said, "If they were vigorously wanting to
protect their intellectual property, I would hardly think that's
enough.

"Since it's information that would harm them, not him, it's perplexing
that they wouldn't be more aggressive about retrieving that
information and follow up with him. The company obviously doesn't have
controls in place to take care of its own intellectual property, and
that's really their fault," she said.

In fact, the VP said that when the company closed his e-mail account
on his last day of work, he thought any data on the BlackBerry would
be deleted remotely by the server. "I just assumed it was all taken
care of," he said.

Courtney Flaherty, a spokeswoman for Research in Motion, the company
that manufactures the BlackBerry, said there are two ways to wipe data
on a BlackBerry -- either manually using the synching software, or
remotely through a command that gets pushed out from the server to the
device. But that only works if a company uses the Microsoft Exchange
server. Morgan Stanley uses Lotus Domino.

This is not the first time an individual or organization inadvertently
sold sensitive data with a used system. Last year a Veterans
Administration medical center sold or donated to schools 139 used
computers that turned out to contain credit card numbers and medical
data for patients afflicted with AIDS and mental health conditions.

Recently MIT researchers purchased used hard drives from computer
resellers and eBay auctions to see how many drives contained
recoverable data. Out of 129 drives they examined, only 12 had been
properly cleaned. One hard drive contained 3,722 deleted credit-card
numbers that were easily recoverable. And another drive, which
appeared to come from an ATM, showed no evidence that the bank had
tried to erase it. It still contained the ATM's log of customer
account numbers and balances.

The incident with Morgan Stanley highlights the risk of disseminating
data on handheld devices. With so many PDAs and mobile phones sold
secondhand each year, there are likely numerous cases that have never
become known.

Judging from the windfall of info captured on the VP's BlackBerry, the
financial expert interviewed for this story said he could only imagine
the wealth of information people could gather if they placed ads for
used BlackBerries online and waited for the devices to roll in.

Of course, information leaks occur in non-technical ways as well, he
noted. Employees take paperwork home all the time. But new technology,
he said, "makes it more efficient (and) compact" to transport lots of
data at once. As a result, a higher volume of information can be
captured in a single device than if someone simply left a briefcase
behind on the subway.

From employees who willfully take data with them when they leave a job
to those who are simply neglectful, he said banks lose confidential
information all the time. "We don't make a big deal about it, we never
tell anybody about it, but that's the bottom line," he said.

Guy Diament, a senior systems engineer in New York, said it's up to
companies to communicate with employees about secure computing and to
train them to use passwords as well as encryption when available. "But
they can't just encrypt files at work. If an employee syncs files to a
laptop, a handheld or a home computer, then the files have to be
encrypted there if possible."

"The bottom line," he said, "is that as long as a company allows
employees to duplicate and triplicate company files on devices that
leave the office, it cannot ensure that its information won't ever get
out. It can only strive to protect itself."
