Issue 20, 16 December 2014 WhiteNews Global corporate espionage news
Contents:
Editorial: WhiteRock Updates: All About Privacy – 2
Threat: Are LinkedIn Contacts Trade Secrets? – 3
News: $400 Bn Military Espionage; Code Fishing – 4
News: Falciani Black List; Football Whistleblower – 5
Feature: Willy Wonka’s Lessons in Espionage – 6-7
Technology: Hearing Aid for Corporate Spies – 8-9
Extra: FBI’s Untold Story; Spy on Your Rival – 10-11
Letter From America: Spying Breakfast Club – 12

Exclusive Reporting for WhiteRock’s Clients

Risk of Public Disclosure: Learning from Willy Wonka
Our feature story is seemingly seasonal and light-hearted, but the film ‘Charlie and the Chocolate Factory’ carries a very strong espionage message that is relevant even 50 years later. Willy Wonka was a brilliant CEO who knew that the only person who could protect his trade was himself. Wonka’s story translates superbly into today’s corporate world, and in this issue we are discussing how the contemporary big players are maintaining their edge and success over their competitors. This is equally relevant for small and medium-sized businesses, who really don’t prioritise their trade secrets, making their advantage extremely vulnerable.

In the technology section we analyse the delicate matter of hearing aid systems. They’re everywhere, including in corporate meeting rooms, and nobody really considers these as a threat. We’re examining how to achieve a balance between protecting valuable corporate information and not creating an embarrassing situation that in turn could lead to reputational damage!

Our extra section may give you a wrong impression this time. No, we’re not teaching you how to spy; this is not our bag. The article is about knowing your competitors and getting as much authorised information about them as possible.

On the eve of WhiteRock celebrating 20 years in the information security business, our focus is all about PRIVACY. This cements everything we do, ranging from consultancy and technical services to technology installations. Without revealing too much yet, we can already say that along with the awareness and policy work, mobile device security is going to be a big focus – so look out for WhiteRock’s brand new MobileWatch™!

Finally, to thank you for believing in WhiteRock in 2014, we’re sending you our 20th cocktail, a sensational Christmas pudding vodka. PUDKA is complex and warming with notes of Rudolf on the nose and a long lingering glow of spiced tangerines and cinnamon humbugs!
Enjoy the season and see you in 2015!
Raili Maripuu, WhiteRock MD
“The Wonka Way is All About Privacy,” Crispin Sturrock, WhiteRock CEO
WhiteRock - A Bond of Trust
Editorial – Page 2
WhiteRock, 11 Manor Courtyard, Hughenden Avenue, High Wycombe, Buckinghamshire, HP13 5RE, UK. +44 (0) 844 247 4538, [email protected], www.whiterockglobal.com
WhiteRock Updates: All About Privacy

Wow, what a year this Year of the Horse has been – literally crazy galloping all the way! As we are approaching the end of the year, WhiteRock is reflecting on the changes and achievements that 2014 brought to our business. We have now completed the major restructuring that we started earlier this year. I’m really proud to say that we have a fantastic and strong team of people bringing you a better and even more professional WhiteRock.

With the new team, WhiteRock has redefined our services with the aim of bringing more clarity to what we do. We outgrew the TSCM market long ago, as we strongly believe that ‘bug sweeps’ are not the sole answer to organisations’ information security challenges. We have played around with the ‘corporate information protection’ and ‘audio-visual privacy’ terminology, and along with our clients’ feedback concluded that both are too ambiguous and wide to define our role in the corporate information security function. The above very naturally evolved into a ‘Privacy Cover’, which embodies everything that WhiteRock does and is a solid foundation for all our products. In a broad sense, ‘privacy’ is part of the overall ‘information security’, closing the gap between IT and physical security, whilst working very closely with these functions within organisations.

The gap we are talking about involves mostly human and vulnerable technology, the two biggest threats to high-value information! With nearly 20 years’ experience in protecting confidential corporate information, WhiteRock has developed nine different products that are designed to achieve the desired Privacy Cover for organisations. These can be grouped into three and range from consultancy and technical services to technology installations.

In recognition of the fact that human behaviour creates 80% of information leaks, 2014 saw a surge in WhiteRock’s legal and consultancy services. We delivered corporate mobile device security policies, and the same for managing the security at high-value corporate meetings. We also delivered around 20 awareness sessions, which is up nearly 10-fold in comparison to the previous year.

