File000095

Computer Hacking Forensic Investigator v4 Exam 312-49
Investigating Corporate Espionage
Module XLI Page | 3599 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Computer Hacking Forensic Investigator (CHFI)
Module XLI: Investigating Corporate Espionage
Exam 312-49


 News: Changing the Face of OPSEC
Operations Security, or OPSEC, was used as a military tool earlier to secure Military functions. It is the
process to deny an adversary (a competitor in the corporate world, or an individual doing bad activities
according to public) access to the information that is attempted by unauthorized entities to achieve their
desired goals against the person or organization. Every piece of information is significant to the
organization for its business and should always be protected to avoid any kind of trouble.
Many organizations are realizing the need of OPSEC and their role in the organization’s security
operation. OPSEC has proven to be a low-cost addition in the existing security programs of the
organizations to secure them from the occurrence of corporate espionage. All Federal service providers
are required to integrate OPSEC into their business proposals, but many organizations are doing so
voluntarily in other interactions. Some of the examples include Raytheon, Consolidated Networks
Corporation and H&R Block.


 Case Study: The New Spies
Source: http://www.newstatesman.com/
Private espionage industry is on a high demand and the environmental protest groups are their main
targets. A camp for Climate Action focuses on getting inside Kingnorth power station to prevent the
construction of new coal facility. To do this, look for the fellow protesters who are hired by private
companies.
According to the private espionage industry, about one in four of the comrades is on multinational’s
payroll.
Russel Corn, the managing director of Diligence, says that private spies cover up to 25 per cent of every
activist camp. In the month of April, the anti-aviation campaign network Plane Stupid, is one of the
important organizers of eco-camp built to protest against the expansion of Heathrow Airport. He also said
that one of their activists, Ken Tobaias, was working for a corporate espionage firm called C2i. He was
hired to divert and disturb the group’s campaigning.
At that time, Tobias first came for a Plane Stupid’s meetings in July 2007. He looked as a committed
former Oxford student striving to reduce aircraft emissions. The group however got suspicious as he
showed early at meeting, constantly pushed for increasingly drama tic direct action and - the ultimate
giveaway - dressed a little too well for an ecowarrior. When the team enquired about him in around the
Oxford, they found an old college pal of him who identified him as Toby Kendall. A Google search revealed
his Bebo page that has a link to corporate networking site, in which his job is an analyst at C2i
internationals.
Cara Schaffer contacted students and farm worker alliance, American college students who lobby fast-
food companies to help migrant workers in Florida who harvest tomatoes. These workers are smuggled
into US by the gangs who take their passports and force them to do work. The eagerness of Schaffer’s
raised suspicion, and by Internet her actual identity is revealed. She owned a Diplomatic tactical service
which is a private espionage.
From New York and London to Moscow and Beijing, any decent-sized corporation can now hire former
agents from the CIA, FBI, MI5, MI6, and the KGB. "MI5 and MI6 in particular have always guided ex-
employees into security companies," explains Annie Machon, the former MI5 agent.
Blackwater's vice-chairman, J Cofer Black, who runs TIS, said that it operates a 24/7 intelligence fusion
and warning centre. It monitors civil unrest, terrorism, economic stability, environmental and health
concerns, and information technology security around the world.

Like the state security services that ended up running class war in 1990s after a successful penetration,
these spies work as believable members for a nay protest movements. In the year 2007, the Campaign
against Arms Trade called in the police after the court documents revealed that weapons manufacturer
BAE systems paid a private agency to spy on the peace group.


 News: Confessions of a Corporate Spy
Source: http://www.computerworld.com/
A former National Security Agency analyst who is an expert in corporate espionage gave details of
incidences where he easily found his way into many U.S. companies. He touted that in a case within just a
few hours he made product plans and specifications that are worth of billions of dollars.
Ira Winkler, global security strategist at CSC Consulting, spoke at Computerworld's Premier 100 IT
Leaders Conference and punctured several popular misunderstandings about information security. At a
large company, he influenced a guard to admit him by saying he had lost his badge and presented a
business card as a substitute. He exploited many security weaknesses, from doors unlocked, using forged
signatures, etc. He found that most of the information is present on the Internet. For example, at one
company, he found which people to target by reading the company newsletter on the firm’s website.
Lawyers are also a target, and called them as the worst for computer security.
Winkler says that some companies secured their information equally, but instead they should devise a
system by protecting them according to their priority. He offered a formula that risk is equal to the
product of threat, vulnerability, and value divided by countermeasures.

Module Objective
Information can make or mar the success story of an organization in today’s business world. There has
been a buzz for a while about competitors stealing trade secrets and other information to enhance their
competitive edge. Companies all over the world are losing billions of dollars due to trade secret thefts.
Losses due to corporate espionage are far more devastating than other technical and non-technical losses.
The Module “Investigating Corporate Espionage” will discuss various aspects of corporate espionage and
strategies to prevent and investigate such cases. This module will familiarize you with:
 Corporate Espionage
 Motives behind Spying
 Information that Corporate Spies Seek
 Causes of Corporate Espionage
 Spying Techniques
 Defense from Corporate Spying
 Tools

Module Flow

 Introduction to Corporate Espionage
According to www.scip.org, “Espionage is the use of illegal means to gather information.” Information
gathered through espionage is generally confidential information that the source does not want to divulge
or make public. The term “Corporate espionage” is used to describe espionage for commercial purposes.
Corporate espionage targets a public or private organization to determine their activities and obtain
market-sensitive information such as client lists, supplier agreements, personnel records, research
documents, and prototype plans for a new product or service. This information, if leaked to competitors,
can adversely affect the business and market competitiveness of the organizations.
It is widely believed that corporate espionage is a high-tech crime committed by highly skilled persons. On
the contrary, corporate penetration is accomplished with simple and preventable methods. Corporate
spies do not depend on computer networks alone for information; they look for the easiest ways to gather
information. Even trash bins and scrap bits of papers can be of a great help in collecting sensitive
information. Spies look for areas that are generally ignored. For example, they take advantage of people’s
negligence, such as forgetting to close doors or leaving scrap, or waste paper around which contains
sensitive information.
Market research and surveys show the severity of corporate espionage. According to the FBI and other
similar market research organizations, U.S. companies lose anywhere from $24 billion to $100 billion
annually due to industrial espionage and trade secret thefts, whereas technical vulnerabilities are
responsible for just 20% or less of all losses.

