Feeds

Hacking: the must-have business tool

Give yourself a competitive advantage

  • alert
  • submit to reddit

Seven Steps to Software Security

Your competitor has a wildly successful web-based tool which is being used by many of your customers. Do you (A) give up and get out of the business; (B) set up a team of product developers to make a competing product; or (C) hack into the competitor's website, steal the code, and for good measure hire their critical employees to develop an exact duplicate of their website. If you answered (C) then congratulations and welcome to the new world of competitive hacking.

On 15 October, the United States Court of Appeals for the Ninth Circuit in Seattle, Washington had to deal with the case of two competing websites geared at helping long-distance truckers take on additional revenue-producing load to avoid the unprofitable practice of "dead-heading" - driving a truck that was less than full. One company, Creative Computing, created a successful website called Truckstop.com to help match truckers with loads. In the words of the court, a second company, Getloaded.com, "decided to compete, but not honestly".

Getloaded.com used many mechanisms to acquire data from the Truckstop.com website. Initially, they just copied the most current lists of unmatched drivers and loads. When Truckstop started using user IDs and passwords, Getloaded did the same. Reasoning correctly that truckers using both sites would create the same userid's and passwords, Getloaded officials logged into Truckstop's site using their customers' IDs. Then they registered a defunct company as a subscriber as another route to getting access to the data.

But this wasn't enough. As the court of appeals noted: "Getloaded's officers also hacked into the code Creative used to operate its website. Microsoft had distributed a patch to prevent a hack it had discovered, but Creative Computing had not yet installed the patch on truckstop.com. Getloaded's president and vice-president hacked into Creative Computing's website through the back door that this patch would have locked."

Sound familiar?

We in the security business have long preached patch management and access control. This case demonstrates the consequences of failure. Increasingly, companies are keeping confidential and competitive information either on web-accessible databases, or on databases that are vulnerable to unauthorized access via standard Internet protocols and their vulnerabilities.

Some of this in unavoidable: for truckers to have access to the website, it must necessarily be open and accessible. Access control for the general public is almost always accomplished via a user-defined userid and password, and users almost always select the same userids and passwords on multiple sites. Accounts are compromised as a result. Software robots can then be used to scrape competitive data off the site.

Economic Espionage

The answer to these problems is partly technical and partly legal. From a technical standpoint, companies must do a better job in selecting access control methodologies and auditing potential unauthorized access to a website. If you suddenly see thousands of attempted Web accesses from a small range of IP addresses (especially those associated with your competitor) its likely that something fishy is going on. Intrusion detection, log monitoring, and of course patch management all become part of the overall security of the website and the contents. Its not enough to simply patch, you also have to employ technologies that will alert you to new vulnerabilities, new ports opening, and verify and validate the fact that patches have been applied properly.

From a legal standpoint, blocking competitors is tricky. You essentially have created a "public" space, but want to put terms and conditions on what can be done in that space. It's sort of like the porn sites that say, as a condition of access, that you certify that you are not a cop, that naked pictures don't offend you, that you are over 18, and that you are aware of the contemporary community standards of wherever you live. Presumably, if you lie to obtain such access, you are violating the law.

Thus, part of your overall website defense is to create terms and conditions that prevent data on your site from being used against you: by entering the site the visitor agrees not to commercially use the data on the site, not to reverse engineer the software, or for that matter, not to do anything else that you want to prohibit.

Making "fair use" of copyrighted materials is not a copyright violation, but here you are setting terms and conditions of entry into your space. If these terms and conditions are not unreasonable or oppressive, or don't otherwise violate some compelling public policy, then a court is likely to find them enforceable.

This was exactly what the courts did in a series of cases going back several years. For example, a court in San Francisco in 2000 found that an eBay competitor could not use an autobot to scan the eBay site for auction materials, as this constituted an "unauthorized access" to the site, and therefore a "trespass to chattels" which resulted in injury to eBay. Similarly, when a travel agents site was likewise scoured by a competitor, a federal court in Boston found that the competitor had exceeded the scope of their authorization, and had not only committed a tort, but also a criminal violation of the federal computer crime law. Automated spam programs have likewise resulted in "unauthorized access" or "exceeding authorized access" claims.

The problem with such website policies is demonstrating in court that visitors agreed to be bound by them. A standard "clickwrap" agreement is sufficient. If you have a portion of your website that you want to protect with a userid and password, you should force subscribers to agree to a set of reasonable terms and conditions of use of the website and its content - one that could be enforceable in court.

In the trucking case, hacking alone wasn't sufficient, and Getloaded also "hired away a Creative Computing employee who had given Getloaded an unauthorized tour of the truckstop.com website," the court noted. "This employee, while still working for Creative, accessed confidential information regarding several thousand of Creative's customers. He downloaded, and sent to his home e-mail account, the confidential address to truckstop.com's server so that he could access the server from home and retrieve customer lists."

The Getloaded case reflects what I believe is a growing trend in hacking: intrusion for competitive advantage. But the case also reinforces that old-fashioned techniques of competitive espionage remain a threat.

Copyright © 2004, SecurityFocus logo

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Your data is at risk - from everything
Watch out! Incoming mass hack attack
Dot-Com firms are hacking each other - expert

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.