Michael Schrenk on stealing data your company gives away for free

In advance of his presentation at the Def Con conference in Las Vegas, Passcode spoke with Schrenk about the insider information he's paid to glean from the open Internet – and how companies can better protect themselves from having their inside plans exposed or used against them by competitors.

Competitive intelligence consultant Michael Schrenk takes data companies don't know they are giving away.

Courtesy of Michael Schrenk

July 30, 2015

To find out a company's trade secrets, you hire Michael Schrenk. 

But Mr. Schrenk is not a hacker; he does not need to break into company networks or steal data from servers to get critical inside information. The competitive intelligence consultant has a different specialty: Designing automated programs to mine companies' websites for information they don't even realize they are giving away.

With a bot that tracks changes in, say, a company's hiring ads, Schrenk says he can figure out its plans for expansion. A simple example: Posts for new middle management positions in California may mean the company is moving West.

In advance of his presentation at the Def Con hacker conference starting next week in Las Vegas, Passcode spoke with Schrenk about the insider information he's paid to glean from the open Internet – and how companies can better protect themselves from having their inside plans exposed or used against them by competitors. Edited excerpts follow. 

Passcode: What kind of trade secrets are being leaked online?

Schrenk: All kinds of stuff. Here's an example: I work with data journalists quite a bit. I love working with them. An investigative journalist is basically a hacker that writes, right? One time we were talking about DNS [the domain name system] and the information that's offered when people register domain names.

So I gave him a problem. I said, "Okay, I want you to tell me the year that Sarah Palin first thought about running for president."

They tried to find [website] registrations for “Sarah Palin for president” and whatnot. We tracked it down to being ... well earlier than she had ever been approached [by then-presidential candidate John McCain] to be the vice president. It's things like that – little nuggets you can pull out of things that are published in DNS.

Can Syria heal? For many, Step 1 is learning the difficult truth.

Human resources are also a huge, huge leak of strategic plans. If you're applying these hacker concepts, and you're periodically looking at a company's job postings, and suddenly they start posting new locations, new skills, new job titles – they're leaking information. 

Passcode: Is it possible to avoid that? I mean, what is a way around posting job listings?

Schrenk: It’s a matter of what information they include. In general, if they were smart, they would do a better job of hiding their data, I think, as opposed to making it more available.

But it's really difficult for some companies to avoid leaking data, depending on the business that they're in, because in order to be transparent and useful, they also end up just leaking all kinds of information.

For example, you can get a lot of information from online stores. Anybody who sells online and sells unique items is a prime target. That could be anything from collectibles or vehicles which list the VIN [vehicle identification number]. Or any item where they specify stock numbers.

If you watch the website, you can tell when items come and go. You can figure out what's selling, and what's not selling. You can figure out how much merchandise that they have that's still sitting there, and it is six months old. You can figure out an awful lot about a business just by looking at what they offer for sale. You can almost do their books for them.

Passcode: If I were a business, what would I need to do to lock down my information and keep people like you from mining it?

Schrenk: If somebody approaches me with a competitive intelligence campaign that they want to do, if they want to get information, the first thing I suggest to them is: Lock down your own stuff.

Before putting anything online, have it go through a committee or some kind of a process that looks at it. There are too many well-meaning people that post things online without having any kind of an idea of the repercussions that it might have when things are viewed outside of the context that they think it's going to be viewed. A job applicant is going to look at a 'Help Wanted' posting very differently than somebody who is a competitor who is trying to find out what they're doing.

That can mean it’s important to limit social media in ways you might not expect. I can do a search on a company in LinkedIn and I can find out who their business development people are. I can figure out their Twitter account. I can look on there and pretty much figure out who their client list is. If you're going to be using social media, I think that they should have specific organizational accounts for that.  

Passcode: So, is there any recourse for businesses if their data is mined?  

Schrenk: If you don’t pace how often you connect to a server, you can get into trespass to chattels [legal] issues. What trespass to chattels means is you're basically preventing somebody from using their own property. If, let's say, you park your car in my driveway and I decided to build a fence around your car on my own private property, then even though it's my own private property, you can sue me for trespass to chattels because you can't get to your car. It's that kind of a thing.

If you use so much server resources that nobody else can access their property, they can say, "Well, you're in violation of trespass to chattels."

There was a real famous case of it back in the 1990s. At the time, there were eBay auctions. Yahoo had auctions. And there probably a half a dozen fairly popular auction sites.

Well, one company decided to aggregate all of the listings.

To do, that they had to hit eBay what was probably millions of times a day. EBay, was thinking, “Wow look at all this traffic we're getting. We need to expand.” They started adding more racks in their server room and they finally realized what was going on.

Initially, they sued [the aggregating company] for copyright infractions. But the court said they couldn’t copyright what was really just publicly available data.

Their lawyers went back. They regrouped. They sued again under trespass to chattels for clogging its servers and forcing it to expand. And won.

Passcode: You’re a regular fixture at hacking conferences, which is sort of weird, in that what you’re doing is sort of the exact opposite of hacking – you’re just taking the data.

Schrenk: I go out and I try to find trade secrets. I try to find strategic plans that are leaked online. I try to find pricing strategies. I build trend lines on the commission I collect. That's what separates me from most competitive intelligence people. Most of them have a marketing bent. I have a hacking bent.

When I approach a competitive intelligence project, I'm much more process driven than perhaps a marketing person would be.

I will actually use some hacking elements in my business. By that I mean, I'll work remotely. I'll work anonymously. I'll apply automation wherever I can. While your traditional competitive intelligence people with a marketing bent, they're looking at previously published data. I'm looking at new data. I'm getting to do things before other people are able to do it. That, in itself, is a competitive advantage – just being first to know something.