 Motives Behind Spying
Motives behind spying include:
 Financial Gain:
The main purpose of corporate espionage is financial gain. A company’s trade secrets can be sold
for millions of dollars. Competitors can use the stolen information to leverage their market
position and obtain great financial benefits.
 Disgruntled Employee/Professional Hostilities:
Professional hostilities are also a result of market competition. Competitors often resort to
negative publicity of an organization’s issues which otherwise may have been kept secret and
sorted out in time. There have been many instances when a rival company has disclosed secret
information collected through corporate espionage of an organization resulting in plummeting
stocks and drastic decreases in market capitalization.
 Challenge and Curiosity/Just for Fun:
People sometimes indulge in corporate espionage just for fun and to test their skills. Students of
security programs and researchers often try to reenact corporate espionage. Though not
disastrous, it compromises corporate information’s security. These people themselves can also be
turned into a target for corporate espionage.
 Personal Relations:
Many times, a corporate spy is motivated by personal or non-ideological hostility towards the
country or organization. Personal hostilities of disgruntled employees and job seekers towards an
organization play a major role in almost all corporate espionage cases. The offenders reveal
important, sensitive information to others out of spite.

 Information that Corporate Spies Seek
Information that corporate spies seek includes:
 Marketing and new product plans
 Source codes of software applications. It can be used to develop a similar application by a
competitor or for designing a software attack to bring down the original application, thus causing
financial losses to the developer
 Corporate strategies
 Target markets and prospect information
 Business methods
 Product designs, research, and costs. Huge investments will be in vain if the product design and
related research is stolen, because the competitor can also develop the same product and offer it
for less
 Alliance and contract arrangements: delivery, pricing, and terms
 Customer and supplier information
 Staffing, operations, and wage/salary
 Credit records or credit union account information
All of the above information is considered crucial for the success of an organization. Leaks in this
information could have catastrophic effects on organizations.

 Corporate Espionage: Insider/Outsider Threat
Corporate espionage threats can be classified into two basic categories:
 Insiders:
Insiders such as IT personnel, contractors, and other disgruntled employees who can be lured by
monetary benefits are the main targets of corporate spies. An insider threat is always considered
more potent than the outer threats because insiders have legitimate access to the facilities,
information, computers, and networks. According to the available study reports, almost 85% of
espionage cases originate from within the organization. Insiders can easily misuse their privileges
to leak out sensitive information or can collaborate with an outsider in espionage. There are
several factors that may prompt an insider to sell information to a competitor or spy, such as:
o Lack of loyalty
o Job dissatisfaction
o Boredom
o Mischief
o Money
 Outsiders:
Outsiders include corporate spies, attackers, and attackers, who have been hired by a competing
organization or motivated by personal gain. These people try to intrude into the organization’s
affairs for the purpose of stealing sensitive information. An outsider can enter a company through
Internet connection lines, physical break-ins, or partner (vendor, customer, or reseller) networks
of the organization.


 Threat of Corporate Espionage due to Aggregation of Information
Espionage is a form of threat to the organization where aggregation of information creates several issues
regarding espionage to the organization. If organizations aggregate and save information at one particular
location, personnel can access critical information easily. Aggregation of information can lead to either an
insider or outsider attack. In an insider attack, insiders or the personnel with access privileges (to access,
i.e., to read/write) can tamper, edit, overwrite, or send critical information to the competitors.
The other form of attack in espionage is an outsider attack. Here, the outsider who breaks into the
private/isolated network of the organization can search, aggregate, and relate all the information, thus
leading to espionage.

 Techniques of Spying
Spying techniques include:
 Hacking Computers and Networks
This is an illegal technique of obtaining trade secrets and information.
 Social Engineering
According to www.microsoft.com, social engineering is defined as a “non-technical kind of
intrusion that relies heavily on human interaction and often involves tricking other people to
break normal security procedures.”
Social engineering is the use of influence and the art of manipulation of individuals for gaining
credentials. Individuals at any level of business or communicative interaction can make use of this
method. All the security measures that organizations adopt are in vain when employees get
“socially engineered” by strangers. Some examples of social engineering include unwittingly
answering the questions of strangers, replying to spam email, and bragging to co-workers.
 Dumpster Diving
According to search security, “Dumpster diving is looking for treasure in someone else's trash (A
dumpster is a large trash container). In the world of information technology, dumpster diving is a
technique used to retrieve information that could be used to carry out an attack on a computer
network.”
Dumpster Diving is searching for sensitive information in target companies’:
o Trash bins
o Printer trash bins
o User desk for sticky notes
 Whacking
Whacking is wireless hacking that is used to capture information passing through a wireless
network.
 Phone Eavesdropping
Phone eavesdropping is eavesdropping using telephones. "Electronic eavesdropping is the use of
an electronic transmitting or recording device to monitor conversations without the consent of
the parties."
 Network Leakage
Most organizations set up their networks to block or limit inbound and outbound connections.
Even organizations that are starting to filter outbound traffic still allow certain traffic out. Two
types of traffic that are always allowed out of an organization are web and email traffic.
 Cryptography
Cryptography is a technique to garble a message in such a way that the meaning of the message
will be changed. With cryptography, you start off with a plaintext message, which is a message in
its original form. You then use an encryption algorithm to garble a message, which creates
ciphertext. You would then use a decryption algorithm to take the ciphertext and convert it back
to a plaintext message. During the encryption and decryption process, what protects the
ciphertext and stops someone from inadvertently decrypting it back to the plaintext message is
the key. Therefore, the secrecy of the ciphertext is based on the secrecy of the key and not the
secrecy of the algorithm. Thus, to use an encryption program, you have to generate a key. The key
usually is tied to a user name and email address.

