Dealing With Data Loss Your Firewall Can't Stop

Information security is built on the pillars of confidentiality, integrity, and availability. Confidentiality is about making sure your secrets stay secret.

There are four ways that sensitive information can make its way out of your network: 1) malware or an intruder can find the information and exfiltrate it; 2) insiders can intentionally transmit the information or physically carry it outside the facility; 3) the information can be accidentally revealed to unauthorized parties; and 4) a user’s behavior and patterns of activity can reveal confidential information and plans. The fourth is called Passive Information Leakage (PIL), and it is one of the least known and most difficult forms of data loss to prevent.

The main approaches to ensuring confidentiality are preventing unauthorized access to the information, and stopping attempts to exfiltrate it from organizational networks. Data Loss Prevention (DLP) solutions are designed to stop the exfiltration by trying to recognize sensitive information and prevent it from leaving the network, but are ineffective at stopping passive information leakage. Several years ago, I became acutely aware of PIL and focused on this issue after two experiences.

The first event was when I purchased my first iPad. One of the first things I tried was the map app. As soon as it opened, the map centered on my house and placed a blue dot right on my roof. This shocked me because I had purchased the less expensive model without cellular or GPS capabilities. How could it know where I was? It turns out that my WiFi was “passively” giving me away. Apple, Google, and others have built huge databases of the locations of almost every WiFi base station in the world. They create them by tracking phones and other devices with cellular and GPS connections, and looking at all the WiFi base stations around them to collect anonymous sets of data. The behavior of individuals moving through the world with these devices allows them to build up this comprehensive database.

The other event started with a call from an angry customer. They were upset because Google knew where they were. This might not seem like a problem, but we were selling them a service that was supposed to make them look like they were on the other side of the world.

We searched in a panic for any indication of a failure or leak in our systems, but everything looked like it was working fine. Then we asked how they knew that Google had their true location, and they said they saw it when they logged into their personal Gmail accounts. We quickly discovered that they used our tools all the time, even for personal internet activity.

Google had discovered their true location based on their patterns of activity: specifically, their web searches and map lookups. Google assumed, correctly, that the average location of all the places they search for, such as the pizza shop where they order lunch, is probably very close to where they really are. This location was very sensitive information, which was passively leaked through ordinary user activity.
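The inference described above, as an added example that is not from the article: given a set of map or search lookups, an observer can estimate the user's true location by averaging where the lookups point, regardless of where the traffic appears to come from. Everything here (the coordinates, the queries, the hypothetical Singapore egress point, the 200 km filter radius) is constructed for illustration; the one unrelated travel lookup shows why a robust estimate, rather than a plain mean, is what an observer would actually use.

```python
"""Added example (not from the article): how an observer could estimate a
user's true location from the places they look up, even when the user's
traffic appears to come from somewhere else. All coordinates and queries
below are constructed for illustration."""
import math
import statistics

# Where the user's traffic *appears* to originate (a hypothetical egress
# point in Singapore) versus where the user really is (San Diego).
APPARENT_LOCATION = (1.3521, 103.8198)
TRUE_LOCATION = (32.7157, -117.1611)

# Constructed map/search lookups: four everyday errands near home plus one
# unrelated travel lookup that should not drag the estimate off.
LOOKUPS = [
    ("pizza delivery", (32.7150, -117.1625)),
    ("dry cleaner", (32.7240, -117.1500)),
    ("dentist", (32.7100, -117.1700)),
    ("hardware store", (32.7300, -117.1450)),
    ("hotel in Tokyo", (35.6762, 139.6503)),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def spherical_centroid(points):
    """Average (lat, lon) points as unit vectors so the mean behaves across
    the antimeridian, then convert the resultant vector back to degrees."""
    if not points:
        raise ValueError("no points to average")
    xs = ys = zs = 0.0
    for lat, lon in points:
        lat, lon = math.radians(lat), math.radians(lon)
        xs += math.cos(lat) * math.cos(lon)
        ys += math.cos(lat) * math.sin(lon)
        zs += math.sin(lat)
    n = len(points)
    xs, ys, zs = xs / n, ys / n, zs / n
    return (math.degrees(math.atan2(zs, math.hypot(xs, ys))),
            math.degrees(math.atan2(ys, xs)))


def infer_location(lookups, radius_km=200.0):
    """Robust estimate of where the user is: seed with the coordinate-wise
    median (resistant to a few far-away lookups), keep only lookups within
    radius_km of that seed, and return their spherical centroid together
    with the lookups that were used."""
    seed = (statistics.median(p[0] for _, p in lookups),
            statistics.median(p[1] for _, p in lookups))
    kept = [(q, p) for q, p in lookups if haversine_km(seed, p) <= radius_km]
    return spherical_centroid([p for _, p in kept]), kept


if __name__ == "__main__":
    estimate, used = infer_location(LOOKUPS)
    print("estimate:", estimate, "from", [q for q, _ in used])
    print("km from true location:   %.1f" % haversine_km(estimate, TRUE_LOCATION))
    print("km from apparent egress: %.1f" % haversine_km(estimate, APPARENT_LOCATION))
```

Run it and the estimate lands within a kilometre of the true location and more than ten thousand kilometres from the apparent egress point; the "hotel in Tokyo" lookup is discarded by the median seed. The point for a defender is that no single lookup crosses the network carrying the secret; the location emerges only from the accumulation, which is why a content filter cannot catch it.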

Two key factors create PIL: patterns and identity. The things you do online, particularly the web pages you visit, are a reflection of your real world interests and intents. Your web browsing history reflects many of the projects you are engaged with, and it is visible to exactly the wrong people. By itself, it could be useful to the operators of a website to know that someone is visiting their website with a particular purpose. Combine that with knowing who you are, and they have real actionable intelligence about you. You have just suffered Passive Information Leakage.

PIL can crop up in many different situations, including R&D, investigations, and, as I discussed in a previous article, M&A. During product research and development, all of the teams involved will be actively visiting competitor websites. For example, product managers will be looking at the features and capabilities of competitive products, engineers will be looking at technical white papers to understand specifications and underlying technologies, and marketing will be studying ads, brochures, and other creative.

A savvy competitor can track your entire development process in detail by doing nothing more than studying their own web logs. Ultimately, they could figure out what you are building, what features are important, and approximately when it will come out.

In the case of criminal or intelligence investigations, the consequences of PIL have included loss of life. The fact that a police department is investigating a child pornography site, a financial institution is investigating an online fraud, or the national security community is investigating terrorist networks, is of great interest to those targets. Criminals can see who is watching them online and what aspects of their activity are being scrutinized. Knowing this, they can easily change plans, switch identities, or try to counter-attack.

Preliminary work on mergers and acquisitions leaves similar fingerprints. A targeted company will be visited by your senior management and by specialized consultants, attorneys, and bankers. Unlike typical visitors, this activity will focus on the management team, sales information, partnership announcements, and financials. The company of interest can get significant warning of your interest, allowing them to reach out to other potential acquirers, talk to advisors, and generally position themselves to maximize their valuation and your cost. In some cases, it could cause you to miss out on the acquisition entirely.

The problem with trying to stop PIL is that the valuable information you are trying to protect never directly crosses your network. Rather, it is an emergent property of your identity markers combined with the accumulation of your activities. There is no way to write a filter to spot when information is being passively leaked, or to block activities that could leak information. To prevent PIL, you need to disrupt the two key factors: patterns and identity. If you prevent your target from being able to connect your activities to each other, they can’t build a pattern. If you prevent them from connecting your activity to your identity, they can’t attribute the information.

Passive Information Leakage is pervasive but little understood, primarily because it cannot be addressed through conventional security practices. Fortunately, it can be prevented by taking appropriate precautions whenever engaging in activities that could leak sensitive information.

The first step is to hide your identity while online, but that is not enough. Even if your target can’t identify you, simply seeing the pattern of activity from a single unknown source may be enough to cause problems. To break up the pattern, you need to look like a different, unknown visitor each time you show up. A single datapoint is almost worthless to the target.

By constantly changing your apparent identity, you can prevent them from collecting multiple data points that reveal the valuable, sensitive information. Ensuring that you hide your identity and obscure your patterns when conducting R&D, M&A, and investigation activities will prevent most of this potential damage.
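The site operator's view that the M&A and R&D paragraphs describe, and the mitigation in the last three paragraphs, as an added example that is not from the article: the same six requests to a target company's site are rendered as combined-format web-log lines twice, once from one steady apparent identity and once from a fresh apparent identity per visit, and the log is then grouped the way any web-analytics tool would group it. The requests, paths, timestamps, addresses (documentation ranges) and user agents are all constructed, and the "sensitive" path list is a hypothetical one for the illustration.

```python
"""Added example (not from the article): what a site operator's own web log
reveals about a visitor's pattern, and how rotating apparent identity
collapses that pattern to single, worthless data points. All log content
is constructed for illustration."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical path prefixes that, to the site operator, signal pre-deal
# interest: management team, financials, partnerships, sales information.
SENSITIVE = {
    "/about/management": "management",
    "/investors/financials": "financials",
    "/news/partnerships": "partnerships",
    "/products/pricing": "sales",
}

# Constructed sequence of requests an acquirer's team makes over one week.
REQUESTS = [
    ("10/Mar/2014:09:12:01", "/about/management"),
    ("10/Mar/2014:09:14:40", "/about/management/cfo"),
    ("11/Mar/2014:14:02:13", "/investors/financials"),
    ("12/Mar/2014:10:31:55", "/news/partnerships"),
    ("13/Mar/2014:16:45:09", "/products/pricing"),
    ("13/Mar/2014:16:47:30", "/investors/financials"),
]

# Scenario A: every request carries the same apparent identity.
STEADY_IDENTITY = [("203.0.113.7", "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0")] * len(REQUESTS)

# Scenario B: each request arrives as a different, unknown visitor.
ROTATED_IDENTITIES = [
    ("198.51.100.21", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.36"),
    ("198.51.100.58", "Mozilla/5.0 (Windows NT 6.3) Chrome/33.0"),
    ("203.0.113.140", "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"),
    ("198.51.100.9", "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"),
    ("203.0.113.77", "Mozilla/5.0 (iPad; CPU OS 7_1) Safari/9537.53"),
    ("198.51.100.102", "Mozilla/5.0 (Windows NT 6.1) Chrome/33.0"),
]


def make_log(identities):
    """Render the constructed request sequence as combined-format log lines."""
    return [
        f'{ip} - - [{ts} -0800] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}"'
        for (ts, path), (ip, ua) in zip(REQUESTS, identities)
    ]


def parse(lines):
    """Yield parsed fields for each well-formed log line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def visitor_profiles(lines):
    """Group hits by apparent identity (source IP + User-Agent) and record
    which sensitive categories each identity touched."""
    profiles = defaultdict(set)
    for hit in parse(lines):
        for prefix, category in SENSITIVE.items():
            if hit["path"].startswith(prefix):
                profiles[(hit["ip"], hit["ua"])].add(category)
    return dict(profiles)


def max_coverage(lines):
    """Largest number of distinct sensitive categories any one apparent
    visitor touched: the size of the pattern the site operator can see."""
    return max((len(c) for c in visitor_profiles(lines).values()), default=0)


if __name__ == "__main__":
    for label, ids in (("steady identity", STEADY_IDENTITY), ("rotated identity", ROTATED_IDENTITIES)):
        log = make_log(ids)
        print(f"{label}: {len(visitor_profiles(log))} visitor(s), "
              f"widest pattern covers {max_coverage(log)} of {len(SENSITIVE)} categories")
```

With the steady identity the operator sees one visitor whose pattern spans all four categories, which is exactly the M&A fingerprint the article describes. With rotated identities the same six requests show up as six unrelated visitors with one category each, and the pattern is gone. Grouping by IP and User-Agent is only the simplest correlation key; cookies, browser fingerprints and login sessions are further identity markers that the same rotation has to cover, which is why hiding the address alone is not enough.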

Lance Cottrell founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. As Chief Scientist, Lance continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats. Lance is a well-known expert on security, privacy, anonymity, misattribution and cryptography. He speaks frequently at conferences and in interviews. Lance is the principal author on multiple Internet anonymity and security technology patents. He holds an M.S. in physics from the University of California, San Diego and a B.S. in physics from the University of California, Santa Cruz. In his spare time Lance grows high-end pinot noir grapes in the Russian River Valley AVA.