The 3BView Point

Minnesota Ethics - Opinion 22 adopted

2010-04-21T10:06:00.005+01:00

At the meeting of the Minnesota Lawyers Professional Responsibility Board at the end of last month Opinion No 22 was adopted.

This Opinion, originally drafted in January this year, addresses lawyers' ethical obligations regarding document metadata.

Minnesota joins many other Professional responsibility committees at several bar associations in other states in the US in adopting such an opinion. A summary table of most of the Ethics Opinions in place can be found at the ABA Technology Legal Resource Centre. Taking the ABA's table headings, the summary of the Minnesota Ethics opinion is:

What is the Sender's Duty When Transmitting Metadata?
"...a lawyer is ethically required to act competently to avoid improper disclosure of confidential and privileged information in metadata in electronic documents."
May the Recipient Review or "Mine" Metadata?
"Opinion 22 is not meant to suggest there is an ethical obligation on a receiving lawyer to look or not to look for metadata in an electronic document. Whether and when a lawyer may be advised to look or not to look for such metadata is a fact specific question beyond the scope of this Opinion."
Must the Recipient Notify Sender is Metadata is Found?
Yes - "If a lawyer receives a document which the lawyer knows or reasonably should know inadvertently contains confidential or privileged metadata, the lawyer shall promptly notify the document’s sender as required by Rule 4.4(b), MRPC."

The full Minnesota opinion can be found at www.mncourts.gov/lprb/Opinion22.pdf

Opinions on document metadata in 2009

2010-02-26T18:02:00.001Z

Finishing off a presentation for a screen-cast next week and wanted to check I had a date right (well it is Friday) and found the post below in draft. So, despite it being the end of the second month of 2010, a couple of ethics opinions released in 2009 and some links to resources on other ethics opinions:

In June 2009 West Virginia Lawyer Disciplinary Board released its ethics opinion on document metadata finding that there is a burden on an attorney to take reasonable steps to protect metadata in transmitted documents.

As reported in October 2009, this was followed by the Vermont Bar Association issuing an opinion on metadata.

The ABA has a table of the opinions that it maintains (last updated Sept 2009 at the time of writing). The LegalEthics website is another good source.

Peer-to-Peer articles: access to documents from iPhone

2010-02-11T11:15:00.008Z

There was a great response to the survey we ran in October with 236 legal professionals providing us with information on what mobile devices they and their firms use and the functions/applications they use the mobile device for, with particular focus on documents and email.

What with my analysis of these responses, writing the report on the results of the survey, in parallel writing an article on the ‘The Often Overlooked Mobile Security Gap’ for ILTA’s December edition of Peer-to-Peer (it is the lead article – see page 8 or download a copy), followed by a white paper ‘Document Metadata: The Mobile Security Gap’ that comments more in depth on the results of the survey pulling in results of other surveys around mobile usage that were undertaken in the latter part of 2009, not to mention a week's vacation with the family, the Christmas holidays, a week in Chicago followed by a week in New York for LegalTech, it's been a while since I last posted a blog entry!

There are numerous numbers of items worthy of comment from the intervening months. The reprint by TechnoLawyer this week of one of the other articles in December’s Peer-to-Peer magazine provides me with a good start point. The article is by Christopher Lewis of Sonnenschein Nath & Rosenthal LLP and looks at the iPhone as a business tool and how it enhances the productivity of the attorneys at Sonnenschein when they are mobile.

One of the items that caught my eye when I re-read the article in TechnoLawyer was the success story quoted where a Sonnenschein attorney was onsite with a client who didn’t have the documents needed. The attorney accessed the Sonnenschein content and collaboration portal using his iPhone, downloaded the documents and forwarded them to the client.

56% of the respondents to the 3BView survey said that they had access to centrally stored documents from their mobile device, ie they have the same capability as the Sonnenschein attorneys.

I hope (and suspect) that this figure will increase within 2010. Why? Take a couple of other statistics from the 3BView survey alone:

39% of respondents store business documents on their mobile device. With my past experience in document management and also in DLP systems this makes alarm bells ring. I am sure the same bells are ringing for risk/security managers within law firms or for those with responsibility for corporate legal departments;

The majority of those who have access to centrally stored documents reported that they attach a document to an email they send from their mobile device at least once a month. A quarter of all respondents attach do so at least weekly.