No validation is performed, so you can put in bogus information that could be used later to launch
a man-in-the-middle attack where you can trick someone into using a false key. If you know the
public key for a user, you can encrypt a message; but only if you know the private key can you can
decrypt a message. The public key can be distributed via a trusted channel, but your private key
should never be given out. If someone can get access to your private key, then they can decrypt
and read all your messages.
 Steganography
Steganography is data hiding, and is meant to conceal the true meaning of a message. With
steganography, you have no idea that someone is even sending a sensitive message because
he/she will be sending an overt message that completely conceals the original covert message.
Therefore, cryptography is often referred to as secret communication and steganography is
referred to as covert communication, but insiders use steganography techniques to pass out
credentials to other organizations.

 Defense Against Corporate Spying
You can secure the confidential data of a company from spies using the following techniques:
 Controlled Access:
o Encrypt the most critical data
o Never store sensitive information of the business on a networked computer
o Classify the sensitivity of the data and thus categorize personnel access rights to
read/writethe information
o Personnel must be assigned the duties where their need-to-know controls should be defined
o Ensure authorization and authentication to critical data
o Store confidential data on a stand-alone computer with no connection to other computers and
the telephone line
o Install anti-virus and password protect the secured system
o Regularly change the password of the confidential files
 Background investigation of the personnel:
o Verify the backgrounds of new employees
o Physical security checks should not be ignored
o Monitor the employees’ behavior
o Monitor systems used by employees
o Disable remote access
o Make sure that unnecessary account privileges are not allotted to normal users
o Disable USB drives in the employee’s network
o Enforce a security policy which addresses all concerns of employees
Basic security measures to protect against corporate spying:
 Destroy all paper documents before trashing them. Secure all dumpsters and post ‘NO
TRESPASSING’ signs
 Conduct security awareness training programs for all employees regularly

 Place locks on computer cases to prevent hardware tampering
 Lock wire closets, server rooms, phone closets, and other sensitive equipment
 Never leave a voice-mail message or email broadcast message that gives an exact business
itinerary
 Install electronic surveillance systems to detect the physical intrusions

 Steps to Prevent Corporate Espionage
The following are the steps that help in preventing corporate espionage:
 Understand and prioritize critical assets
Determine the criteria that are used to estimate value. Monetary worth, future benefit to the
company, and competitive advantage are sample criteria that could be used. Whatever the criteria
are, they need to be determined first.
After all your assets are scored, you need to prioritize them based on the criteria. When you are
done, you should have a list of all the critical assets across your organization. These assets
represent the crown jewels of your organization and need to be properly protected. Once the list
of assets has been determined, the critical assets need to be protected. Understanding the likely
attack points and how an attacker would compromise the asset is the “Know Thy Enemy” portion
of the equation.
 Define the acceptable level of loss
The possibility for loss is all around, and risk management becomes a driving factor in
determining what efforts should be focused on by an organization and what can be ignored. As

difficult as it may seem for all critical assets, an adequate level of risk needs to be defined. This
helps an organization to focus on what should or should not be done with regards to insider
threat. A cost-benefit analysis is a typical method of determining the acceptable level of risk. The
general premise behind a cost-benefit analysis is determining what the cost is if the asset is lost in
part or in whole, versus what the cost is to prevent that loss. While this is hard for some people to
swallow, there are actually many situations where it is more cost effective to do nothing about the
risk than to try to prevent or reduce the risk from occurring.
Typically, there are two methods to deal with potential loss: prevention and detection. Preventive
measures are more expensive than detective measures. With a preventive measure, you stop the
risk from occurring. With detective measures, you allow the loss to occur but detect it in a timely
manner to reduce the time period in which the loss occurs. Defining an acceptable level of loss
enables an organization to determine whether they should implement preventive or detective
measures. If your acceptable level of loss is low, which means you have a low tolerance for a loss
to a given asset, a preventive measure would be more appropriate to stop the loss. You would have
to be willing to spend the extra money on appropriate preventive measures. If your acceptable
level of loss is high, this means you have a higher tolerance and would most likely spend less
money on a solution and implement detective measures. Now you are allowing the loss to occur,
but you are controlling and bounding it. Therefore, performing calculations on an acceptable level
of loss plays a critical role in controlling the insider threat.
 Control access
The best method for controlling the insider threat is limiting and controlling access. In almost
every situation in which an insider compromises, it is usually because someone had more access
than he/she needed to do his/her job. There are usually other factors at play, but the number one
factor is properly controlling access. For preventing an insider attack, it is better to allocate
someone the least amount of access that he/she needs to do his/her job. Encrypt the most critical
data. Never store sensitive information about the business on a networked computer; and store
confidential data on a standalone computer which has no connection to other computers and the
telephone line. Regularly change the password of the confidential files.
 Bait: Honeypots and Honeytokens
A honeypot is a system that is put on your network that has no legitimate function. It is set up to
look attractive to attackers and lure them in. The key thing about a honeypot is that there is no
legitimate use for it, so no one should be accessing it. If someone accesses the honeypot in any
way, they are automatically suspicious because the only way they could have found it is if they
were wandering around your network looking for something of interest. If they were only doing
what they were supposed to, they would have never found the system.
A honeytoken works the same way as a honeypot, but instead of an entire system, it is done at a
directory or file level. You put an attractive file on a legitimate server and if anyone accesses it,
you just caught them with his/her hand in the cookie jar. This usually has a higher pay off.
Insiders are really good at figuring out a certain system or even a certain directory that contains
critical IP for the company. If you add an additional file to the system or directory, there is a
chance that someone might stumble across it. Once again, since this is not a legitimate file, no one
should be accessing it. There is no speculation involved if someone accesses the honeytoken file.
They are clearly up to no good since there is no reason anyone should be accessing it. Therefore,
by setting them up correctly, honeytokens can enable you to set up a virtual minefield on your
critical system. If you are a legitimate user and know the files you are supposed to access, you can
easily navigate the minefield and not set off any mines. However, if you are an insider trying to
cause harm, there is a good chance that you will be tempted by a honeytoken or misstep.
 Mole Detection
With mole detection, you are giving a piece of data to a person, and if that information makes it
out to the public domain, you know you have a mole. If you suspect that someone is a mole, you
could “coincidentally” talk about something within ear shot of him and if you hear it being
repeated somewhere else, you know that person was the mole. Mole detection is not technically

