Editor’s Note: This is the fifth installment of an occasional series of feature stories exploring some of the most important insider threat cases in U.S. national security history.
Those familiar with the satellite television service DirecTV know that it takes more than an account with DirecTV, a satellite dish and a satellite signal receiver to tune into your favorite binge-worthy television series. It also requires a smart card that is inserted in a slot in the back of the receiver that authorizes receipt of the digital signal.
One of those cards was the DirecTV Period 4 access card, and it cost the company $25 million to develop in 2002. DirecTV worked for years with its security partners to develop the card because all three previous versions had been cracked by hackers, enabling them to decode the encrypted signals and circumvent DirecTV programming controls.
DirecTV has spent millions of dollars trying to combat unauthorized access to its programming signals, including preventing legitimate users from exceeding their authorized programming packages. The company has employed a wide variety of methods to accomplish this, including electronic countermeasures to jam counterfeited or illegally modified smart cards. However, the company has been up against an organized “pirate community” that is engaged in an aggressive program to continually develop ways to beat DirecTV’s countermeasures and feed a black market in illegal access cards.
In 1997, DirecTV took its first step to address the problem by contracting with a company called NDS Americas Inc. to develop a replacement access card for the company’s first generation of cards. The so-called Period 2 card was then developed and distributed to all DirecTV subscribers. But the hacker community quickly developed a way around the card’s security.
By Feb. 1999, DirecTV incurred great expense to develop a third generation of security-enabled access cards – the Period 3 card. The first hacked versions of the Period 3 card were announced by the pirate underground in Nov. 2000.
The Period 4 card, or the Fourth Generation smart card, was the result of two years of research and development by DirecTV and its security partner NDS. In addition to the extreme R&D cost, the card is said to include proprietary DirecTV technologies that had until that time never been used in a smart card application.
At the time, Igor Serebryany, a 19-year-old University of Chicago student, was living in the Los Feliz area of Los Angeles, Calif., and was working for a copying service that had been hired by Jones Day Reavis & Pogue, a Los Angeles-based law firm representing DirecTV in a civil litigation case against one of its security vendors.
In Sept. 2002, DirecTV and Jones Day began preparing for their case. Part of that preparation involved sharing secret documents pertaining to the Period 4 access card with lawyers from the firm. Some of the data shared with the law firm was so sensitive that DirecTV had stored it in a secure facility and in encrypted format.
But on October 10, executives at Jones Day telephoned the local U.S. attorney’s office and the FBI about a theft of trade secrets belonging to DirecTV and NDS. Responding to the call were Assistant U.S. Attorney James W. Spertus, FBI special agent Christopher Beausang, and FBI special agent Tracy Marquis Kierce. When they arrived at Jones Day, they met with Larry Rissler, the vice president of Signal Integrity at DirecTV, Joshua I. Halpern, director of Threat Management Services for the Internet Crimes Group, Inc., and attorneys from the law firm.
The story told that day and the ensuing investigation revealed that DirecTV’s trade secrets had been compromised once again and the evidence was pointing to somebody on the inside.
.. -. ... .. -.. . / .--- --- -...
The story begins in August 2002, when DirecTV and its legal counsel, Jones Day, began preparing the paperwork to support a civil case against NDS for breach of contract. Executives from DirecTV delivered to Jones Day lawyers in Los Angeles 27 boxes of documents, many of which had until that time only existed in secure electronic form.
Jones Day immediately set up a case room to store the boxes of documents belonging to DirecTV. Access to the room was strictly controlled and limited to the law firm’s legal assistants and lawyers who were working on the case and had a need to know what information was contained in the documents. It was in this room that legal assistants spent much of their time compiling lists of documents that were deemed critical to the case against NDS. As a result, many of these documents had to be copied as soon as possible so that they could be placed in case binders.
Jones Day maintained an imaging center on the premises of its corporate headquarters. On-site photocopying was deemed the best way to ensure the documents didn’t fall into the wrong hands. So, the boxes that had been marked for copying were sent from the case room to the imaging center, which was operated by a firm called Uniscribe.