The last thing on the attorneys mind in a situation such as the one that the Sonnenschein attorney found themself in will be the fact that they are bypassing any desktop based tools including any that scrub document metadata.

As I’ve been stating in articles/papers to date, and will keep on saying throughout this year and beyond, increasing productivity of the legal professional even when they are mobile makes sound business sense. However, the management, control and security measures in place for in office equipment must be extended to mobile devices. This includes document security aspects such as scrubbing metadata.

SWISS red-faced over metadata information left in press release

2009-10-29T19:53:00.004Z

Whatever your view on where we are on the economic road to recovery (or not) no business can afford any tarnish to its external image. As reported in the Guardian this week Swiss International Air Lines Ltd has a red face and a tarnish to its image in Canada at least due to an inadvertent link of metadata.

SWISS, as they refer to themselves in the press release, included review comments in the document that they sent out. Although the press release might be 'boring,' as reported by the Guardian, it provides a salutary lesson on how features that are useful in the review stage of a document can be a danger if they are not managed correctly when completing the final version that will be sent out.

The file, comments and all, can be found on the Guardian website.

Companies need to remember that converting a document to PDF alone does not protect them from leakage of confidential or embarrassing information via metadata. Although I was not personally sent the press release, and it is not obvious from the posting on the Guardian site, I would say that the release was sent in PDF. Take a look at the other metadata in the PDF file and see what you think (PDF Producer: produced on a Mac, author: initials in this instance, and so on).

This is the perfect example of why it is so important to ensure you have a system in place to automatically remove the metadata information within a document. While the data contained in this file wasn’t damaging to the company, it was definitely embarrassing. Had the data been company private, this could have been a very different situation for them. Make sure your company and your data is protected.

Only a week left for the Survey on Mobile Device Usage

2009-10-16T15:30:00.002+01:00

We are delighted with the number of participants who have already completed the 3BView Survey on Mobile Device Usage and Document Security over the last two weeks. The results are already looking very interesting.

With just one week left until this survey closes (end of day EDT 23rd October), if you have not yet contributed then your participation would be very welcome. Please access at http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C

The survey focuses on access to, and usage of, business applications from mobile devices, with particular focus on the risks associated with information contained within document metadata when using these applications.

We will be publishing summary results on our website, with full results available to survey participants, who will also will be entered into a draw to win an upgraded phone of their choice – either a Blackberry Storm 9530 or an iPhone 3GS 32GB.

3BView Surveys the Legal Market on Mobile Device Usage and Document Security

2009-10-02T12:16:00.003+01:00

Following on from my post last week, we at 3BView are conducting a survey on the usage of mobile devices in the day-to-day practice by legal practictioners around the world. The survey focuses on access to, and usage of, business applications from mobile devices in particular access to documents and risks associated with information contained within document metadata via such applications.

We will be publishing summary results on our website, with full results available to survey partcipants. Survey participants also will be entered into a drawing to win an upgraded phone of their choice – either a Blackberry Storm 9530 or an iPhone 3GS 32GB.

Access the survey at http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C from now until Otober 23, 2009.

More details can be found here.

The Risks and Benefits of Mobile Computing

2009-09-25T13:01:00.006+01:00

More and more solo and small firm practitioners are making the most of the advancement in technology to practice law using mobile devices and remote applications. The launch over the last few months of the latest iPhone and Blackberry Storm has been another leap forward in enabling technology.

Not only does mobile technology assist attorneys in managing their client base, it also helps in lowering their business overhead. Mobile devices enable attorneys to work from anywhere. The term ‘Mobile Attorney,’ while meaning a specialization in the past, now relates to the practice of using mobile technology to conduct business.

One of the key aspects of the Mobile Attorney is that they no longer just have a laptop running Microsoft Windows. They are now accessing their email, documents and other business applications via webmail, mobile enabled Document Management Systems (DMS) and a broad array of devices such as Blackberry, iPhone, PDAs, NetBooks and Apple Macs.

But, this brings up an interesting fact. While being a Mobile Attorney has many significant benefits, it does introduce new security risks, especially where the firm's security tools, such as their metadata removal application, is limited to a desktop tool. The Mobile Attorney using the web, DMS or mobile device does not have access to these tools and so fall foul of what I refer to as 'the mobile security gap'. If you are a Mobile Attorney – are you aware of these risks and are you doing anything to make sure you and your data is protected?

