$this->articleCE->primaryUrlById(3526816) = /security/article.php/3526816/When+EMail+Isnt+Monitored.htm
When E-Mail Isn't Monitored - InternetNews.
RealTime IT News

When E-Mail Isn't Monitored

Tech employees sending out trade secrets to competitors. Government workers e-mailing hate mail and pornography. Private financial and health information routinely sent out over the Web unencrypted and unprotected.

These are but a few of the startling assertions in the new book, The Insider: A True Story Reveals the Threat to Intellectual Property From High-Tech Industry Insiders.

"Identity theft is a hot buzz phrase and a real concern, but after writing this book I came to the conclusion the actual theft of identity is a symptom of a much worse cancer growing inside organizations," said author Dan Verton in an interview with internetnews.com. "The mishandling of information on the inside is enabling identity theft to happen."

Verton said most of the cases of abuse involved employees unwittingly sending sensitive, private and proprietary information unprotected over the Internet, typically using Web e-mail services like Hotmail or Gmail. The next worm or virus, he said, starts by harvesting these e-mails."

But intentional abuses are also a huge problem. Former Attorney General John Ashcroft estimated in October that intellectual property theft costs U.S. companies about $250 billion a year.

Silicon Valley-based Reconnex assisted Verton in his research. The company's iGuard Content Analyzer functions as a high-speed enterprise security appliance designed to monitor all information flowing over an organization's network. The system registers all sensitive or proprietary data created in any type of electronic format, such as images, text-based files or database records.

It provides real-time alerts on exact matches of content registered by the Reconnex iController. For example, the system can look for specific keywords in any electronic communication sent on a company's network, or it can look for number formats that resemble a credit card or Social Security card.

"We have the most comprehensive database in terms of what is leaking from companies and governmental agencies," said Don Massaro, founder and CEO of Reconnex. "Up to now what's been available have been estimates based on surveys. We have the first hard data."

As part of its sales pitch to large companies and government agencies, Reconnex conducts a 48-hour risk assessment where it attaches the iGuard to a company's network gathering data at 1 gigabyte per second speeds onto a petabyte storage device.

The company allowed Verton to view abstracts of the results at over 50 sites at the same time they were presented to the potential customers (companies and government agencies). "There wasn't one assessment where someone didn't lose their job after the data was presented," said Verton.

Verton, a former Marine intelligence officer, doesn't name names as part of his confidentiality agreement with Reconnex, which is also helping to market the book. Yet some of the examples leave little to the imagination.

In one case, he described a company as "one of the largest technology developers in the country whose products everyone uses." The results of the 48-hour assessment showed that this company had 50 different employees all looking for a job, and one of these sent out proprietary documents on a new product to a direct competitor.

At one government agency, Verton said the results included thousands of pornographic images, hate mail and gambling bets sent over a 48-hour period.

"Some of the content was so horrible that when some of the government employees saw it they turned their heads down or left the room," said Verton. "The porno sites are a major security problem because they can install spyware and spam proxies on the user's machine."

Employees can be prosecuted for misuse of a company's e-mail.

"There is a basic problem with privacy laws in that telephone use has formed the basis of employer surveillance," said Chris Hoofnagel, a lawyer with the Electronic Privacy Information Center, a public interest research group. "You are not supposed to monitor purely personal messages. That's in the federal statutes. But it's one thing to stop listening to a phone call; with e-mail it's impossible to stop."

Meanwhile, the details in Verton's book aren't likely to leave any managers calling for more privacy controls. In one case, Verton claims the monitoring unveiled an Al Qaeda operative working at a government agency. "A counter-intelligence department in the government [used iGuard] and found an individual who was e-mailing to a private address back and forth discussing how to [exploit] a government agency's network," said Verton.

In another 48 hour assessment a financial institution told Massaro that it had a Web-mail blocker in place. But one of the first results in the filter of keywords was an e-mail by an employee to a private address on the outside that said, "I just found out a way to get around the Web-mail blocking."