Bulletin Board # 51

From: "Kevin D. Murray"
Subject: FYI - 1997 Espionage Survey Results

"U.S. Firms' '97 Losses to Spies Put at $300 Billion"
Los Angeles Times--Washington Edition (01/12/98) P. A1; Nelson, Jack

Foreign spies dramatically stepped up their presence in the United States during the course of 1997, draining U.S.-based companies of an estimated $300 billion worth of intellectual property, according to a new national survey conducted by the American Society for Industrial Security (ASIS).

The survey, which is scheduled to be released on Wednesday, shows that more than 1,100 documented incidents of industrial espionage were reported last year by major U.S. companies. According to the ASIS report, high-tech firms were the most frequently targeted by foreign spies, followed by manufacturing interests and service companies. U.S. firms victimized by espionage losses in 1997 said the types of data most commonly pilfered by spies included research and development strategies, manufacturing and marketing plans, and customer lists. FBI officials confirmed the seriousness of the survey results, warning American industries that the governments of at least 23 foreign nations are targeting U.S. firms. The companies that are the most active on the espionage front include China, Japan, Russia, South Korea, and Germany.




Kevin D. Murray CPP, CFE, CCO, BCFE
Murray Associates

Counterespionage Consultants to Business & Government
Specialists in Electronic Eavesdropping Detection
908-832-7900 / www.spybusters.com




The following was provided by William Plante in the form of an inaugural newsletter. If you would like to receive this and future copies, please contact him at

William Plante

Subject: WILLIAM PLANTE - INAUGURAL ISSUE OF "CORINTHIAN"

Tim,

This is the inaugural issue of a monthly one-page information newsletter.

I sent you a copy. I'd appreciate it if you give it a glance and perhaps give me some feedback at your convenience.

The document is formatted for Word for Windows.

Regards
William Plante




In this Issue: the 800 telephone number and your privacy, plus the six crucial elements of the Economic Security and Industrial Espionage Acts of 1996.

Telephony Security - Your Own!

So, you've got yourself an unpublished residential phone number. You've been careful about who gets your number and even your family are practicing good privacy. You might even use your CALL BLOCKING feature when you're calling an unknown commercial service. So, basically no more worries, eh?

Well, not so fast.

When you place a CALL BLOCKED call regardless of who you call you can do so because you are paying for the call. You are also paying for your right to privacy. This is NOT the case when you call an 800 number.

When you call an 800 number, even if you've called using a CALL BLOCK service your phone number is revealed to the receiving phone system because they are paying for the call. Consequently, who you are, the reason for the call and other relevant data is revealed.

In particular, if you call a commercial service to order goods your information becomes available within a database that can be bought and sold without your knowledge and consent.

The answer? If you're calling an 800 number and you don't want your personal information revealed try using a pay phone or a "published number". That way you can maintain the integrity of your unpublished number.

Economic Security & Industrial Espionage Acts

The Economic Security Act of 1996 concerns itself with protecting vital economic information from foreign interests. The Industrial Espionage Act of 1996 is concerned with the protection of proprietary economic information in inter-state and foreign commerce. You are in contravention of BOTH Acts if:

"(a) Any person, with intent to, or reason to believe it will, injure any owner of proprietary economic information having a value of not less than $100,000 that is produced for, or placed in, interstate commerce, and with intent to convert it to his or her own direct use or benefit or the direct use or benefit of another, knowingly- (note: the above para. is from the Industrial Espionage Act and is similar to the Economic Security Act)

(1) steals, wrongfully appropriates, takes, carries away, or conceals, or by fraud, artifice or deception obtains such info.
(2) wrongfully copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, photocopies or replicates such information
(3) receives, buys, or possesses such information, knowing the same to have been stolen or wrongfully appropriated...
(4) attempts to commit any offence described in para. (1) through (3)
(5) wrongfully solicits another to commit any offence described in para. (1) through (3)
(6) conspires with one or more other persons to commit any offence described in para. (1) through (3), and one or more of such persons do any act to affect the object of the conspiracy,
shall, except as provided in subsection (b) fined not more than $250,000 (industrial) $500,000 (economic) or imprisoned...

Implante Tip of the Month - About Password Stealers
There are about six ways that a Trojan Horse program "password stealer" actually works. Generally, they "monitor and interrogate" the hardware and software processes. To protect yourself from someone planting a password stealer on your computer:
  1. As part of your computer security policy document, clearly prohibit unauthorized codes and programs from being loaded onto your computer system, including prohibition on installation or removal of diskettes or electronic media,
  2. investigate the various software monitors such as e-mail checkers of software & programs attached to e-mail,
  3. removal of PC's that don't require programming languages on them (BASIC & Quick Basic) and not using PC DOS if other environments are available,
  4. physically securing the disk drives and, for real tight security, installing a NetSafe program that removes operating system keyboard calls and replaces them with proprietary "Trojan" proof code.



Someone did some checking on the individual looking for info on telecom fraud and came up with the following:

Subject: Re: Bulletin Board # 49

Hey Tim,
Got some private comments:

I checked some of the references you sent and see that SCANDPOWER is a consulting agency.

Here's their company line:

"Scandpower is an international consulting and certification concern specializing in technical services within Petroleum Technology, Nuclear Engineering, Information Technology and General Industries. Established in 1971, the concern currently has about 160 employees, with offices located in Norway, Sweden, Germany, England and USA."

Call me nervous but ........ with only 160 employees and expertise in Petroleum, Nuclear, Information and General Industries I would say they are stretched pretty thin. Or, it could be that they are little more than information brokers who collect where and when they can and then find a market. (or the reverse - the market finds them and then they collect info.)

Also - (probably meaningless) their U.S. offices are located in Gaithersburg, MD and Houston, TX. Houston can be explained (oil industry). I'm not sure Gaithersburg can be as easily explained.

Anyway - I don't blame you for being reluctant to forward the specifics - could be legit or it could easily be poisoned candy.

So, that's my 2 cents worth.

C-Ya,

Mike




Tim wrote:

Mike, not rising to the defense of anyone or lending credence to their operation, either, an organization with 160 specialists is a pretty good sized organization, especially if they know their business and have a good resource list. Using TSCI (my company) for example, I'm only a one-person operation, but it is very seldom that I can't locate a source of information for a client or an interested party, seldom requiring more than two phone calls. Just think what I could do if
  1. I was twins or
  2. I would work more than three hours a day.
Gaithersburg is near DC; DC houses the Department of Energy and several major oil companies have headquarters in the general area; plus all those beltway bandits with their wealth of information. If I could afford it, I'd have an office there and in many of the major capitals around the world, myself. (After all, the lack of money is the only thing keeping me from being a multi-millionaire. Think about it.)

In conclusion, I'm extremely pleased that you took the time to research the organization and would hope you would do the same in the future for anyone listed who is seeking information. I hope (and think) this is a legitimate request and that something will be developed (even if it might be done for profit) that will benefit the industry as a whole.

Even with the credentials provided, there is always the outside possibility they might NOT be legit, but I'm the eternal optimist (there has to be a pony somewhere under all the pony poop).

Tim