PDF documents and metadata - some examples

2009-02-28T16:55:00.004Z

Before I do a deeper dive into what metadata a PDF document contains, let's take a look at what must have been the main headline hitting example in 2008 of sensitive information being discovered within PDF metadata.

I am referring to the situation Google found themselves in with a submission they made, supposedly anonymously, to the Australian Competition and Consumer Commission regarding eBay and their proposal to force their users to use PayPal. After speculation on many blogs about the author of the anonymous submission one Dave Bromage took a look at the metadata in the PDF document and let the world know who it was. Despite the submission being replaced with a new version without the revealing metadata the word was out. I won’t comment on the reasons why this was at least embarrassing to Google (this is one report that gives the details as well as showing the metadata contents), but will add that there was an additional chuckle in the techie community that the metadata also showed that the document had not been created using Google’s own word processing app, one being The Register. My main comment is that this unintentional leakage of information involved a regulator as well as embarrassment at the very least to the originator (author and company).

The submission also had masked what would have been visible text about the submitter within the document. However the PDF did not have any security applied to it so it was very easy to copy that area of the document and paste it into another text processor to see the underlying information. Facebook/ConnectU have just this month fallen foul for the same reason. Numerous other examples in this area, GE and the US Justice Department being a couple of examples from 2008. If you want to mask visible text at the very least add security settings to the PDFs that you generate to disallow copying and pasting of text. Also look at redacting software which fully removes and masks text whilst retaining the layout in the PDF document.

I am sure it is pure coincidence that one of the other headlines in 2008 around information garnered from PDF metadata also involved Google, but from the other side of the fence. As reported here metadata in a PDF version of a lobbying letter from the Corn Farmers to Congress linked, albeit tentatively, the author back to some of Google’s political adversaries.

The lesson from these examples is that you should not assume that converting and sending/publishing a PDF removes metadata that could contain sensitive information.

It might have been quiet on this blog for a while but elsewhere...

2008-10-31T11:10:00.004Z

I know, I know, it has been a long while since I last posted to this blog! Thank you to all of you who have been checking in regularly.

It has been a busy six months both in terms of data loss instances and also for 3BView. In the case of the latter we have gained great new customers and partners in the intervening time ... you'll be able to find out more about some of them on our website - a new improved version of which is going live next week.

On the former: well watch this space. Many things to blog about, and I will be doing just that over the coming weeks.

Good eWeek article on DLP

2008-03-18T13:50:00.002Z

EWeek has an interesting article comparing Database Activity Monitoring (DAM) with Data Leak Prevention (DLP).

In the article, Paul Proctor, a Gartner analyst who’s tracked this area for a while, says: “"Most every security monitoring technology would benefit from DLP content awareness, which is the ability to recognize sensitive content on the fly.” Yep, I’d agree with that.

California Bar Journal reviews legal metadata position

2008-02-28T17:46:00.000Z

The California Bar Journal, in this article, presents an excellent round-up of the problems for lawyers, including the myth that PDF documents are safe from metadata leaks, and the latest legal position in the US. Worth reading.

Eli Lilly’s lawyers accidentally emails confidential info to New York Times

2008-02-18T10:45:00.000Z

We’ve been here before, but this is a corker. All the pieces of a classic ILP mistake: the $1bn lawsuit, the external law firm accidentally emailing confidential information to the wrong person, and the fact that the wrong person happened to be a New York Times reporter. Oops.

Law firms, get yourself some ILP tools now, before it’s you!

Scottish council caught out by tracked changes

2008-01-30T11:19:00.000Z

It’s that old classic: sending out a Word document with information you really, really don’t want to reveal left in tracked changes.

This time the metadata culprit is Aberdeenshire County Council, which managed to send out a report on waste management, containing incriminating details of problems in tracked changes that hadn’t made it into the final report.

Even worse than the information revealed is the inference that the council had covered up the information it didn’t like on the problems – and the press has certainly taken this line.