sophisticated but can be useful in trying to figure out who is leaking information to the public or
to another entity.
 Profiling
An ideal way to control and detect the insider is by understanding their behavioral patterns. There
are two general types of profiling that can be performed: individual and group. Individual
profiling is related to a specific person and how he/she behaves. Every person is unique, so
individual profiling helps the profiler decipher the pattern of normality for a given individual and
if it falls outside of that norm, that person is flagged. The advantage of this method is that it
closely matches to an individual and is more customized to how a single individual acts. The
problem is that it changes with the person, so if the attacker knows that individual profiling is
being performed and makes slow, minor adjustments to their behavior, they could slip through
the system.
 Monitoring
Monitoring is easy to do and provides a starting point for profiling. With monitoring, you are just
watching behavior. In watching the behavior, you could inspect the information either manually
or automatically but you are looking for a specific signature in the information you are
monitoring. In order to profile a given person and flag exceptional behavior, you have to perform
monitoring as the base. Therefore, in many cases, it is better to start with monitoring to see how
bad the problem is and then move towards profiling if that is deemed necessary at a later point in
time. Before an organization performs monitoring, it is critical that they do it in a legal and ethical
manner. From a legality standpoint, it is critical that an organization determines whether
information has an implied expectation of privacy.
Different types of monitoring can be performed:
• Application-specific
• Problem-specific
• Full monitoring
• Trend analysis
• Probationary
 Signature Analysis
Signature analysis is a basic but effective measure for controlling insider threats or any malicious
activity. Signature analysis is also called pattern analysis because you are looking for a pattern
that is indicative of a problem or issue.
The problem with signatures is that you must know about an attack in order to create a signature
for it. The first time an attack occurs, it is successful because you do not have a signature. After it
is successful and you perform an incident response and damage assessment, you can figure out
how the attack occurred and can build an appropriate signature the next time. However, if the
next time the attacker attacks in a different manner, the signature might miss the attack again.
This brings up two important points with regards to signatures. First, they will only catch known
attacks; they will not catch zero-day attacks. A zero-day attack is a brand new attack that has not
been publicized and is not well known. Second, signatures are rigid. If you have a signature for an
attack and it occurs exactly the same way each time, you can detect it and flag it. However, if it is
morphed or changed, there is a good chance the signature will no longer be effective. The last
problem with signatures is that they take a default allow stance on security. A default stance lists
what is malicious and anything else that falls through will be flagged as good. By itself, signature
detection says if you see a signature that is bad behavior but there is not a signature match, then
the behavior must be good.

 Key Findings from U.S Secret Service and CERT Coordination Center/SEI study on
Insider Threat
Source: http://www.cert.org/
From the U.S Secret Service and CERT Coordination Center/SEI study, the following things are revealed
on threats:
 A negative work-related event triggered most insiders’ actions
 The most frequently reported motive was revenge
 The majority of insiders planned their activities in advance
 Remote access was used to carry out the majority of attacks
 Insiders exploited systematic vulnerabilities in applications, processes, and/or procedures, but
relatively sophisticated attack tools were also employed
 The majority of insiders compromised computer accounts, created unauthorized backdoor
accounts, or user shared accounts in their attacks
 The majority of attacks took place outside normal working hours

 The majority of the insider attacks were only detected once there was a noticeable irregularity in
the information system or a system became unavailable
 The majority of attacks were accomplished using the company’s computer equipment
 The insiders not only harmed the specific individuals, but also the organizations

 Netspionage
Source: http://www.pimall.com/
“Netspionage is defined as network enabled espionage, and in our information systems world, it is an
exciting way of …extending the old practice of competitive intelligence gathering. This new, computerized,
and information-dependent world is heavily dependent on the web, networks, and software technology.
The information gatherers of this new age are exploiting [our] dependency on technology for personal,
corporate, and national gain.”
Corporate espionage is an old practice but the advent of the Internet has made it easier, faster, and much
more anonymous. Netspionage enables the spies to steal sensitive corporate information without
physically entering into the company.

 Investigating Corporate Espionage Cases
Check the points of the possible physical intrusion: Before starting an investigation into a corporate
espionage case, scan all points of possible physical intrusion carefully. These points may provide clues on
how the information might have leaked and can also provide fingerprints if anybody passed through that
are helpful in presenting the case before a court of law.
Check the CCTV records: Check all the CCTV records for any unusual activity. This often leads to the real
culprit.
Check emails and attachments: Check all official emails and other emails with their attachments used at
the workplace. In many cases, the information is passed outside using emails. Thoroughly scan any
suspicious mail and try to find out its destination.
Check systems for backdoors and Trojans: Disgruntled employees install backdoors and Trojans in their
systems using their privileges as employees before quitting their job. So, scan all the systems and check
for backdoors and Trojans. If any backdoor or Trojan is discovered, trace its connecting options.
Check system, firewall, switches, and router’s logs: Logs show each and every event taking place in a
network. Examine the logs of all network devices to surmise suspicious activities, such as when and which
data passed through the network and which kind of services and protocols were used.
Screen the logs of network and employee monitoring tools if any: If you have installed any kind of
employee monitoring tools in your systems, analyze their reports. But before using any such monitoring
tools, take care of any legal aspects.
Seek the help of law enforcement agencies if required: Help of law enforcement agencies are necessary to
track the culprit and bring him or her to trial.

