Tuesday, August 10, 2010

Tech-Ed-2010 Session Summaries 9: Laura Chappell on Corporate Espionage

Broadly speaking, there are two types of presenters at Tech-Ed. There are the meticulously outlined and powerpointed, clearly rehearsed presentations. Then there are the seemingly wing-it presentations, where the presenter has few slides, and often laughs it off, preferring to cram demos into the session. The former goes by practice, the latter by passion. Mark Minasi or Jeff Woolsey exemplify the former, and some of Steve Riley’s later presentations represent the latter.


The difficult thing is, six months after the presentation, the video and the powerpoint are usually all we have to rely on. And if all you have is an 80-minute presentation, it’s unnecessarily difficult to find what you need for your work, and you often have to go almost frame by frame to see the details. Maybe you enjoy slow-motion spelunking. Maybe I don’t.


Laura Chappell’s presentation, ostensibly on corporate espionage, split into two halves. The first was narrative, the second technical. Throughout she tossed in insights, names, sites, and suggestions.


The first part consisted of five case studies. The first one was extremely illuminating; all were worth hearing:


1. A company had outsourced some development work to India. When they received the code and put it on their servers, it made a connection to a website called “five knives”. Then massive outbound traffic started. The outsourcing company had put in code that searched through the entire drive looking for any documents with the words “agreement”, “signature”, “title”, etc., stealing all the contracts. Nothing was encrypted, and all of it could be seen in plaintext in transit. Incidentally, this story alone was worth the time investment in this presentation. It would have been interesting to learn its outcome.

2. A company planned to release a new cell phone product, expecting it to be a cash cow for the next few years. They decided to outsource some production to India. The product manager was sent to India bearing a single hard drive with all the product plans. He reported back that the drive had been lost. Indian law enforcement was of no assistance. Eventually a competitor released a comparable product first.

3. Outplacement/Separation. Some types of firewalls are verbose, and some are silent. Verbose firewalls in effect inform people their access has been blocked, which enables some to find circumventions. Laura gave the example of a company which discovered almost $200,000 had been siphoned off through a remote office which had been closed (management was not aware of this). The most successful such attacks take place before major holidays.

4. Lost Prototype. An iPhone 4 prototype was lost in a public place, retrieved, and sold. A familiar story, with good discussion of the efforts made to carry out, and to thwart, such attempts to steal products.

5. Blabla and Stephen Watt. Involved the theft of 170 million credit/debit card numbers. Watt designed a program that by itself accessed at least 45 million credit and debit card numbers. Other partners were also bought off and brought in.


There was some good insight here. For instance, she mentioned business aspects of breaches, from stuff like fireproof safes to how to interact with law enforcement, how to get in close with law enforcement in HTCIA (and its great value), and valuable products for host forensics (Access Data with their Forensic Toolkit and Guidance Software with Encase). Another example was a recommendation to search for “cybercrime DOJ forensics” and to look for an excellent DOJ paper for first responders.


The second half was non-narrative and more technical, built around a series of network traffic traces. Oddly, it seemed very impressionistic; watching her muse in Wireshark over which capture file to pull up made me wonder how much advance thought and planning had gone into this presentation. But I digress.


Chappell showed a site listing credit card numbers for sale, with related info (security codes, etc.). Next she showed Wireshark in action, using a sample trace file available from the Wireshark book site. She also discussed NMAP (a network scanning and discovery product); ZenMAP, its graphical add-on, lets you traceroute to the discovered hosts and see how devices on the internet relate to one another. These are the kinds of resources used for reconnaissance. There was much practical advice on social engineering, on traffic analysis techniques in general, and on Wireshark in particular. For example, even handshake refusals are significant, since they frequently identify chatty firewalls: a firewall that answers a blocked connection attempt with a reset tells the other side exactly where the block is, whereas one that silently drops the packet reveals nothing. Chappell gave a good description of using taps to capture traffic for analysis, the logistics involved, what she looks for, and the characteristics of troublesome packets.
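The handshake-refusal point above is easy to check against your own perimeter from a capture. The following is an added example, not code from the talk or from Wireshark: it reads a constructed, tshark-style packet summary (the field layout, hosts and ports are assumptions) and labels each connection attempt as answered with SYN-ACK, refused with a reset (the “verbose” firewall or closed-port case), or never answered at all (the “silent” drop case), so a defender can audit which of the two behaviours their firewall exhibits.

```python
from collections import Counter

# Constructed sample in a tshark-like layout (assumption, not real output):
# time  src  dst  sport  dport  tcp-flags   where flags are S, SA, R or RA.
SAMPLE = """\
0.000 10.0.0.5 203.0.113.10 40001 22 S
0.012 203.0.113.10 10.0.0.5 22 40001 SA
0.013 10.0.0.5 203.0.113.10 40002 23 S
0.014 203.0.113.10 10.0.0.5 23 40002 RA
0.015 10.0.0.5 203.0.113.10 40003 3389 S
1.015 10.0.0.5 203.0.113.10 40003 3389 S
"""

SYN, SYN_ACK, RESETS = "S", "SA", ("R", "RA")


def parse(text):
    """Turn the summary into (time, src, dst, sport, dport, flags) tuples."""
    rows = []
    for line in text.splitlines():
        t, src, dst, sport, dport, flags = line.split()
        rows.append((float(t), src, dst, int(sport), int(dport), flags))
    return rows


def classify_handshakes(rows):
    """Map (client, server, dport) to 'open', 'refused' or 'silent'.

    A SYN registers the attempt as 'silent' until a reply arrives; a SYN-ACK
    upgrades it to 'open', a reset marks it 'refused'. Retransmitted SYNs
    (same client/server/port) leave the attempt as 'silent'.
    """
    outcomes = {}
    for _, src, dst, sport, dport, flags in rows:
        if flags == SYN:
            outcomes.setdefault((src, dst, dport), "silent")
            continue
        key = (dst, src, sport)  # reply: flip direction, server port is sport
        if key in outcomes:
            if flags == SYN_ACK:
                outcomes[key] = "open"
            elif flags in RESETS:
                outcomes[key] = "refused"
    return outcomes


def summarize_by_server(outcomes):
    """Count outcomes per server; many 'refused' means a verbose firewall."""
    per_server = {}
    for (_, server, _), outcome in outcomes.items():
        per_server.setdefault(server, Counter())[outcome] += 1
    return per_server
```

Run over a real capture exported with the same six fields, a server that returns mostly “refused” is announcing its block list, which is the behaviour the talk warns about.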


The second half of the presentation seemed driven by samples chosen on the fly, rather than samples selected to illustrate planned, organized ideas. That’s not to say there was no insight or value. But it did seem wandering and unstructured. Re-listening and trying to outline her presentation, I was often left scratching my head. That being said, Chappell consistently gets high ratings for her Tech-Ed presentations; I’ll have to listen again to see what I’m missing.

