Modern field guide to security and privacy

Michael Schrenk on stealing data your company gives away for free

In advance of his presentation at the Def Con conference in Las Vegas, Passcode spoke with Schrenk about the insider information he's paid to glean from the open Internet – and how companies can better protect themselves from having their inside plans exposed or used against them by competitors.

Competitive intelligence consultant Michael Schrenk takes data companies don't know they are giving away.

To find out a company's trade secrets, you hire Michael Schrenk. 

But Mr. Schrenk is not a hacker; he does not need to break into company networks or steal data from servers to get critical inside information. The competitive intelligence consultant has a different specialty: Designing automated programs to mine companies' websites for information they don't even realize they are giving away.

With a bot that tracks changes in, say, a company's hiring ads, Schrenk says he can figure out its plans for expansion. A simple example: Posts for new middle management positions in California may mean the company is moving West.

In advance of his presentation at the Def Con hacker conference starting next week in Las Vegas, Passcode spoke with Schrenk about the insider information he's paid to glean from the open Internet – and how companies can better protect themselves from having their inside plans exposed or used against them by competitors. Edited excerpts follow. 

Passcode: What kind of trade secrets are being leaked online?

Schrenk: All kinds of stuff. Here's an example: I work with data journalists quite a bit. I love working with them. An investigative journalist is basically a hacker that writes, right? One time we were talking about DNS [the domain name system] and the information that's offered when people register domain names.

So I gave him a problem. I said, "Okay, I want you to tell me the year that Sarah Palin first thought about running for president."

They tried to find [website] registrations for “Sarah Palin for president” and whatnot. We tracked it down to being ... well earlier than she had ever been approached [by then-presidential candidate John McCain] to be the vice president. It's things like that – little nuggets you can pull out of things that are published in DNS.

Human resources are also a huge, huge leak of strategic plans. If you're applying these hacker concepts, and you're periodically looking at a company's job postings, and suddenly they start posting new locations, new skills, new job titles – they're leaking information. 

Passcode: Is it possible to avoid that? I mean, what is a way around posting job listings?

Schrenk: It’s a matter of what information they include. In general, if they were smart, they would do a better job of hiding their data, I think, as opposed to making it more available.

But it's really difficult for some companies to avoid leaking data, depending on the business that they're in, because in order to be transparent and useful, they also end up just leaking all kinds of information.

For example, you can get a lot of information from online stores. Anybody who sells online and sells unique items is a prime target. That could be anything from collectibles or vehicles which list the VIN [vehicle identification number]. Or any item where they specify stock numbers.

If you watch the website, you can tell when items come and go. You can figure out what's selling, and what's not selling. You can figure out how much merchandise that they have that's still sitting there, and it is six months old. You can figure out an awful lot about a business just by looking at what they offer for sale. You can almost do their books for them.

Passcode: If I were a business, what would I need to do to lock down my information and keep people like you from mining it?

Schrenk: If somebody approaches me with a competitive intelligence campaign that they want to do, if they want to get information, the first thing I suggest to them is: Lock down your own stuff.

Before putting anything online, have it go through a committee or some kind of a process that looks at it. There are too many well-meaning people that post things online without having any kind of an idea of the repercussions that it might have when things are viewed outside of the context that they think it's going to be viewed. A job applicant is going to look at a 'Help Wanted' posting very differently than somebody who is a competitor who is trying to find out what they're doing.

That can mean it’s important to limit social media in ways you might not expect. I can do a search on a company in LinkedIn and I can find out who their business development people are. I can figure out their Twitter account. I can look on there and pretty much figure out who their client list is. If you're going to be using social media, I think that they should have specific organizational accounts for that.  

Passcode: So, is there any recourse for businesses if their data is mined?  

Schrenk: If you don’t pace how often you connect to a server, you can get into trespass to chattels [legal] issues. What trespass to chattels means is you're basically preventing somebody from using their own property. If, let's say, you park your car in my driveway and I decided to build a fence around your car on my own private property, then even though it's my own private property, you can sue me for trespass to chattels because you can't get to your car. It's that kind of a thing.

If you use so much server resources that nobody else can access their property, they can say, "Well, you're in violation of trespass to chattels."

There was a real famous case of it back in the 1990s. At the time, there were eBay auctions. Yahoo had auctions. And there were probably half a dozen fairly popular auction sites.

Well, one company decided to aggregate all of the listings.

To do that, they had to hit eBay what was probably millions of times a day. EBay was thinking, “Wow, look at all this traffic we're getting. We need to expand.” They started adding more racks in their server room and they finally realized what was going on.

Initially, they sued [the aggregating company] for copyright infractions. But the court said they couldn’t copyright what was really just publicly available data.

Their lawyers went back. They regrouped. They sued again under trespass to chattels for clogging its servers and forcing it to expand. And won.
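As an added example (not from the interview or from Schrenk's own tooling), this Python snippet shows the kind of early warning eBay lacked in the story above: it parses constructed web-server access-log lines and flags clients that repeatedly re-read the listings catalogue within a short window. The log lines, client addresses, path prefix and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common-log-format line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: 203.0.113.7 (hypothetical bot) pages through the catalogue
# every two seconds, while 198.51.100.4 (hypothetical shopper) browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jul/2015:10:00:00 +0000] "GET /listings?page=1 HTTP/1.1" 200 5120
198.51.100.4 - - [30/Jul/2015:10:00:02 +0000] "GET /listings/4471 HTTP/1.1" 200 3300
203.0.113.7 - - [30/Jul/2015:10:00:02 +0000] "GET /listings?page=2 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jul/2015:10:00:04 +0000] "GET /listings?page=3 HTTP/1.1" 200 5120
198.51.100.4 - - [30/Jul/2015:10:00:31 +0000] "GET /cart HTTP/1.1" 200 900
203.0.113.7 - - [30/Jul/2015:10:00:06 +0000] "GET /listings?page=4 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jul/2015:10:00:08 +0000] "GET /listings?page=5 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jul/2015:10:00:10 +0000] "GET /listings?page=6 HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Return (ip, timestamp, path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def find_scrapers(lines, window=timedelta(seconds=60), threshold=5, prefix="/listings"):
    """Flag clients with >= threshold requests inside any sliding `window`.
    Returns {ip: (peak requests in a window, share of requests under `prefix`)}."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, path = parsed
            hits[ip].append((ts, path))
    flagged = {}
    for ip, events in hits.items():
        events.sort()                      # log lines may arrive out of order
        times = [t for t, _ in events]
        peak, start = 0, 0
        for end in range(len(times)):      # classic two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        share = sum(p.startswith(prefix) for _, p in events) / len(events)
        if peak >= threshold:
            flagged[ip] = (peak, round(share, 2))
    return flagged
```

The catalogue share lets an operator tell a bot that only ever reads listings from a burst of legitimate checkout traffic before deciding on rate limiting.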

Passcode: You’re a regular fixture at hacking conferences, which is sort of weird, in that what you’re doing is sort of the exact opposite of hacking – you’re just taking the data.

Schrenk: I go out and I try to find trade secrets. I try to find strategic plans that are leaked online. I try to find pricing strategies. I build trend lines on the commission I collect. That's what separates me from most competitive intelligence people. Most of them have a marketing bent. I have a hacking bent.

When I approach a competitive intelligence project, I'm much more process driven than perhaps a marketing person would be.

I will actually use some hacking elements in my business. By that I mean, I'll work remotely. I'll work anonymously. I'll apply automation wherever I can. While your traditional competitive intelligence people with a marketing bent, they're looking at previously published data. I'm looking at new data. I'm getting to do things before other people are able to do it. That, in itself, is a competitive advantage – just being first to know something.

https://www.csmonitor.com/World/Passcode/2015/0730/Michael-Schrenk-on-stealing-data-your-company-gives-away-for-free