 Employee Monitoring: Activity Monitor
Source: http://www.softactivity.com/
The Activity Monitor allows you to track how, when, and what a network user did in any LAN. The system
consists of a server and client parts.
Features:
 Views remote desktops
 Easy Internet usage monitoring
 Monitors software usage
 Records activity log for all workplaces on the local or shared network location. Log file includes
typed keystrokes, records of switching between the programs with time stamps, application path
and window names, visited websites, and more
 Tracks any user’s keystrokes on your screen in real-time mode. Passwords, email, chat
conversation - you have the full picture
 Takes snapshots of the remote PC screen on a scheduled basis. Easy spying without your
presence. Time-sorted history of the activity in compressed JPEGs on your computer
 Total control over the networked computers. Start or terminate remote processes, run commands,
copy files from remote systems. You may even turn the computer off or restart it, not to mention
logging off the current user
 Deploys Activity Monitor Agent (the client part of the software) remotely from the administrator's
PC to all computers in your network
 Auto detection of all networked computers with Agent installed
 Automatically downloads and exports log files from all computers on a scheduled basis
 HTML, Excel, CSV support to export data and reports
o Easy to understand reports in HTML format for viewing in browser
o Exports logs to MS Excel for advanced analysis. Views total picture of what programs users
work with
o Exports logs to CSV file for further importing into your custom database

o Combines log files from different computers or users and exports them into a single resulting
file
 You see it instantly on your screen when users type text on their computers
 Monitors multiple employee computers simultaneously from a single workstation in LAN
 Workplace surveillance software part, running on the monitored PC, is difficult to find for an
employee because it does not show up in the task list (on Win9X) and runs completely invisible
 Installs, uninstalls, or stops Agent spy program remotely from the administrator's PC
 Easy to install and use. Works on PCs with Windows 98/Me/NT/2000/XP/2003
Figure 40-1: Activity Monitor Screenshot (Source: http://i.d.com.com)

Figure 40-2: Activity Monitor- Admin Connection Screenshot

 Spector CNE Employee Monitoring Software
Source: http://www.spector.com/
Spector CNE is the leading employee monitoring software that is designed to provide businesses with a
complete and accurate record of all of their employee PC and Internet activity. It significantly prevents,
reduces, or eliminates problems associated with Internet and PC abuse. When the user absolutely needs to
know exactly what your employees are doing on the Internet, Spector CNE is the tool of choice. It allows
you to install, configure, record, and review Internet and PC activity across your network.
Spector CNE gives a complete record of every email sent and received, every chat conversation and instant
message, every website visited, every keystroke typed, every application launched, and detailed pictures of
PC activity via periodic screen snapshots.
The following are the features of Spector CNE:
 It monitors and conducts investigations on employees suspected of inappropriate activity
 It monitors and increases employee productivity by reducing frivolous and inappropriate activity
 It monitors and eliminates leaking of confidential information
 It monitors and recovers lost crucial communications (email, chat & instant messages)
 It monitors and assists help desk staff with PC recovery
 It meets or exceeds federal, industry, or agency compliance requirements for keeping records of
company communications and transactions
 It monitors ongoing employee performance and PC proficiency
 It obtains proof to support accusations of wrongdoing
 It reduces security breaches
 It detects the use of organization resources to engage in illegal or unethical activities
 It limits legal liability (including sexual and racial harassment)
 It enforces PC and Internet acceptable use policies

 Track4Win
Source: http://www.track4win.com/
Track4Win monitors all computer activities and the Internet use. It can automatically track the running
time of every application on a computer. With powerful network support, it can easily collect the
application running time and track Internet use information through the network, log them into the
database, and finally analyze them with very useful reports. It is an inexpensive tool to monitor web usage
and computer activities in the network. To install track4win into the system, it is necessary to have
minimum system requirements, which are as follows:
 Track4Win Professional is designed for Windows 95, Windows 98,Windows ME, Windows NT
4.0, Windows 2000 and Windows XP, Windows 2003 Server, Windows Vista (Beta)
 Track4Win Enterprise is designed for Windows NT 4.0, Windows 2000, and Windows XP
o 10 MB free disk space
o IBM compatible PC with a Pentium-class microprocessor
o TCP/IP installed
Features of Track4Win are as follows:
 Computer user/employee's current status monitoring
 Multi-user & real-time monitoring
 URL/website address capture and web content tracking
 Invisibility in Windows Task Manager.
 Free email support
 No additional hardware required
 Abundant reports, ease of use, small size, fast running speed, and cool interface
The following are the technical features of Track4Win:
 Data storage in MS Access database format
 MS SQL Server upgradeable

 Data stored in Microsoft Access database
 Support MS Access, MS SQL, Oracle, ODBC database connections
 Icon grasp and transfer
Figure 40-3: Track4Win Analyzer- File Log

Figure 40-4: Track4Win Analyzer- Hour Summary

 Spy Tool: SpyBuddy
Source: http://www.exploreanywhere.com/
SpyBuddy is a powerful spy software and computer monitoring product for monitoring spouses, children,
co-workers, or just about anyone else. It enables you to monitor all areas of your PC, tracking every action
down to the last keystroke pressed or the last file deleted. SpyBuddy is equipped with the functionality to
record all AOL/ICQ/MSN/AIM/Yahoo chat conversations, all websites visited, all windows opened and
interacted with, every application executed, every document printed, every file or folder renamed and/or
modified, all text and images sent to the clipboard, every keystroke pressed, every password typed, and
more.
Features:
 Internet Conversation Logging: Logs both sides of all chat and instant message conversations for
AOL/ICQ/MSN/AIM/Yahoo Instant Messengers.
 Disk Activity Logging: Records all changes made to your hard drive and external media.
 Window Activity Logging: Captures information on every window that was viewed and interacted
with.
 Application Activity Logging: Tracks every application/executable that was executed and
interacted with.
 Clipboard Activity Logging: Captures every text and image item that was copied to the clipboard.
 AOL/Internet Explorer History: Views All AOL and Internet Explorer websites visited before
SpyBuddy was installed, and when SpyBuddy was not recording.
 Printed Documents Logging: Logs specific information on all documents that were sent to the
printer spool.
 Keystroke Monitoring: Tracks all keystrokes pressed [including hidden system keys] and which
windows they were pressed in. Keystrokes can also be passed through a formatter for easy
viewing/exporting.
 Websites Activity Logging: Logs all website title and addresses that were visited on the PC.
 Screen Shot Capturing: Automatically captures screen shots of the desktop (or the active window)
at set intervals.
 Powerful Stealth Mode: Runs SpyBuddy in total stealth - the user will not know that it is running.

