Stopping the leak

Steve Allen tells a salutary tale of how a disgruntled employee used technology to steal information and damage his employer's reputation.

Our Electronic Countermeasures Team (ECM) finds on average half a dozen active devices a year, so it came as no great surprise when a call came to inform us that one had been found in the boardroom of our client, a well known UK-based organisation. The device was sophisticated, live, and hidden behind an air vent grill - and the board meeting was scheduled for that morning.

This was the start of a fascinating case which lasted for several months and dealt with a technophile senior employee hell-bent on obtaining information about our client's activities. It ended with a court injunction, the delivering-up of stolen information, and the discovery of an array of computer and communications equipment, listening devices and recording media.

Our client was in the midst of some delicate negotiations and had commissioned a physical security review which, in addition to a comprehensive ECM sweep programme, paid particular attention to the safeguarding of proprietary information, its main asset. A major part of the review was a security assessment of the networked information communications technology (ICT) system.

Our report concluded that:

even the most fundamental logical security was absent

there was no defined policy on centralised IT function and resources

there was no security strategy documentation

access controls had been applied equally to all applications

there was no tried and tested disaster plan

the server system was outdated, with only a small library of attendant security utilities

no encryption algorithms or digital signatures were deployed

the use of passwords was inadequate and they were seldom changed

software at the firewall needed to be hardened to control access attempts by remote sites

the A drives on PCs were not blocked off with software released to users of the network, so as to prevent the introduction of Trojan horses

no intrusion detection system (IDS) was installed

the relevant parts of the client's database were not securely classified.

These deficiencies were subsequently all acted upon.

It came as a shock when we heard of the 'spamming' of several hundred of our client's customers a few days later. The rogue e-mail was sent using an unidentifiable e-mail account. It contained:

verbatim extracts from past board meetings

accurate summaries of some key recent internal policy decisions

confidential and accurate financial information

acidic comments about board members

an incitement to lobby against the interests of the client.

Some of the recipients received printed hard copies of the offending e-mail (which warned of further, similar missives to come) by post.

Initial suspicions
A provisional profile of our client's potential opponents and adversaries came up with a raft of competitors and former employees and even posed the possibility of foreign government intervention. However, analysis of the e-mail revealed a level of knowledge and a familiarity with internal procedures indicative of only a few senior employees. Also, the spamming audit trail, partly listing the recipients of the e-mail, was a direct match with an internal e-mail database that was only accessible to the CEO and his secretary. The investigation was homing in.

Detailed background checks, using online databases and the internet, confirmed that a senior employee had an employment history which was at variance with his CV and job application. Only cursory background checks had been conducted prior to his employment. He was an erratic timekeeper, often staying late and regularly working over weekends. He appeared to enjoy challenging authority and was a gifted writer of prose. We had a suspect.

Legal advice
It is vital in the early stages of any investigation to document the reasons for deciding to launch, and subsequently to continue with, an enquiry. These reasons need to be justifiable, in accordance with data protection and human rights legislation, and must steer a fine path between the rights of the client and the rights of suspects.

Our early overview concluded that there had been an unauthorised, and hence illegal, attempt to bug a board meeting, that confidential information had been stolen, and that a database had been downloaded from our client's computer system. While not discounting the potential for a criminal action, our objectives were to identify the miscreants, recover our client's information, get financial restitution and issue injunctions to limit further damaging and publicly humiliating e-mails. This was to be a civil law case.

Initial investigative options included:

reviewing selected personnel files

real-time electronic audits of boardroom meetings to monitor interceptions

covert disk imaging of PCs and laptops

reviewing the client's server to monitor outgoing e-mail traffic

telephone call log analysis of key employees

intercepting the telephone and fax lines of selected employees

fingerprint analysis of the envelopes and contents of the letters

DNA matching from the stamp and envelope with selected staff samples

handwriting analysis to match the writing on envelopes with control samples

indented impression (ESDA) testing on envelopes and contents

striation testing to match printed pages with printers and photocopiers

covert desk searches of employees

physical surveillance of employees

'disputed utterance' analysis of written material

lifestyle analysis and background checks on staff

creating an 'incident' to elicit a response

working with informants or undercover operatives to obtain more intelligence.

During the initial phases of an investigation that is likely to develop at speed, it is essential to obtain legal advice from a law firm which is familiar with investigative techniques, has a strong stomach for litigation, and a track record of successfully applying for injunctive relief in the courts. We chose the law firm Mishcon de Reya (MDR). They went about thet essential task of collecting employment contracts and associated papers that might be used as the basis for an affidavit and for laying a complaint.

