
The Rise of Personal Data Exfiltration

Dr Julius Neubronner patented a miniature pigeon camera activated by a timing mechanism, 1903

You may have heard that LG is collecting usage data, as well as more information, from its SmartTVs, even if you opt out. They promise to issue a firmware update to fix it, but most consumers will never apply it, as it requires a manual configuration to update and a wired Ethernet connection. In other words, LG will continue to collect this data. There are more details here and here. Clearly, the news story here is that they failed to honor the opt-out configuration, but that’s really not what we should be focused on. This is really about data exfiltration. Consider the other devices you have in your house, like that Xbox or Wii, or that Blu-ray player that streams Netflix, or any of the myriad other Internet-connected devices occupying an IP address on your network. They can all collect usage information and send it off to the manufacturer. Do you know if you opted in for that kind of data collection? I bet most of you don’t, and outside the security community, I’m sure most people don’t.

The fact is that we’re sending data about ourselves to companies all the time, and we have little control over it. We do this, for the most part, willingly because there seems to be very little consequence. What if you could see what data you’re sharing? I suspect that would make a difference. There’s room for a nice, open-source project here, that collects and catalogues the data exiting a home network, then presents it in a data exfiltration oriented way. Consider things like top outgoing URLs, percentage of encrypted traffic, grouping by source devices. This kind of information is certainly available, if only someone would collect and organize it. It would be an interesting offering for an enterprising, consumer-focused ISP to offer too.
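As an added illustration of the kind of catalogue described above (example code, not part of the original post or any real project), the following takes constructed outbound flow records from a home network and produces the three views mentioned: top destination hosts, percentage of traffic that is encrypted, and a per-device breakdown with the plaintext share that would make a chatty smart TV stand out. Device names, hostnames and byte counts are all made up.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample records in the shape a home router or proxy log might yield:
# (source device, destination URL, bytes sent). Not real traffic from any device.
FLOWS = [
    ("smart-tv",     "http://ad.example-vendor.test/usage?id=123", 8_400),
    ("smart-tv",     "http://ad.example-vendor.test/usage?id=124", 9_100),
    ("smart-tv",     "https://cdn.example-vendor.test/firmware", 120_000),
    ("game-console", "https://telemetry.example-console.test/report", 3_200),
    ("bluray",       "https://api.example-stream.test/play", 40_000),
    ("bluray",       "http://stats.example-stream.test/beacon", 600),
    ("laptop",       "https://mail.example.test/", 250_000),
]

def catalogue(flows, top_n=3):
    """Summarise outbound flows the way an exfiltration-oriented view would:
    top destination hosts by bytes, share of bytes sent over TLS, and per-device
    totals with the plaintext portion and the set of hosts each device talks to."""
    by_host = Counter()
    by_device = defaultdict(lambda: {"bytes": 0, "plaintext_bytes": 0, "hosts": set()})
    tls_bytes = total = 0
    for device, url, nbytes in flows:
        parts = urlsplit(url)
        by_host[parts.hostname] += nbytes
        dev = by_device[device]
        dev["bytes"] += nbytes
        dev["hosts"].add(parts.hostname)
        total += nbytes
        if parts.scheme == "https":
            tls_bytes += nbytes
        else:
            dev["plaintext_bytes"] += nbytes   # unencrypted, readable in transit
    return {
        "top_hosts": by_host.most_common(top_n),
        "percent_encrypted": round(100.0 * tls_bytes / total, 1) if total else 0.0,
        "devices": {d: {"bytes": v["bytes"],
                        "plaintext_bytes": v["plaintext_bytes"],
                        "hosts": sorted(v["hosts"])} for d, v in by_device.items()},
    }

if __name__ == "__main__":
    summary = catalogue(FLOWS)
    print("encrypted:", summary["percent_encrypted"], "%")
    for host, nbytes in summary["top_hosts"]:
        print(f"{nbytes:>8}  {host}")
    for device, info in sorted(summary["devices"].items()):
        print(f"{device:<12} {info['bytes']:>8} bytes, "
              f"{info['plaintext_bytes']:>6} plaintext, hosts={info['hosts']}")
```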

Top Posts for October

  1. The Other Effect of the Shutdown on Information Security
  2. What Are You Investing In?
  3. The Age of Self-Surveillance

Crowdsourced, Commercialized Surveillance

The Tile is an object you can put on things in order to find them using your phone. This is useful. But if your phone isn’t close enough to the object, what then? Well, you mark that item as lost and then everyone’s phone (with the app) will look for your missing item too. Think about that for a second. You can stick a tile to an object and then ask other phones to look for it.

If you work in information security, you’ve probably already run through a dozen scenarios of how this might affect privacy, and how it might be broken, in the time it took me to write this sentence. The thing is, most of the world doesn’t work in information security. Facebook is the proof. It’s a world of self-surveillance; if you think something, share something (and the world can watch).

Anyone want to take bets on how quickly it’s cracked?

The Age of Self-Surveillance

PSM V88 D058 The pigeon spy and his war work

If you see something, say something.

Most of us are familiar with that little message, but I think we got it backwards. It’s focused on being the observer, not the observed; so inefficient. After all, we are all observing ourselves all the time. What if, instead, we went with “if you think something, share it.” Now that is a message that lives at the heart of our techno-social society. If we can be both the observer and the observed, we make surveillance so much easier. The information we freely share provides fantastic fodder for surveillance, and the culture of constant sharing makes non-sharing nearly suspicious enough to be probable cause … nearly.

The Other Effect of The Shutdown on Information Security

Last week I spent a little time talking to folks about the effect the shutdown has on information security. Here are the links:

DefenseOne, CNN, Tripwire.

There are lots of examples of how a lack of personnel may affect the ability of government agencies to respond, and how it may be a good time to attack the US government electronically because there are fewer folks paying attention, and how compromises that are successful now may not be detected for a long time. I described in there the idea of an immediate and a ripple effect of the shutdown on information security.

Here, I want to touch on a side of this that’s not as obvious: the effect of the shutdown on the information security industry.

Consider the Federal Government’s budget for information security. In fact, that’s hard to do, because of how it’s distributed (lots of agencies, various means of allocating budget). Still, there are some facts. The 2014 budget includes:

  • $1B for DHS “for the protection of federal computers and networks against malicious cyber activity”
  • $93M at the Justice Dept for “cybersecurity enhancements”
  • $500 million allotted to promote innovation and economic growth by funding research and development advances in cybersecurity

The fact is that there is more than a billion dollars in the Federal budget related to information security. You can imagine that with the Government shutdown, quite a lot of those funds are not being spent. At the end of that spending chain are not only the direct employees of the Federal Government, but also the contractors, system integrators and vendors who supply them. This, too, has an immediate and a ripple effect. Some people will immediately stop getting paid and stop delivering services. The post-shutdown cleanup will have the effect of delayed projects, which in turn will push revenue out. For some, that might be beneficial. For others, it may very well do material damage to their business.

The term “Zero Day”


The varied use of this term has been bugging me lately.

Zero Day Vulnerability

A vulnerability that has not been published, either by the vendor or some other reasonably public entity (MITRE/NIST/OSVDB/etc.). The key here is that the vendor in question has had zero days to actually do anything about delivering a patch or mitigation.

Zero Day Exploit

An exploit that takes advantage of a zero day vulnerability.

I’ve seen people talking about vulnerabilities that don’t have a patch as ‘zero days.’ This isn’t really accurate because those conditions are published and known. The fact that a vendor chooses not to address a condition doesn’t make it a zero day.

What Are You Investing In?

At this very moment you are doing something. It could be that you’re heads down on an important project, or it could be that you’re watching funny cat videos on YouTube. Regardless, you are doing something.

Everything we do is an investment, even the seemingly meaningless entertainment we may seek out at the end of a long day. Sleep is an investment in the next day, via our ability to think and perform. The work we do to further a specific project, please a specific customer or close a deal are all investments with clear, short-term purpose. Taking a break from work is an investment in our mental health, and in turn in our ability to return to that work.

When we learn new skills we invest in longer term benefits, sometimes without fully understanding what they are. Being conscious about what you are investing in at a given moment, whether it be short or long term, gives you power to mold the outcome. So what are you investing in right now?

Tweetsplanation: Paw Prints and the iPhone 5s

Look, a cat’s paw print can unlock an iPhone 5s.

The Tweet:

tweet iphone

Seems silly, right? But there are some practical considerations of why this might be important. First, the technology to identify an individual animal via a paw print could be useful in animal control or in wildlife management. What if you could place these sensors around a large land area (Yellowstone?) and use them to track individual animal movements? What about animal access control? Why not manage a cat or dog door based on unique paw prints?

What about the inevitable fingerprint database that will be created by the iPhone 5s (or the technology used in some other way)? Here’s a means of polluting it with animal prints.

What about the thieves cutting off your finger when they steal your iPhone? If you could use a rabbit’s foot as a token, you could thwart their access. I mean, they’d still cut off your finger, but at least you can imagine how annoyed they’ll be when it doesn’t work.

Tweetsplanation: The NSA and Crypto

The Tweet:

tweet nsa

The Explanation:

If one starts with the assumption that the NSA wants to actually compromise encryption mechanisms in some technical way, as opposed to legally compromising them, then the secrecy of those mechanisms is key. It’s not *the* key however. As long as there are cryptographically inclined persons who also subscribe to open source as a viable model for building software, new, open cryptography tools will continue to emerge. The NSA is hard pressed to technically compromise an open source tool. So, the NSA, in order to accomplish this assumed goal, would be best served by severing the connections between people with cryptography skills and people with open source philosophies. That amounts to compromising the community. They could do that by intentionally hiring all those people, or by working to shrink the community of shared interests. I can imagine all kinds of nefarious ways this could be accomplished, but I’m no conspiracy theorist.

Pre-nomaly Detection: Generating Change to Identify Non-Conformance

It was recently reported that Belgacom, Belgium’s primary telecom company, discovered a compromise that had been present for years. It reminded me of the Nortel compromise that was discovered a while back. The fact is that we’ve seen an increase in these kinds of discoveries. Details on how exactly the compromise was found are hard to come by, but I can’t help but wonder how an organization might do a better job detecting persistent compromise.

@tkeanini suggested something he called “detection in diversity.” I might interpret that as a sort of ‘try everything’ approach. What if we consider a more novel approach instead?

Start with the assumption that what matters is what you can control, and that what you can’t control (whether through compromise or other causes) is a kind of risk. Taking this stance, you can then effectively generate anomalous activity through prescriptive change executed across some specified set of objects you control.

Make a change, look for who didn’t keep up, go remediate. If you build this kind of activity into the system, then you create a more resilient system overall, and you constantly weed out risk.
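As an added worked example of the "make a change, look for who didn’t keep up" loop (example code, not from the original post), the following pushes one constructed prescribed change (a log-forwarding target) across a constructed host inventory and buckets each host by whether it reflected the change, is still within a grace period, is past the grace period, or has not checked in since the change was issued. Hostnames, the setting, timestamps and the grace period are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# The prescribed change: every controlled host should report this value for the key
# within the grace period after it was issued. Constructed values, not a real estate.
PRESCRIBED = {
    "key": "log_forward_target",
    "value": "collector.example.test:6514",
    "issued": datetime(2013, 9, 20, 9, 0),
    "grace": timedelta(hours=24),
}

# Constructed inventory reports: (last check-in, value reported for the key).
# None means the host has never reported; a check-in older than the change means
# we have heard nothing since the change went out.
REPORTS = {
    "web-01":   (datetime(2013, 9, 20, 11, 0), "collector.example.test:6514"),
    "web-02":   (datetime(2013, 9, 20, 12, 0), "old-collector.example.test:514"),
    "db-01":    (datetime(2013, 9, 20, 13, 0), "old-collector.example.test:514"),
    "db-02":    (datetime(2013, 9, 22, 8, 0),  "collector.example.test:6514"),
    "cache-01": (datetime(2013, 9, 19, 23, 0), "old-collector.example.test:514"),
    "bastion":  None,
}

def classify(prescribed, reports, now):
    """Bucket hosts by how they responded to the prescribed change.
    conformant: reports the new value; lagging: old value, grace not yet over;
    non_conformant: old value after the grace period; silent: no report since
    the change was issued. Anything but conformant is the remediation list."""
    deadline = prescribed["issued"] + prescribed["grace"]
    out = {"conformant": [], "lagging": [], "non_conformant": [], "silent": []}
    for host, report in sorted(reports.items()):
        if report is None or report[0] < prescribed["issued"]:
            out["silent"].append(host)       # unmanaged, dead, or hiding from us
        elif report[1] == prescribed["value"]:
            out["conformant"].append(host)
        elif now <= deadline:
            out["lagging"].append(host)
        else:
            out["non_conformant"].append(host)
    return out

def remediation_list(prescribed, reports, now):
    """Hosts that did not keep up, in the order an operator would chase them."""
    buckets = classify(prescribed, reports, now)
    return buckets["non_conformant"] + buckets["silent"] + buckets["lagging"]

if __name__ == "__main__":
    for bucket, hosts in classify(PRESCRIBED, REPORTS, datetime(2013, 9, 22, 10, 0)).items():
        print(f"{bucket:<15} {hosts}")
```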