Nailing the Company Spies
<http://www.wired.com/news/business/0%2C1367%2C41968%2C00.html?tw=wn20010301>
by Jeffrey Benner
Mar. 1, 2001

The end of the Cold War hit defense contractors such as Raytheon where it hurts. In 1999, while commercial tech companies wallowed in cash, Raytheon's profits were down 50 percent over the previous year, and its stock price plummeted from $75 to $25. Something had to be done.

Raytheon decided to follow the money and put its military technology experts to work figuring out how to cash in on the tech boom. Last summer, it rolled out its first IT product, a revolutionary network security program called SilentRunner. The program, designed to "answer the insider threat," is powerful enough to be used by the government's investigation agencies, yet it is for sale on the commercial market.

According to SilentRunner's slick brochure, enemies lurk within the corporate environment and they must be stopped. "We know that 84 percent of your network threats can be expected to come from inside your organization.... This least intrusive of all detection systems will guard the integrity of your network against abuses from unauthorized employees, former employees, hackers or terrorists and competitors."

The program is a sophisticated information-gathering and analysis tool that makes traditional keyword "sniffers" obsolete. It captures all the information on a network, in any code or human language, and translates it into easily decipherable three-dimensional diagrams of network behavior.

Never heard of SilentRunner? The scores of companies and government agencies using the program to keep tabs on their agents and employees like it that way. Organizations using SilentRunner have adopted a top-secret attitude about the product to match its military-strength intelligence-gathering capabilities.

Until December 2000, when security services provider TruSecure revealed it had purchased the "lite" version of the program, not one organization, public or private, had admitted to buying SilentRunner. On Feb. 1, the computer forensic division of consulting firm Deloitte & Touche became the second to say it uses the program. Both companies provide security services to client companies. No organization has admitted to using SilentRunner to monitor its own employees.

Why all the secrecy? Opinions vary. "What could be interpreted by the fact that a corporation is using SR is admission that there's a problem. That's really where the secrecy comes from," said Paul Gentile, vice president of business development for Raytheon's information-assurance division.

TruSecure spokeswoman Susan Lee said the company's clients (it provides constant monitoring to nearly 400 companies) have asked not to be identified for fear hackers will be tempted to infiltrate SilentRunner-protected networks just for sport.

But keeping SilentRunner under wraps has an added bonus. It allows companies using the program to avoid scrutiny from groups concerned about the erosion of privacy in the workplace.

The courts have established that so long as companies make clear to their employees what sort of communication is company property, they can legally monitor their networks with programs such as SilentRunner. The law does not require employers to give details on monitoring, such as the technology that would be used, in order to do so legally.

But privacy vs. security battles are still raging over gray areas such as free e-mail accounts and password-protected private websites accessed from work. In one recent case, Konop vs. Hawaiian Airlines, the Ninth Circuit Court of Appeals ruled in favor of a pilot who claimed his employer had accessed his website in violation of the federal Wiretap Act.

Even Raytheon admits that a program as powerful as SilentRunner gives employers the ability to step over the line. "We train for legal uses," Gentile said. "What we cannot control is abuse after licensing. It's like if we were Smith and Wesson, and you bought a gun. We demonstrate appropriate uses, but we don't really have any control over what they do after that."

What companies can do with SilentRunner is see everything going over their network, from a panoramic view down to a detailed profile of precisely what an individual worker is up to on the Net. What's more, workers won't know if they are being watched.

"SilentRunner is completely undetectable to end users, and it captures everything," said Kris Haworth, manager of the Deloitte & Touche computer forensics lab in San Francisco. Companies that suspect fraud inside their own organization can hire the lab to investigate.

"On an individual user, we can see what you're e-mailing, where you are surfing, if you send anything to be printed, collaborate with anyone on a Word document, access or change the database, basically everything you're doing on the network," she said. Although the program gives broad access, lab analysts are careful to only scrutinize information pertinent to the case at hand, she said.

