back to article Intel sues former staffer for allegedly stealing Xeon cloud secrets in USB drives and exploiting info at Microsoft

Intel has accused a former staffer of not only leaving the manufacturer with a trove of confidential documents but also trying to use the information they contained to help Microsoft. In a lawsuit [PDF] filed on Friday in a federal district court in Oregon, Intel said Dr Varun Gupta spent a decade at Chipzilla before departing …

  1. Snowy
    Facepalm

    A bit of an Intel fail

    Someone is leaving after 10 years who has access to "a trove of confidential documents" and you still allow totality free access to them on their last day of employment. At best they should have been on gardening leave with the very least they should have done is restrict their access to files towards the end of their notice.

    Intel may have "some impressive forensic capabilities" but it fails very much on document control.

    1. Falmari Silver badge

      Re: A bit of an Intel fail

      “fails very much on document control” that does seem to be the case. But I find it hard to believe Intel would not have put him on gardening leave for the period of his notice and locking him out of their systems the moment he told them he was going to leave.

      If that is the case and the files were taken after he told Intel he was going to leave it looks like he did not originally plan to take the files when he left. If he were planning to take the files surely, he would have done that before announcing he was leaving when he knew he still had access to them. Not condoning the theft but looks like a crime of opportunity.

    2. Greg 38

      Re: A bit of an Intel fail

      I can attest that Intel does indeed wall the garden much tighter after you give notice. I worked in the Oregon development fab 11 yrs ago before moving on. At least in the fab, most employees who gave notice would be escorted to the door and have their cube packed up & shipped to them, especially if they were going to work for any company deemed a competitor. I wasn't going to any such company so I was allowed to linger and tie things up for the couple weeks. However, my email was restricted to outgoing only and the fab badge was collected. It was like sort of like being a ghost.

      1. Yet Another Anonymous coward Silver badge

        Re: A bit of an Intel fail

        >At least in the fab, most employees who gave notice would be escorted to the door and have their cube packed up & shipped to them

        A bit pointless, if you knew you were going to leave you would already have copied anything before telling HR.

        A bit like someone retiring after 40years and on their last day you have security march them out in case they are going to steal office supplies.

    3. Pascal Monett Silver badge
      FAIL

      Indeed

      "Gupta moved 3,900 internal documents from his company laptop to two external USB-based drives "

      And how exactly was that possible ?

      As a consultant, I have access to the servers of a number of customers. Not one of them allows USB ports to work without administrative approval. I might be able to charge my mobile with a cable, but the computer is not going to allow the PC to access the phone.

      How is it that someone who is leaving has access to a computer that lets him connect whatever he wants to a USB port and transfer files to it ?

      Serious security fail.

      1. Anonymous Coward
        Anonymous Coward

        Re: Indeed

        1. Attach networked device to a spare ethernet port(Raspberry Pi or alternative)

        2. Zip documents

        3. encrypt e,g openssl enc -aes-256-cbc -in files.zip -out files-enc.zip

        4. sftp and send the files, or run a web server on your remote device and send via https

        (Sorry i do spend a lot of time thinking about this every time IT tell me that I cannot use USB ports to transfer data to my embedded controllers)

        1. IGotOut Silver badge

          Re: Indeed

          Even a half decent secure system

          A) won't allow unauthorised network kit

          B) won't allow unauthorised observers

          And a more secure won't allow ANY unauthorised kit on the network.

          1. druck Silver badge

            Re: Indeed

            It's not on the network, it's on a spare Ethernet port. e.g. the port on the laptop when it is connected to a dock with it's own Ethernet on the company network.

            1. DS999 Silver badge

              Re: Indeed

              Any decent corporate Windows config wouldn't allow that to happen either, and even if it did it would be present in the logging that two ethernet ports had been active on the PC at once which would put you in IMMEDIATE suspicion even if they didn't know exactly what that second device was.

