anuseems Posted March 22, 2014

Summary: Alex A. Kibkalo, the former Microsoft employee charged this week with leaking the company's trade secrets, was a little too loyal to Microsoft services. That turned out to be his undoing.

Here's a pro tip if you're planning to get into the industrial espionage business: Don't use your company's free email, file storage, and messaging services to do the actual business of transferring that same company's trade secrets to a shadowy figure overseas.

[Image caption: A snippet from an IM exchange between the alleged spy and a French blogger]

That advice comes courtesy of the very bad example set by Alex A. Kibkalo, a former Microsoft employee who was charged this week with a single count of violating Title 18, United States Code, Section 1832, Theft of Trade Secrets.

According to an affidavit from FBI Special Agent Armando Ramirez III, a disgruntled Kibkalo stole top-secret source code and software development kits, pre-release hotfixes, and documents from Microsoft. He then used Windows Live Messenger to send links to the stolen files, which he had placed in his personal Windows Live SkyDrive account. And for good measure, he sent email messages with additional details to the Hotmail address of his contact in France.

The French Windows enthusiast, widely believed to have used Canouna as his alias, developed quite a reputation during the months leading up to the release of Windows 8, when he became a star in underground circles with leaks of information and code.

According to the FBI, Microsoft's Trustworthy Computing Investigations department (TWCI) had been trying to track down Canouna's true identity but had failed.
They could not determine if the blogger was an external party obtaining information from a contact within Microsoft, or whether the blogger was a Microsoft employee.

Around September 3, 2012, Canouna sent an email to a person in Redmond, allegedly including some sample code from the Microsoft Activation Server Software Development Kit and asking if the recipient could help him better understand its contents. The outside source, who asked to remain anonymous, contacted Microsoft's Steven Sinofsky instead.

Four days later, on September 7, 2012, the FBI says Microsoft acted:

The source indicated that the blogger contacted the source using a Microsoft Hotmail e-mail address that TWCI had previously connected to the blogger. After confirmation that the data was Microsoft's proprietary trade secret, on September 7, 2012 Microsoft's Office of Legal Compliance (OLC) approved content pulls of the blogger's Hotmail account. [emphasis added]

Those email messages in turn led to instant messaging conversations and links to files shared on SkyDrive. Every piece of data was stored on Microsoft servers using an account allegedly linked to Kibkalo.

And there's no question that both parties knew they were breaking the law, as this snippet of conversation shows:

Three days after that exchange, on September 24, Microsoft investigators hauled their employee, Kibkalo, in for two days of questioning.

If the messages and files in question had been transferred using Gmail and Dropbox, Microsoft would have probably asked for and received court orders to get access to these communications. But because Kibkalo and his French connection had used servers that are run by Microsoft, the company was able to exercise the rights it had reserved in section 3.5 of the Microsoft Services Agreement:

Content that violates this agreement or your local law isn't permitted on the services. Microsoft reserves the right to review content for the purpose of enforcing this agreement.
[emphasis added]

In its Code of Conduct for Microsoft services, which is part of the agreement mentioned in that section of the TOS, Microsoft expressly mentions "software piracy" under the Prohibited Uses section.

Microsoft Online Privacy Statement includes similar wording:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public. [emphasis added]

The internal-only code that Kibkalo allegedly leaked includes the Microsoft Activation Server SDK, which is a core piece of Microsoft's anti-piracy infrastructure. In the FBI affidavit, Microsoft admits that the potential for harm from misuse of the SDK is generally considered low, but the risk is that someone could use the code to reverse-engineer a reliable generator of valid product keys for Windows and Office. That prospect is guaranteed to give Microsoft executives major heartburn.

It's worth noting here that this whole incident happened in Summer 2012, before Ed Snowden upended all the pieces on the online privacy game board.

In response to a request for comment on this story, a Microsoft spokesperson initially provided the following statement:

During an investigation of an employee we discovered evidence that the employee was providing stolen IP, including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries.
This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past. As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

http://www.zdnet.com/how-microsoft-tracked-down-a-spy-who-leaked-its-secrets-7000027545/

The Owl Posted March 22, 2014

Amazing how the so-called "Clever" people can be so basically STUPID and have no common sense (mind you, nowadays it's not so "Common")

SnakeMasteR Posted March 22, 2014

Exactly that is what no one would expect maybe that is why it all happened "internally". Dumb decision is dumb.

GRiM Posted March 22, 2014

> Amazing how the so called "Clever" people can be so basically STUPID and have no common sense (mind you nowadays its not so "Common")

Common sense has never been common. It's an oxymoron.

anuseems Posted March 23, 2014

The Seattle PI is reporting that Alex Kibkalo, ex-Microsoft architect (according to his LinkedIn profile), is facing criminal charges for stealing and leaking early Windows 8 code to a French tech blogger. Windows 8 formally released to the public on October 26, 2012; Kibkalo delivered the stolen code in mid-2012.

In addition to the Windows 8 code, it is also alleged that Kibkalo stole Microsoft's "Activation Server Software Development Kit" which is a proprietary system designed to deter criminals from making unauthorized copies of Microsoft applications. This bit of code can be used to reverse engineer applications by a hacker. The kit was used by the French blogger to make unauthorized copies of Windows 8 with the intent of cracking protections in Microsoft products.

But, this was not the first incident for Kibkalo. He also bragged about leaking large portions of Windows 7 program files before its release and admitted to delivering internal memos and documents.

Kibkalo's reason? He was angry with a performance review.

This was an angry, angry man, apparently. There's no indication about when he received the poor performance review that sent him over the edge, but it seems Kibkalo must've retained his anger for 4 years or so, since Windows 7 released in July of 2009. Like a bad spy movie from the 1980's, Kibkalo, who is a Russian national, at one point broke into Building 9 on Microsoft's Redmond campus to copy software from protected servers.

Ironically, prior to his arrest, Kibkalo was working for a security software company, 5Nine Software, Inc., that specializes in security and management for Windows Server and Hyper-V. I'm sure this report is of interest to his current employer, however two members of the company's executive team also have ties to Russia, receiving degrees from institutions in Moscow.
As part of the investigation and fact gathering, I'm sure 5Nine has been queried already by the FBI investigators.

Interestingly, Kibkalo left Microsoft in September of 2012 after working there since 2005. The last reported criminal incident was recorded at the beginning of September 2012. One has to wonder if he left of his own accord because he felt he would get caught, or if Microsoft and investigators have actually been working on this case for the last 2 years. Kibkalo left Microsoft in 2012 to freelance and didn't acquire another real job (with 5Nine) until August of 2013. This seems to indicate he attempted to lay low for a while and when he believed the coast was clear he sought another private sector job, but who knows for sure.

http://windowsitpro.com/industry/angry-performance-review-microsoft-employee-steals-and-shares-trade-secrets