That Jeremy Clarkson story

2008-01-19T08:45:00.000Z

I know I’m coming a little late to this story and there’s been a lot of debate about it. In case you’ve not read about this: the UK TV presenter Jeremy Clarkson published his bank details in a newspaper column, in which he claimed the furore about lost personal details from the HRMC was a fuss about nothing. Of course, a kind soul promptly used the details to set up a direct debit payment from Clarkson’s account to a charity.

On reflection, you could argue that in fact the system works – the UK’s direct debit scheme provides safeguards to protect the consumer, and to refund any disputed money. In this kind of situation, no doubt Clarkson is covered financially.

But you could imagine a consumer being less than happy if, say, the money taken out of their account meant they went overdrawn, other payments bounced, and they then had to sort out the unholy mess.

And Clarkson himself says he only discovers the loss when he read his bank statement – how many people do that every month? And would they notice the loss if it was £50 not £500?

For me, it does highlight two important issues: firstly, the context in which personal data is used is important. As many commentators have said, Clarkson only divulged information that we give to anyone whenever we give them a cheque. But, he did so in a highly public way. “Security by obscurity” has long been a facet of protecting data, and shouldn’t be forgotten when risk is being assessed.

The second key point is that it’s much, much easier to not leak data in the first place, than to deal with the consequences even if there is no nominal financial risk. As I mentioned, the UK’s banks guarantee to refund any money that a consumer loses due to a mistake with a direct debit. In practice, I imagine it’s still a difficult process to go through, and can cause much inconvenience. It’s the same with any company’s data – you might theoretically not have any negative consequences of a leak, but managing the process when information goes missing can be time-consuming and costly.

Frank Abagnale tells the inside story on IT security

2008-01-11T09:13:00.000Z

You might know him best from the Spielberg film “Catch Me If You Can”, but former fraudster Frank Abagnale has spent the last 30 years working with the FBI on improving security, and more recently this has included a big element of IT security.

There’s a good Q&A with him at ComputerWorld that’s worth reading, as he makes some interesting points about IT and financial security – not least that the internal threat to companies is more significant than external hackers.

Two good articles on security: user behaviour and balancing risk

2008-01-07T18:32:00.000Z

Happy New Year! This seems a good opportunity to mention two good articles I read last year, but didn’t blog on at the time.

Firstly, Network World ran an article by Michael Osterman in June based on a survey of user behaviour. It’s short and to the point, but contains useful gems like the fact that 71% of users check work-related email from home on their own computer. Certainly confirms for me that we’re on the right lines to put our ILP protection on the email server, not on the desktop – if you’ve got server-based protection, you’re covered regardless of which PC is used.

Then this article in APC magazine contains some interesting views from Microsoft on why the security threat is often “overblown”, and how you need to balance the cost of a security measure against the perceived risk and the cost of any security problems that may arise. It’s common sense really, but worth remembering, and I’d add the point that you need to think about how long a solution may take before it’s up and running effectively; sometimes the simple and fast solutions are the best.

US legal position on metadata still unclear

2007-12-27T18:11:00.000Z

As far as I can work out, the position in the US on the legal status of metadata is still being sorted out. Have a look at this good review of recent “ethics opinions” in The New York Law Journal – there still seems to be plenty of conflicting views.

The article concludes with good advice: check your local rules and case law, and use metadata scrubbing tools to remove metadata from documents you send (where this is permissible).

One day we’ll have clarity, no doubt.

PR agencies leaking data as much as the rest of us

2007-12-15T17:06:00.000Z

Love or hate them, PR agencies are part of today’s business world. They do have a riskier position than most in the looking foolish stakes, though, as they are in frequent contact with journalists who will generally grab any opportunity they can to wind up their PR colleagues.

The latest one is a delightful example on Valleywag, the Silicon Valley gossip site – just look at all those tracked changes that were left in the email to the journalist from the PR.

But wait: it gets better. The PR sent an email threatening legal action if her original email wasn’t removed. Guess what? Valleywag ran that email too.

Another day, another data breach

2007-12-13T20:26:00.000Z

Amazing how many of these stories are coming out now in the UK about public sector data breaches, as public attention is so focussed on it at the moment.

This week, a healthcare trust managed to email a spreadsheet containing personal financial details of 1,800 employees to four medical organisations. Surely they’ve got ILP tools to stop them doing this? Maybe not…

The gory details are in the BBC’s report here.

