Social Engineering xxxi
In a recent case [16], conviction was upheld against violators of 18
U.S.C. § 1832 in an appeal of Mr. Pin-Yen Yang and his daughter Hwei
Chen Yang (Sally) for industrial espionage, among other crimes. Mr. Yang
owned the Four Pillars Enterprise Company, Ltd., based in Taiwan. This
company specialized in the manufacture of adhesives. Mr. Yang and his
daughter conspired to illegally obtain trade secrets from their chief U.S.
competitor, Avery Dennison Corporation, by hiring an ex-employee of
Avery Dennison, a Dr. Lee. Lee was retained as a consultant by Yang and
the group conspired to pass confidential trade secrets from Avery to Four
Pillars. When the FBI confronted Lee on the matter, he agreed to be video-
taped in a meeting with Mr. Yang and his daughter. During the meeting,
enough evidence was gathered to effect a conviction [17].
Measures against industrial espionage consist of the same measures that
are taken by companies to counter hackers, with added security obtained
by using data encryption technology. Where this is not possible due to
government regulations (France, for example), proprietary compression or
hashing algorithms can be used, which results in the same effect as encryp-
tion but with a higher chance of being broken by a determined adversary.
Legal protections exist, of course, but were once very difficult to dissect
from the vast amount of legislation in Title 18 of the U.S. Code. Congress
amended the many laws dotted throughout Title 18 code into a compre-
hensive set of laws known as the 1996 National Information Infrastructure
Protection Act.
Social Engineering
The weakest link in security will always be people, and the easiest way to
break into a system is to engineer your way in through the human interface.
Most every hacker group has engaged in some form of social engineering, in
combination with other activities, over the years and they have been able to
break into many corporations as a result. In this type of attack, the attacker
chooses a mark, whom they can scam to gain a password, user ID, or other
usable information. Because most administrators and employees of compa-
nies are concerned with providing efficiency and helping users, they may be
unaware the person they are speaking to is not a legitimate user. And
because there are no formal procedures for establishing whether an end-user
is legitimate, the attacker often gains a tremendous amount of information
in a very short amount of time, often with no way to trace the information
leak back to the attacker.

Get Business Continuity and Disaster Recovery for InfoSec Managers now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.