              1. Anonymous Coward
                Anonymous Coward

                Re: Indeed

                Any decent corporate Windows config wouldn't allow that to happen either

                Really? There are many reasons that a 2nd ethernet port may be needed.

                Even if they were not allowed, laptops have this habit of being taken home where they have to be connected to 3rd party networks, 3rd party wifi links. Unless the company policy is to ban all ethernet and wifi links there is a limit to what can be controlled. Anyone with a bit of technical nounce and determination can get around such barriers, and in a way which makes detection nigh impossible.

                So why bother? well the USB ban was bought in more to avoid accidental loss of data on unencrypted data, however the move to network stores has made a lot of that moot. Secondly it keeps controls the low-level company espionage down, both by active policing, adding the big-brother fear factor and distinguishing between accidental and malicious information stealing . But largely I suspect its there because it makes the CEO feel good, and any weaknesses are just glossed over

                1. DS999 Silver badge

                  Re: Indeed

                  What's the use case for plugging into BOTH a dock that's got an ethernet connection and using the built in ethernet connection, whether at work or at home?

  2. trevorde Silver badge

    Air gapped espionage

    He should've taken photos of his laptop screen with a film camera. Very old school but a leaves no digital trail.

    1. Greg 38

      Re: Air gapped espionage

      The software used to access and view the controlled documents placed water marks across the screen of "Intel Top Secret" and such along with your username + IP address. It won't stop you from taking a photo, but any photo would pinpoint back to you.

      1. DS999 Silver badge

        Re: Air gapped espionage

        People doing this wouldn't share the documents/photos with others, they'd share the information they'd gleaned from them. They don't tell their boss "here's a copy of some Intel confidential material to help us in our decision" they say "well in my experience I think Intel would do x, so I recommend y" and when it turns out they're right their bosses are happy because they got inside info while maintaining plausible deniability - so if found out they can feign horror at the criminal act and wash their hands of the guy!

        Even if it doesn't say "Intel confidential" or "Top Secret property of US government" you can't know if they've done something to modify a few pixels that encode information like your username or email address so you'd be stupid for sharing the document - whether a photo, printout or a copy that had (supposedly) such watermarks removed. If it is really sensitive you can't know if they haven't changed a few details in your copy that are different in someone else's copy that will bite you later, like how mapmakers would place fictitious islands or bogus details of shoreline to catch those who would copy their maps.

  3. Falmari Silver badge
    Black Helicopters

    Impressive forensic capabilities

    Impressive forensic capabilities, no shit Sherlock bloody impressive. Not only could they tell what make of USB drives were connected but also which files were downloaded to which drives.

    With those forensic capabilities and the highly confidential information they knew the soon to be ex-employee had access to hence the confidentiality agreement. I would have thought they would have checked to see what he had downloaded before he signed and left. I am not saying Intel security was lax maybe it would be deemed out of order to do that kind of forensic check, an invasion of privacy.

    1. DS999 Silver badge

      Re: Impressive forensic capabilities

      I suspect Intel has gigabytes of logs of people connecting external drives and downloading stuff, and if they investigated them all (even from departing employees) they'd need a lot more staffing for their security team. If they didn't have people who need to do this as part of their workflow (if only because they find it helps them work more efficiently) they would simply ban USB storage connection or only allow whitelisted storage devices owned by Intel and suitably encrypted so they wouldn't work when connected to non-Intel owned PCs.

      They were clearly alerted to this by the guy using Intel proprietary knowledge and doing the digging after the fact to find out what information he had accessed. In a way that's smart - if you catch the guy when he's walking out the door you can't prosecute because he hasn't attempted to misuse the info. If you wait until he does, you can send him away for a few years for theft of trade secrets and set a MUCH better example when word of jail time gets around to other Intel employees versus "hey did you hear when Bob was walking out they stopped him and he had copied some data onto an external drive earlier that day so they made him erase it before he could leave?"

    2. Roland6 Silver badge

      Re: Impressive forensic capabilities

      Not really...