 Website Filtering: Creates website and protocol ban-lists to prevent websites from being viewed
while SpyBuddy is active.
 Website Watching: Manages a list of websites for SpyBuddy to monitor, and if a specified
keyword/phrase is found, it will record it.
 Log File Back Dating: Discretely backdates all log files to prevent file snoopers from detecting
newly created log files.
 Windows Startup: Configures SpyBuddy to start up for a single user, or to start up as a service for
all users on the system - perfect for monitoring multiple users of a PC.
 User-Based Startup: Configures SpyBuddy to only record specific users of a PC, rather than
recording all the users.
 Customizable HotKey: For total concealment, SpyBuddy allows you to customize the default
hotkey.
 Automatic Active Startup: Configures SpyBuddy to start in "Active" mode when it is started.
 Password Protection: SpyBuddy is password protected to prevent others from starting/stopping
the monitoring process, as well as changing SpyBuddy configuration settings.
 Startup Alert: Automatically have SpyBuddy display a custom alert message when it is started -
perfect for letting the users of the PC know that they are being monitored.
 Email Log Delivery: SpyBuddy can periodically send you recorded activity logs as a specified
format (HTML/Excel/Text/CSV/XML) as well as desktop screenshots to your email inbox at
specified intervals.
 Log Exporting: Export SpyBuddy Activity logs to 5 different formats, such as Microsoft Excel,
HTML, CSV, Plain Text, and XML.
 Precise User Tracking: SpyBuddy will ALWAYS log the current Windows user and the time and
date an action if performed. This will allow you to precisely track activity down to the exact user,
at the exact time it happened.
 Inactivity Timeout: Automatically suspends SpyBuddy from monitoring the PC if the machine is
inactive for a specified amount of time.
 Scheduling Agent: Automatically configures SpyBuddy to start or stop at specified times and
dates, or configures it to perform the same time everyday of the week.
 Automatic Log Clearing: SpyBuddy can automatically eradicate old/outdated logs from the
machine after a certain amount of data or keystrokes have been logged.
 Thread Priority: Adjusts SpyBuddy to adapt to your system. Using the built-in Thread Priority
utility, you can make SpyBuddy run as fast as you need it depending on your systems
specifications.

Figure 40-5: SpyBuddy Screenshot (Source: http://www.buy-spybuddy.com)

 Tool: NetVizor
Source: http://www.netvizor.net/
NetVizor is the employee monitoring software for corporate networks, which is the latest in award-
winning network monitoring software. It is easy to monitor your entire network from one centralized
location with the help of NetVizor. It allows the user to track workstations and individual users that may
use multiple systems on a network. It allows the user to perform essential user activity monitoring,
content filtering, remote administration, and more - from one central location.
The features of NetVizor are as follows:
 It logs keystrokes typed, website visits, searches, application usage, files, and documents used
 It logs Internet connections made, chat conversations, windows opened, email activities, all
Internet traffic data, uploads, and downloads
 It offers detailed user activity reports and network activity reports
 It offers real-time visual remote monitoring, and web-based remote control
 It disables spyware detectors


Figure 40-6: NetVizor screenshot

 Tool: Privatefirewall w/Pest Patrol
Source: http://www.privacyware.com/
Privatefirewall is a personal firewall and intrusion detection application that eliminates unauthorized
access to the PC. Its intuitive interface allows users to adjust default settings to create custom
configurations.
Features:
 Packet Filtering
 Port Scanning
 IP/Website Protection
 Email Anomaly Detection
 Advanced Application Protection

Figure 40-7: Private firewall with anti-spyware (Source: http://www.softpicks.net)

 Internet Spy Filter
Source: http://www.tooto.com/spyhunter/
Internet Spyware Filter blocks spyware, web bugs, worms, cookies, ads, scripts, and other intrusive
devices to protect from being profiled and tracked. When the user is online, the attacker may be
monitoring or tracking without the user’s knowledge or explicit permission. Hackers, advertisers, and
corporations may use web bugs, spyware, cookies, worms, ads, and scripts to gain access to the user’s
information and invade the privacy.
Internet Spy Filter is designed to provide advanced protection from known data-mining, aggressive
advertising, parasites, scum ware, selected traditional Trojans, dialers, malware, browser hijackers, and
tracking components. It functions like a firewall and protects online privacy and security. It acts as a
spyware remover, personal firewall, and virus stopper.

Figure 40-8: Internet Spyware Filter screenshot

 Spybot S&D
Source: http://www.safer-networking.org/
Spybot - Search & Destroy detects and removes spyware. Spyware silently tracks your surfing behavior to
create a marketing profile for you that is transmitted without your knowledge to compilers and sold to
advertising companies. It can also clean usage tracks; an interesting function if you share your computer
with other users and do not want them to see what you have been working on. It allows you to fix some
registry inconsistencies and extended reports.
Figure 40-9: Spybot - Search & Destroy screenshot (Source: http://www.globalfreeware.com)

 Anti Spy Tool: SpyCop
Source: http://www.spycop.com/
SpyCop finds spy programs such as Spector designed specifically to record your screen, email, passwords,
and much more. It detects and disables all known commercially available PC surveillance spy software
products that are currently available to everyone.
Features:
 Stop Password Theft: It detects spy software that is placed on your computer to capture your
passwords
 Keeps Your Emails Private: It alerts you if your emails are being snooped by spy software
 Kills Instant Message & Chat Spy Software: It keeps your online chats and instant messages safe
from prying eyes
 Stops Surfing Monitors: SpyCop can prevent spy software from capturing and recording what
websites you are visiting
 Stops Keystroke Loggers: SpyCop protects you from spy software that can capture and record
each keystroke
 Prevents Online Credit Card Theft: SpyCop can keep your credit card information safe if you shop
online


