Human Resources department is the greatest leaker of trade secrets

So says business intelligence specialist Michael Schrenk, who demonstrated at Defcon 22 in Las Vegas this week the helpful ways in which businesses leak trade secrets to competitors. It’s notable that some perfectly ordinary activities provide a wide-open window for business espionage.

Job postings are among the richest sources of valuable company information. One slide from Schrenk’s presentation featuring a help-wanted ad is particularly telling. (He did not provide copies of his slides to attendees. The following account is the best Habeas Hard Drive can provide from memory.)

The ad seeks to fill an immediate opening in the IT department of a law firm with offices in multiple cities. Its name and satellite locations are included, and its specialty is described as intellectual property. As a bonus, it offers a link to “our client list.” For business spies, that’s like a neon sign that says, “We have secrets belonging to the following companies!”

Attorneys may believe a list of prestigious clients attracts quality applicants to a firm. But an IT applicant cares little about this. In fact, there is no real reason to include the name of the company, especially in combination with a comprehensive description of the particular IT skills being sought. Those details together invite educated guesses about how the network functions, where it’s located, what might be stored there, and how to gain access.

In addition, Schrenk said, the “immediate” opening offers a clue that IT is short-staffed, and could prompt a “social engineering” attack, a term used by hackers that means deceiving a human being into facilitating their activity.

Suppose the new IT guy in Minneapolis gets a call from someone named “Joe Smith” who says he’s in the Phoenix office, Schrenk mused. “Joe” has been observing the company’s information-rich website for some time, and knows enough to pull off a con. He introduces himself as an associate with an urgent need. He’s due in court in 15 minutes and must have notes related to a certain client, but needs help getting access to files. If “Joe” is a skilled social engineer, he’ll have a very plausible story about why he should have access, but doesn’t.

The new IT guy is eager to please. His skill set (as described in the personnel ad) suggests he might be running a one-man shop. He may be working alone, overwhelmed with responsibility.

Who knows what treasure this con might yield? The spy might end up with his own email account, free to roam at will through client files and anything else that looks interesting.

Trade secrets can also leak into the company from the outside. As this piece by attorney Jeffrey Farrow reveals, information carried in the heads of new employees – or their smart phones – can spawn lawsuits from their former employers. Farrow’s focus is averting claims of unfair competition, but Habeas Hard Drive believes there’s a larger point: The nature of trade secrets has changed and expanded to include such things as client contact lists and social media postings, and they’re now as portable as the handheld device in your pocket.