New Scientist covers ILP

2007-12-10T15:03:00.000Z

Well, nice to get some recognition for our area of technology in this article in New Scientist (subscription required, but you can read the first couple of paragraphs for free anyway).

To summarise the key points anyway: researchers at the Air Force Institute of Technology, Ohio are developing software to analyse the text of outgoing emails in companies, and flag the senders as “alienated” or “having clandestine, sensitive interests”. Sounds like what we’re doing at 3BView but it’s interesting stuff… there’s more here (New Scientist’s press release about their article).

Scottish politician in donations row due to metadata

2007-12-04T09:16:00.000Z

UK readers will be familiar with the row about dodgy political donations that’s currently surrounding the Labour party. It was perhaps only a matter of time before metadata gave someone’s secrets away – as it has a habit of doing in political rows.

Well, it happened this weekend – the Sunday Herald newspaper printed allegations that Scottish Labour chief Wendy Alexander was aware of the potentially dodgy nature of a donation weeks before she had claimed to be. The smoking gun? Metadata in a Word document showed the date it had been saved (November 5^th) and that the username was her husband’s.

The row is all over the press now, and Alexander may end up having to resign, or even being prosecuted under the UK’s election finance laws. It’s becoming almost commonplace to see these metadata leaks pop up in political rows, and I’m sure the more clued-up journalists check the properties and tracked changes on every Word document they get hold of! Remember PDF documents aren’t normally safe either unless you’ve taken the right steps to make them secure.

Former DuPont scientist jailed for information theft

2007-11-29T09:36:00.000Z

Gary Min, a former DuPont scientist, has just been jailed for 18 months for stealing confidential information. He downloaded 22,000 abstracts and 16,000 full-text documents over a five-month period before leaving the company. He subsequently uploaded 180 of these DuPont documents onto a corporate laptop from his new employer, Victrex, a competitor of DuPont. The information was valued at over $400million.

Apparently most of these documents were unrelated to his job at DuPont. You have to wonder why it took DuPont so long to spot this pattern and report him to the FBI, and why he had access to so much information.

It’s not quite on the scale of the UK’s HMRC fiasco, but it raises a similar question: why do employees get access to such a large quantity of information that’s not related to their jobs?

You can’t steal what isn’t there

2007-11-21T17:40:00.000Z

Yesterday’s story on the loss of 25 million child benefit records reminded me about the loss of more than 45 million customer records stolen from TJX, the parent company of retailer T.J. Maxx. The article, a while back, in Information Week describes it as the “largest breach of customer data”.

An interesting article, but the key point is right at the end: “With any luck, the TJX Effect will teach retailers this basic lesson: Thieves can't steal sensitive customer data if retailers aren't storing it.”

But governments have to store sensitive data -- they really do need to get things sorted, or the trust of the public will be lost forever.

The HMRC leak – unbelievable

2007-11-20T16:25:00.000Z

Really, words fail me. I’ve just watched on TV the UK chancellor Alistair Darling tell the House of Commons that this massive data leak (25 million people’s bank details etc) is due to HMRC staff not following procedures. Pardon me? Apparently it was sent via unrecorded post on unencrypted CDs.

Liberal Democrat acting leader Vince Cable asked why the data was posted on CDs and why HMRC didn’t have an electronic means of sending the information securely. He’s got a point.

I’m sure we’ll learn more soon.

AT&T lawsuits rumbling on

2007-11-20T12:43:00.000Z

AT&T is one of the highest profile companies that’s been publicly identified as having committed an ILP faux pas – letting the cat out of the bag about alleged collusion with the US government in alleged illegal wiretapping (the lawsuits are still going on – so I’m going to use the word ‘alleged’ as often as I can just in case).

They must be regretting this a LOT! There’s an interesting article in the Guardian about this case and the general topic of privacy and how it’s changing in the electronic world.

The customer is always wrong

2007-11-16T13:10:00.000Z

Perhaps it’s stating the obvious, but good to have confirmation from high-paid consultants: Deloitte’s recent report says that people are the biggest security risk for financial institutions.

Well, they actually say it’s customers, and the report raises good questions about how far banks should go in being responsible for customers’ IT security, and points out that the financial institution must manage its third-party relationships or take the blame when things go wrong.

Out-law.com has a good write-up, including a link to the original report.