The investigation
Having confirmed that it was owned and paid for by the client, we covertly took an image of the PC on the desk used by the suspect. The machine had a large hard disk and imaging went on into the small hours. Forensic computer imaging is where a digital or optical image of a computer's hard drive is taken, for subsequent analysis. A mirror-image copy of the data, applications and operating system is garnered so that it can be replicated off-site, and a control copy kept for evidential purposes, while investigators interrogate a duplicate copy.

When a user deletes a computer file it is not lost forever, unless it is overwritten. By using a derivation of basic virus scanning software, it is possible to create a string of key text search words to run against the copy disk until you find instances of the use of the words you have flagged.

On this occasion, we found in the slack space of the computer (the swap file) an extract of extreme importance to our case. It was a part of a verbatim transcript of the recording of an earlier board meeting, using the exact words that appeared on the e-mails. We also discovered a mailing list with e-mail addresses attached, which matched those who had received the illicit e-mails.

During the course of the imaging, we searched the suspect's desk and found diary entries, contact details and background material which would later assist our case.

These and other investigative initiatives revealed that the suspect:

kept some sophisticated recording equipment in his desk

had encrypted part of the hard drive on his computer at work

kept a work's laptop computer at home

had handwriting which was a near match to that found on the posted letters

had fabricated part of his job application

had not sent the e-mail from the office

had copied the posted enclosures using the office photocopier

had regular meetings in internet cafes with third parties

had many journalistic contacts with whom he maintained close liaison

had previously flouted internal rules by accessing secure files and databases

was a volatile 'Walter Mitty' type character.

Risk mitigation
We were by now about two months down the line and had been hit with more detailed e-mail and postal campaigns. The pressure was palpable. Clients, customers and associates were demanding action to limit the haemorrhage of information.

Legal counsel's advice confirmed that the time was right to proceed with a case. We considered the legal defence and the allegations that might arise:

the case had not been brought in sufficient time without undue delay or procrastination

the demands made of the defendant via the courts were not commensurate with the damage

it was not illegal to intercept the boardroom conversations by virtue of the frequency on which the device operated

the defendant had a claim over ownership of the computers that we had imaged

our client had taken insufficient measures to protect against the loss of information

this was a fishing expedition to get at other people

the defendant was not formally reprimanded when previously caught availing himself of sensitive information, establishing a precedent

surveillance was against the defendant's right to privacy

the defendant should be free to write about his experiences

the information that the defendant was publishing was in the public interest

some of the information had already been substantially published and he was simply adding to it.

Bug-busting outcome
Our team addressed these issues in the affidavit, which succeeded in supporting an ex-parte delivery-up and gagging order. MDR accompanied a solicitor to the home address of the defendant to retrieve items to help prove our case. This was followed, when the court agreed the case to be proven, with undertakings by the defendant to provide financial restitution, and not to discuss the case.

Our suspect, as a defendant, admitted that he had sent the offending e-mail and letters and that he had bugged the boardroom. He had encrypted his hard drive to hide the fact that he had downloaded pornography, and had gained access to the database by obtaining the CEO's password. He had sent the e-mails from an internet cafe, and by using his WAP-enabled mobile phone with in-built PDA.

This account includes some changes in chronology and omits some material facts .

Steve Allen is a director of IJA International Limited Tel: 01252 781133,
E-mail: sallen@ija-int.com
Dan Morrison, fraud solicitor and litigator at Mishcon de Reya, assisted with the case, Tel: 020 7440 7000,
E-mail: dan.morrison@ mishcon.co.uk

LESSONS

Bugs happen. They can be discovered by regular communications security audits.

If you do not take reasonable steps to safeguard your assets, the inevitable will happen. Worse still, if you cannot demonstrate this action to the court, it will not be too enamoured by your application for injunctive relief.

Conduct comprehensive pre-employment and contractor screening - and continue with it on promotion or change of responsible role. The person you hired five years ago is now different.

Hardly any businesses operate without recourse to ICT. But few bother with ICT security.

Forensic science should be used as a standard operating procedure during an investigation.

Business intelligence takes many forms. It is amazing what is available on the internet.

Laws and regulations are there to help protect the rights of individuals and organisations. They must be respected and not ignored. They are also there to defend those who have been wronged, so do not be afraid to use them.

Policies to combat fraud and malpractice work. They should include conflict of interest statements and be cascaded down the organisation from the top. Review the contracts of your senior employees using a specialist employment or fraud lawyer.