      A client uses Panda Adaptive Defense 360 (ie. a mainstream security offering aimed as small businesses). Within the device security section you can configure much of this behaviour.

      Although AD360's device security is a little basic, so block the connection of modems and it will report every time someone plugs their phone in to charge...

  4. Anonymous Coward
    Anonymous Coward

    Really...?

    "If nothing else, this tells us that Microsoft and Intel both have some impressive forensic capabilities."

    Most enterprise Endpoint security suites* can log and control USB devices based on vendor ID's, serial numbers, etc - and log all files copied. (It might also be natively possible in Windows...)

    Some customers only approve encrypted drives, only approving drives from a specific manufacturer, only approving drives with known and approved (by IT) serials, or combinations of the above to absolutely block unapproved devices and prevent breaches. (Same with Cloud Storage.)

    More of an abuse of trust, than a technical failure...

    *Anon as I work for such a vendor.

    1. Falmari Silver badge

      Re: Really...?

      Seems impressive to those of us not in the know. :)

      I just a programmer and "enterprise Endpoint security suites" are not in my area. But I do now consider myself forewarned and for that have an up vote.

      1. needmorehare
        Trollface

        See no evil, hear no evil

        The lesson learned is to view documents slowly, over time, and capture their contents using a video capture device between monitor and laptop, while accessing everything remotely from home. Then you can use that knowledge bit by bit without leaving a trail behind. Correctly configured capture devices won't affect presented EDIDs and such but might break HDCP, which is so buggy anyway that it can't be used as forensic evidence anyway...

        The capture device would be connected to an entirely separate computer to do the dumping, leaving no events to give away the changes. The funniest part about this approach is that the more invasive the auditing is, the more overconfident the company will be that nothing has leaked when you leave.

        See no evil, hear no evil.

      2. Roland6 Silver badge

        Re: Really...?

        But if you had played around with USB devices in Windows, particularly if you've had to fix stuff by visiting the registry and deleting stuff, you would have seen an extensive list of every USB device that has been connected to your system since Windows was installed.

        1. sreynolds

          Re: Really...?

          I was thinking about using a microsd like snowden, and pulp fiction's christopher walken's technique for hiding gold watches.

  5. IGotOut Silver badge

    So these amazing companies...

    ...still don't have a fucking clue about basic document security i.e. stop external drives being plugged in.

    Maybe they could use McAfee to stop this sort of thing? Or maybe Group policies?

    Nah, just let them do what they want.

    1. katrinab Silver badge
      Flame

      Re: So these amazing companies...

      They would be using McAfee for this sort of thing. That's the problem.

  6. Jonathan Richards 1 Silver badge

    MAC address

    I'm thinking that all that has to happen is to capture the MAC address of any device mounted on the network - the OUI prefix gives you the manufacturer, and it could probably be narrowed down to a specific device instance with the assistance of the OEM. See, e.g., Wireshark OUI Lookup Tool

    1. DS999 Silver badge
      FAIL

      Re: MAC address

      How is that going to help when he connected a USB drive to his Intel owned PC and MAC addresses were not involved at all? Especially if he had done so while working from home.

      1. anothercynic Silver badge

        Re: MAC address

        USB devices also have prefixes and codes similar to MAC addresses. It allows the OS to figure out what device has been connected, what type it is, who the manufacturer is (for the driver), which model etc.

        So, if they (Intel) went through the Windows registry to discover portable drives with specific prefixes identifying manufacturers and models, they would've been able to provide that information to Microsoft, who would've been able to spelunk through the registry of both the system on-site at Microsoft and any other device issued to the staffer to see if devices with that prefix/identifier/serial number had ever connected.

        So, whilst not MAC address, there is still an address of some sort involved :-)

        1. doublelayer Silver badge

          Re: MAC address

          From the article, that's almost exactly what they've already done. Most discussions here are about prevention, but they appear to already know how to do the detection part.