On the eve of WhiteRock celebrating 20 years in the information security business, we are very excited to welcome the new 2015. Without revealing too much yet, we can already say that along with the awareness and policy work, mobile device security is going to be a big focus – so look out for WhiteRock’s brand new MobileWatch™!

Raili Maripuu, Managing Director

Contents:
Threat – 3
News – 4-5
Feature – 6-7
Technology – 8-9
Extra: Spy on Your Rival: 10 Authorised Ways – 10
Letter From America: Kevin Murray: No Winners in Spying Breakfast Club – 12
Cartoon of the Month: Beware of These Jingle Bells!

Did You Know? It’s not quite telepathy, but a group of scientists have successfully eavesdropped on our inner thoughts. Using a newly designed algorithm, researchers at the University of California in the US were able to work out [...]. Using a technique called electrocorticography, which measures neuronal activity via electrodes placed on the surface of the brain, the team took recordings while the patients read out [...]
Threat – Page 3
Spy Networking: Do LinkedIn Contacts Qualify as Trade Secrets?
At first glance, this seems like any other trade secret theft dispute between an employer and a former employee. However, when Cellular Accessories For Less Inc., which supplies large organisations with wireless phones and accessories in the US, sued its ex-manager David Oakes and a rival, Trinitas LLC, the case created a new legal puzzle in corporate espionage legislation: do LinkedIn contacts qualify as trade secrets? In fact, they may do.

Oakes, a sales account manager for Cellular, decided to strike out on his own after six years with his employer. He had signed an employment agreement requiring that proprietary information did not leave the premises, and a statement of confidentiality forbidding the knowing disclosure or use of this information. However, in 2010, when Cellular terminated Oakes, he started his competing business, Trinitas, and allegedly violated the previously mentioned terms of confidentiality, plus some more.

According to the lawsuit filed in the Central District Court of California, Oakes emailed himself a customer information file with 900+ personal and business contacts, detailed billing preferences, pricing and client strategy documents. Also, what looks like a violation of the same seriousness – he maintained his LinkedIn contacts after termination.

A federal judge denied the defendant’s motion for a summary judgement in October, finding there were issues of material fact surrounding the question whether LinkedIn contacts were protectable trade secrets. The defendants claimed that all information was easily obtainable through public sources and Internet searches of Fortune 1000 companies. Cellular, on the other hand, said that building its customer list had necessitated a significant expenditure of time and money because it “hired and paid employees who were tasked with cold-calling companies and working their way past the ‘gatekeepers’.”

The defendant argued further that Oakes’ LinkedIn contacts could not possibly be considered trade secrets as these would have been viewable to any of his other LinkedIn connections, which the plaintiff says is not correct. Oakes also claims that Cellular authorised salespeople to disclose the identities of clients to potential customers as a way of attracting new business, and failed to inform employees that LinkedIn contacts were proprietary or confidential.

The court declined to take judicial notice of the functions of LinkedIn and stated that the parties did not make sufficiently clear whether and to what degree Oakes’ contacts were indeed made public. The judge found genuine issues of material fact as to trade secret misappropriation, but he did not state that LinkedIn contacts are not trade secrets.

Although perhaps not such a good decision for Cellular in this case, this ruling has a remarkable importance and may serve as a precedent or open the door for similar lawsuits in the future. Even though millions of companies use social media to build their businesses, professional networking sites such as LinkedIn are still perceived more as professional environments than Facebook or Twitter. Therefore, it is widely assumed that the company has some control over its employees’ contact base, especially if the firm has encouraged such networking as part of their work.

Although the intricacies of social networking and the availability of privacy settings seem still to be new for judges, these kinds of disputes are likely to end up in court more often from now on. The mentioned lawsuit is still in court and we must wait and see how the parties network their way through. Whatever the result is, it will probably inspire some required changes to US trade secret protection and violation legislation.