Google adds outbound email security features

2007-11-13T09:06:00.000Z

Since they bought Postini recently, Google hasn’t wasted any time adding their email security features to Google Apps (even if it’s only on the “Premier Edition” so far).

The press release from Google says the new features will “Centrally manage all outbound content policy, including adding footers to every message based on business policy rules, blocking messages with specific keywords or attachments, and preventing emails with sensitive company information from being sent.”

I had a dig around the Google page linked to from the press release, and the Postini pages it directed me too, and couldn’t find anything too specific about the outbound email filtering it mentioned, but it’s encouraging for those of us at the ILP coalface that the behemoth of Google is recognising the need for ILP tools. Will be interested to see how it works…

UK House of Lords attacks government response to cybercrime report

2007-10-31T13:14:00.000Z

Disappointing news this week about the UK government’s poor response to the House of Lords Science and Technology Committee report on Internet security (which originally came out in August).

The Lords committee has criticised the government in no uncertain terms - the Earl of Erroll, a member of the committee, said, “Unfortunately, the government dismissed every recommendation out of hand, and their approach seems to solely consist of putting their head in the sand."

The report was also criticised by Richard Clayton in a pretty strongly-worded post on his blog. Clayton was involved in assisting the Lords committee.

Ho hum, back to the coal face.

E-discovery seminar and downloadable presentations

2007-10-22T08:39:00.000+01:00

I attended a very interesting e-discovery seminar just over a week ago in Washington DC, organised by GTSI and with an excellent set of speakers. Metadata and archive formats (ODF and PDF/a are key archival formats) were mentioned frequently.

The presentations are all available at this page.

E-discovery and the FRCP amends – one year on

2007-10-22T08:36:00.000+01:00

It’s nearly a year since the US’s Federal Rules of Civil Procedure (FRCP) that govern e-discovery were amended. CNET has an excellent round-up of recent legal cases covering the discovery of electronic data – really a must-read for anyone concerned with this area.

The author also quotes Williams v Sprint, a slightly older case from 2005, where the judge ruled that where electronic documents are required to be produced, they must be in the original format including metadata. This still seems to be a grey area, and the FRCP guidance seems to also have picked up on the judge’s statement in this case that producing documents “as they are maintained in the regular course of business” is sufficient.

The lesson? Put in place a policy now that manages and cleans metadata in business documents, before any litigation!

Error by FTC gives away Whole Foods’ business secrets

2007-10-15T22:50:00.000+01:00

This Sunday’s Observer newspaper in the UK carried a book review talking about innovative business practices that mentioned Whole Foods as an example of using new internet techniques (not sure if that includes your CTO criticising rivals online under a pseudonym?)

Anyway, it reminded me of the bizarre story from August: the Federal Trade Commission (FTC) managed to electronically file documents as part of a court case involving Whole Foods Market’s proposed $565 million takeover of Wild Oats Markets. The words looked redacted but were just shaded black.

The accidentally revealed portions included Whole Foods’ marketing strategies, and how it apparently negotiates with suppliers to drive up costs for Wal-Mart stores.

Guess what? The Associated Press managed to download the document before the FTC realised their mistake and replaced it with a clean version. The Washington Post has the full story here.

Come on guys, it’s not rocket science to avoid these mistakes. Is it?

Company insiders are biggest IT security threat

2007-10-07T12:48:00.000+01:00

According to the Computer Security Institute, the biggest threat to corporate IT security isn’t viruses, it’s insiders.

The CSI has released its 2007 “Computer Crime and Security Survey” – there’s a good write-up here and you can also download the full report (PDF).

The report is based on responses from IT security staff in U.S. businesses and government bodies. 59% of respondents reported “insider abuse of network access or e-mail”.

MacUser covers data disasters and information leak prevention

2007-09-29T18:27:00.000+01:00

The recent MacUser edition (14^th September) has got a great article about potential data disasters from hidden data and emails. And guess what? 3BView gets a mention as we are the only metadata removal tool for Macs (as far as I’m aware).

The article doesn’t appear to be online yet, but MacUser’s site is here.

The financial view of ILP

2007-09-25T21:56:00.000+01:00

Just a quick mention of my colleague Ges Ray, who’s also blogging on information leak prevention – in his case, on the financial technology site Finextra.

Ges’s blog has some interesting points, and the whole site is good reading for anyone interested in the financial sector.

