How Corporate Leaks are Detected
by Parity Check
Every day in the news we see a new government or corporate scandal that has been leaked to the press. Meanwhile, the corporate spooks are usually trying to figure out who leaked the memo to the press in the first place. This practice has developed into an art.
The first step involves finding out who had access to the information inside the organization. A list of names is then compiled and those persons are targeted by the security team.
One method used by security personnel to stop documents from being passed around is to put them on restricted distribution lists. These are lists of names or positions that are authorized to view and/or access the document. If you aren't on the list, you don't get the document.
This has a dual effect: first, the document is restricted, making it harder for the opponent to get the document. Second, should the document be leaked to the media or opponents, security officers will have a ready made list of suspects to start their investigation from.
Once a leak has occurred, the investigation team will attempt to locate the source of the leak using multiple techniques such as interrogation, background screening, analysis of motives, etc. These are all beyond the scope of this document and should be looked up in other publications (LOD Technical Journals, etc.). I will deal here with setting up traps for the source to reveal itself, and with the possible countermeasures that may be used against them.
One method to find leakers in an organization is to set up several new restricted distribution lists from the original list. Each new list contains a segment of the original list, chosen so that every individual ends up on a unique combination of lists. Each list is then fed "food" - forged documents that the target would want to leak - and the source is found by cross-referencing the documents that are actually leaked with the distribution lists they were sent to.
This method has its problems. It's time consuming because of the forgeries which need to be created and because of the lists required. Furthermore, the source will in most cases become suspicious when multiple lists are created and when "food" starts appearing in above-average quantities. Also, nothing guarantees that the source will leak all of the documents sent to it.
Another method used is the creation of "mouse-trap" documents, tailor-made to catch the source. The original document is fed into a computer along with a thesaurus. The computer then uses synonyms to replace some words in the document. Punctuation (placement of commas, etc.) is also altered, as are the header style and the spacing between paragraphs. Using a combination of these techniques, a unique document is made for each person it is to be sent to, while keeping the essence of the message intact. Should the source discuss the message with another person on the document's distribution list, suspicion is not aroused, as the central idea remains the same.
Then the document is released to the individuals. Should the document be shown on television or published in the newspaper, the security officers will be able to determine who leaked it. The media have caught on to this, and some now quote only part of the document; but here again, because of the wording and punctuation, the source can often still be found. In some corporations and government entities this process is automated top to bottom, with a new version of the document created each time it is requested. Of course, this technique has its limits, as the source can always steal a colleague's copy and leak that version of the document.
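The mouse-trap scheme above, as an added example that is not part of the original article: a constructed three-sentence memo with three synonym sites, one unique wording assigned per recipient, and a lookup that narrows the suspect list from whatever fragment the press quotes. The memo, names and synonym table are all made up for the example.

```python
import itertools

# Constructed synonym sites: each list holds wordings that keep the
# meaning of the memo intact, so recipients can discuss it without
# noticing that their copies differ.
SITES = [
    ["acquisition", "purchase", "takeover"],
    ["concluded", "finalised", "completed"],
    ["next quarter", "in the coming quarter", "by next quarter"],
]
TEMPLATE = "The {} of the subsidiary will be {} {}. Staff will be briefed separately."


def assign(recipients):
    """Give every recipient a distinct wording of the memo.

    Walks the 3 x 3 x 3 = 27 combinations in order; with more recipients
    than combinations another site must be added, so fail loudly rather
    than silently hand two people the same copy.
    """
    combos = itertools.product(*SITES)
    table = {}
    for person in recipients:
        combo = next(combos, None)
        if combo is None:
            raise ValueError("more recipients than distinct wordings; add a site")
        table[person] = TEMPLATE.format(*combo)
    # Sanity check: the whole scheme depends on every copy being unique.
    assert len(set(table.values())) == len(table)
    return table


def suspects(table, fragment):
    """Recipients whose copy contains the quoted fragment verbatim.

    A full quote points at one person; a partial quote that only spans
    some of the sites returns everyone whose copy agrees on those sites.
    """
    return sorted(person for person, text in table.items() if fragment in text)
```

Because the combinations are handed out in order, early recipients share their first word; spreading the differences across sites would let shorter quotes discriminate better, at the cost of a slightly longer generator.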
A possible countermeasure is the complete reversal of the process - run the document through a thesaurus and again change the punctuation. In this manner, regardless of what was planted inside the document, provided it is not shown in a picture, nothing can be traced back to the original copy.
The last technique is essentially a watered-down version of the above. Studies or documents are released in massive quantities to the individuals, each with a small discrepancy (a typo, figures off by $34, a wrong date, etc.). The information in the documents is low-level while still being confidential. The theory behind the technique, not always borne out in practice, is that someone willing to leak large quantities of low-level information will also be willing to leak high-level information. The process is repeated several times until a pattern can be traced back to an individual.
In conclusion, there are several techniques, each with its strong points and weaknesses. The best possible solution to finding a leak within an organization is probably some hybrid of all of them.