Figure 40-10: SpyCop screenshot

 Spyware Terminator
Source: http://www.spywareterminator.com
Spyware Terminator is an adware and spyware scanner. It can remove spyware, adware, Trojans,
keyloggers, home page hijackers, and other malware threats.
Features:
 Removes Spyware- Spyware terminator scans the computer for known threats and reports
findings in a manner that is easy to read and interpret
 Scheduled Scans- It gives users the ability to schedule spyware scans on a regular basis to ensure
the computer’s integrity
 Antivirus Integration- It includes a popular award-winning open-source antivirus software, Clam
AntiVirus (ClamAV), for optional integration to achieve a higher level of security


Figure 40-11: Spyware Terminator Scan Progress
 XoftSpySE
Source: http://www.xoftspy.co.uk/
XoftSpySE is a spyware detection, scanning and removal tool, protecting you from unwanted spyware.
Features:
 XoftSpySE scans complete PC including memory & registry
 It removes all spyware parasites, unwanted toolbars, and browser hijacks
 It prevents identity and credit card theft
 It increases your computer's speed
 It is a user-friendly interface


Figure 40-12: XoftSpySE Screenshot(Source: http://www.grumpyphil.com)

 Spy Sweeper
Source: http://www.spychecker.com/
Spy Sweeper safely detects and removes more traces of spyware including Trojans, adware, keyloggers,
and system monitoring tools.
The features of spy sweeper are as follows:
Offers real time protection: Spy Sweeper smart shields block sophisticated spyware threats in real-time,
before they can infect your system. This new version of spy sweeper advances the industry-standard in
spyware blocking, stopping threats like Trojan-Downloader-LowZones and SpySheriff from ever installing
in the first place. With spy sweeper, it is easy to keep your system spyware-free.
Advanced Detection and Removal: Its advanced detection and removal capabilities are effective at fully
removing spyware that is notorious for being difficult to eliminate. Even the most malicious spyware
programs are removed in a single sweep. You won't have to scan and restart your PC a number of times
with Spy Sweeper - one sweep and your PC is clean.
Accurate Risk Assessment: It uses a risk assessment test when detecting spyware programs to let you
know how dangerous different spyware programs are - some may pose an immediate danger to your
personal information while others are simply annoying. Spy Sweeper gives you a quick overview of each
threat, what it does, and its potential danger.
It has the ability to run spyware scans automatically, prevent new malware from being installed, prevents
unauthorized system changes to your browser settings, startup programs, host files, and so on.

Figure 40-13: SpySweeper screenshot

 Counter Spy
Source: http://www.sunbeltsoftware.com/
Counter Spy detects and removes adware and spyware from the system. It is a powerful spyware and
malware remover but treads lightly on system resources.
Features of counter spy are as follows:
System Scans: The scanning engine checks your entire computer by using in-depth scans of your
computer's hard drives, memory, process, registry, and cookies. It uses a continually updated database of
thousands of known spyware signatures to provide you with ongoing and accurate protection. You can
scan for spyware manually or schedule times for Counter Spy to scan your computer.
First Scan: FirstScan is Counter Spy's new scan and remove on-boot technology designed specifically to
detect and remove the most deeply embedded malware. Counter Spy V2 is able to scan the disk and clean
malware prior to Windows startup, so that hard-to-kill malware and rootkits can be exterminated.
Triggered through a Counter Spy system scan, FirstScan will run at the system's boot time, bypassing the
Windows operating system, to directly scan certain locations of the hard drive for malware, removing
infections where found.
Hybrid Engine: Counter Spy is powered by a revolutionary hybrid engine that merges spyware detection
and remediation with Sunbelt's all-new VIPRE technology, a new anti-malware technology created by
Sunbelt which incorporates both traditional antivirus and cutting-edge anti-malware techniques in order
to combat today's increasingly complex, blended malware threats.
Kernel-level Active Protection: The "kernel" is the heart of Windows. Counter Spy's Active Protection now
works inside the Windows kernel (the core of the operating system), watching for malware and stopping it
before it has a chance to execute on a user's system. As in the previous version of Counter Spy, Active
Protection will also alert users for potentially harmful changes to their system, based on behavioral
characteristics.
System Tools: My PC Explorers let you explore and manage key elements of your system that are
normally hidden and difficult to change. My PC Checkup helps secure your computer by updating your
computer settings to recommended security levels. The History Cleaner is a privacy tool that removes all
Internet history usage logs and 75 different activities. The Secure File Eraser is a powerful deletion tool
that completely erases any files you want removed from your computer.
ThreatNet: ThreatNet provides ongoing security risk information, which is used to update the Counter
Spy spyware database. ThreatNet is a revolutionary network community that connects diverse Counter
Spy users to share and identify new applications and signatures. This information helps block new
spyware.

Figure 40-14: Counter Spy screenshot

 SUPERAntiSpyware Professional
Source: http://www.superantispyware.com/
SUPERAntiSpyware Professional scans and protects your computer for known spyware, adware, malware,
Trojans, dialers, worms, keyloggers, hijackers, and many other types of threats. It is one of the most
thorough anti-spyware scanners that are available. This multi-dimensional scanning and process
interrogation technology will detect spyware and will remove all the spyware that other products tend to
miss.
Features of SUPERAntiSpyware Professional are as follows:
 It offers Quick, Complete and Custom Scanning of hard drives, removable drives, memory,
registry, individual folders, and so on
 It includes trusting items and excluding folders for complete customization of scanning
 It detects and removes spyware, adware, malware, Trojans, dialers, worms, keyloggers, hijackers,
and many other types of threats
 It repairs broken Internet connections, desktops, registry editing, and more with our unique
repair system
 It offers Real-Time Blocking of threats to prevent potentially harmful software from installing or
re-installing
 The feature of Multi-Dimensional Scanning detects existing threats as well as threats of the future
by analyzing threat characteristics in addition to code patterns
 It schedules either quick, complete, or custom scans daily or weekly to ensure your computer is
free from harmful software
System requirements:
The following are the requirements for installing SUPERAntiSpyware professional:
 Windows 98, 98SE, ME, 2000, XP, Vista, or Windows 2003
 300 Mhz CPU or above
 128 MB Memory (minimum)