SilentRunner's "collector" recognizes over 1,400 different protocols. It can detect and analyze Web pages, e-mail, digital video and sound files, spreadsheets, word documents, FTP, instant messages, passwords, you name it.

"The product is pretty incredible," said Dave Capuano, TruSecure's VP of product management. "It can collect any traffic on the network. We've seen it collect at 195,000 packets per second. That's about twice as fast as traditional collectors. It can get all the data on a 250-terminal network in about 20 minutes."

For TruSecure's needs, it generally uses SilentRunner to locate the most valuable parts of a client's network -- the program actually captures too much information, Capuano said.

"As a service provider, I don't want to collect e-mail information" on a client, he said, citing liability concerns. "If their tool is going to succeed in the market, they'll have to create some filters for it." Unlike the FBI's Carnivore as well as commercially available "sniffer" programs that search for keywords, SilentRunner uses algorithms to analyze data 25 different ways. It assesses data on the "packet" or binary level, clustering similar patterns of ones and zeroes. This grouping mechanism allows the program to diagram conversations on specific topics going on among members of a network. For example, a cabal spending a lot of time e-mailing one another about inside trading information would light up the screen. Messages passing outside the usual channels of information would stick out as well, for example, from an R&D lab to an out-of-network e-mail account. SilentRunner presents the results of data analysis in three-dimensional diagrams, which, reportedly, any lay person can easily decipher. "You can actually 'see' an attack on the network," Haworth said. Functioning at a binary level affords SilentRunner some extraordinary capabilities. For example, given a writing sample, the program can easily identify any other document written by the same author, so long as both are written in the same language or code. "An e-mail could be fed to the system as a template, and then it would cluster others like it," said Christopher Scott, a chief architect of the software. "It's like a DNA sample of someone's writing." The program analyzes text of any language with equal acuity, he said. According to Gentile, in addition to unnamed government agencies, buyers thus far include financial houses worried about insider trading, drug companies with valuable intellectual property to protect, banks with accounts to secure, and health care organizations with confidential medical records stored online. 
Raytheon (RTN.A) has sold 140 copies of SilentRunner for a total of $8.4 million. The top-of-the-line edition costs $65,000. A less powerful version goes for $25,000. The average customer gets one license, but one government agency bought 50.

Does the "internal threat" demand this new level of technology and vigilance? Security experts say it does.

A study of 3,180 businesses worldwide conducted by Omni Consulting used the data to estimate that worldwide corporate losses due to insecure networks jumped from $4.3 billion in 1999 to $11.6 billion in 2000.

While crackers get the bulk of media attention, Omni manager Frank Bernhard attributed the dramatic losses to the sharp increase in telecommuting and "employee transience," the tendency of workers to change jobs frequently, often taking valuable information with them. And, with the rise of the knowledge-based economy, information has become a larger portion of assets.

"The loss is happening so quickly because more and more value is knowledge-based, and information is portable," Bernhard said. "Employee mobility is one of the single biggest threats to an organization's security. Due to telecommuting, people are working on less secure networks."

Omni measured a 19 percent increase in telecommuting from 2000 over 1999 alone. It also found a 44 percent increase in corporate spending on network security in 2000 over the year before, with 62 percent of that spent on securing networks from internal threats.

In 1999, Raytheon took action against some of its own employees it suspected of compromising company information. Some of them learned the hard way that talking about one's employer "privately," and even anonymously, can be risky.

In February of that year, Raytheon sued 21 "John Does" for $25,000 in damages due to criticisms of the company made on Internet message boards.

Raytheon said it suspected current and former employees were responsible for the anonymous postings, accusing them of revealing confidential information. The company successfully subpoenaed Yahoo to find out who made the comments, then abruptly dropped the suit. At least four of the 21, including one VP, resigned after being identified.

International Data Corporation estimates the worldwide corporate market for network monitoring and filtering products will rise from $62 million in 1999 to $561 million in 2004.

At a presentation to investors on Feb. 7, Raytheon set a revenue target for its IT security division, of which SilentRunner is the centerpiece, at $250 million by 2005.