        2. Jonathan Richards 1 Silver badge

          Re: MAC address

          > whilst not MAC address, there is still an address of some sort involved

          Yes, sloppy use of terms on my part. 3/10 Must try harder. :)

    2. hammarbtyp

      Re: MAC address

      MAC addresses can be changed or spoofed

      1. Anonymous Coward
        Anonymous Coward

        Re: MAC address

        > MAC addresses can be changed or spoofed

        I prefer to call them vanity MAC addresses.

  7. Korev Silver badge

    By this time Intel had asked Microsoft for help. The Windows giant, we're told, discovered the first drive had been used within its walls, including on Gupta’s Microsoft-issued PC.

    Is anyone else surprised that MS didn't block USB drives? I'm assuming there's someone in the company who knows how to do it...

    1. Falmari Silver badge
      Facepalm

      Maybe the head of security at MS was previously employed at Intel.

      I mean seriously your take on this story is “MS didn't block USB drives” that’s it!

    2. AVR

      Probably sufficiently VIPs can make policies bend to them when it comes to devices they declare essential to their work. I'm not sure exactly how high up a principal of strategic planning is but it's not an entry-level peon.

  8. aidanstevens

    MS have confirmed that he used one of their drives on one of their systems. If the reason for the alleged data theft is to benefit the new employer (MS) then why are they co-operating with the Intel investigation, or am I missing something obvious?

    1. IGotOut Silver badge

      Because that's what any responsible company would do. For starters would you want a suspected trade secrets thief working for you?

    2. ExampleOne

      Because, complicit or not, it plays out much nicer for MS to cooperate and deny all knowledge. I mean, they already got the benefit.

    3. doublelayer Silver badge

      "If the reason for the alleged data theft is to benefit the new employer (MS) then why are they co-operating with the Intel investigation, or am I missing something obvious?"

      For starters, the goal could have been to benefit Microsoft, but could also be to benefit the employee as in "That guy always gets the good prices from Intel. Let's give him a raise". Someone stealing information might want to avoid telling the new employer that he's going to use illegal means to benefit them; they might be pleased and go along with the crime, but they might turn him in. Much safer just to help them without telling them what you're doing, bag the rewards, and have the ability to do the same with someone else in case they don't give you as much reward as you want. I think it's more likely that Microsoft was surprised to here this happened rather than expect the corruption to go to the top.

      Meanwhile, whether that's the case or Microsoft wanted to commit the crime, it's dangerous not to go along with the investigation. Stealing data is illegal. If they can claim that Microsoft did it, Intel gets a ton of money and Microsoft gets investigated by law enforcement. Microsoft isn't going to let that happen. Also, if this ever happens in reverse, Intel will help Microsoft investigate too. No reason to throw that away.

    4. love not war

      Crime doesn't pay

      Because MS (and its executive suite) doesn't want to be prosecuted / fined as a party to a crime?

      It is a little hypocritical, as they presumably hired the guy in the first place partly because he knows something incidental about Intel. On the other hand, it's not in their interest to be a blatantly criminal enterprise.

  9. razorfishsl

    Hardly........

    "impressive" forensics.......

    GLPI & the fusion-inventory engine tracks all drives + serial numbers plugged into computers....

    It even pulls manufacturers data..

    As does "bit defender" cloud.... these are hardly "expensive" products....

    once you have this info, it's just a simple action of cross-referencing what files were downloaded to the machine during that time.

    you have gone from tens of thousands of employees to a single employee.... in two steps.

    I worry when a top level rag is impressed by even the most rudimentary low level Software products...., what's next?

  10. Ribfeast

    Pop the files as attachments in a draft e-mail, but don't send it.

    Go home/somewhere else and log into webmail.

    Download the attachments from the draft e-mail to your disk/USB/NAS/whatever

    Delete the draft

    Doubt it would show up on logs as the e-mail was never sent.

    1. anothercynic Silver badge

      Except web activity would show uploads (but not what) of data.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021