
Thursday, 09 August 2012

DOJ National Security Division Pursuing Cyber Espionage

I just read "Justice Department trains prosecutors to combat cyber espionage" by Sari Horwitz, writing for the Washington Post. The article makes several interesting points:

Confronting a growing threat to national security, the Justice Department has begun training hundreds of prosecutors to combat and prosecute cyber espionage and related crimes, according to senior department officials.

The new training is part of a major overhaul following an internal review that pinpointed gaps in the department’s ability to identify and respond to potential terrorist attacks over the Internet and to the rapidly growing crime of cyber espionage, the officials said, describing it for the first time.

In recent weeks, Justice has begun training more than 300 lawyers in Washington and nearly 100 more across the country in the legal and technical skills needed to confront the increase in cyber threats to national security...

Under the reorganization, teams of specialized lawyers within NSD in Washington will work with other agencies, the military and companies facing cyber intrusions. They will develop protocols for the intelligence community and federal agents in how to deal with private companies that are victims of cyber attacks. The issues revolve around how to build possible prosecutions within guidelines covering information sharing, privacy and civil liberties.

At least one prosecutor in each of the 94 U.S. attorney’s offices around the country has been designated and will be trained to gather evidence and prosecute cyber espionage and similar Internet-related cases.

This is very interesting if the focus is truly on cyber espionage cases. DOJ prosecutes physical espionage cases routinely (albeit with difficulty due to the nature of the laws). Cyber espionage cases are almost never pursued. Working with private companies will be key to this problem, and that aspect is mentioned specifically in the article.

Let's see what happens!

Thursday, 05 July 2012

Israeli Agents Steal Korean Tech for Chinese Customer

Thanks to the show Asia Biz Today I learned of an industrial espionage case involving South Korea, Israel, and China.

In brief, agents of the South Korean branch of an Israeli company stole technology from two South Korean companies, and passed the loot to Chinese and Taiwanese companies.

On June 27th the Yonhap news agency in South Korea reported the following:

Key technologies to manufacture advanced flat-panel displays at Samsung Mobile Display and LG Display have been leaked by a local unit of an Israeli company, local prosecutors said Wednesday, raising concerns the leakage could pose a major threat to the national interest.

The Seoul Central District Prosecutors' Office indicted under physical detention three employees at the local unit of an Israeli inspection equipment supplier, including a 36-year-old man surnamed Kim, on charges of leaking key local technologies used to produce active-matrix organic light-emitting diode (AMOLED) displays and white organic light-emitting diode (White OLED) displays.

They also indicted without physical detention three other employees and the local unit, the prosecutors said, without identifying the Israeli firm.

According to the prosecution, the indicted employees photographed circuit diagrams of yet-to-be-released 55-inch AMOLED television panels when they were let into Samsung and LG's manufacturing factories to check defects of inspection equipment from November of last year to January of this year.

They stored the images on portable memory cards and slipped them into their shoes, belts and wallets to avoid suspicion, prosecutors said...

Prosecutors said the stolen information was likely relayed to the Israeli headquarters and Chinese and Taiwanese display-making rivals, including the biggest Chinese panel manufacturer BOE.

"It is very likely that the stolen technologies have been given by the Israeli firm to foreign rivals," a prosecution official said. "This may expectedly deal a massive economic blow to the entire nation and can cause a sea change in the landscape of the global display market."

This Korea Herald story revealed the name of the Israeli company and an additional receiving company in Taiwan:

According to prosecutors, circumstantial evidence suggests that circuit diagrams of the two companies’ active-matrix organic light-emitting diode, or Amoled, display technology have been leaked to their rivals in China and Taiwan, including the BOE Technology Group in China, and AU Optronics Corp. in Taiwan...

Prosecutors have indicted six officials from Orbotech Korea, the Korean subsidiary of Orbotech Ltd., an Israeli company specializing in automated optical inspection equipment, on charges of technology theft...

Prosecutors say Orbotech officials in China and Taiwan sought to win inspection contracts from display panel manufacturers there using the circuit diagrams as bait.

So, while the original article implied theft for purposes of duplication, the second article implied theft "to win inspection contracts." That is a narrower function and in line with Orbotech's corporate function as "an international developer and producer of automated optical inspection (AOI) and related imaging and computer-aided manufacturing systems" according to Wikipedia.

Image credits: Korea IT Times.

Tuesday, 13 December 2005

Non-Technical Means Unearth Best Intrusions

Thanks again to the latest SANS NewsBites, I learned of an interesting trade secret theft case. From the CNET News story:

"John O'Neil, former CEO of Business Engine Software, pleaded guilty in a San Francisco federal court on Wednesday to conspiracy to download and steal the trade secrets of software competitor Niku over a 10-month period...

From October 2001 until July 2002, Business Engine used the passwords to gain unauthorized access to Niku's systems more than 6,000 times and downloaded over 1,000 confidential documents containing trade secrets, the complaint alleged. The stolen documents included technical specifications, product designs, prospective customers, customer proposals, client account information and pricing.

Niku discovered the break-in after a Business Engine salesman made an unsolicited call to one of Niku's prospective clients, a Nike employee who happened to be related to Niku's chief information officer, Warren Leggett. The call raised suspicion because the Nike employee was not ordinarily responsible for software purchasing decisions, had never heard of Business Engine and had no idea how the salesman had obtained his contact information, according to a declaration by Leggett.

The incident prompted Leggett to examine his company's computer logs and files from his recent meeting with Nike. He quickly determined from a trail of Internet network addresses that someone from outside the company had been stealing files. Leggett was able to trace the intrusions back to Business Engine by using Internet domain registration information and publicly available Internet tools." (emphasis added)

Whoa. Niku has been 0wn3d for 10 months, and accessed "more than 6,000 times," before a freak family relation caused the right gears to mesh. What kind of security did Niku have (or not have) that would let a compromise continue undetected and unimpeded for so long?

The sad fact is that many of the most interesting intrusions (i.e., not worms, or bots, or viruses) are discovered by non-technical means. Once a company is clued in to the fact they have a breach, the question becomes one of scoping the incident. For example:

  • What happened/is happening?

  • What systems are or may be affected?

  • What information did the intruder copy, change, or destroy? (violations of confidentiality, integrity, or availability)

  • When did the intruder first gain unauthorized access?

  • When was the last time the intruder accessed victim systems?


Most organizations are not collecting the NSM data they need to answer these questions. Is yours?
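To show how retained session data answers the scoping questions above, here is an added example that is not part of the original post. The record layout, host names, accounts, addresses and the internal network range are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of session records (not data from the Niku case).
# Addresses are from documentation ranges; hosts and accounts are made up.
SAMPLE_SESSIONS = """\
start,src_ip,dst_host,account,bytes_out
2001-10-03T02:14:00,203.0.113.45,docs01,jsmith,48213
2001-10-03T09:01:00,10.1.4.22,docs01,jsmith,1200
2001-11-17T23:40:00,203.0.113.45,crm01,jsmith,910442
2002-02-08T01:05:00,203.0.113.45,docs01,mlee,2204871
2002-03-12T14:30:00,10.1.7.9,crm01,mlee,5400
2002-07-19T03:22:00,198.51.100.7,crm01,mlee,77310
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: the victim's address space


def scope_external_access(csv_text, internal_nets=INTERNAL_NETS):
    """Summarise sessions that came from outside the organisation, per source."""
    scope = defaultdict(lambda: {"first": None, "last": None, "sessions": 0,
                                 "systems": set(), "accounts": set(), "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ip_address(row["src_ip"])
        if any(src in net for net in internal_nets):
            continue  # internal source: not part of this scoping question
        when = datetime.fromisoformat(row["start"])
        entry = scope[row["src_ip"]]
        # When did access first occur, and when was the most recent access?
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
        entry["sessions"] += 1
        entry["systems"].add(row["dst_host"])        # which systems are affected?
        entry["accounts"].add(row["account"])        # whose credentials were used?
        entry["bytes_out"] += int(row["bytes_out"])  # rough size of what was copied
    return dict(scope)


if __name__ == "__main__":
    for src, e in sorted(scope_external_access(SAMPLE_SESSIONS).items()):
        print(f"{src}: {e['sessions']} sessions, {e['first']} to {e['last']}, "
              f"systems={sorted(e['systems'])}, accounts={sorted(e['accounts'])}, "
              f"bytes_out={e['bytes_out']}")
```

None of these answers is recoverable unless the session records were being collected before the intrusion was noticed.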