July 19, 2012

When Insider Threats Start From The Outside

A recent article describes an apparently serious FBI investigation.   The article teaches an important lesson.  In this case, the FBI wasted resources on matters of relevant little importance because they can get results fast while a huge amount of more serious data and intellectual property theft related crimes go unnoticed.

When looking at quotes from the affidavit, provided by a Simplicty EX-EMPLOYEE (!) he describes what looks like a perfectly legitimate exploration of public resources. He describes how he was INSTRUCTED to look for PUBLICLY available resources by typing legitimate resource names in the address bar. Next, the FBI claims that someone from within Simplicity’s network (or an employee of Simplicity) accessed the login form of Maxient clients.  Really?  They don’t even claim that someone tried to brute force the form, just accessed it! There is only a brief mention of a claim that Simplicity attempted SQL injection attack against Maxient’s application (which is indeed an illegal activity). Again, the claim is very general in terms that an IP address that belong to Simplicity was behind this activity.

Now my question is this: We see on a daily basis web attacks that are on a far larger scale for each there’s a far more collection of hard evidence in terms of intent and potential risk. Why is the FBI investing so many resources in this particular one? I think that the key to understanding this is the following FBI statement:

On Nov. 4, 2011, a cooperating witness who formerly had been employed by Symplicity for approximately five years provided information to the FBI concerning the conduct of Ariel Friedler, the Chief Executive Officer of Symplicity.

Someone, it seems, may have approached the FBI and pointed the finger at an alleged culprit and detailed the method of operation. Not surprisingly, that someone (by their own testimony) was actually part of the operation. At that point, the FBI together with the alleged victim of this criminal activity, who was completely unaware of this EXTREMELY unsophisticated attack, made the effort to produce audit trail evidence (which I do believe to be genuine) going back TWO YEARS showing traces of this crime.  Notice that they were not able to produce ANY data that indicates actual penetration into the application or organization or any actual illegal access to accounts.

From this point of view, it looks like a case of disgruntled employee, colluding with a competitor of Simplicity to inflict a short term or even long term damage to Simplicity’s business.  How is this for a new twist on the “insider threat” attack vector?

As stated by another quote from the article: “While the FBI's search warrant doesn't put any of Simplicity's current contracts at risk, the vendor could face suspension or be banned from future federal contracts based on the issuance of the search warrant.”

Do I believe that Simplicity people were scanning competitor site for competitive intelligence? Yes I do. Do I believe that someone from inside Simplicity attempted SQL injection against a competitor site. Yes I do. Could that someone be the same employee who reported the entire story to the FBI? Yes he could have been that someone. Do I understand why FBI are going after this case with so much rigor? No I don’t. I’d be surprised if the investigation eventually ends up with shocking discoveries about a wide network of sophisticated industrial espionage, or even of a successful breach into competitor servers. Until that happens, I think there are more pressing cyber-crime issues to go after.



Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.