Phill ‘Sherlock’ Shade
The Time – Not so long ago
The Location – A Galaxy unfortunately all too nearby
The Crime – Data Breach / Industrial Espionage
This particular event transpired approximately three years ago; the client was a small design company of about 40 employees. I was contacted by another consultant who had been analyzing the client’s network to optimize performance. While the first engineer was able to address several routine network issues, he had requested assistance in analyzing a possible data breach.
Arriving onsite, the initial brief revealed that the company designed the distinctive cases used by major vendors to house their products. The issue was that their designs were showing up on the illegal markets, sometimes before they were even in production.
Several days’ worth of investigation using Wireshark, GeoIP and graphical Trace-Route utilities appeared to show an internal connection originating in the companies design servers and reaching to St. Petersburg, Russia. To confirm this observation, we created several fake designs and uploaded them to the server in question. We then attached Wireshark to a hub and connected the server back to the network switch using the hub. A capture filter was set inside Wireshark and set to the IP address of the server.
Within a matter of only a few hours, using Wireshark, we were able to observe a stealth connection originating in St. Petersburg and connecting into an open port on the design server. By this point, what followed wasn’t that much of a surprise as we watched the very designs we had loaded into the server copied and transferred back to Russia; we had your villain!
We saved all of our evidence, created a quick report and prepared our presentation before leaving for the day. The next day dawned and we met with our client contact to reveal our evidence and supporting documentation.
Initially the presentation appeared to go well as we laid out our evidence, explained our methodology and concluded with a series of logical recommendations such as securing the network with a series of firewalls, implementing logging of transactions and basic data encryption.
What ensued still lingers in my mind to this day for its colossal arrogance and blind adherence to a single view of things, all evidence to the contrary: Rather than accepting our findings and thanking us, the client instead stated ‘That can’t be true; you’re reading it wrong!’ To say I was surprised at this response was the understatement of the week… When I gathered my thoughts and asked why, the next shock ensued…
‘Our network can’t possibly be compromised since we only use Mac computers and they are safe from hacking!’ uttered with all the blind belief in modern advertising.
We then dared to ask what sort of security software or hardware they used to protect the network and infrastructure; we received nearly the same answer.
So hoping for the best, we presented our presentation to the Department Head, then the CTO and finally the CEO. Each piece of evidence, the Wireshark capture files, the GeoIP information and the Trace-Route results as well as the IANA address resolution was covered; only to be met with the same statement that there had to be a mistake and there was no need to follow any of the recommendations as this would make operating the network to difficult.
Completely at a loss for words, all we could do was present the invoice for services rendered and make our somewhat chagrined departure. Keeping a watch on the company revealed they were out of business in another year or so.