Figure 40-15: SUPERAntiSpyware screenshot
Figure 40-16: SUPERAntiSpyware- Detect and Remove Harmful Software

 IMonitorPCPro – Employee Monitoring Software
Source: http://www.imonitorpc.com/
IMonitorPCPro monitors computer activities and Internet use by employees. It helps in discovering
employee productivity and documents it. It is easy to use and configure, intuitive, and password
protected. It runs invisibly and records the user’s activity, such as:
 Programs used
 Websites visited
 Whole history of chat room activity (with advanced find)
 Social network usage
 Screen captures
 Detailed activity reports
 Summary reports
IMonitorPCPro also includes:
 Website blocking
 Program usage limits
 Chat user blocking
 User alerts
 Advanced filtering

Figure 40-17: IMonitorPCPro screenshot

 Case Study: HP Chief Accused of Corporate Spying
HP chief accused of corporate spying
Source: http://www.thepeninsulaqatar.com/
Hewlett-Packard chairwoman Patricia Dunn clung to her job as she was blamed with accusations that she
ordered a probe in which board members and reporters are illicitly spied. California Attorney General Bill
Lockyer vowed to prosecute wrongdoers at the end of his investigation for any private detectives hired by
HP impersonated board members and journalists to get private telephone records.
Lockyer’s office started investigation after getting word that telephone records of board members are
obtained by a ruse known as pretexting. No law in California has books about pretexting.
“We are fully cooperating with the attorney general’s office and providing any material they request from
us,” Wischhusen said. Dunn followed the former chief executive officer Carly Fiorina to find how
information from supposedly confidential board meeting was channeled to the press.
The probe initiated by Dunn found that the board member George Keyworth leaked the information. The
trick is used to get personal telephone records of nine journalists. The US Society of Professional
Journalists (SPJ) said that pretexting is a violation of press rights and suggested that HP should stand for
Hackers of Privacy.

 Case Study: India’s Growing Corporate Spy Threat
Source: http://www.atimes.com/
According to a survey, Indian corporate sector faces the highest threat of fraud, including espionage.
Many cases are recently brought to the surface Indian corporate world; targets are mostly MNC’s. Culprits
are foreign companies and smaller local competitor firms. KPMG global consultancy said that
"Organizations today face a completely different set of challenges - globalization, rapidly evolving
technology, rapid development in industry and business, risks and complexity of information and data
management; the list is endless."
Spying and the extraction of sensitive information using unfair means are new in India but such activities
are limited to government departments, defense establishments, and a few stray instances involving the
business world. "What has changed in recent years," said Ashwin Parikh of Ernst & Young, "is the
involvement of the corporate sector, and the methods used. This practice of using students [for instance]
to pick up competitors' information has become rather rampant now."

 Guidelines while Writing Employee Monitoring Policies
Source: http://www.employeemonitoring.net/
Due to security reasons, organizations monitor employees, and management should maintain policies
regarding monitoring employees. Guidelines while writing employee-monitoring policies are as follows:
It is essential to make employees aware of what exactly is being monitored. Employee monitoring policies
should be written to cover all the aspects of monitoring activities. It must be clear that monitoring occurs
only if the organization suspects a problem.
Employee should be briefed regarding the organization’s policies and procedures. When hired, employee
should learn the rules and regulations, and policies and procedures of the organization.
Employees should be made aware of policy violations, and the policies should provide detailed
information of punishment if an employee violates the rules and regulations of the organization.
The policy should be specific and should relate to every employee in the organization. Irrespective of the
post of the personnel, action should be taken against employees if they violate the rules.
Specific and technical terms that help the employee understand the policy clearly should be highlighted by
differentiating those terms by making them bold, underlined, or italicized.
It is necessary to have provisions for updating policies.
Policies should relate to the local laws of the land as there can be a chance of an employee violating the
rules, and thus the organization can bring this act of violation in front a court of justice.

Summary
 The term “Corporate espionage” is used to describe espionage conducted for commercial
purposes on companies and governments, and to determine the activities of the competitors.
 Personal relations, disgruntled employees, and easy money are the main motives behind
corporate spying
 The major techniques used for corporate spying are hacking, social engineering, dumpster diving,
and phone eavesdropping
 Steps to prevent corporate espionage are understanding and prioritizing critical assets, defining
acceptable level of loss, control access, baits, mole detection, profiling, monitoring, and signature
analysis
 Netspionage is defined as a network-enabled espionage in which knowledge and sensitive
proprietary information are generated, processed, stored, transmitted, and obtained via networks
and computer systems.

Exercise:
1. What are the reasons behind corporate espionage?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
2. What type of information do corporate spies look for?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
3. What are the different techniques of spying?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
4. Is there any technique to secure confidential data of a company from spies?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
5. What are the steps to prevent corporate espionage?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
6. How can you investigate corporate espionage cases?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
7. What are the key findings from the U.S. Secret Service and CERT Coordination Center/ SEI Study
on Insider Threat?

___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
8. What is Netspionage?
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
9. List the Anti Spy tools.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________
10. Briefly explain the guidelines for writing employee monitoring policies.
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
_______________________________________________________________

Hands On
1. Go to site http://www.usdoj.gov/criminal/cybercrime/18usc1831.htm and read § 1831.
Economic Espionage.
2. Run the tool SpyBuddy and see the result.
3. Download the tool Nitrous Anti Spy from
http://www.nitrousonline.com/antispydesc.shtml and used for spyware protection on your
personal computer.
4. Download tool Activity Monitor from http://www.softactivity.com/ run and see the result.

File000095

More Related Content

What's hot

Viewers also liked

Similar to File000095

More from Desmond Devendran

Recently uploaded

File000095