Small Business Defense – Encryption
- At March 12, 2009
- By Josh More
- In Business Security
- 0
I think we can probably all agree that the right way to deal with yesterday’s attack is to build a system where only the right and trusted individuals have access to sensitive data. I think we can probably also agree that this will never happen in your average small business. Rearchitecting your data storage system, doing data classification and identifying user roles is just too much work, and any project that requires that much churn and does not impact the bottom line will never get approved.
So, let’s accept the reality that you’re not going to follow my advice and you are fully committed to an insecure paradigm. How can you minimize your losses?
The key here is to look for a system that allows your data to be readable by the right people, and unreadable by the wrong people. Naturally, this means encryption. There are a lot of encryption solutions out there. Lots of people will tell you that theirs is better than the others. Some will throw bit length at you, some will talk algorithms, some will focus on speed.
None of this should matter to you.
You want a solution to a problem, not a fight over mathematical intricacies, so here’s the deal.
- The system has to be publicly verified. If the word “proprietary” appears anywhere in the marketing material, it has probably been unverified and is too weak to use.
- The system should be inexpensive. If you have to count where you’re using it and pay accordingly, you won’t use it everywhere you need to.
- The system should handle key management. If an attacker can get the key to unlock the data, you’ve lost. If the valid users lose the key to unlock the data, you’ve lost.
That’s it. Three simple rules. Nothing else matters, because right now you don’t have encryption technology in place so any encryption technology that you deploy will be a win. Don’t spin your wheels picking solutions. Get a list together, throw out everything that doesn’t fit these three rules and randomly pick one of the very few solutions remaining.
Then, after you’ve used it for a year or three, you should know enough about encryption to pick a solution that truly matches your business needs. Best of all, you won’t be out much money and you won’t have lost much data during the learning process.
As a quick note to get you started, TrueCrypt is free and can encrypt entire hard drives, and GnuPG is free and can do a lot (it can be hard to use though). On the commercial side, PGP has a 30 day free trial, after which it cripples itself. It’s still usable, but not quite as usable as it used to be.
Small Business Attack – Type of Data: Proprietary Information
- At March 11, 2009
- By Josh More
- In Business Security
- 0
All businesses have it. There’s information that is important to the business. Maybe it’s a contract. Maybe it’s a client list. Maybe it’s a product roadmap. Whatever it is, odds are that you’d lose tons of money if a competitor got it. However, it’s also vital to your operations. There are employees that need access to the information to do their jobs. So, there is likely one of two scenarios at work:
1) There’s a shared drive somewhere that has the proprietary information on it, and is open to all people in the company.
2) Each employee has their own copy of the information, so there are multiple versions on multiple workstations.
So, if someone can access your network as a user or even just take an employee’s workstation, they get your data and you lose tons of money. How likely is that?
- Have you ever had a virus/malware infection in your business?
- Have you ever lost a laptop? A smartphone?
- Have you ever had an employee that worked for a week or two and then left suddenly?
- Have you ever had a breach of a web server?
- Have you ever received an email with a funny attachment? Did you launch it?
Odds are, that if an attacker wanted that data, they could get it easily. But with so many attack vectors, how do you protect the data and still allow people to access it?
Site Review – Plaxo
- At March 06, 2009
- By Josh More
- In Business Security
- 1
At first glance, Plaxo looks like a strange clone of Facebook and LinkedIn. The second glance looks much like the first. It identifies people you may know, allows you to make micro-bloggish updates and tries to organize your contacts for you. All in all, a useful site, but nothing particularly special when compared to the many other sites that do that.
If you dig deeper though, you discover that it’s really more of a hybrid than you thought. Plaxo takes the idea of “mash-up” to a whole new level. When you set up your profile, you can link to numerous other social media sites. It can tie into Flickr, Delicious, Live Journal, MySpace, Google, Facebook and more. You can use it to keep track of your friends’ updates all in one place.
Of course, to do this, it also allows your friends to keep track of your updates. Which sounds nice until you realize that you are basically also giving an unknown company complete access to your data on multiple sites… effectively making isolating a data leak impossible.
There are some security features in Plaxo that should help minimize this. However, like most things, it all comes down to how much you trust the company.
On the plus side, Plaxo doesn’t list very many partners, just Comcast, WebIS Mobile Sync and Yahoo, so your data is likely safer than at some services. The privacy policy is pretty good (the permanent opt-out is particularly nice), as are the terms of service.
On the negative side, Plaxo only functions well if all your other friends are also using Plaxo, so it tends to be a bit spammy. It also requires ongoing maintenance for managing security settings. It’s all well and good to post an update tagged as “friends-only”, but having to manage which people are in which friends groups on different sites is troublesome enough. When you have an aggregator that has its own permissions model and doesn’t stay in sync with the groupings on other sites, the security concerns get far more complex.
So, unsurprisingly, it’s another one of those tools that has some risk, but the benefit may outweigh the risk… but only for a small percentage of the people out there. If you decide to use Plaxo, go for it… but be careful.
Small Business Defense – Source Repositories and Honey Tokens
- At March 05, 2009
- By Josh More
- In Business Security
- 0
As mentioned yesterday, source code is a nice juicy target for an attacker. So, what can you do about it?
The first thing to do is to make sure that you have the ability to detect whether an attacker was able to make changes to your code. To do this, you need a way to ensure that you have a good clean reference copy of what the code should be. The easiest way to do this is to use a revision control system. Though there are many, I prefer Subversion, as it is both free and fairly easy to use. Once your code is checked into your revision control system, it’s easy to look for differences between running code and stored code. In addition, if you are compiling your code (or converting it into bytecode), you can keep all the code in the system. Then, you can add strict access rules to the repository and gain an extra layer of defense.
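One way to do that comparison, as an added example that is not part of the original post: hash a clean export of the repository and the directory the application actually runs from, then list what differs. The ignored suffixes and the demo file contents are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a deployment generates at runtime rather than checks in. Anything else that
# differs from the reference copy needs an explanation. (Assumed list for the example.)
IGNORED_SUFFIXES = (".log", ".pid")


def hash_tree(root):
    """Map every file below root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix not in IGNORED_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(reference, deployed):
    """Compare two {path: digest} manifests.

    reference: built from a clean export of the repository (what the code should be)
    deployed:  built from the directory the application really runs from
    Returns sorted lists of paths modified, added or missing on the deployed side.
    """
    ref_paths, dep_paths = set(reference), set(deployed)
    return {
        "modified": sorted(p for p in ref_paths & dep_paths if reference[p] != deployed[p]),
        "added": sorted(dep_paths - ref_paths),
        "missing": sorted(ref_paths - dep_paths),
    }


def write_tree(root, files):
    """Create the files (relative path -> text) under root; used to build the demo trees."""
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def demo():
    """Constructed example: a clean checkout versus a deployment where one file was
    edited, one file appeared that is not in the repository, and one file is gone.
    Returns the comparison result."""
    checkout = {
        "app/billing.py": "def invoice(customer):\n    return customer.total()\n",
        "app/auth.py": "def login(user, pw):\n    return check(user, pw)\n",
        "templates/index.html": "<h1>Welcome</h1>\n",
    }
    deployed = dict(checkout)
    deployed["app/auth.py"] = "def login(user, pw):\n    return check(user, pw) or True\n"
    deployed["app/helper.php"] = "<?php /* not in the repository */ ?>\n"
    del deployed["templates/index.html"]
    deployed["app/debug.log"] = "generated at runtime, ignored by hash_tree\n"

    with tempfile.TemporaryDirectory() as ref_dir, tempfile.TemporaryDirectory() as dep_dir:
        write_tree(ref_dir, checkout)
        write_tree(dep_dir, deployed)
        return compare_trees(hash_tree(ref_dir), hash_tree(dep_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Run the reference side from a fresh export, never from the live server, or the comparison only proves that the deployed tree equals itself.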
So, that takes care of protecting your assets and helps you confirm if they are stolen, but how do you detect the theft in the first place in case someone does get through? That’s where a “honey token” system comes in. This sort of system is often installed at the edge of your network and simply checks all outgoing traffic for certain key words and phrases. It’s fairly easy to come up with specific strings to embed into your source code (or other intellectual property of interest), and then set these systems to look for them. They’re not perfect and may miss transfers that are compressed or encrypted, but they’re better than nothing.
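The honey-token check described above, as an added example that is not the post’s own code: plant strings in the source tree, scan outbound payloads for them, and see why compressed transfers need a second look while encrypted ones are simply invisible to this kind of check. The tokens, the sample flows and the HTTP handling are assumptions for the example.

```python
import gzip
import re

# Constructed honey tokens: strings planted in the source tree that no legitimate
# outbound transfer should ever contain. Real ones would be unique to your code base.
HONEY_TOKENS = [
    b"hx-7f3a9c-billing-module",
    b"Copyright (c) Example Corp -- internal build 2009.02",
]
GZIP_MAGIC = b"\x1f\x8b"


def candidate_views(payload):
    """Return the byte views worth scanning: the raw payload, the HTTP body if the
    payload looks like an HTTP request, and the decompressed form of any gzip view."""
    views = [payload]
    header_end = payload.find(b"\r\n\r\n")
    if header_end != -1 and re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n", payload):
        views.append(payload[header_end + 4:])
    for view in list(views):
        if view.startswith(GZIP_MAGIC):
            try:
                views.append(gzip.decompress(view))
            except (OSError, EOFError):
                pass  # truncated or corrupt stream: nothing more to recover here
    return views


def find_tokens(payload, tokens=HONEY_TOKENS):
    """Sorted list of honey tokens present in any view of the payload."""
    views = candidate_views(payload)
    return sorted(t for t in tokens if any(t in v for v in views))


def inspect_flows(flows, tokens=HONEY_TOKENS):
    """Map each (name, payload) flow to the tokens found in it, so an operator can
    see which outbound transfers carried planted strings."""
    return {name: find_tokens(payload, tokens) for name, payload in flows}


# --- constructed sample traffic -----------------------------------------------
SOURCE = (b"# hx-7f3a9c-billing-module\n"
          b"def invoice(customer):\n    return customer.total()\n")


def _xor(data, key=b"\x5a\xa5\x3c\xc3"):
    """Stand-in for an encrypted transfer (NOT real encryption): it only shows that
    content scanning cannot see tokens once the bytes have been transformed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


SAMPLE_FLOWS = [
    ("plain-http-post",
     b"POST /paste HTTP/1.1\r\nHost: paste.example\r\nContent-Type: text/plain\r\n\r\n"
     + SOURCE),
    ("gzip-http-post",
     b"POST /paste HTTP/1.1\r\nHost: paste.example\r\nContent-Encoding: gzip\r\n\r\n"
     + gzip.compress(SOURCE)),
    ("raw-gzip-stream", gzip.compress(SOURCE)),
    ("encrypted-stream", _xor(SOURCE)),
]

if __name__ == "__main__":
    for name, hits in inspect_flows(SAMPLE_FLOWS).items():
        print(f"{name:18s} {'ALERT' if hits else 'clean':5s} {hits}")
```

The encrypted flow comes back clean, which is exactly the gap the post mentions: for those transfers you are left with destination, volume and timing rather than content.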
And after all, protecting your assets is a matter of incremental improvement.
Small Business Attack – Type of Data: Source Code
- At March 04, 2009
- By Josh More
- In Business Security
- 0
One of the types of data that may exist on your network is source code. Though it’s more likely to be there if you are an I.T. company, a great many companies out there have custom written business applications. Though users will generally use the application either by clicking an icon on their desktop or accessing it via a web browser, the real “nuts and bolts” of the application likely lies in the source code.
Traditionally, the term “source code” refers to the raw code that is written by people and later compiled into another format to be used by a computer. There are other forms of code, like bytecode, interpreted code, etc. However, the point of this entry is not about the differences. For the purposes of this post, “source code” means “business logic that both humans and computers can read”. (I’m sure I just upset some tech purists that read this blog.)
The important thing to realize, as a business owner, is that the applications that you use often reveal a huge amount of data about how you do business. There are likely flowcharts and checklists out on a shared drive somewhere. There may be a technical manual or five somewhere. However, we are in a digital age, and a lot of effort is being put forth to automate repetitive tasks and use technology to accelerate the speed with which business can be done. In short, more and more of the key business activities are being moved to the computer. This is great for efficiency… but it also provides a great target for an attacker.
If an attacker gets a checklist, they might learn what problems your business commonly has. They might be able to misrepresent themselves as a client and abuse the checklist to gain further information about your business. They might find their own flaws in your procedure and use it to make your competitors more efficient. But if they can get the source code to one of your systems, they gain much much more.
The code that runs your systems might contain usernames and passwords that interface with other systems. It contains detailed business logic. It might even mention identified, but not repaired, problems in your business. An attacker could not only duplicate much of your business, but they might also be able to integrate with your billing and sales systems, and steal money and client lists. They might be able to access existing customer accounts and take anything they want.
In short, they’d be able to do anything that you can do, and since they don’t have the overhead to develop it in the first place, they could do it better, faster and cheaper.
How are you protecting yourself?
Ten Stupid Ideas to Harm Iowa
- At March 02, 2009
- By Josh More
- In Business Security
- 1
As I was reading the March 2, 2009 edition of the Des Moines Business Record this morning, I was surprised to read the editorial section “Iowans offer ideas on budget”. The gist of the article is that the Democrats and Republicans are soliciting ideas for ways to save money. The general tone seemed to be that Iowans have some good ideas, and the piece expressed some doubt as to whether the legislators would actually listen to them.
Now, this isn’t a political blog, it’s about security (as well as nature, technology, business and mythology… but mostly about security). The hardest thing about working in security is that it’s impossible to be perfect. In many cases, one has to look at the problem and pick the least horrible solution. If you’re really really lucky, you can align technology and security with the business goals and work towards a common goal. Mostly though, it’s about looking at tradeoffs.
Reading this list of suggestions is a wonderful exercise in this type of thinking. Let’s take a look at the tradeoffs around what seems to be passing for “prudent thinking” among today’s Iowans.
“Set up toll booths on the interstate highways. One variation: Only charge out-of-state drivers.”
The intent here seems to be to raise revenue for the state by leveraging our interstate system which, if I recall, was largely funded by Federal dollars. Assuming that it is even legal to do this, is it wise, in effect, to institute a tax on mobility? For years I’ve heard concerns about the “brain drain” in Iowa. Do you really think that smart kids will stick around in a state that actively hampers their movement?
Also, even if it’s only a tax on out-of-state drivers (which has some implementation difficulties), is it a good idea to make it economically worthwhile for truckers and travelers to re-route through Minnesota or Missouri?
Lastly, how would we pay for all the toll booths?
“Suspend maintenance of bicycle trails for a year and concentrate on the roads and sidewalks instead”
Right. We are living in a state with increasing numbers of people who are out of work. With a growing population who can’t afford to repair failing vehicles. Where pollution is on the rise and gas prices are expected to follow soon. And lastly, where obesity and heart disease are leading health concerns… and the solution is to take away the bike paths?
We’d be saving tens of dollars now and then paying thousands of dollars to repair the ecological damage and deal with the health impact.
“I am a 30-year DOT (Iowa Department of Transportation) employee. … There are far too many do-nothing positions in the DOT that could easily be eliminated, saving millions of dollars.”
I’m all in favor of efficiencies, but I have to wonder how shifting millions of dollars from minimally productive work towards unemployment benefits would be a net gain for the state. Maybe, it might make a bit more sense to turn the “do-nothing positions” into “do-something positions” instead?
“Audit the recent tax returns of the upper 10 percent of Iowa’s taxpayers.”
This logic only holds up if you believe that the upper 10 percent of Iowa’s taxpayers are crooks. In fact, if you’re in the upper 10 percent, you’re likely NOT a crook. The crooks would be the ones who find the loopholes to appear in the lower 90 instead. The really big crooks would be the ones that have managed to not show up on the tax rolls at all.
I suspect that this suggestion would result in a lot of busywork for the auditors and, in the end, would result in MORE crooks getting away, not boosting the state’s coffers.
“Establish a whistle-blowers committee to reward everyone who reports waste of public money.”
Um, reward them how exactly? With public money? With tax credits? Who pays for the committee?
I think I have some waste to report.
More seriously, security is all about checks and balances and there ought to be a good way to report such wastes. Personally, I think that reporting such things to the media and our elected officials is working pretty well.
“The salaries of Iowa’s elective officials are generally the second or third highest (compared with the seven surrounding states), and the judges are consistently the second highest. … The salaries need to be reined in.”
Suppose I’m the CEO of a large company making $500,000 a year and am engaged in some sort of illegal business practice. Suppose this practice puts you out of work and you have to sue me. Now suppose that you have very little money, and your only hope at economic survival is for justice to be served.
Now suppose the judge makes so little that I can spend ten percent of my yearly income ($50,000) to bribe the judge to rule in my favor. Suppose I could spend less than one percent of my yearly income ($5,000) and give “campaign contributions” to our elected officials to change the laws in my favor.
I don’t know about you, but I’d much rather live in a society where our elected officials and judges are as hard to corrupt as possible. If this means paying them more, then by all means, let the dollars flow.
“A 10 percent pay cut for every state employee making a salary of more than $100,000.”
OK, so there’s something magical about the $100,000 figure. I can understand that. I can also understand how people that make substantially less can be upset that many people are making more than that. However, the thing to remember is that people don’t tend to just step into such jobs. Such a high salary is often the result of years of hard work and compromise in other areas of their life. A sudden drop in salary from $100,000 to $90,000 is a really good way to tell employees “you’re not valued here and you should go back to the private sector where you could both be valued and make around $200,000”.
The follow-on question to ask here is whether or not we could afford to replace all of the $100,000 workers at the state, and what that would cost. I bet it’d be a heck of a lot higher than the savings that we would get by cutting their salaries.
“Stop allowing state employees to drive state vehicles to and from work.”
As I understand it, such a perk is one of the reasons that state employees accept lower salaries than the private sector. If we take them away, are we prepared to raise their salary to compensate? Are we prepared to replace them entirely should they leave?
Also, might it not make sense to encourage people to drive the state vehicles as often as possible? The more ethanol consumed the more our farmers make. The more cars that need repair, the more work the dealerships make. The more cars we buy, the more the car factories make.
“I recently read that the state wants to provide ‘diversity’ training to all 21,000 state employees at the cost of $250,000. Surely the state can come up with a better way to spend $250,000.”
The United States of America was founded on immigration (along with other, less pleasant realities). No one person can do everything, and no one culture can be the best at everything. Immigration provides for an inexpensive workforce that is also often skilled in special ways. Immigrants will often make the tradeoff of a lower salary for a better (or different) way of life. Some will work hard at multiple low-wage jobs simply to provide a better life for their children. In short, immigration is a wonderful thing and an often-overlooked driver for our economy.
The states on the coasts benefit from this more than Iowa, because they’re easier to get to. As such, they’ve developed a culture that is perceived as more welcoming of others than the Midwestern states. “Diversity Training”, as dumb as it sounds, is intended to counter this perception.
Like it or not, Iowa has a branding problem. If we want to be the fast-moving, accepting, challenging environment that I’ve been hearing about (you know, the state that won’t drive all the kids away after college), we have to change the perception. If such training lets us attract just five young people earning $50,000 a year (or ten at $25,000), we’re making progress.
“Use more videoconferencing, rather than sending state employees to meetings that require driving and overnight stays.”
I actually like this one. Iowa has a wonderful distance-learning solution with the ICN. That could be leveraged to reduce travel and overnight stays, and save money across the board.
What I like most about it is the phrasing “use more”, as opposed to “require” or “use only”. There are certain areas where face-to-face meetings are often most effective. We should not have to give up effective meetings and trainings to save money. We should simply use the technology where it makes sense to do so.
“Eliminate most mowing along roads and highways.”
Wow. Just wow.
I grew up in the country. I’m used to unmown ditches where the weeds and grasses use our prairie soil to reach truly amazing heights. I love nature. I love the sound of the tall grasses rustling in the breeze. I love animals. I love deer. I do not love hitting them when I’m moving at 70mph. I’m also not a fan of rats, ticks and opossums.
We mow along roads and highways for a reason. Public safety should not be compromised to save a few bucks. Besides, the salaries that we would save would, again, be converted directly into unemployment benefits.
Surprisingly, there’s no suggestion of the one logical response to a budget shortfall. Taxes will have to go up. No one likes paying taxes, but if the alternatives are:
- Driving away interstate commerce
- Having an unhealthy population and environment
- Laying off tons of people
- Producing busywork for tax auditors
- Spending money to track where our money went
- Having corruptible judges and congresspeople
- Driving away the high performers
- Owning a fleet of never-used state vehicles
- Driving away energetic immigrants who could jumpstart our economy
- Increasing interstate deer-related fatalities and intra-city disease
I’ll gladly pay more.
Luckily, I live in a representative democracy that, like security, is based on checks and balances. I trust my representatives to do what is best for the state. And they, in turn, trust me not to vote them out if they decide to make unwise cuts to produce short-term gains that will cause larger long-term losses. After all, it was that sort of thinking that got us into this mess in the first place.
And we’ve all learned our lessons, right?
Tech Review – Telephones
- At February 27, 2009
- By Josh More
- In Business Security
- 0
This blog is about technology, business and security, and even though telephones are older technology, they are still technology.
Earlier this week, I received a phone call. As I was busy, it went to voice mail. Upon checking it, I heard the following:
Hi, this is Travis. Calling about full time and part time work. 555-555-5555.
First of all, I do not know Travis. Secondly, I do not know if Travis was looking for work or looking to hire. Third, I have no idea what company Travis is representing (or if he even is). I returned his call and left a message with my name, company, reason for calling and a contact number.
This morning, my phone rings and the following conversation ensues:
- Phone: Ring Ring
- Me: “This is Josh”
- Note, I deliberately answer the phone this way, because many of the automated systems listen for a “hello” or a “yes”. It’s also a good way to put people off their guard and give me the upper hand in case they’re trying a scam.
- Phone: Pause
- This indicated to me that I was being called by a machine.
- Travis: “Yes, I’m looking for Josh”
- I just told him who I was. This tells me that he’s not listening.
- Me: “This is Josh”
- Note, making me repeat myself is not a good way to start a conversation or a relationship.
- Travis: “I think I received a call from this number looking for part time work”
- OK, first of all, his message was full or part time work, so he’s changed his story. Second, he clearly doesn’t know who he’s calling. Third, I have some doubts as to whether he’s actually listened to my message.
- Me: “May I ask who is calling?”
- Travis: “Travis”
- Uh huh. Either this guy is utterly clueless or there’s some sort of scam going on here.
- Travis: “Are you looking for part time work?”
- Yes, as a matter of fact, I am. In fact, I don’t even care what the work is, where it is, when it is, or how much you pay.
- Me: “Um, what kind of work?”
- Travis: “Well, we’re in the health care industry”
- Right. Are they a hospital? Are they looking for nurses, doctors, janitors, receptionists? Maybe they do health insurance. Maybe they run around breaking people’s kneecaps and then driving them to the ER. So many options, so little time.
- Me: “I work in I.T.”
- Travis: “Umm, err”
- At this point, I decide to let him off the hook, as I’m busy and have real work to do. Even if he is trying to scam me, I don’t have the time or legal authority to set a trap for him.
- Me: “I suspect that you have the wrong number. In the future, it would be useful to know which company you represent and what sort of work you are referring to.”
- Travis: “Thanks for the tip!”
- Phone: Hang Up
The telephone is a form of electronic communication, much like email, blogging, IM and Twitter. As with all forms of communication, there is a minimal standard of etiquette as well as a layer of etiquette that is technology-specific. In this case, were Travis a legitimate caller, he should have given me his company name and a reason for his call in his initial message. That would have given me the information necessary to return his call and leave a message indicating that he had dialed the wrong number. That would have been much more efficient for everyone involved.
Also, were Travis a scammer, he should have researched me before calling me (I’m not difficult to find) and constructed a scam that would have appealed to me. Odds are “I need help with my computer” would have sufficed. At that point, we could have had a conversation about the type of work I do, which would have enabled him to better tune the scam at getting either free work or money out of me.
By not following the appropriate form of social etiquette for the communication medium, he tipped me off that there was something hinky going on. Much like misspelled words in email, poor (or perfect) grammar in spam, or letter-abbreviations in instant messages, a variance from established social convention is often the first tip we get that a security violation is taking place. Watching for those is the best way to protect yourself against scams and shady business dealings. It’s also a good way to recognize business errors before they start to take too much of your time.
In case you need one, there are many phone etiquette guides.
Small Business Defense – Remote Logging and Analysis
- At February 26, 2009
- By Josh More
- In Business Security
- 0
The first thing to realize when it comes to protecting your logs from attackers is that if the logs aren’t there, they can’t be attacked. At a minimum, you should consider setting up a remote logging server. This does not have to be a brand new top-of-the-line server. It can be an older server, a workstation or a virtual machine. The big thing to keep in mind is that it will need a lot of disk space. Depending on your network, it may also need a very fast network connection.
A nice free option to use is syslog. It’s not as user friendly as some of the commercial systems, but you can’t beat the price. For this tool, you just install one of the syslog-compatible systems on your remote server and configure each of your other systems to log to it. There are Windows tools and guides so you can capture those logs as well.
Of course, there are some commercial options as well. These often include enhanced tuning and searching. Splunk, Snare and LogLogic are known in the industry.
The second thing to consider when looking at logs is that you actually have to look at them. Remote logging may get the logs away from the attacker, but if it also gets them away from you, they’re not terribly effective. Most of the log management tools fall into three categories:
- those that find problems and alert you
- those that let you search the log
- those that help you visualize the data.
Before looking at any of the many tools out there, ranging from application-specific to purpose-specific to problem analysis, you should first consider what you care the most about. Logging involves a lot of data, and if you start with alerting before you tune anything, you’ll be drowning in it. Similarly, it doesn’t make much sense to put considerable analysis time into an application that isn’t business critical.
Instead, it’s best to start by getting all of your logs in one place, and focusing on doing that well. That’s a large project in and of itself. Once that’s done, start looking at the sizes of the log files that you’re creating and work on reducing them. Odds are that at least one of your logs was set to maximum verbosity for testing something and never set back. Once you know that all of your logs have the data they need in them and as little garbage as possible, start with the biggest and look for a free tool that helps you pull out the important information. Then, move on to the next. Yes, it will take a lot of time and many tools. It may not look pretty, but it will work.
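The “find the biggest log and the one left at maximum verbosity” step, as an added example that is not part of the original post: parse the lines a remote syslog server writes, total bytes and messages per host and program, and flag sources that are mostly debug-level chatter. The line layout and the sample log are constructed assumptions; the addresses come from documentation ranges.

```python
import re

# Line layout a typical syslog server writes for remote messages (RFC 3164 style):
#   <PRI>Mon dd hh:mm:ss host program[pid]: message
# PRI encodes facility * 8 + severity.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"host": m["host"], "prog": m["prog"], "facility": pri // 8,
            "severity": SEVERITIES[pri % 8], "msg": m["msg"]}


def summarize(lines):
    """Per (host, program): message count, bytes on disk and number of debug messages.
    Lines that do not parse are counted under ("?", "?") so they are not silently lost."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        key = (rec["host"], rec["prog"]) if rec else ("?", "?")
        s = stats.setdefault(key, {"messages": 0, "bytes": 0, "debug": 0})
        s["messages"] += 1
        s["bytes"] += len(line.encode("utf-8")) + 1  # +1 for the newline
        if rec and rec["severity"] == "debug":
            s["debug"] += 1
    return stats


def by_volume(stats):
    """Sources ordered from biggest to smallest: where to start trimming."""
    return sorted(stats, key=lambda k: stats[k]["bytes"], reverse=True)


def noisy_sources(stats, debug_share=0.5, min_messages=5):
    """Sources whose messages are mostly debug level: the usual sign of verbosity
    turned up for a test and never turned back down."""
    return sorted(k for k, s in stats.items()
                  if s["messages"] >= min_messages
                  and s["debug"] / s["messages"] >= debug_share)


# Constructed sample, not a real log.
SAMPLE_LOG = """\
<38>Feb 26 08:00:01 web1 sshd[2201]: Accepted publickey for josh from 192.0.2.10 port 51022 ssh2
<30>Feb 26 08:00:05 web1 apache2[1200]: 192.0.2.44 - - "GET /index.html HTTP/1.1" 200 5120
<35>Feb 26 08:00:09 web1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 4412 ssh2
<135>Feb 26 08:00:10 app1 billing[4400]: DEBUG entering calc_invoice(customer=1042)
<135>Feb 26 08:00:10 app1 billing[4400]: DEBUG loaded 17 line items
<135>Feb 26 08:00:10 app1 billing[4400]: DEBUG tax table cache hit
<134>Feb 26 08:00:11 app1 billing[4400]: invoice 20090226-1042 generated
<135>Feb 26 08:00:11 app1 billing[4400]: DEBUG leaving calc_invoice
<135>Feb 26 08:00:12 app1 billing[4400]: DEBUG entering calc_invoice(customer=1043)
<30>Feb 26 08:00:15 db1 postgres[900]: checkpoint complete
this line is not syslog at all
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for key in by_volume(stats):
        print(key, stats[key])
    print("mostly debug:", noisy_sources(stats))
```

Point it at a day of the central log and the first two or three entries of by_volume are the files worth tuning first.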
And, after all, working is what matters the most.
Then, later, once you have a greater level of inspection than you’ve ever had, you’ll know enough to seriously consider the big log management players. There’s no point in spending lots of money until you know what you’re spending it on.
Small Business Attack – Changing Logs
- At February 25, 2009
- By Josh More
- In Business Security
- 0
In I.T., we love logs. They’re organic, they float, they burn and you can build houses out of them! Of course, we also like the other kind of logs as well.
The kind of logs I want to talk about are the ones that keep track of what’s going on with your systems. They are intended to make it easier to reconstruct strange behavior and trace issues between systems. System administrators will check the logs to see if there are problems involving CPU, memory or disk usage. Network administrators can use them to trace network congestion and connectivity issues. Developers can use them to find out why certain programs aren’t functioning properly. Also, security professionals can use them to help identify attackers and how far they penetrated a system or network.
At least, in theory we can. There’s one problem: attackers can write logs too.
A common technique that attackers use is to erase or modify the logs after they successfully compromise a system. They can cover up vulnerabilities, erase their tracks and make things appear to be running OK even when they’re not. They can also read the logs and use the information in them to identify other targets.
If you have a system that is backed up on a regular basis, an attacker can find those logs and use them to identify the backup server. Once they know that, they can focus their efforts on getting the data that’s over there. They can use logs to identify which users might have elevated permissions on other systems. They can also use them to determine what “normal” activity looks like, so they can hide their activities in places you can’t find them.
Like many things, it’s a double-edged sword.
You need the logs, because they’re useful to you, but they’re also useful to the attackers, so what can you do?
Tool Review – ExifTool
- At February 20, 2009
- By Josh More
- In Business Security
- 0
The Exchangeable Image File format (EXIF) is a method that image files use to store data about the image. It’s often referenced in relation to the image files produced by digital cameras. These files often store data about the camera that took the photo, the settings of the camera, whether or not the flash went off and other data. This is very useful in categorizing the images.
ExifTool is a neat little tool that allows you to dig into this information. It’s available for Windows, Linux and Mac, and lets you look inside your photos. Let’s look at an example. This is what I get from running the tool against a photo that I took on a recent trip:
$ exiftool dsc_6497.jpg
ExifTool Version Number : 7.42
File Name : dsc_6497.jpg
Directory : .
File Size : 5.9 MB
File Modification Date/Time : 2009:02:15 17:50:13
File Type : JPEG
MIME Type : image/jpeg
Exif Byte Order : Big-endian (Motorola, MM)
Make : NIKON CORPORATION
Camera Model Name : NIKON D200
Orientation : Horizontal (normal)
X Resolution : 300
Y Resolution : 300
Resolution Unit : inches
Software : f-spot version 0.5.0.3
Modify Date : 2009:02:15 17:50:13
Y Cb Cr Positioning : Co-sited
Exposure Time : 1/320
F Number : 7.1
Exposure Program : Aperture-priority AE
ISO : 100
Exif Version : 0221
Date/Time Original : 2009:01:25 23:44:02
Create Date : 2009:01:25 17:44:02
Components Configuration : YCbCr
Compressed Bits Per Pixel : 4
Exposure Compensation : 0
Max Aperture Value : 5.7
Metering Mode : Multi-segment
Flash : No Flash
Focal Length : 400.0 mm
Maker Note Version : 2.10
Color Mode : Color
Quality : Fine
White Balance : Sunny
Focus Mode : AF-C
Flash Setting : Normal
Flash Type :
White Balance Fine Tune : -2
Color Balance 1 : 1.8359375 1.35546875 1 1
Program Shift : 0
Exposure Difference : 0
Warning : Bad NikonPreview directory
Flash Exposure Compensation : 0
ISO Setting : 100
Image Boundary : 0 0 3872 2592
Flash Exposure Bracket Value : 0.0
Exposure Bracket Value : 0
Crop Hi Speed : Off (3904x2616 cropped to 3904x2616 at pixel 0,0)
Serial Number :
Image Authentication : Off
Tone Comp : Auto
Lens Type : D VR
Lens : 80-400mm f/4.5-5.6
Flash Mode : Did Not Fire
AF Area Mode : Dynamic Area
AF Point : Center
AF Points In Focus : Center
Shooting Mode : Continuous, Auto ISO
Auto Bracket Release : Manual Release
Color Hue : Mode1
Light Source : Natural
Shot Info Version : 0207
Vibration Reduction : On (1)
Hue Adjustment : 0
Noise Reduction : Off
WB RGGB Levels : 470 256 256 347
Lens Data Version : 0201
Exit Pupil Position : 128.0 mm
AF Aperture : 5.7
Focus Position : 0x03
Focus Distance : 59.57 m
Lens ID Number : 101
Lens F Stops : 5.67
Min Focal Length : 80.0 mm
Max Focal Length : 403.2 mm
Max Aperture At Min Focal : 4.5
Max Aperture At Max Focal : 5.7
MCU Version : 107
Effective Max Aperture : 5.7
Sensor Pixel Size : 6.05 x 6.05 um
Image Data Size : 6218124
Image Count : 26181
Deleted Image Count : 1307
Shutter Count : 27488
Flash Info Version : 0101
External Flash Flags : (none)
Flash Commander Mode : Off
Flash Control Mode : Off
Flash Group A Control Mode : Off
Flash Group B Control Mode : Off
Flash Group A Exposure Comp : 0
Flash Group B Exposure Comp : 0
Image Optimization : Custom
Multi Exposure Version : 0100
Multi Exposure Mode : Off
Multi Exposure Shots : 0
Multi Exposure Auto Gain : Off
High ISO Noise Reduction : Off
User Comment : (c) Josh More www.starmind.org
Sub Sec Time : 55
Sub Sec Time Original : 55
Sub Sec Time Digitized : 55
Flashpix Version : 0100
Color Space : sRGB
Exif Image Width : 3872
Exif Image Height : 2592
Interoperability Index : R98 - DCF basic file (sRGB)
Interoperability Version : 0100
Sensing Method : One-chip color area
File Source : Digital Camera
Scene Type : Directly photographed
CFA Pattern : [Green,Red][Blue,Green]
Custom Rendered : Normal
Exposure Mode : Auto
Digital Zoom Ratio : 1
Focal Length In 35mm Format : 600 mm
Scene Capture Type : Standard
Gain Control : None
Contrast : Normal
Saturation : Normal
Sharpness : Hard
Subject Distance Range : Unknown
GPS Version ID : 2.2.0.0
Compression : JPEG (old-style)
Thumbnail Offset : 3388
Thumbnail Length : 9164
Subject : Bird Viewing Area
Image Width : 3872
Image Height : 2592
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:2 (2 1)
Aperture : 7.1
Blue Balance : 1.355469
Image Size : 3872x2592
Lens ID : AF VR Zoom-Nikkor 80-400mm f/4.5-5.6D ED
Lens : 80-400mm f/4.5-5.6 D VR
Red Balance : 1.835938
Scale Factor To 35 mm Equivalent: 1.5
Shutter Speed : 1/320
Thumbnail Image : (Binary data 9164 bytes, use -b option to extract)
Circle Of Confusion : 0.020 mm
Depth Of Field : 6.28 m (56.59 - 62.87)
Field Of View : 3.4 deg (3.55 m)
Focal Length : 400.0 mm (35 mm equivalent: 600.0 mm)
Hyperfocal Distance : 1125.03 m
Light Value : 14.0
Date/Time Original : 2009:01:25 23:44:02.55
As you can see, there is a lot of data here. Far more than you might expect to be in a simple picture. Moreover, I’ve bolded some of the more interesting information. A photographer might be interested in knowing that I used a Nikon D200 to take this photo. I also apparently used an AF VR Zoom-Nikkor 80-400mm f/4.5-5.6D ED lens. Note that there is technical data about not just the focal length and aperture used, but also the maximal and minimal settings for the lens. Note as well that the date appears in numerous places. Now things are getting interesting, as there’s a way to verify that I took the photo when I claim to have.
After all, I might have fabricated evidence.
So sure, this is good to know, in case I am claiming to have captured Bigfoot, but that doesn’t happen very often in business. However, information leaks do.
Let’s take a quick trip over to Wikileaks and see what we can find:
Over here, we find a nice report titled “UN finds 217 sex abuse claims against blue helmets”. Downloading the fairly nondescript file “OIOS-20070130-01.pdf”, we get:
$ exiftool OIOS-20070130-01.pdf
ExifTool Version Number : 7.42
File Name : OIOS-20070130-01.pdf
Directory : .
File Size : 221 kB
File Modification Date/Time : 2009:02:19 22:44:11
File Type : PDF
MIME Type : application/pdf
PDF Version : 1.5
Page Count : 17
Creator Tool : PrimoPDF http://www.primopdf.com
Metadata Date : 2008:04:09 12:54:16-04:00
Document ID : uuid:a3ec6d39-037e-4672-945b-25ce88970721
Format : application/pdf
Description : United Nations Organization Mission in the Democratic Republic of the Congo
Modify Date : 2008:04:09 12:54:16-04:00
Create Date : 2007:04:12 17:16:25Z
Title : Allegations of sexual exploitation and abuse in the Ituri region, Bunia [ID Case No. 0618-05]
Creator : PrimoPDF http://www.primopdf.com
Author :
Date : 01/30/2007
Keywords : monuc, congo, bunia, sexual, exploitation, abuse, ituri
Subject : United Nations Organization Mission in the Democratic Republic of the Congo
Producer : AFPL Ghostscript 8.54
So, we’ve learned when the file was created (back in April 2007), but it was modified in April 2008. Interesting. We also learn that it originally had a more interesting description and title than “OIOS-20070130-01.pdf”.
But Wikileaks scrubs data in an effort to remain anonymous (well, mostly). What about other information out there? How about we do a quick Google search on intitle:"rfp"+filetype:doc+response, looking for responses to RFPs that might be available. Suppose this search turned up a document titled “KonnSv11.doc” that just might be an RFP response from a large multinational company that knows a little something about connectivity. Wonder what this document can tell us?
$ exiftool KonnSv11.doc
ExifTool Version Number : 7.42
File Name : KonnSv11.doc
Directory : .
File Size : 508 kB
File Modification Date/Time : 2009:02:12 22:51:53
File Type : DOC
MIME Type : application/msword
Title : COMPANY IPCM RFP Response
Subject : Ver.1.0
Author : Tikeo Homado
Keywords :
Template : NormalAnglais
Last Saved By : Tikeo Homado
Revision Number : 18
Software : Microsoft Word 8.0
Total Edit Time : 6.9 hours
Last Printed : 2000:03:21 02:34:00
Create Date : 2000:04:20 02:06:00
Modify Date : 2000:04:21 09:39:00
Page Count : 1
Word Count : 13019
Char Count : 70516
Security : 0
Company : COMPANY
Lines : 1221
Paragraphs : 1012
Char Count With Spaces : 91437
App Version : 8 (0e84)
Scale Crop : 0
Links Up To Date : 0
Shared Doc : 0
Hyperlinks Changed : 0
Title Of Parts : COMPANY IPCM RFP Response
Heading Pairs : Title, 1
Code Page : 932
PIDGUID : {91F4D900-FDF2-14D0-BEF0-DC9E29819138}
Hyperlinks : joeLogo2.gif
Comp Obj User Type Len : 20
Comp Obj User Type : Microsoft Word
So, we get the name of the person who worked on the RFP. In this case, the same name is listed in the RFP, but it’s not unusual for companies to have an RFP team, with a project manager in charge. Might it be useful to get the names of the key project managers at a competing company? Also, note that we have learned how much time they put into writing the RFP. If, after a few searches, you can find out how much time your competitors spend on responses, might that not be useful?
Let’s look at one last example. If we do a search on intitle:"salary"+filetype:xls, we might expect to find a lot of spreadsheets containing salary data. We might even be right. Were we to find such a file and run our handy-dandy little tool against it, we might even see:
$ exiftool "Salary info over 75000.xls"
ExifTool Version Number : 7.42
File Name : Salary info over 75000.xls
Directory : .
File Size : 131 kB
File Modification Date/Time : 2009:02:11 23:10:49
File Type : XLS
MIME Type : application/vnd.ms-excel
Author : sgermon
Last Saved By : nshoedinger
Software : Microsoft Excel
Last Printed : 2008:03:10 13:56:03
Create Date : 2006:12:11 15:48:19
Modify Date : 2008:10:09 12:38:55
Security : 0
Company : JANEDOE
App Version : 11 (270f)
Scale Crop : 0
Links Up To Date : 0
Shared Doc : 0
Hyperlinks Changed : 0
Title Of Parts : Contract; Benefits, CoDist, 'Contract & Benefits'!Print_Titles
Heading Pairs : Worksheets, 2, Named Ranges, 2
Code Page : 1152
The interesting bit here is that the author and the person who last edited the document are different. So, we know that two people know the salaries in excess of $75,000 for this organization. Those names also look a lot like network usernames, so we probably also have email addresses and, with a bit of work, possibly accounts that we could use to access certain systems. Perhaps these names even have access to the financial data, given that they know salaries.
So, a few questions for you:
- What information are your clients putting out on the Internet about themselves? About you?
- What information are your competitors putting out there?
- What information are you accidentally leaking when you send files around?
- Did you know that exiftool can also be used to SET data as well as read it? Interesting, no?
Do you think you might want to do something about that?
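To see for yourself what a photo carries, and to strip it before the file leaves your hands, here is an added example in Python. It is not the post’s code and does not use exiftool; it relies only on the standard library. It builds a constructed JPEG whose Exif values (camera make and model, date, artist, copyright) are made-up placeholders, lists the ASCII tags found in the first Exif directory, and writes a copy with the Exif, XMP, IPTC and comment segments removed while passing the compressed image data through untouched.

```python
"""Minimal JPEG/Exif metadata audit and scrub (added example, not part of the post)."""
import struct

# Exif/TIFF tag numbers for a few tags that commonly identify a person or device.
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",
    0x013B: "Artist",
    0x8298: "Copyright",
}
ASCII = 2  # TIFF field type for NUL-terminated strings

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP1, APP13, COM = 0xFFE1, 0xFFED, 0xFFFE


def build_exif_app1(tags):
    """Encode {tag_number: str} as an APP1 Exif segment (big-endian TIFF, one IFD)."""
    n = len(tags)
    ifd_size = 2 + 12 * n + 4            # entry count + entries + next-IFD pointer
    data_offset = 8 + ifd_size           # where out-of-line string values start
    entries, blob = b"", b""
    for tag, text in sorted(tags.items()):
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:              # short values are stored inline, padded
            field = value.ljust(4, b"\x00")
        else:                            # longer values live past the IFD
            field = struct.pack(">I", data_offset + len(blob))
            blob += value
        entries += struct.pack(">HHI", tag, ASCII, len(value)) + field
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", n)
            + entries + b"\x00\x00\x00\x00" + blob)
    payload = b"Exif\x00\x00" + tiff
    return struct.pack(">HH", APP1, len(payload) + 2) + payload


def iter_segments(jpeg):
    """Yield (marker, segment_bytes) for each marker segment before the scan,
    then ("scan", remaining bytes) for everything from SOS to end of file."""
    assert jpeg[:2] == struct.pack(">H", SOI), "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:
            yield "scan", jpeg[pos:]
            return
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield "scan", jpeg[pos:]


def read_exif_ascii(jpeg):
    """Return {tag_name: value} for ASCII tags in IFD0 of the first Exif APP1 segment."""
    found = {}
    for marker, seg in iter_segments(jpeg):
        if marker != APP1 or not seg[4:].startswith(b"Exif\x00\x00"):
            continue
        tiff = seg[10:]                  # skip marker, length and "Exif\0\0"
        endian = ">" if tiff[:2] == b"MM" else "<"
        (ifd_off,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
        for i in range(count):
            e = ifd_off + 2 + 12 * i
            tag, ftype, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
            if ftype != ASCII:
                continue
            if n <= 4:
                raw = tiff[e + 8:e + 8 + n]
            else:
                (off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
                raw = tiff[off:off + n]
            name = TAG_NAMES.get(tag, "0x%04X" % tag)
            found[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
        break
    return found


def strip_metadata(jpeg):
    """Copy a JPEG, dropping Exif/XMP (APP1), Photoshop/IPTC (APP13) and comment
    segments. The compressed image data (SOS onward) is passed through unchanged."""
    out = bytearray(jpeg[:2])
    for marker, seg in iter_segments(jpeg):
        if marker == "scan" or marker not in (APP1, APP13, COM):
            out += seg
    return bytes(out)


# Constructed sample: Exif block, a dummy table segment and a two-byte scan; not a real photo.
SAMPLE_TAGS = {0x010F: "EXAMPLECAM", 0x0110: "EX-200", 0x0132: "2009:01:25 23:44:02",
               0x013B: "jdoe", 0x8298: "(c) Example Corp"}
SAMPLE_JPEG = (struct.pack(">H", SOI) + build_exif_app1(SAMPLE_TAGS)
               + struct.pack(">HH", 0xFFDB, 4) + b"\x00\x01"
               + struct.pack(">HH", SOS, 4) + b"\x00\x01" + b"\x12\x34" + struct.pack(">H", EOI))

if __name__ == "__main__":
    for k, v in read_exif_ascii(SAMPLE_JPEG).items():
        print("%-10s: %s" % (k, v))
    print("after scrub:", read_exif_ascii(strip_metadata(SAMPLE_JPEG)))
```

Run it as a script to print the tags before and after scrubbing. Two caveats: dropping the APP1 segment also drops the Orientation tag, so a photo shot in portrait may display rotated afterwards, and this covers JPEG only; Word, Excel and PDF files keep their author, company and edit-time fields in other structures, so check those with exiftool or the application’s own document-inspection features before sending them out.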
Important Note
It is important to note here that search engines make public a lot of information that probably was not intended to be made public. It may or may not be illegal to access all of this data, but it should be OK to run tools like this against data that you own and find out what you’re leaking.
For my part, I modified some of the data in the exif reports listed above. The format is correct, but it seems wrong to me to propagate someone’s data security mistake just to make a point, especially when the point can be made without doing so. If you start playing with these techniques, I implore you to remember that people on the Internet are still people, and people make mistakes. There’s generally no need to make these mistakes worse for them.
Please, be kind.