Hacking: the must-have business tool

Give yourself a competitive advantage


Your competitor has a wildly successful web-based tool which is being used by many of your customers. Do you (A) give up and get out of the business; (B) set up a team of product developers to make a competing product; or (C) hack into the competitor's website, steal the code, and for good measure hire their critical employees to develop an exact duplicate of their website. If you answered (C) then congratulations and welcome to the new world of competitive hacking.

On 15 October, the United States Court of Appeals for the Ninth Circuit in Seattle, Washington had to deal with the case of two competing websites geared at helping long-distance truckers take on additional revenue-producing load to avoid the unprofitable practice of "dead-heading" - driving a truck that was less than full. One company, Creative Computing, created a successful website called Truckstop.com to help match truckers with loads. In the words of the court, a second company, Getloaded.com, "decided to compete, but not honestly".

Getloaded.com used many mechanisms to acquire data from the Truckstop.com website. Initially, they just copied the most current lists of unmatched drivers and loads. When Truckstop started using user IDs and passwords, Getloaded did the same. Reasoning correctly that truckers using both sites would create the same user IDs and passwords, Getloaded officials logged into Truckstop's site using their customers' IDs. Then they registered a defunct company as a subscriber as another route to getting access to the data.

But this wasn't enough. As the court of appeals noted: "Getloaded's officers also hacked into the code Creative used to operate its website. Microsoft had distributed a patch to prevent a hack it had discovered, but Creative Computing had not yet installed the patch on truckstop.com. Getloaded's president and vice-president hacked into Creative Computing's website through the back door that this patch would have locked."

Sound familiar?

We in the security business have long preached patch management and access control. This case demonstrates the consequences of failure. Increasingly, companies are keeping confidential and competitive information either on web-accessible databases, or on databases that are vulnerable to unauthorized access via standard Internet protocols and their vulnerabilities.

Some of this is unavoidable: for truckers to have access to the website, it must necessarily be open and accessible. Access control for the general public is almost always accomplished via a user-defined user ID and password, and users almost always select the same user IDs and passwords on multiple sites. Accounts are compromised as a result. Software robots can then be used to scrape competitive data off the site.

Economic Espionage

The answer to these problems is partly technical and partly legal. From a technical standpoint, companies must do a better job of selecting access control methodologies and auditing for potential unauthorized access to a website. If you suddenly see thousands of attempted web accesses from a small range of IP addresses (especially those associated with your competitor), it's likely that something fishy is going on. Intrusion detection, log monitoring, and of course patch management all become part of the overall security of the website and its contents. It's not enough to simply patch; you also have to employ technologies that alert you to new vulnerabilities and newly opened ports, and that verify and validate that patches have been applied properly.
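As an added illustration of the log-monitoring heuristic above (this is example code written for this page, not anything from the column or from either company), the script below parses web server access logs in the common "combined" format and flags three signals that match the Getloaded pattern: a small address range issuing a large number of requests, one client address authenticating as many different customer accounts, and any traffic from networks the operator has chosen to watch. The log lines, the thresholds, and the watched network 203.0.113.0/24 are all constructed for the example; tune the thresholds to your own traffic volume.

```python
"""Added example: flag scraping and shared-credential patterns in web access logs.
Sample log lines, thresholds and the watched network are constructed assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict

# Combined log format: client ip, ident, authenticated user, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]   # "-" means unauthenticated
    return rec


def analyze(log_text, net_threshold=50, user_threshold=3, watch_nets=()):
    """Aggregate a log and return three findings:
    - busy_networks: /24 (IPv4) or /64 (IPv6) prefixes with more than net_threshold requests
    - shared_ips: single client addresses that logged in as more than user_threshold accounts
    - watch_hits: request counts from operator-listed networks (e.g. a competitor's block)
    """
    per_net = Counter()
    users_per_ip = defaultdict(set)
    watch_hits = Counter()
    watch = [ipaddress.ip_network(n) for n in watch_nets]

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip malformed lines rather than crash the monitor
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        per_net[str(net)] += 1
        if rec["user"]:
            users_per_ip[str(addr)].add(rec["user"])
        for w in watch:
            if addr in w:
                watch_hits[str(w)] += 1

    return {
        "busy_networks": {n: c for n, c in per_net.items() if c > net_threshold},
        "shared_ips": {ip: sorted(u) for ip, u in users_per_ip.items() if len(u) > user_threshold},
        "watch_hits": dict(watch_hits),
    }


def build_sample_log():
    """Constructed log: three addresses in one /24 walk every page of the load board
    under five different customer logins, followed by ordinary one-user-per-address traffic."""
    lines = []
    drivers = ["driver_a", "driver_b", "driver_c", "driver_d", "driver_e"]
    for i in range(60):
        ip = f"203.0.113.{10 + i % 3}"
        user = drivers[i % len(drivers)]
        lines.append(f'{ip} - {user} [15/Oct/2004:10:00:{i:02d} +0000] '
                     f'"GET /loads?page={i} HTTP/1.1" 200 512')
    for i in range(5):
        lines.append(f'198.51.100.{20 + i} - driver_{chr(97 + i)} [15/Oct/2004:11:00:{i:02d} +0000] '
                     f'"GET /loads?page=1 HTTP/1.1" 200 512')
    lines.append("garbage line that does not parse")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = analyze(build_sample_log(), watch_nets=("203.0.113.0/24",))
    for key, value in findings.items():
        print(f"{key}: {value}")
```

In a real deployment you would feed this the rotated access log on a schedule, alert on any non-empty finding, and pair it with the login audit: a customer account whose sessions suddenly originate from an address range its owner never used before is the same signal seen from the account side.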

From a legal standpoint, blocking competitors is tricky. You essentially have created a "public" space, but want to put terms and conditions on what can be done in that space. It's sort of like the porn sites that say, as a condition of access, that you certify that you are not a cop, that naked pictures don't offend you, that you are over 18, and that you are aware of the contemporary community standards of wherever you live. Presumably, if you lie to obtain such access, you are violating the law.

Thus, part of your overall website defense is to create terms and conditions that prevent data on your site from being used against you: by entering the site the visitor agrees not to commercially use the data on the site, not to reverse engineer the software, or for that matter, not to do anything else that you want to prohibit.

Making "fair use" of copyrighted materials is not a copyright violation, but here you are setting terms and conditions of entry into your space. If these terms and conditions are not unreasonable or oppressive, or don't otherwise violate some compelling public policy, then a court is likely to find them enforceable.

This was exactly what the courts did in a series of cases going back several years. For example, a court in San Francisco in 2000 found that an eBay competitor could not use an autobot to scan the eBay site for auction materials, as this constituted an "unauthorized access" to the site, and therefore a "trespass to chattels" which resulted in injury to eBay. Similarly, when a travel agent's site was likewise scoured by a competitor, a federal court in Boston found that the competitor had exceeded the scope of its authorization, and had not only committed a tort but also a criminal violation of the federal computer crime law. Automated spam programs have likewise resulted in "unauthorized access" or "exceeding authorized access" claims.

The problem with such website policies is demonstrating in court that visitors agreed to be bound by them. A standard "clickwrap" agreement is sufficient. If you have a portion of your website that you want to protect with a user ID and password, you should force subscribers to agree to a set of reasonable terms and conditions of use of the website and its content - one that could be enforceable in court.

In the trucking case, hacking alone wasn't sufficient, and Getloaded also "hired away a Creative Computing employee who had given Getloaded an unauthorized tour of the truckstop.com website," the court noted. "This employee, while still working for Creative, accessed confidential information regarding several thousand of Creative's customers. He downloaded, and sent to his home e-mail account, the confidential address to truckstop.com's server so that he could access the server from home and retrieve customer lists."

The Getloaded case reflects what I believe is a growing trend in hacking: intrusion for competitive advantage. But the case also reinforces that old-fashioned techniques of competitive espionage remain a threat.

Copyright © 2004, SecurityFocus

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