8 Point Action Plan: How to Guard Your Contacts

Regardless of the possible changes in legislation, businesses should monitor their company’s and employees’ presence in professional networking sites, such as LinkedIn, their client lists, customer base, and other information they want [...] suggestions for how to guard your secrets better:

[...] nature of customer information [...]
[...] privacy settings and train employees how to maintain barriers against [...]
[...] social media accounts remain completely separate from their business accounts, which should be linked only to a company email [...]
[...] to employees upon termination of [...]
[...] to inform employees that LinkedIn contacts were proprietary or [...]
[...] contracts, non-competition and non-disclosure agreements, as well [...]
[...] trade secrets in the context of online [...]
[...] conditions regarding the use of [...]
[...] spent to compile customer contact [...]
[...] in a password-protected internal database, rather than rely on social [...]
News – Page 4
Combating Interception: Germany Seeks Foreign Tech Firms’ Source Code

Technology firms that sell software to the German government or companies critical to its security are likely to be forced to reveal their top-secret source codes to the authorities. At least, that is the aim of the country’s authorities seeking to guard against snooping after the NSA revelations. The German government has proposed a new bill, expected to become law, that excludes US technology companies from its digital economy.

Foreign firms would have to be forced out from bidding for contracts in Germany, as they are unlikely to reveal the source code, which is the backbone of software. As a result, the companies could miss contracts worth billions of euros from Germany, which is the largest market for information technology in Europe.

Meanwhile, technology giants such as Google and Yahoo have taken significant steps to encrypt their data, both when it is stored and as it flows through their own data centres, just to protect against governments’ spying. Also, Apple and Google have most recently increased the encryption of mobile data, which means the codes Germans seek are even less likely to be shared.

After the leaked NSA documents revealed that the NSA had spied on the phone conversations of Merkel, the country ended a contract with US telecoms firm Verizon because of the security concerns, and warned that search provider Google could be broken up and regulated like a utility due to its dominance.

China’s New Fighter Jet: Result of US$400 Billion Industrial Espionage

China launched its new Shenyang J-31 stealth fighter at the Zhuhai international air show last month. This provoked press reports about cross-border industrial espionage. According to US military officials and pilots, the capabilities of the Chinese aircraft are a match for Lockheed Martin’s F-22 Raptor or F-35 Lightning II Joint Strike Fighter. In July, a Chinese entrepreneur was arrested in Canada at the request of the FBI after he stole information for 32 military projects, including the F-35. Allegedly, the J-31 is designed using technology stolen from the Pentagon’s above-mentioned US$400 billion Lockheed Martin F-35 Joint Strike Fighter program. We reported on the theft briefly in WhiteNews, Issue 132. Also, Chinese hackers have been noted for their frequent success at obtaining sensitive information relating to US defence projects.

The aim of China’s military establishment was to make the J-31 capable of landing on aircraft carriers, giving them a role similar to the F-35C’s. The J-31 is about the same size as the F-35. But the Chinese airframe has smaller engines and a flatter fuselage, implying a focus on air-to-air combat. The J-31’s design would increase the plane’s overall fuel efficiency and speed, as it would suffer from less drag. However, one former US military pilot said that the J-31 would likely out-perform a handful of US fourth-generation fighters, such as the F-15 and the F/A-18E/F Super Hornet.

Although jet engines remain a weak spot for China, the country has made much progress in developing their aerospace industry, say the US officials, as it has yet more stolen military information acquired through espionage.

News Bites:

Foxconn Sued Ex-Employee for Trade Secret Theft
Taiwanese electronics manufacturer Foxconn sued its former manager Bao Qiao-Hong for disclosing company trade secrets and violating [...]. [...] used the company email account after quitting to send product margin and cost information to his personal email, before he started to work as a general manager for a rival, also [...]

Reverse Engineering: New Industrial Espionage Threat
The EU Trade Secrets Directive should be amended to better protect product developers, said the prestigious Max Planck Institute for Innovation and [...], to change a current situation where reverse engineering techniques [...] products are made in order to make [...]

Japan Sets Tougher Penalties for Trade Secret Theft
New guidelines about how the companies can protect themselves against trade-secret theft will [...] tougher penalties against corporate espionage, and makes it easier to classify documents, client lists and [...]

Luxury Car Firm Accuses Former Employee in Espionage
[...] end luxury vehicle industry are in [...] employee Jason Catlin downloaded [...] and lists before taking up a general manager position at rival, [...]. Travers also solicited other employees to [...]

