Hacking: the must-have business tool

Give yourself a competitive advantage

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Your competitor has a wildly successful web-based tool which is being used by many of your customers. Do you (A) give up and get out of the business; (B) set up a team of product developers to make a competing product; or (C) hack into the competitor's website, steal the code, and for good measure hire their critical employees to develop an exact duplicate of their website. If you answered (C) then congratulations and welcome to the new world of competitive hacking.

On 15 October, the United States Court of Appeals for the Ninth Circuit in Seattle, Washington had to deal with the case of two competing websites geared at helping long-distance truckers take on additional revenue-producing load to avoid the unprofitable practice of "dead-heading" - driving a truck that was less than full. One company, Creative Computing, created a successful website called Truckstop.com to help match truckers with loads. In the words of the court, a second company, Getloaded.com, "decided to compete, but not honestly".

Getloaded.com used many mechanisms to acquire data from the Truckstop.com website. Initially, they just copied the most current lists of unmatched drivers and loads. When Truckstop started using user IDs and passwords, Getloaded did the same. Reasoning correctly that truckers using both sites would create the same userid's and passwords, Getloaded officials logged into Truckstop's site using their customers' IDs. Then they registered a defunct company as a subscriber as another route to getting access to the data.

But this wasn't enough. As the court of appeals noted: "Getloaded's officers also hacked into the code Creative used to operate its website. Microsoft had distributed a patch to prevent a hack it had discovered, but Creative Computing had not yet installed the patch on truckstop.com. Getloaded's president and vice-president hacked into Creative Computing's website through the back door that this patch would have locked."

Sound familiar?

We in the security business have long preached patch management and access control. This case demonstrates the consequences of failure. Increasingly, companies are keeping confidential and competitive information either on web-accessible databases, or on databases that are vulnerable to unauthorized access via standard Internet protocols and their vulnerabilities.

Some of this in unavoidable: for truckers to have access to the website, it must necessarily be open and accessible. Access control for the general public is almost always accomplished via a user-defined userid and password, and users almost always select the same userids and passwords on multiple sites. Accounts are compromised as a result. Software robots can then be used to scrape competitive data off the site.

Economic Espionage

The answer to these problems is partly technical and partly legal. From a technical standpoint, companies must do a better job in selecting access control methodologies and auditing potential unauthorized access to a website. If you suddenly see thousands of attempted Web accesses from a small range of IP addresses (especially those associated with your competitor) its likely that something fishy is going on. Intrusion detection, log monitoring, and of course patch management all become part of the overall security of the website and the contents. Its not enough to simply patch, you also have to employ technologies that will alert you to new vulnerabilities, new ports opening, and verify and validate the fact that patches have been applied properly.

From a legal standpoint, blocking competitors is tricky. You essentially have created a "public" space, but want to put terms and conditions on what can be done in that space. It's sort of like the porn sites that say, as a condition of access, that you certify that you are not a cop, that naked pictures don't offend you, that you are over 18, and that you are aware of the contemporary community standards of wherever you live. Presumably, if you lie to obtain such access, you are violating the law.

Thus, part of your overall website defense is to create terms and conditions that prevent data on your site from being used against you: by entering the site the visitor agrees not to commercially use the data on the site, not to reverse engineer the software, or for that matter, not to do anything else that you want to prohibit.

Making "fair use" of copyrighted materials is not a copyright violation, but here you are setting terms and conditions of entry into your space. If these terms and conditions are not unreasonable or oppressive, or don't otherwise violate some compelling public policy, then a court is likely to find them enforceable.

This was exactly what the courts did in a series of cases going back several years. For example, a court in San Francisco in 2000 found that an eBay competitor could not use an autobot to scan the eBay site for auction materials, as this constituted an "unauthorized access" to the site, and therefore a "trespass to chattels" which resulted in injury to eBay. Similarly, when a travel agents site was likewise scoured by a competitor, a federal court in Boston found that the competitor had exceeded the scope of their authorization, and had not only committed a tort, but also a criminal violation of the federal computer crime law. Automated spam programs have likewise resulted in "unauthorized access" or "exceeding authorized access" claims.

The problem with such website policies is demonstrating in court that visitors agreed to be bound by them. A standard "clickwrap" agreement is sufficient. If you have a portion of your website that you want to protect with a userid and password, you should force subscribers to agree to a set of reasonable terms and conditions of use of the website and its content - one that could be enforceable in court.

In the trucking case, hacking alone wasn't sufficient, and Getloaded also "hired away a Creative Computing employee who had given Getloaded an unauthorized tour of the truckstop.com website," the court noted. "This employee, while still working for Creative, accessed confidential information regarding several thousand of Creative's customers. He downloaded, and sent to his home e-mail account, the confidential address to truckstop.com's server so that he could access the server from home and retrieve customer lists."

The Getloaded case reflects what I believe is a growing trend in hacking: intrusion for competitive advantage. But the case also reinforces that old-fashioned techniques of competitive espionage remain a threat.

Copyright © 2004, SecurityFocus logo

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Related stories

Your data is at risk - from everything
Watch out! Incoming mass hack attack
Dot-Com firms are hacking each other - expert

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.