Backdoors: Rogue, Proprietary, and Government-Mandated


By Michela Menting | 2Q 2017 | IN-4510


Insider Threats

NEWS


Columbia Sportswear filed a lawsuit in March (2017) against a former senior IT employee, Michael Leeper, for exfiltrating confidential business information and providing it to his new employer, Denali, a reseller of technology services to Columbia. The sportswear firm alleges that before leaving its employ, Mr. Leeper used a fake name to create a new account with wide access permissions to Columbia’s corporate networks and email system. The lawsuit claims Leeper accessed the account over 700 times after he left and passed corporate data on to Denali over the course of two years. By setting up the rogue account, Leeper effectively created a backdoor into his ex-employer’s network, enabling him to continue accessing Columbia systems with impunity.

Marketing Makeover

IMPACT


Mr. Leeper’s alleged backdoor was relatively easy to create. He did not need to use any complex tools or exploit hidden backdoors. It seems he relied instead on Columbia’s less-than-thorough approach to user account management. Often, the weakest link in such exfiltration cases, especially when dealing with insiders, is human supervision and auditing of accounts. It may be that Columbia trusted in Leeper’s moral compass, but it is more likely the firm simply did not understand or effectively assess the risk associated with departing IT employees. This is a grave omission, especially as the enterprise IoT will expand the threat footprint within many organizations going forward, enabling those with inside knowledge to access far more than emails and file repositories.
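The kind of account-management check the Columbia case calls for, as an added example that is not part of the original insight: correlate account-creation audit records with HR departure dates, flag privileged accounts that an administrator created shortly before leaving, and count logins on those accounts after the creator's last day. The roster, audit records, usernames and the 30-day window are all constructed for illustration.

```python
"""Flag privileged accounts created by departing admins and used after they left.
Added example; all inputs below are constructed, not real audit data."""
from datetime import date, timedelta

LOOKBACK_DAYS = 30  # creations this close to departure get reviewed (assumption)

# Constructed HR roster: admin username -> last day of employment
TERMINATIONS = {"jsmith": date(2016, 3, 15), "bdoe": date(2016, 9, 1)}

# Constructed account-creation audit log: (created_by, new_account, created_on, privileged)
ACCOUNT_CREATIONS = [
    ("jsmith", "svc-backup", date(2015, 6, 1), True),  # long before departure: benign
    ("jsmith", "r.taylor", date(2016, 3, 1), True),    # two weeks before departure: suspect
    ("bdoe", "intern01", date(2016, 8, 20), False),    # near departure but unprivileged
]

# Constructed authentication log: (account, login_date)
AUTH_LOG = [
    ("svc-backup", date(2016, 4, 2)),
    ("r.taylor", date(2016, 3, 10)),   # before creator left
    ("r.taylor", date(2016, 5, 4)),    # after creator left
    ("r.taylor", date(2016, 11, 20)),  # after creator left
    ("intern01", date(2016, 9, 15)),
]


def suspicious_creations(creations, terminations, lookback_days=LOOKBACK_DAYS):
    """Return {account: creator} for privileged accounts created by an admin
    within lookback_days before that admin's termination date."""
    flagged = {}
    for creator, account, created_on, privileged in creations:
        last_day = terminations.get(creator)
        if last_day is None or not privileged:
            continue  # creator still employed, or account has no wide permissions
        if last_day - timedelta(days=lookback_days) <= created_on <= last_day:
            flagged[account] = creator
    return flagged


def logins_after_creator_left(auth_log, flagged, terminations):
    """Count logins per flagged account that occur after its creator's last day."""
    counts = {}
    for account, when in auth_log:
        creator = flagged.get(account)
        if creator and when > terminations[creator]:
            counts[account] = counts.get(account, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = suspicious_creations(ACCOUNT_CREATIONS, TERMINATIONS)
    print("accounts to review:", flagged)
    print("post-departure logins:", logins_after_creator_left(AUTH_LOG, flagged, TERMINATIONS))
```

In a real deployment the roster and logs would come from the HR system and the directory's audit trail; the point is that the join between departure dates and account activity is what Columbia's process apparently lacked.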

Backdoors are increasingly marketable these days and are often sold as value-added features by the manufacturers themselves. There are many legitimate uses for such tools, e.g., servicing a device, providing remote management, patching and updating firmware, etc. Manufacturers do not typically market them as backdoors, but have instead rebranded them as remote access tools—a feature in high demand for IoT devices. The negative connotations associated with backdoors are forgotten, as IoT management services carry a more positive aura. However, it should be noted that manufacturers are keen to ensure prospective users know they can shut off such ‘services’ if they do not require them. The advent of the IoT has made proprietary backdoors acceptably mainstream.

Only Fools and Hashes

COMMENTARY


Certainly, this makeover is a boon for vendors. Placing backdoors into products has always been controversial, and the Snowden revelations left many in the U.S. red-faced and scrambling to salvage reputations. Government-mandated backdoors are not new either, but vendors have been keen to keep such features strictly confidential. Since 2013, there has been increased focus on addressing user concerns about mass exfiltration of data through such backdoors. Certain vendors have been more forthcoming about the existence of backdoors, emphasizing compliance with legally mandated backdoors but stressing their exclusive use by government. European vendors have been quick to take advantage of the resulting distrust of American vendors, marketing their origins and lack of obligation to the U.S. government as a guarantee against the existence of such distasteful, privacy-violating backdoors in their own products and services.

European politicians and legislators have been less enthusiastic about such guarantees. On the contrary, they are keen to ensure that they themselves retain access to ICT systems, and have been pushing for mandated backdoors in the name of national security. More worryingly, they are increasingly calling for such backdoors to be created in encryption products as well. The U.K. overhauled the Investigatory Powers Act in November 2016, with a provision forcing vendors to remove ‘electronic protection’ at the behest of government. In addition, the Interception of Communications: Code of Practice accompanying the Powers Act requires vendors to notify the government ahead of new products and services that launch “in order to allow consideration of whether it is necessary and proportionate to require the communication service provider to provide a technical capability on the new service.” Such ‘technical capabilities’ could apply to any ICT product, including cybersecurity technologies.

Following a similar path, the French and German interior ministers published a joint letter in February (2017) addressed to the European Commission. The letter calls for legislation to be enacted that would impose obligations on manufacturers of encryption technologies to allow law enforcement access in the context of the fight against terrorism. This tall order seems to go against established positions by both the French government and the European Commission, which had previously ruled out legislating on backdoors in encryption systems. The recent terror attack at Westminster Parliament in the U.K. sparked the debate again on obtaining access to secure mobile communications platforms, such as WhatsApp, via backdoors in the encryption.

The U.S. government has had a similar experience, with the FBI trying to force Apple to provide access to encrypted data on the iPhone 5C belonging to the San Bernardino terrorist. This case is just one in a long line of challenges between the government and the private sector on this topic. The debate is an old one, started in the early 1990s with the NSA’s Clipper chip, and it seems that it is not likely to die out, as politicians continue to misunderstand the complex cybercrime landscape and underestimate the grave dangers of enabling backdoors in encryption. It is one thing to mandate backdoors in various ICT products, but to require them in encryption technologies is not just foolish, but downright dangerous. One positive outcome of the Snowden leaks, however, is that vendors are working hard to develop cybersecurity mechanisms that are completely closed off to them, so that they are unable to comply with warrants requesting access. Ephemeral keys, perfect forward secrecy, and other technologies are a start in that direction.
