by JM Addison
Chapter 12
Mike Ludwik was convinced the security problems Sequitus was experiencing were due to some sort of subversion from an outside entity. Typically, security leaks were caused by inside people. On occasion someone could casually mention something sensitive to a neighbor or a friend and then that person might pass it along. All very innocent, but damaging anyway. More seriously, a disgruntled or former employee might want to “get even” over some imagined issue and maliciously spy or sell sensitive information.
But not in this case. This company was relatively small. Everyone had a lot at stake personally that depended on the success of the company. He knew everyone and they were all friends with strong engineering and computer backgrounds. Any of them could do a lot of damage, especially with the highly competitive nature of the race to be the first to develop and patent the Pico timer technology. But he trusted everyone involved at Sequitus. Their common goals made them more like a family.
Still, somehow, someone outside was stealing sensitive information. Perhaps a phone was tapped. Maybe the trash was getting stolen and examined for clues by a competitor. A listening device planted somewhere. It was that cutthroat. He was taking all the steps he could to identify and stop any such theft. He instituted a new policy to shred all documents that were being discarded. He was having all the phones and lines examined as well as doing a sweep of all the office facilities for hidden transmitters. He had to examine the computer infrastructure in some detail, so he just called in his computer technology technical manager, Annette Amitage, to discuss the situation.
“As you know, we are experiencing some sort of information leak and trying to get to the bottom of it,” he began. “I was thinking you could give me some of the details about just how we are protecting our data and computerized information from exposure to someone unfriendly on the outside.”
Annette thought a moment and said, “Well, we have the latest security practices and policies in place. Our corporate data flows pretty freely between users and systems inside the company. Users can be restricted from any area based on their logon identity, but most people have access to everything simply because they need it.”
“I was thinking more in terms of a way someone outside Sequitus could view sensitive information. What about monitoring our internet traffic, hacking the firewall, emails to people outside, that sort of thing.”
“Again, we use some pretty good stuff to protect ourselves. For remote access, we have a couple of people that access the systems from home or while travelling, but they need an authentication passkey to connect. We trust those people who have passkeys and even if they lost one, someone finding it would still need a valid PIN number to use it.
“As far as the internet is concerned, we have the latest internet firewall equipment and software from Viiradium. That protects us from people on the outside, people on the internet, from getting at any computerized data on our corporate side. And even if they did manage to access the firewall and copy data transactions, we use standard encryption practices for authentication and secure data access – even emails.”
Mike considered this for a moment then asked, “So let’s say that someone was able to copy or somehow ‘capture’ an electronic conversation between Sequitus and an outside contractor or a remote employee or government office or something. You’re saying that there’s no way they could decode or decrypt what we’re sending or receiving so that it becomes usable?”
“It’s not impossible, but so impractical as to make it very unlikely. We encrypt using standard, government grade, one hundred twenty eight bit encryption. What this boils down to is that it would take someone with a heck of a lot of computing power and a lot of years to spend trying trillions of different combinations to crack the encryption.”
“What about the authentication techniques you mentioned?” Mike asked.
“Again, using accepted, standard stuff. Two Thousand Forty Eight bit keys. We give out a public key that someone could use to encrypt a message intended for us. Once the message is encrypted, only the private key that we hold can de-scramble the message. If we want to return a message, we use their public key they provide to us to encrypt a message which can then only be understood by their use of the private key that only they hold.
“We even use digital certificates to authenticate the keys themselves. The certificates are ‘signed’ electronically by a government sponsored registering authority for verification. Again, common practice in the industry.”
“So let me ask you hypothetically,” Mike said, “suppose you wanted to steal information from us. You’re a computer security expert, how would you go about doing it?”
Annette gave it a moment’s thought and said, “Well, tracing and capturing an individual electronic transaction among hundreds on the internet is difficult enough. You would have to know someone that managed one of the routers or firewalls that connects the web together. Even if you could do that, you are still in the possession of this recording of a digital conversation that’s entirely scrambled.
“Now, of course network break-ins have occurred because there is plenty of motivation to do so. A lot of private things like credit card numbers move around the internet all the time and those are worth a lot to criminals.”
“So you’re saying our security can be compromised by a bunch of half-wit criminals with a PC at home?”
