Archive for the 'Intellectual Property Rights' Category

Secrets are Secret, unless you work in the UK Cabinet Office

By now you have heard of the secret intelligence files left on a commuter train in England.

Keith Vaz MP, chairman of the powerful Home Affairs select committee, told the BBC: “Such confidential documents should be locked away…they should not be read on trains.”

This should be a reminder to the private sector regarding trade secrets.

Trade Secrets

A trade secret is not protected by a Patent, Trademark, or Industrial Design. A trade secret is confidential and proprietary information that you protect because of its commercial value and the competitive advantage that it produces for your company.

Competitive Intelligence

Exposing a trade secret in public, whether by working on a critical document on an airplane, leaving it on a commuter train, or including it in a proposal, may eliminate the confidential nature of the data. Once you do that, you have, by definition, given up protecting it, so it is no longer a trade secret that you can claim as proprietary; your former trade secret moves into the public domain for all to see and use.

As a competitive intelligence practitioner, I often find former trade secrets loose in the public domain due to irresponsible security practices. If the owner does not protect the trade secret, it ceases to be confidential and proprietary data, and is likely to become somebody else’s competitive advantage, or worse still, it might become a standard practice for an entire industry.

Chinese Spies in the U.S.A.

Chinese Use Front Companies, Students, Tourists, & Businessmen to Spy

Men with ‘highly sensitive’ cameras arrested at airport

Two men attempting to board a plane to China with nearly a dozen sensitive infrared cameras in their luggage were arrested on Saturday, a federal official said.

Yong Guo Zhi, a Chinese national, and Tah Wei Chao, a naturalized U.S. citizen, were arrested for investigation of trying to take thermal imaging cameras with potential military use to China without the proper export licenses, Weir said.

On-line Fences

The US Government Accountability Office says that stolen sensitive military items have been purchased by undercover government officials on Craigslist and eBay. However, this is like the pot calling the kettle black. The same subcommittee determined that the Defense Department sold chemical protective suits and biological warfare laboratory equipment to the public.

While it is easy to see an element of fear mongering in this, it does remind us that private sector businesses should be checking eBay and Craigslist for their own product and counterfeits. Doing so may reveal a problem with theft, grey marketing, or counterfeiting.

Travelling with Electronic Devices

When I travel for work, I undertake what some people consider extreme measures to protect proprietary client data from theft by officials at international borders. These officials do not need warrants to seize or examine anything in your possession when crossing a border and that makes border officials excellent spies. This issue arose recently regarding the actions of the US border officials:

In Canada, one law firm has instructed its lawyers to travel to the United States with “blank laptops” whose hard drives contain no data. “We just access our information through the Internet,” said Lou Brzezinski, a partner at Blaney McMurtry, a major Toronto law firm. That approach also holds risks, but “those are hacking risks as opposed to search risks,” he said.

Creating a “blank laptop” entails more than just hitting the delete key or even using a utility to overwrite existing data. The hacking risk is also greater than most people realize, especially with wireless connections. Even with secure end-to-end encryption, traffic analysis can yield very useful intelligence.

Dangers of Outsourced Software Development

Nigel Stanley, at Bloor Research, has written an article entitled “Ounce Labs weighs into rogue code” about the dangers of outsourcing software development. The most interesting part of the article follows:

Industrial espionage, or good old fashioned spying, is as alive and well today as it has ever been. In fact, a lot of time and effort from the security agencies is tied up in dealing with this issue, and contacts have assured me it is worse now than it has ever been as developing countries try to steal a march (maybe even literally) against the developed world. Spying between developed nations is also a problem, with some larger European countries having a dreadful reputation for trying to obtain industrial secrets from so called allies. Software development is an obvious target…

The downside of this approach is that decision makers get seduced by green lights whilst their developers look for even more creative ways of inserting malicious code. No sensible person will ever declare that a product such as Ounce 5 will guarantee that your code is 100% secure…

Why Ethical Hacker Training Fails

An excellent CI-related blog, Brand Killer Robots, offers this fun comparison of the black-hat hacker and the good guy training people to protect their assets.

Why have Ethical Hacker Training companies got it so wrong?

We ask, just who are the people that you are sending on Ethical hacker training courses and why are you sending them?

So let’s first look at the white hats.

Compelling evidence needed for Anton Piller order

In its 2007 decision in Catalyst Partners Inc. v. Meridian Packaging Ltd., [2007] A.J. No. 667 (C.A.), the Alberta Court of Appeal considered what evidence is required to satisfy the criteria for obtaining an Anton Piller order. In overturning the lower court’s decision and setting aside the Anton Piller order in this case, the Court of Appeal made it clear that strong evidence showing a real possibility the defendant will destroy documents is necessary before such an extraordinary order will be granted.

How to Take Notes like Thomas Edison

Thomas Edison was one of the world’s greatest note-takers. He considered his note-taking and filing system a vital part of all his endeavours. This often led to his victory in legal disputes and it was also the reservoir for what seemed like an amazing memory.

Famous inventor Thomas Edison is probably the most experienced note-taker in the world. His diary, which is still maintained as an important part of the United States historical record, contains five million (5,000,000) pages.

Edison certainly subscribed to the philosophy that if life is worth living, it is worth writing about.

Don’t Believe Everything You Read

Misleading RCMP data undermines counterfeiting claims by Michael Geist

“The RCMP has been the single most prominent source for claims about the impact of counterfeiting in Canada since its 2005 Economic Crime Report pegged the counterfeiting cost at between $10 to 30 billion dollars annually.”

“Responding to an Access to Information Act request for the sources behind the $30 billion claim, Canada’s national police force last week admitted that the figures were based on “open source documents found on the Internet.” In other words, the RCMP did not conduct any independent research on the scope or impact of counterfeiting in Canada, but rather merely searched for news stories on the Internet and then stood silent while lobby groups trumpeted the figure before Parliament.”

Trademarks are Really Hard to Think-up

We do a lot of trademark searches for due diligence and competitive intelligence research. I often contemplate how hard it must be to think up something original that isn’t utterly ridiculous or just plain stupid.

It seems Dilbert has the same problem.

Information Security is a Roll of the Dice Away

A friend who works for a very security conscious government organization surprised me when he asked why I had a plastic cup on my desk containing half a dozen dice cubes. Everybody knows why you keep dice at your desk, don’t they?

Passwords were the cornerstone of data security. It doesn’t matter if you are signing onto the company LAN, starting your laptop, or receiving email, passwords were required to keep out the thieves and brigands. Well, today passwords are obsolete! Today you need a passphrase!

Report Passwords

Have you ever sent an important report out to be copied and bound?

How Investigators and Consultants handle deliverables after the final editing may affect the security of the entire job. Yet they often give the product of their genius to some unknown person for copying and binding, then leave to have lunch. We have all seen this.

Another version of this slipshod security practice is emailing unsecured reports, or placing unwarranted reliance on the passwords in Word or PDF files to protect the contents.

Anybody who thinks that file passwords are completely secure should look at this Google Directory for Password Recovery software or this one for PDF Password Crackers. All password systems have weaknesses that can be exploited under some circumstances. Security comes from minimizing the exposure of the password-protected report files to circumstances that could lead to unauthorized access. Knowing the weaknesses of the password system and experience with the tools used to break it form your best defence.

Steganography

The word “Steganography” is from the Greek meaning “covered, or hidden writing”. Generally, a steganographic message will appear to be something else: a picture, a report, or some other document. The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. A visible coded message, no matter how unbreakable, will arouse suspicion.

A steganographic message in plaintext is first encrypted, and then a covertext is modified to contain the encrypted message. The recipient can recover and decrypt it if he knows the techniques used to conceal and encrypt the hidden message.

Stories of terrorists using steganographic messages began with USA Today articles written by Jack Kelley, who was fired in 2004 for fabricated stories and inventing sources. Private Investigators have far more mundane uses for steganography.

Steganography is used for “Watermarking”, which has taken on a new importance in the digital era. Digital images, video, and text are all easily copied and illegally distributed. By embedding identifying information in a file, steganography software enables Investigators to control the distribution of, and to verify ownership of, their digital information. It essentially conceals copyright and distribution information within digital information. One easy-to-use program for this purpose is wbStego.

However, beware that the more important the steganographic message, the more likely someone will try to remove it. StirMark and other software may remove copyright information from files.
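As an added illustration of the watermarking use described above (not code from the original post, and not how wbStego works): a sketch that hides a recipient identifier in a report's text using zero-width characters, so a leaked copy can be traced to the copy it came from. It authenticates the mark with a keyed HMAC instead of encrypting it; the key, report text and recipient name are constructed samples, and `strip_marks` shows how easily such a mark is removed.

```python
import hashlib
import hmac

ZW0, ZW1 = "\u200b", "\u200c"  # zero-width space / non-joiner carry bits 0 / 1
TAG_LEN = 8                    # bytes of truncated HMAC-SHA256 kept in the mark

KEY = b"constructed-demo-key"  # constructed sample key (assumption)
REPORT = "Findings: the subject met the supplier twice in March."  # constructed

def _tag(rid: bytes, key: bytes) -> bytes:
    return hmac.new(key, rid, hashlib.sha256).digest()[:TAG_LEN]

def embed(cover: str, recipient_id: str, key: bytes) -> str:
    """Return a copy of cover with an invisible mark after its first word."""
    rid = recipient_id.encode("utf-8")          # must be under 256 bytes
    payload = bytes([len(rid)]) + rid + _tag(rid, key)
    bits = "".join(f"{b:08b}" for b in payload)
    mark = "".join(ZW1 if bit == "1" else ZW0 for bit in bits)
    head, sep, tail = cover.partition(" ")
    return head + mark + sep + tail

def extract(text: str, key: bytes):
    """Return the recipient id if a valid, untampered mark is present, else None."""
    bits = "".join("1" if c == ZW1 else "0" for c in text if c in (ZW0, ZW1))
    usable = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    if not data or len(data) < 1 + data[0] + TAG_LEN:
        return None                              # no mark, or mark truncated
    n = data[0]
    rid, tag = data[1:1 + n], data[1 + n:1 + n + TAG_LEN]
    if not hmac.compare_digest(tag, _tag(rid, key)):
        return None                              # forged or damaged mark
    return rid.decode("utf-8")

def strip_marks(text: str) -> str:
    """What a removal tool or a plain-text normaliser does to the mark."""
    return text.replace(ZW0, "").replace(ZW1, "")

if __name__ == "__main__":
    marked = embed(REPORT, "client-A", KEY)
    print("visible text unchanged:", strip_marks(marked) == REPORT)
    print("recovered from marked copy:", extract(marked, KEY))
    print("recovered after stripping:", extract(strip_marks(marked), KEY))
```

A mark like this survives copy and paste but not retyping or normalisation, so it supports tracing a careless leak and does not replace controlling who receives the report.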

Microsoft Wins $700,000 in Canadian Case

The Federal Court of Canada has recently awarded Microsoft Canada Co. the highest statutory damages in an intellectual property case in the country.

The court’s decision directing Inter-Plus Inc., a Montreal-based software reseller, to pay Microsoft a total of $500,000 in statutory damages and $200,000 in punitive damages was called “ground breaking” by software industry insiders.