Did You Know? 17 US spy agencies spent nearly $68 billion in 2014, according to the director of [...]
News – Page 5
Soccer Whistleblower: FBI Spied on FIFA

An American football official, Chuck Blazer, was revealed as the main informant in an FBI investigation into money laundering and fraud in football. Blazer co-operated with the FBI to the degree that he secretly recorded meetings with football executives, including anyone who was a member of the FIFA Executive Committee that voted for Russia 2018 and Qatar 2022, as well as individuals close to the President of FIFA, Sepp Blatter.

Blazer (photo below), a former general secretary of CONCACAF as well as a FIFA Executive Committee member, had not been involved in football since May 2013, as it was known that Blazer was corrupt and FIFA’s Ethics Committee had opened investigation proceedings against him. However, the recent revelations claim that Blazer was then already working for the FBI.

Blazer’s co-operation with the FBI began three years ago. He allegedly cut a deal with the American law and tax authorities, and agreed to co-operate with the FBI and the IRS after being threatened with unpaid tax crimes on as much as $29 million of income. His work with the FBI brought down former CONCACAF president Jack Warner following the ‘cash for votes’ scandal in 2011. This investigation also ended Asian Football Confederation president Mohammed Bin Hammam’s bid for the FIFA presidency.

At the London Olympics in 2012, Blazer organised a series of meetings with FIFA colleagues and football leaders at the Mayfair hotel in London’s West End. He was given a keychain with a tiny microphone embedded in its specially altered fob for these meetings.

White-Collar Crime: Falciani Black Money List Emerges

The black money storm raging for over six years, centred around a whistle-blower now known as the ‘Edward Snowden of Swiss banking’ – Hervé Falciani (42), finally comes to an end now that his exposure list of more than 130,000 potential fraudsters from around the world has emerged.

As French authorities have shared the so-called HSBC or ‘Falciani list’ with other countries, it also sheds light on what was allegedly one of the biggest violations of banking and commercial secrecy, as well as one of the biggest commercial espionage scandals, in recent decades.

The story unravelled in December 2008, when Falciani, a systems engineer who worked at HSBC’s Geneva branch, fled to France with data on nearly 25,000 bank accounts. He had arguably realised that the way data was managed in the HSBC bank fostered tax evasion, and decided to reveal the wrongdoing to the whole world. Over two years he had obtained data demonstrating tax fraud on some 130,000 of the world’s great fortunes. Swiss judicial authorities accused Falciani of commercial espionage and issued an international arrest warrant against him. Controversially, Falciani was not extradited, but the French authorities opened their investigation instead against the alleged fraudsters he was whistle-blowing on.

Falciani has since been collaborating with numerous European nations by providing the information he gathered illegally about suspected tax evaders with Swiss bank accounts – specifically those with accounts in HSBC’s Swiss subsidiary, HSBC Private Bank. France claims it recovered €186 million (3,000 names from the list), Spain €260 million (700 names) and the UK £135 million (4,000 names). In Spain alone, more than 45 criminal proceedings were launched, based on Falciani’s illegal information gathering. This is an interesting example of large scale corporate espionage that governments see as acceptable.

News Bites:

$100 Million Worth of Gaming and US Military Secrets Stolen
US authorities charged four men with hacking and stealing secrets [...]. Microsoft, the US Army, and leading game manufacturers had their systems hacked by an international group of hackers who vacuumed intellectual property from their [...]

A Former Employee Fined US$1 Million for Trade Secret Theft
A Kentucky-based manufacturing [...] its ex-employee, Phillip Lee Groves, [...] that took place in 2007-2008, [...] that were copied onto a USB portable [...] in April this year, and faces now 40 [...]

Canadian Couple Arrested in China for Spying
The Chinese authorities are investigating a Canadian couple, living close to the Chinese border with North Korea, for stealing military [...]. [...] and Julie Garratt, who ran Peter’s Coffee House in Dandong and a weekly ‘English Corner’ where local Chinese practised English, have [...]. [...] arrests occurred less than a week after the Canadian Prime Minister Stephen Harper publicly implicated China in alleged acts of cyber [...]

Tech Firms Don’t Resist Governments’ Interception
Robert Hannigan, the new chief of Britain’s intelligence agency, GCHQ, criticised technology giants such as Apple, Google, Microsoft, Twitter and Facebook for permitting [...]. [...] wrote in his column at the Financial Times that he denounces the efforts of the technology companies to protect against spying without legal [...]