Annette continued, “Not exactly, first, most home users or would-be consumers only use encryption methods that are not at the same strength as ours. It seems impractical to try to break encryption, but some of the weaker ones really only need about a dozen cheap PCs and about a week’s worth of computing time before you start decrypting transactions. In fact, if your criminal spreads his computing costs over a year, he can probably break codes and obtain valid credit card numbers for about fifty bucks for each number obtained.”
“That seems like a lot of effort which must add to the cost and certainly there must be some risks. What about these notorious internet security hacks that keep making the papers? How are they being done? Don’t their victims have good encryption technologies?”
“Most of the time, it starts with something much less sophisticated than you think. One could simply set up a business on the web to do something like, say, sell coffee or whatever. All a consumer needs to do to get some of the ‘world’s finest’ coffee is enter their credit card information and in two or three days have the best cup of coffee you have ever tasted. And, by the way, your transactions are totally secured. The only trouble is… Ha! There is really no intent to actually sell any coffee, just to attract people to think they are buying something to lure them into exposing their credit card numbers. After a couple of days, the criminal who was offering the goods – the coffee - simply shuts the site down and disappears. Before you know it, he’s got a couple of hundred valid numbers. Not bad since the cost of setting up a new site with a unique name is cheap and in fact practically free really.
“Another way is to simply masquerade as a well established supplier of consumer goods. Let’s say Land’s End. You only have to fool the internet name resolution process into thinking you are the real Land’s End and Presto! You’re collecting credit card numbers.
“Being able to trick people into giving up something innocent sounding is another way that seems to find good success. You make a phone call asking for something and sounding like an authority. It could be something simple like asking for a password.”
“People are so dumb that they just give away their password?”
“No, but let’s say that the person asking sounds like someone you could trust. What if you were having some computer access trouble so you call and ask the computer support team for some help. They say, ‘Sure! Glad to help! Can we get your password so we can check out the problem you are having?’ Would you give away your password then?”
“But I trust them.”
“Right. We all do. But what if the person in the support department isn’t really them? They could have initiated a call to you offering to help you with a problem that doesn’t really exist yet they sound convincing enough, so you go along and give them your password. They ‘fix’ the problem and thank you and then use your password to get whatever they were after.”
“So we could be so easily tricked into giving away the keys to the store?”
“Well, not really. We are using 128 bit encryption strength which is still much too difficult to de-scramble and the other scenarios don’t really apply to us. We don’t operate in a consumer market. To avoid being fooled into transmitting to a party that is impersonating one of our business partners, we have separately verified all the internet addresses. We all know the people in tech support. We have trained everyone to trust no one on the outside.”
“Thanks for the explanation of all this,” Mike said, “I guess I understood most of this before, but hearing you explain things makes it much clearer. You still haven’t answered my question about how you would steal information from us.”
“I guess I would resort to the same old tricks that have always seemed to work. Finding someone that is upset over something and willing to talk or reveal something. Bugging a phone line or an office perhaps. Or, what about some of the possibilities of the very equipment we are developing here? The Pico timer technology represents some attractive and even revolutionary concepts for spying on people. Our competitors would stop at nothing, perhaps they are just a bit ahead of us and are using the very same kind of equipment we are developing to watch us closely.”
He hadn’t even considered it, but he would be very surprised if a competitor was that far ahead. Sequitus seemed to be the most advanced and the first to produce anything that could be patented. So he doubted that would be a serious threat to consider.
“Do me a favor Annette, think about our information setup. Try to come up with any ways someone could be reading any of our data. I’m at the point to just about pull the plug on all the computers so that no one can network to anything. It would be terribly inconvenient but you know what’s at stake. Products based on Pico timer technology are revolutionary. Our success could translate into millions for all of us. If our ideas are stolen or even if information was circulated based on half-truths to ruin our reputation to slow us down, we could end up with nothing.
“Examine our security policies and our setup again. Make sure everyone is securing all transactions. If you find anything or even think of anything, come see me, then between the two of us, we can brainstorm toward a solution to any problems you might discover.”
“No problem Mike. I agree that this is important. I doubt that our computer security is at risk, but it can’t hurt to continuously review and check our security position.”
“Thanks. Let me know what you find.” Annette got up, collected her notes and went back to her own office. Mike had confidence in Annette. She was a little reckless about her attitude and a little young to take things seriously, but she really knew her stuff. She had a unique ability to break things down to their simplest components for analysis and a clear layman’s explanation of complicated details.
He was still no closer to understanding if they were exposed and how they were infiltrated previously. He couldn’t help thinking that something simply was being overlooked.