T 0.14 Interception of Information / Espionage
Espionage is defined as attacks aimed at collecting, evaluating and presenting information about companies, people, products or other target objects. The presented information may then be used, for example, to provide certain competitive advantages to another company, blackmail people or build a copy of a product.
In addition to a variety of technically complex attacks, there are often also much simpler methods for gaining valuable information, for example by bringing together information from several publicly accessible sources: each piece looks harmless in isolation, but can be compromising in other contexts. Since confidential data is frequently not sufficiently protected, it can often be intercepted by visual, acoustic or electronic means.
Examples:
- Many IT systems are protected against unauthorised access by identification and authentication mechanisms, e.g. in the form of user name and password verification. If the password is transmitted over the wire in unencrypted form, an attacker can, under certain circumstances, retrieve it.
- To withdraw money from an automatic teller machine, the correct PIN for the electronic cash card or credit card being used must be entered. Unfortunately, the visual protection available for this equipment is frequently insufficient, so that an attacker can look over the shoulder of a customer entering the PIN without much effort. If the attacker steals the card afterwards, he can plunder the account this way.
- To receive access rights to a PC or to otherwise manipulate it, an attacker can send the user a Trojan Horse which he has enclosed within an email as a supposedly useful programme.
- In many offices, workplaces are not sufficiently protected in terms of acoustics. As a consequence, colleagues and also visitors could possibly listen to conversations and learn information which is not meant for them or is even confidential.