Feeds

Hacking: the must-have business tool

Give yourself a competitive advantage

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Your competitor has a wildly successful web-based tool which is being used by many of your customers. Do you (A) give up and get out of the business; (B) set up a team of product developers to make a competing product; or (C) hack into the competitor's website, steal the code, and for good measure hire their critical employees to develop an exact duplicate of their website. If you answered (C) then congratulations and welcome to the new world of competitive hacking.

On 15 October, the United States Court of Appeals for the Ninth Circuit in Seattle, Washington had to deal with the case of two competing websites geared at helping long-distance truckers take on additional revenue-producing load to avoid the unprofitable practice of "dead-heading" - driving a truck that was less than full. One company, Creative Computing, created a successful website called Truckstop.com to help match truckers with loads. In the words of the court, a second company, Getloaded.com, "decided to compete, but not honestly".

Getloaded.com used many mechanisms to acquire data from the Truckstop.com website. Initially, they just copied the most current lists of unmatched drivers and loads. When Truckstop started using user IDs and passwords, Getloaded did the same. Reasoning correctly that truckers using both sites would create the same userid's and passwords, Getloaded officials logged into Truckstop's site using their customers' IDs. Then they registered a defunct company as a subscriber as another route to getting access to the data.

But this wasn't enough. As the court of appeals noted: "Getloaded's officers also hacked into the code Creative used to operate its website. Microsoft had distributed a patch to prevent a hack it had discovered, but Creative Computing had not yet installed the patch on truckstop.com. Getloaded's president and vice-president hacked into Creative Computing's website through the back door that this patch would have locked."

Sound familiar?

We in the security business have long preached patch management and access control. This case demonstrates the consequences of failure. Increasingly, companies are keeping confidential and competitive information either on web-accessible databases, or on databases that are vulnerable to unauthorized access via standard Internet protocols and their vulnerabilities.

Some of this in unavoidable: for truckers to have access to the website, it must necessarily be open and accessible. Access control for the general public is almost always accomplished via a user-defined userid and password, and users almost always select the same userids and passwords on multiple sites. Accounts are compromised as a result. Software robots can then be used to scrape competitive data off the site.

Economic Espionage

The answer to these problems is partly technical and partly legal. From a technical standpoint, companies must do a better job in selecting access control methodologies and auditing potential unauthorized access to a website. If you suddenly see thousands of attempted Web accesses from a small range of IP addresses (especially those associated with your competitor) its likely that something fishy is going on. Intrusion detection, log monitoring, and of course patch management all become part of the overall security of the website and the contents. Its not enough to simply patch, you also have to employ technologies that will alert you to new vulnerabilities, new ports opening, and verify and validate the fact that patches have been applied properly.

From a legal standpoint, blocking competitors is tricky. You essentially have created a "public" space, but want to put terms and conditions on what can be done in that space. It's sort of like the porn sites that say, as a condition of access, that you certify that you are not a cop, that naked pictures don't offend you, that you are over 18, and that you are aware of the contemporary community standards of wherever you live. Presumably, if you lie to obtain such access, you are violating the law.

Thus, part of your overall website defense is to create terms and conditions that prevent data on your site from being used against you: by entering the site the visitor agrees not to commercially use the data on the site, not to reverse engineer the software, or for that matter, not to do anything else that you want to prohibit.

Making "fair use" of copyrighted materials is not a copyright violation, but here you are setting terms and conditions of entry into your space. If these terms and conditions are not unreasonable or oppressive, or don't otherwise violate some compelling public policy, then a court is likely to find them enforceable.

This was exactly what the courts did in a series of cases going back several years. For example, a court in San Francisco in 2000 found that an eBay competitor could not use an autobot to scan the eBay site for auction materials, as this constituted an "unauthorized access" to the site, and therefore a "trespass to chattels" which resulted in injury to eBay. Similarly, when a travel agents site was likewise scoured by a competitor, a federal court in Boston found that the competitor had exceeded the scope of their authorization, and had not only committed a tort, but also a criminal violation of the federal computer crime law. Automated spam programs have likewise resulted in "unauthorized access" or "exceeding authorized access" claims.

The problem with such website policies is demonstrating in court that visitors agreed to be bound by them. A standard "clickwrap" agreement is sufficient. If you have a portion of your website that you want to protect with a userid and password, you should force subscribers to agree to a set of reasonable terms and conditions of use of the website and its content - one that could be enforceable in court.

In the trucking case, hacking alone wasn't sufficient, and Getloaded also "hired away a Creative Computing employee who had given Getloaded an unauthorized tour of the truckstop.com website," the court noted. "This employee, while still working for Creative, accessed confidential information regarding several thousand of Creative's customers. He downloaded, and sent to his home e-mail account, the confidential address to truckstop.com's server so that he could access the server from home and retrieve customer lists."

The Getloaded case reflects what I believe is a growing trend in hacking: intrusion for competitive advantage. But the case also reinforces that old-fashioned techniques of competitive espionage remain a threat.

Copyright © 2004, SecurityFocus logo

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Your data is at risk - from everything
Watch out! Incoming mass hack attack
Dot-Com firms are hacking each other - expert

Secure remote control for conventional and virtual desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.