Hacked to Pieces
Any company's E-mail system is vulnerable to attack. Don't let yours be next
Early last spring, when I was on the West Coast, I E-mailed the vice-president of our company, in New Jersey, about our new bonus structure. The next day a manager who'd accompanied me on the trip brought up the plan in conversation. I called my vice-president and asked why he'd shared my E-mail. His answer startled us both. He said, "I haven't even read that message yet."
Thus began the nightmare that has absorbed our company for the past six months: the discovery that someone was running rampant through our E-mail system. That same someone, it turned out, had for about a year been reading all the corporate E-mail and forwarding confidential mail between me and our vice-president to other employees, sending quotes and proposals to a competitor, and passing along payroll information to his buddies. He once had made up a missive under my name that slammed the technical abilities of one of our engineers and then forwarded it by "user unknown" to the engineer.
The invasion of an E-mail system, contrary to popular belief, can happen in any company. It isn't easy, but it is possible for someone with specialized knowledge--an MIS expert, an employee who's into computers--to crack a system and wreak havoc. It happened to us.
The E-mail system we use is made by a well-respected Fortune 500 company, but when we first discovered our problem, we assumed that the package must have had a security leak. How else could password-protected and encrypted E-mail messages be intercepted? We contacted the developer, who assured us that the basic system was secure. The company suggested we contact the New Jersey State Police computer-crimes unit, and before we knew it, we were setting up a sting operation.
With the police involved, we began to audit our network activity by using auditing software. That led us to our first startling discovery: there was a file server on our network that did not belong to the company. Watching this server over a couple of days, we saw a chilling event unfold: user "Admin" would log in nightly and copy files from our main production server to the unknown server. The files were the encrypted databases that contained all of our corporate E-mail.
The network address of the unknown file server was 00000042. We later discovered that "42" signifies the "answer to Life, the Universe, and Everything" in Douglas Adams's book The Hitchhiker's Guide to the Galaxy.
We reported our findings to the police and immediately set up after-hours meetings at our office. We figured out that the additional server was connected to our network through a dedicated telephone line. One night we broke the connection, one of our routers automatically reestablished the line, and we traced the phone number the router had dialed. Ultimately the police charged a former employee who knew the ins and outs of our E-mail system. (After he'd left the company, he'd helped us rebuild one of our E-mail servers when it crashed one evening. He came off as a hero, and I personally had asked him if he would consider coming back to us. Now it appears that he had purposely destroyed the system from off-site.)
We left the link in place for a few more weeks to collect possible evidence. At this point we informed a few employees about what was going on and asked them to cooperate with the investigation. Eventually we discovered a complete mirror system capable of containing our E-mail files. (The passwords had been cracked by utilities designed for just that purpose.)
Today server 00000042 is gone. Our former employee is awaiting trial in municipal court, where he has pleaded not guilty to charges of gaining unauthorized access to a computer system and theft of services. Overall we estimate the damages from that security breach to be in the millions of dollars: we lost loyal employees when "steam-releasing" E-mail messages I sent to our vice-president about them landed in their E-mail boxes, and we lost customers when pricing information was forwarded to a competitor and used against us.
Looking for a silver lining, we have taken what we learned and now consult with other companies on how better to protect internal E-mail by running regular security audits. We have new policies about what information is allowed to be sent via E-mail, and we're extra careful about how we phrase our messages. Even now--especially now--we know that there's always the potential for unintended eyes to see what we write.
Paul G. Lewis is president and CEO of MC 2 Corp., a $10-million computer network-design company with headquarters in Warren, N.J.