Once again, access to the documents was limited to only a select few employees at Uniscribe. Each employee – Yelena Tsvetkova, Peker L. Mikhaie (aka Michael Peker) and Abraham Filoteo – was required to read and adhere to a written policy governing control of and access to the documents and the confidentiality requirements governing their content.
The process of copying paper documents sounds simple enough. But at Jones Day, that process was anything but simple. There were six computers that were used to scan the documents into electronic format. The scan created a TIF image file. After scanning, numbering codes and confidentiality statements were appended to the image files. The image files were then processed using optical character recognition (OCR) technology to create an additional text file. At that point, the TIF images and the OCR files were written to CD-ROMs that were either stored in the imaging center or provided to Jones Day attorneys. Seems like the end of the process, right? Wrong.
Surprisingly, an additional hard copy of each document, called a “blowback,” was then created. Those too were either stored temporarily in the imaging center or provided to attorneys. Finally, the hard copy documents would be scanned and stored in digital form on storage media connected to the computers in the imaging center. From an information security and control standpoint, this was a disaster waiting to happen.
On Sept. 6, DirecTV and Jones Day presented their case to a federal court. Because the case would involve discussions of ongoing research and development – the bulk of which was based on trade secrets belonging to DirecTV – the complaint and related documents were kept under seal to ensure that the pirate and hacking communities did not gain access to secret data pertaining to the Period 4 access card.
But the case was far from over and there were more documents that needed to be copied. On Sept. 13, Jones Day requested Uniscribe to begin working overtime to get all of the documents copied. As many as 22 of the 27 boxes that had been earmarked for copying were now delivered to the imaging center for photocopying. Uniscribe agreed to do whatever was necessary to get the job done. And it was at that time that a fourth person volunteered his services to the copying team that had been assigned to the DirecTV case. His name was Igor Serebryany.
.. -. ... .. -.. . / .--- --- -...
At 6:45 PM on Sept. 16, 2002, a user who went by the nickname Igor32 conducted a Google search using one of the six computers in the Jones Day imaging center. The computer was connected to the public Internet to provide employees with e-mail connectivity. The user entered his search term: Vcipher. In seconds, references to the popular pirate site appeared on the screen. Among the search results was another interesting site: DSS-Hackers.com.
Igor then located MAXXIMUS, the Web site administrator of DSS-Hackers. He drafted an e-mail to MAXXIMUS in which he stated that he had internal documents and secret information that belonged to DirecTV and NDS. Igor emphasized that he would only have access to the documents for a short time and he wanted desperately to get them posted on the Internet. Time was running out, Igor said, especially since he had to first convert the documents into Adobe Acrobat format before e-mailing them.
MAXXIMUS pondered the identity and motive of his new friend. Perhaps he was a disgruntled former employee of one of the companies? Perhaps he was a hacker who got lucky or an insider looking to make some money? It didn’t matter. But a sample would be nice.
Igor sent MAXXIMUS a few documents through Yahoo! Messenger. MAXXIMUS realized immediately that his new friend was for real. But Igor had too many documents for MAXXIMUS to upload to his Hong Kong-based Web server. So he forwarded the documents on Igor’s behalf to PiratesDen.com, an online forum dedicated to sharing information about how to circumvent the security controls of DirecTV’s satellite signals. He then told Igor that he knew somebody who could help him find a place to upload the rest of the documents. MAXXIMUS then cut off all communications with Igor and destroyed the few documents he had received. It was a wise move.
The moderator of MAXXIMUS’ Web site said he had a friend in Canada who maintained a server that would allow Igor to use FTP (File Transfer Protocol) to upload as many documents as he wanted. Igor then made several CDs containing the DirecTV and NDS documents using one of the computers in the Jones Day imaging center. He placed the CDs in a CD holder labeled “The Doors LA Woman” so that they would appear to be music files. Igor took the CDs home and used his parents’ high-speed Digital Subscriber Line (DSL) Internet connection to upload the files.
