Conference Shares the Secrets of Industrial Espionage : Security: Surveillance Expo '89 let equipment manufacturers and investigators see the latest in the snoop and stymie business.

By MEGAN ROSENFELD

Dec. 27, 1989 12 AM PT

THE WASHINGTON POST

WASHINGTON —

To hear it from the mavens of commercial surveillance, there is no such thing as paranoia: Your worst fears are probably true. If you think someone is taping your phone calls, bugging your office or reading what’s in your computer, you are probably right.

That fire sprinkler in the ceiling could be a camera; the person on the phone who says she is “Judy from accounting” could be an impostor; the janitor could be a private investigator ready for a session of “dumpster diving.”

That, at least, was the perspective permeating the air earlier this month at Surveillance Expo ’89 at the Sheraton Washington, a showcase for an industry aimed at thwarting industrial spies, computer hackers and traitorous employees scheming to sell trade secrets, get back at the boss or embezzle.

The conference provided an opportunity for equipment manufacturers, security managers and investigators to see the latest in the snoop and stymie business.

“We are not merchants of fear; we are merchants of fact,” said Dar Hyatt, the representative from Avtech Industries. The fact, however, seems to be: Don’t trust anyone. Indeed, he said, “Ninety percent of the people who attend my stand (at trade shows) are crooks!”

The crooks he was referring to are a new breed, skilled and professional, and often without any sense that what they are doing is wrong. Changing a number in a computer program may seem less criminal than holding up a service station, but it can be theft nonetheless--albeit harder to detect and harder to prove.

Given the murky legal options--much of the frontier of computer crime and industrial espionage is uncharted legal territory--many firms are looking to settle their problems themselves, hiring security firms to prevent abuses or to detect them when they occur. Security is a $14-billion industry, according to Frost and Sullivan Inc., which publishes reports with titles like “Access Control Equipment Market.”

People like Arthur Donnelly, a private investigator from New York who attended the conference, are part of the industry. Donnelly, a stocky, bearded fellow, is of the new breed of private investigator--he doesn’t try to get dirt on philandering spouses; he gets dirt on corporate executives. Or their employees. And things more mundane than that.

Once, he said, he was hired by a bank that had lost $50 million worth of business by ignoring information about a new stock about to come on the market. The bank wanted to know who had been responsible for ignoring the tip. Another time he was hired by a fast-food chain to spy on a franchisee suspected of buying supplies from another source. Donnelly sat in his surveillance van, equipped with a periscope, and watched all the delivery trucks that came and went until he had clear evidence of bootleg buns.

“Industrial espionage isn’t just one company trying to find out trade secrets,” said Donnelly during a break in the surveillance lectures. “Companies hire us to find out how their employees are reacting to a change, or to get information on the key executives in another company.

“Let’s say Yuppie A Executive and Yuppie B Executive are at the same management level,” Donnelly said. “They know they may one day be rivals for a higher position. So Yuppie A orders up an investigation of B, hoping to find something--drug problem, a money problem, a woman problem--that he can use against him later.”

One of Donnelly’s favorite techniques is going undercover--currently he is working as a data processor in a company to get information about employee reaction to a personnel change. He also has worked as a janitor, a systems director and a management trainer.

Another favorite tactic--and Donnelly is not alone in this--is posing as a “market researcher” to get information from a particular company. Is it legal?

“It’s not criminal,” said August Bequai, a Washington lawyer who led a seminar on the “Legal Loopholes of Corporate Espionage.” But, he added, “You might find yourself sued.”

Donnelly also has gotten useful information from the trash--a practice known as “dumpster diving.”

“People don’t realize what they throw out,” he said. “And the Supreme Court has ruled that once you put it out it’s public property.”

It was, he said, some clever dumpster diving by a private investigator that uncovered a recent Food and Drug Administration case against a manufacturer of phony generic drugs.

To protect himself from his peers, Donnelly has paper shredders in both his office and his home. He also has an unlisted home number and doesn’t carry pictures of his wife and daughter in his wallet.

Donnelly knows the electronics of the business--laser listening devices that can pick up a conversation through walls, the radio monitors that can tune in calls made on cellular phones, the bugs that can be placed with ease in a room--but two of his main tools are surprisingly old-fashioned. One is a colleague who can read lips; the other is the public library. While Donnelly tracks people and paper for clients, Susan Headley has been one of the people he might have found.

A self-described former hacker, she now is a professional poker player in Las Vegas.

Headley, who goes by the hacker handle Susie Thunder, described herself as a self-taught expert.

At age 8, she built a “black box,” one of those illegal devices that allowed her to make free long-distance telephone calls.

Sporting white cowboy boots and a purple tie-dyed, studded dress that made her a standout in the crowd, Headley was at the convention to give a seminar on the “psychological subversion of EDP (electronic data processing) systems.”

Her fascination is figuring out how to circumvent security systems, a talent she developed as a teen-ager at rock ‘n’ roll concerts.

Having conquered the world of bodyguards and backstage passes, she fell in with a group of teen-age computer hackers and soon was ready to tackle any computer system as long as she had a telephone.

She is blunt and open about her colorful past, she said, to create awareness about how easy it is to invade computer systems.

She said she has inveigled free tickets for airline flights and concerts, set herself up as a phantom employee of a telephone company to have access to its systems and indulged in other hacker tricks.

The conference was attended by about 600 people, somewhat fewer than organizer James A. Ross had hoped for.

A man from the Department of Defense gave an illustrated lecture on terrorism that was well attended, and Barbara A. Rowan, an Alexandria, Va., consultant on white-collar crime, lectured on the legality of recording telephone conversations.

There were a number of talks about computer security, and an exhibit hall that featured an assortment of what industry wags refer to as “toys,” ranging from a television camera in a tie clip to the latest in penetration-proof rooms.

One lecturer, Washington attorney Joel R. Wolfson, had prepared a talk on possible legal strategies for dealing with computer viruses--clandestine software programs that are designed to disrupt computer systems.

He came equipped with his own computer and a “virus” program that he had concocted to show how easy it was to wreak havoc with a system and how important it was to have safeguards.

He had only one problem: His computer wouldn’t work.