[ISN] Hacking: the must-have business tool

InfoSec News isn at c4i.org
Thu Oct 28 04:32:30 EDT 2004


By Mark Rasch
26th October 2004 

Your competitor has a wildly successful web-based tool which is being
used by many of your customers. Do you (A) give up and get out of the
business; (B) set up a team of product developers to make a competing
product; or (C) hack into the competitor's website, steal the code,
and for good measure hire their critical employees to develop an exact
duplicate of their website. If you answered (C) then congratulations
and welcome to the new world of competitive hacking.

On 15 October, the United States Court of Appeals for the Ninth
Circuit in Seattle, Washington had to deal with the case of two
competing websites geared at helping long-distance truckers take on
additional revenue-producing load to avoid the unprofitable practice
of "dead-heading" - driving a truck that was less than full. One
company, Creative Computing, created a successful website called
Truckstop.com to help match truckers with loads. In the words of the
court, a second company, Getloaded.com, "decided to compete, but not

Getloaded.com used many mechanisms to acquire data from the
Truckstop.com website. Initially, they just copied the most current
lists of unmatched drivers and loads. When Truckstop started using
user IDs and passwords, Getloaded did the same. Reasoning correctly
that truckers using both sites would create the same userid's and
passwords, Getloaded officials logged into Truckstop's site using
their customers' IDs. Then they registered a defunct company as a
subscriber as another route to getting access to the data.

But this wasn't enough. As the court of appeals noted: "Getloaded's
officers also hacked into the code Creative used to operate its
website. Microsoft had distributed a patch to prevent a hack it had
discovered, but Creative Computing had not yet installed the patch on
truckstop.com. Getloaded's president and vice-president hacked into
Creative Computing's website through the back door that this patch
would have locked."

Sound familiar?

We in the security business have long preached patch management and
access control. This case demonstrates the consequences of failure.  
Increasingly, companies are keeping confidential and competitive
information either on web-accessible databases, or on databases that
are vulnerable to unauthorized access via standard Internet protocols
and their vulnerabilities.

Some of this in unavoidable: for truckers to have access to the
website, it must necessarily be open and accessible. Access control
for the general public is almost always accomplished via a
user-defined userid and password, and users almost always select the
same userids and passwords on multiple sites. Accounts are compromised
as a result. Software robots can then be used to scrape competitive
data off the site.

Economic Espionage

The answer to these problems is partly technical and partly legal.  
 From a technical standpoint, companies must do a better job in
selecting access control methodologies and auditing potential
unauthorized access to a website. If you suddenly see thousands of
attempted Web accesses from a small range of IP addresses (especially
those associated with your competitor) its likely that something fishy
is going on. Intrusion detection, log monitoring, and of course patch
management all become part of the overall security of the website and
the contents. Its not enough to simply patch, you also have to employ
technologies that will alert you to new vulnerabilities, new ports
opening, and verify and validate the fact that patches have been
applied properly.

 From a legal standpoint, blocking competitors is tricky. You
essentially have created a "public" space, but want to put terms and
conditions on what can be done in that space. It's sort of like the
porn sites that say, as a condition of access, that you certify that
you are not a cop, that naked pictures don't offend you, that you are
over 18, and that you are aware of the contemporary community
standards of wherever you live. Presumably, if you lie to obtain such
access, you are violating the law.

Thus, part of your overall website defense is to create terms and
conditions that prevent data on your site from being used against you:  
by entering the site the visitor agrees not to commercially use the
data on the site, not to reverse engineer the software, or for that
matter, not to do anything else that you want to prohibit.

Making "fair use" of copyrighted materials is not a copyright
violation, but here you are setting terms and conditions of entry into
your space. If these terms and conditions are not unreasonable or
oppressive, or don't otherwise violate some compelling public policy,
then a court is likely to find them enforceable.

This was exactly what the courts did in a series of cases going back
several years. For example, a court in San Francisco in 2000 found
that an eBay competitor could not use an autobot to scan the eBay site
for auction materials, as this constituted an "unauthorized access" to
the site, and therefore a "trespass to chattels" which resulted in
injury to eBay. Similarly, when a travel agents site was likewise
scoured by a competitor, a federal court in Boston found that the
competitor had exceeded the scope of their authorization, and had not
only committed a tort, but also a criminal violation of the federal
computer crime law. Automated spam programs have likewise resulted in
"unauthorized access" or "exceeding authorized access" claims.

The problem with such website policies is demonstrating in court that
visitors agreed to be bound by them. A standard "clickwrap" agreement
is sufficient. If you have a portion of your website that you want to
protect with a userid and password, you should force subscribers to
agree to a set of reasonable terms and conditions of use of the
website and its content - one that could be enforceable in court.

In the trucking case, hacking alone wasn't sufficient, and Getloaded
also "hired away a Creative Computing employee who had given Getloaded
an unauthorized tour of the truckstop.com website," the court noted.  
"This employee, while still working for Creative, accessed
confidential information regarding several thousand of Creative's
customers. He downloaded, and sent to his home e-mail account, the
confidential address to truckstop.com's server so that he could access
the server from home and retrieve customer lists."

The Getloaded case reflects what I believe is a growing trend in
hacking: intrusion for competitive advantage. But the case also
reinforces that old-fashioned techniques of competitive espionage
remain a threat.

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the
Justice Department's computer crime unit, and now serves as Senior
Vice President and Chief Security Counsel at Solutionary Inc.

More information about the ISN mailing list