Within days, more than 800 megabytes worth of trade secrets pertaining to the Period 4 access card – the only access card that criminals had not yet figured out how to crack – appeared on PiratesDen.com. The documents that were posted on the site included highly secret internal design schematics and internal correspondence between DirecTV engineers and NDS security experts that discussed the architecture of the cards and their security features. It was a worst-case scenario. Everything that DirecTV and Jones Day had been doing to protect the intellectual property secrets involved in the case was for naught.
.. -. ... .. -.. . / .--- --- -...
On October 10, Jones Day executives began the process of sealing off the imaging center and hired a computer forensics expert to begin investigating and collecting evidence that might prove who was responsible for the breach. Meanwhile, NDS was quick to state that they had nothing to do with the loss of the data and that the source of the leak was likely inside DirecTV.
While it was certainly possible that somebody inside DirecTV was responsible for sending the documents to the pirate Web site, the FBI considered it unlikely. DirecTV employed extraordinary security measures, relying on the practices of its parent company Hughes Electronics Corp. – a trusted military contractor. Among the measures taken to protect its most sensitive information is a requirement for all employees to sign a confidentiality agreement that remains in force even after their employment. In addition, color-coded badges tell security personnel whether a person is an employee, a contractor or a visitor and restrict where they can go within the facility. Visitors must inform a cadre of professional security officers manning the facility’s entrance checkpoints if they are carrying a computer and all bags are subject to search upon leaving.
A separate building houses the DirecTV engineering spaces, is guarded by a separate security force and is served by a security-controlled elevator system. And even within this separately guarded and secured building, some engineers are granted conditional access to highly sensitive programs, such as the smart card development program. Those who are granted access to such programs must not only be able to get into the engineering building and onto the engineering floor, but must also have access to a special room that is secured with cipher locks, the combinations of which are known only to a handful of DirecTV employees. Wall-mounted security cameras monitor this area 24 hours per day, seven days per week.
From an information and communications security perspective, DirecTV employs a strict, military-like need-to-know policy for information access control. Likewise, all third party contractors, such as chip manufacturers, are assigned code names and are only referred to by those code names in all communications and correspondence within DirecTV and with outside entities. In addition to segregation of all computer networks in the engineering spaces and restriction of all external connections to those networks, all correspondence referring to the company’s intellectual property is required to be printed on color-coded paper that offers quick identification of the sensitive information. However, no information related to the super-secret Period 4 access card ever existed in hard copy format. That is, not until the lawsuit against NDS.
By Nov. 15, the investigation was coming together. The forensics expert hired by Jones Day had determined that secret information pertaining to DirecTV had indeed left the facility. Special agents Kierce and Beausang then drove to the Jones Day imaging center and began collecting evidence. They confiscated hand-written work schedules that showed Igor Serebryany had worked during the times of the alleged uploading of the documents to the pirate Web sites. In addition, a printout from a surveillance camera showed Serebryany entering the facility at 10:39 a.m. on the morning of Sept. 22.
The FBI agents interviewed Serebryany on Dec. 17 at the bureau’s Los Angeles Field Office. They explained to him why he was being questioned and that they were trying to determine the facts surrounding the leak of the DirecTV secrets. Serebryany acknowledged creating two compact discs containing TIF image files of DirecTV documents and searching for the pirate Web sites using a computer at the Jones Day imaging center where he worked. He also told the agents that he converted the files on the disc to Adobe PDF format using his parents’ computer at his home and outlined his attempts to transmit the files to the hacking and pirate community.
The FBI had their man. Despite the extraordinary security measures undertaken by DirecTV to control access within the confines of their protected buildings, Igor Serebryany managed to become a “trusted insider” without ever setting foot in a DirecTV office.
Authorities arrested Serebryany at his home in Los Angeles on Jan. 2, 2003. He pled guilty to theft of trade secrets on April 18 of that year. U.S. District Judge Lourdes G. Baird sentenced him on Sept. 8 to home detention for six months, five years of probation, and ordered him to pay $146,085 in damages.