Slashdot Mirror


Stealing Silicon Valley

pacopico writes "A series of robberies in Silicon Valley have start-ups feeling nervous. According to this report in Businessweek, a couple of networking companies were burgled recently with attempts made to steal their source code. The fear is that virtual attacks have now turned physical and that espionage in the area is on the rise. As a result, companies are now doing more physical penetration testing, including one case in which a guy was mailed in a FedEx box in a bid to try and break into a start-up."

28 of 139 comments

  1. the box was labelled "Supplies" by themushroom · · Score: 5, Funny

    And when the staff opened the top, a 4'5" Asian man jumped out and said "Supplies!!"

    1. Re:the box was labelled "Supplies" by K. S. Kyosuke · · Score: 2

      And when the staff opened the top, a 4'5" Asian man jumped out and said "Supplies!!"

      "Good, I need a replacement keyboard and a coffee."

      --
      Ezekiel 23:20
  2. strange article by schneidafunk · · Score: 4, Insightful

    It goes from corporate espionage to some guy stealing credit card numbers as a 'hobby'.

    I work at a major corporation that has security cards to get into the building and my computer is password protected with an encrypted hard drive & a physical lock on the computer. Are security guards with guns really necessary?

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:strange article by CanHasDIY · · Score: 4, Insightful

      It goes from corporate espionage to some guy stealing credit card numbers as a 'hobby'.

      I work at a major corporation that has security cards to get into the building and my computer is password protected with an encrypted hard drive & a physical lock on the computer. Are security guards with guns really necessary?

      A security-minded person would say 'yes, because security guards with guns deter threats that locks and passwords do not.' If your valuables are really that valuable, then there is no such thing as too much security.

      Of course, the article is mainly focused on start-ups who rarely focus on security, not large corporations who have years' experience at deterring the bad guys.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:strange article by gstoddart · · Score: 3, Interesting

      Are security guards with guns really necessary?

      With a little social engineering and determination, it's surprisingly easy (I hear) to bypass the entry controls in a lot of places.

      Hell, put on a green uniform and carry a clip-board and they might hold the door open for you.

      I've been at places which have a policy that if you don't recognize someone, challenge them as to why they're there. I once stopped a VP and said "ummm, who the heck are you and how did you get in?" because I had never seen him before but he was standing outside the lab. He was surprisingly nice about it too.

      So it all depends on how valuable what you have is, and how likely someone is to take pains to get it. From the sounds of it, this is due to actual incidents which have happened.

      --
      Lost at C:>. Found at C.
    3. Re:strange article by sosume · · Score: 3, Funny

      I always tell people I'm the newly appointed VP when they catch me around offices I shouldn't be.

    4. Re:strange article by swb · · Score: 4, Interesting

      Right after 9/11 I asked our electrician if he had been experiencing more difficulty getting into buildings to do work. I figured with security on everyone's mind it would be more challenging to show up and gain access to sensitive areas of downtown office buildings.

      He just laughed and said no. He said if I took one of his work uniform shirts (company logo polo) and carried a bunch of tools with me I could walk into any building security office downtown and check out master keys merely by handing them my driver's license. No questions asked.

      My guess is with the right employee uniform you can get away with going a lot of places you don't belong. You could probably do some serious mayhem in the local telco uniform as this would probably get you into any wiring closet in the building, and often they have patch panels and switches for local networks.

    5. Re:strange article by cascadingstylesheet · · Score: 2

      A security-minded person would say 'yes, because security guards with guns deter threats that locks and passwords do not.' If your valuables are really that valuable, then there is no such thing as too much security.

      Of course, the article is mainly focused on start-ups who rarely focus on security, not large corporations who have years' experience at deterring the bad guys.

      Just as real computer security is hard, so is real physical security.

      I think I've worked maybe one place that had what I would consider real physical security that was worth much of anything. (And it wasn't the military, but rather a military contractor.)

    6. Re:strange article by gstoddart · · Score: 2

      I always tell people I'm the newly appointed VP when they catch me around offices I shouldn't be.

      I still made him show me his badge and checked with reception.

      I'm not the trusting sort.

      --
      Lost at C:>. Found at C.
    7. Re:strange article by nospam007 · · Score: 2

      "You plug into a network, right? Where's the switch? Where's your server? Where are the project files? Are they encrypted? Where are all of the domain controllers? Who has access to the printer hard drives? Are all of your co-irkers as conscientious as you are? Who controls access to the network closets? What's the procedure to access them? Can people get away with tailgating into the building? "

      We asked Borland or Inprise or whatever it was called at that moment for the source code for dBase III+ in the late nineties, they would have given us the code perhaps, but nobody was able to find out where it was.
      The developers were retired, dead or moved on a decade ago when they took over Ashton-Tate.

    8. Re:strange article by lgw · · Score: 2

      Bullshit. People will always take short cuts, even in the military. But if your company exists to create software, the guys who create software are ultimately the real assets.

      Good security revolves around understanding that people take shortcuts. Make the right thing to do easier than the wrong thing. For example, any security door between where people sit and the smoking area will be propped open - guaranteed. You can try to resolve that with shouting, or you can simply build a smoking area inside the secure perimeter. With the latter approach it's now easier to smoke in the smoking area than not, and no one will be working around your security for their convenience (and to avoid tracking).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    9. Re:strange article by cusco · · Score: 3, Informative

      Or you can install an obnoxious sounder that goes off every time the door is held open more than X-many seconds. That works really well, we do it all the time.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    10. Re:strange article by cusco · · Score: 4, Interesting

      This exact scenario happened recently where I currently work. An executive from headquarters showed up with his party to inspect a new data center, his staff had accidentally left his name off the list of people to be granted temporary access. He made all kinds of noise about it, but ended up sitting in the lobby while the rest of the party took in the dog and pony show. Once he got home and cooled down he sent a letter of commendation to the guard staff at the data center. Don't know what happened to the staffer that left his name off the list.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    11. Re:strange article by AJH16 · · Score: 3, Insightful

      Actually, the people taking shortcuts should be educated on why not to take shortcuts and the procedures reviewed to see if they can be improved. Overly burdensome security will harm morale and could possibly increase the chance of an internal breach, which is always the biggest risk since the people inside are supposed to have at least some access.

      --
      AJ Henderson
  3. Credit please... by SuperKendall · · Score: 4, Informative

    To the master, Weird Al.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Those who forget the past... by Virtucon · · Score: 4, Interesting

    Are doomed to repeat it. Espionage is nothing new and it's been around for centuries. The plans for the Atomic Bomb were stolen by people who were sympathetic to the Soviets.

    Sometimes technology can be given away, stupidly, when somebody is trying to build better relations or is reverse engineered like the TU-4 bomber.

    While we've been concerned with Cyber Espionage it's still nice to see that old fashioned bribery and cunning are still in use and that countries and competitors will still go to whatever lengths are necessary to steal technology. We've allowed billions in technological innovations to be stolen and given away and it will come back to haunt us.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  5. Security starts with inventory by onyxruby · · Score: 3, Interesting

    This shouldn't really surprise someone. When you think about it, a data center or server rack is arguably about the most valuable square footage that you can have. Think of a comparison to a typical jewelry shop, it might have $250,000 to a $1,000,000 in a vault and it's not easy to liquidate for anything resembling its retail value. Now think of a typical bank vault, it probably has a typical amount of money, and again liquidation is an issue (look up money laundering for the challenges drug dealers face plus serial numbers).

    Now think of a single rack in a data-center where a low end server can easily cost $5000 and nobody blinks an eye at something costing $25,000. A single rack can easily be worth a million dollars or more depending on how it is loaded. You can also easily resell IT equipment or part it out and there is a much smaller chance of getting caught. Serial numbers are an issue of course, but if something gets sent overseas the cost of getting caught drops significantly while the value is pretty much retained.

    If you were to look at the sheer value of the contents of a building the only buildings that could possibly compete with a data center would be the exceptional bank vault and factories such as where they build new jetliners.

    1. Re:Security starts with inventory by mlts · · Score: 2

      What I've found is sometimes the best protection for data center rack protection is sometimes things that are fairly simple.

      Something as simple as pin-Torx or pin-Robertson (square head) screws can keep equipment from vanishing, assuming the bits are stored somewhere fairly secure. It isn't near 100%, but it will slow someone down who managed to get in, and who is looking to unbolt something out of a rack and then make a break for it out the fire door.

      If I need more secure tamper-resistant screws, Bryce Fastener can make custom-headed screws that only each customer would have bits to. This is low-tech and won't stop someone who has the ability to haul 500+ pounds out on a rack, but it is a good line of defense.

      Computer-wise, for very sensitive servers, I always have some sort of DAR (disk at rest) encryption (with the recovery keys stored in multiple secure, but recoverable locations.) That way, if someone grabs all the disks from an array, the data is useless without the LUKS or BitLocker keys. Similar on the SAN side. With encryption enabled on the drive controllers and the drives being hardware self-encrypting, a theft becomes "just" a hardware loss, not both hardware loss and a major security breach.

      None of these measures are 100%. A computer that uses BitLocker Network Unlock can be decrypted via a RAM dump. Security screws can be drilled or slotted with a Dremel tool. However, it is better to have some measures in place than none.

  6. nothing new here by frovingslosh · · Score: 2

    Just more proof that information wants to be free.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  7. Movie time by SJHillman · · Score: 3, Funny

    I bet it's those Pirates of Silicon Valley. Damn pirates, always stealing everything.

  8. Did They Do Attack Trees? by bill_mcgonigle · · Score: 5, Interesting

    C'mon, guys, if you'd have done your attack trees, you'd know that the guy who empties the waste basket can install a keylogger for a day for much less cost than it would take to break your 4096 bit PGP key.

    I suppose this story does highlight some changing costs on the nodes, though - if physical penetration is becoming more prevalent, then either the cost of hiring somebody to do it is falling (due to massive unemployment, perhaps?) or the costs of other attacks are rising.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
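
Added example, not part of the original comments: the attack-tree reasoning in the comment above, written as a small evaluator that finds the attacker's cheapest path and shows what one defensive control does to it. The node names and dollar costs are constructed for illustration (the keylogger price follows the "under $100" figure quoted in the thread).

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0    # attacker cost in dollars; used on leaves only
    children: list = field(default_factory=list)


def cheapest(node):
    """Return (cost, [leaf names]) for the attacker's cheapest way to reach `node`."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    if not node.children:
        raise ValueError(f"{node.kind} node {node.name!r} has no children")
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def raise_cost(node, leaf_name, extra):
    """Copy the tree, adding `extra` to one leaf to model a defensive control."""
    if node.kind == "leaf":
        bump = extra if node.name == leaf_name else 0.0
        return Node(node.name, cost=node.cost + bump)
    kids = [raise_cost(c, leaf_name, extra) for c in node.children]
    return Node(node.name, node.kind, children=kids)


# Constructed tree: every cost below is an illustrative assumption.
TREE = Node("read encrypted mail", "or", children=[
    Node("break 4096-bit key", cost=1e12),
    Node("keylogger on workstation", "and", children=[
        Node("buy USB keylogger", cost=100.0),
        Node("unescorted access to desk", cost=500.0),
    ]),
    Node("remote compromise of workstation", cost=20_000.0),
])

if __name__ == "__main__":
    print(cheapest(TREE))
    hardened = raise_cost(TREE, "unescorted access to desk", 50_000.0)
    print(cheapest(hardened))
```

The control adds $50,000 to one leaf, yet the attacker's minimum cost rises only to the next-cheapest branch, which is why a tree is re-evaluated as a whole after each change.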
    1. Re:Did They Do Attack Trees? by cusco · · Score: 5, Interesting

      The cost of doing it is dropping because the tools are getting cheaper, easier to use, and easier to deploy. A local software company got hacked by someone just plugging a wireless router into an unoccupied network port in a conference room and taping it under the table (they think it was a job applicant being interviewed), and then just browsing their network from the parking lot that night. I've heard (second hand) of an office where the janitorial staff plugged a netbook into a port under a desk, let it sniff all network traffic for a couple of days, and then handed it off to whoever hired them. I've seen USB keyloggers advertised for under $100, and some of the newer remote control/viewing software can be autoinstalled and is unnoticeable to the casual user. It just isn't rocket surgery any more.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  9. War By Other Means. by tekrat · · Score: 4, Informative

    I remember reading "War By Other Means" (http://www.amazon.com/War-Other-Means-Economic-Espionage/dp/0393318214/ref=sr_1_3?ie=UTF8&qid=1381510831&sr=8-3&keywords=war+by+other+means) more than 10 years ago.

    The book starts off with how the USA, during its early years, sent "spies" to European nations to gather their technology regarding weaving and agriculture, as well as the start of the industrial revolution, and how that enabled the USA to become a superpower, and now it's being turned around on us that other countries such as China are doing the same thing, except that they are doing it on a much larger scale.

    That this is happening on a small scale in the valley is no surprise, since the lead-time on new tech is now incredibly small. Look how Samsung introduced a "smartwatch" based on a RUMOR that Apple was doing that.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:War By Other Means. by artor3 · · Score: 2

      The US didn't become a superpower by stealing loom technology. It became a superpower because every other major power was a bombed out husk following World War II.

  10. Governor Brown is being questioned? by s.petry · · Score: 4, Funny

    Oh wait, this is not about the business taxes in CA.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  11. Re:Credit please... only where credit due by Beorytis · · Score: 2

    Perhaps, but he certainly put more class into the delivery

    Do you mean "class" or "crass"?

  12. Deja vu all over again by TheloniousToady · · Score: 3, Interesting

    Sounds like the kinda stuff Kevin Mitnick was doing to The Phone Company decades ago. He once broke into a local Ma Bell office to steal manuals, as reported in his book "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker".

    The book is a pretty good read. In it, Mitnick repeatedly claims he never profited from any of his adventures - except by selling books and becoming a security consultant, of course. Heck, some of the reported robbers in Silicon Valley might be even more ethical.

  13. Re:LOL Racism by Beardo the Bearded · · Score: 2

    Actually, that's mostly true. Some regions of Canada use the most lightly-accented form of English.

    I've been interviewed just for my voice to test my accent.

    --
    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.