Leaked emails reveal company’s secrets

2007-09-19T19:26:00.000+01:00

Controversial P2P “mitigation” company MediaDefender has got itself into trouble when 700MB of internal emails were distributed on the Internet this weekend. It appears that an employee had forwarded all of his emails to a Gmail account, which has then been accessed by someone else.

According to this report, the emails gave away many secrets about the company’s operation, including evidence that MediaDefender had intentionally misled the outside world about some of its activities. The emails apparently also included financial details including salaries, Social Security numbers and home addresses of some of the company’s employees.

It’s a point that everyone must be familiar with, but it bears repeating: email is a dangerous thing. And it’s not rocket science to realise that having controls to filter and monitor emails going outside your company can help avoid this kind of problem.

Stating the obvious: mobile mistakes are easy to make

2007-09-09T08:15:00.000+01:00

It seems common sense to me that anyone using email out of the office is going to be more at risk of making silly mistakes. It may be late in the evening, they may be rushed as they’re concentrating on something else, or they may be using a mobile device that’s not as easy to use as their main office PC or laptop.

The business climate nowadays only encourages this, what with mobile working being so heavily encouraged, clients in different time zones and so on.

So it only seems logical that information leak prevention should cover users when they’re out and about. Doesn’t it?

It still surprises me that so much effort in ILP focuses on desktop tools, which by definition won’t cover remote working and PDAs, Blackberrys etc. The server seems the only sensible place to put the ILP protection.

I did get my assumptions backed up recently by some research from Nokia, which is always nice. This says three quarters of workers use mobile devices to email clients outside working hours, and paints a picture of them “writing their emails from locations including pubs, parties and taxis”. Scary stuff!

So what’s PCI and what’s it got to do with ILP?

2007-08-28T11:24:00.000+01:00

That’s PCI as in “Payment Card Industry” – and specifically the PCI Data Security Standard (PCI DSS). Basically the big credit card companies (Visa, MasterCard, American Express etc) got together and created a new set of standards to deal with card fraud. The aim of PCI is to force organisations like merchants and service providers (basically anyone that handles, transmits or stores card details) to protect the card data properly. For anyone who doesn’t comply, there’s fines, and potentially the card companies are threatening to block people from processing their card data altogether – a big deal if you’re a retailer or anyone who depends on credit cards.

A worthwhile industry initiative to combat fraud? Or a shameless attempt by the banks to push the risk and responsibility onto others?

Whatever you think of PCI, there’s many, many companies that need to comply. And taking auditable steps to stop credit card information leaking is an important part of the puzzle – ILP is really a must-have if you need to comply with PCI.

The deadlines for compliance are complicated depending on what you do and where you are, but 30^th September 2007 is an important date for many US-based companies, and really everyone ought to be compliant or nearly there already.

The official page isn’t really the most helpful, but here’s a great blog that helps with PCI, and an interesting recent discussion on Slashdot.

Automated Metadata Removal

2007-08-16T20:36:00.000+01:00

Take a look at the report on the TechnoLawyer Blog

Mobile doesn’t have to mean unsafe

2007-08-15T17:00:00.000+01:00

I know from talking to customers and colleagues that mobile devices cause all sorts of security headaches. It’s all very well having your desktops and laptops locked down and secure, but no company can ignore Blackberries and other mobile devices. And keeping laptops of remote workers properly updated and set up with security software is notoriously difficult.

This article in Network World has some useful perspectives, but I think it misses the most important point. If you put your email security and data loss prevention technology onto the email server, not the mobile device, then you’re protected for any messages that go through the server – whether users have sent them from desktops, laptops, PDAs, or whatever. Simple but effective.

Data breach laws to come to the US

2007-08-07T14:41:00.001+01:00

The USA is working to push through a national law on data breaches, which is a major shift away from the existing mix of state laws and other regulations. Currently, the requirements for disclosure and the definitions of what counts as personal information vary from state to state, making it tricky to comply if you do business nationwide.

The new laws aren’t yet defined and there’s a lot of complexity to wade through, but the bottom line is that US firms are going to have to take protecting information even more seriously in the future. The indications are the laws are only going to get stricter, and enforcement more enthusiastic.

There’s more detail in this Computerworld article, which has an excellent round-up of existing US and European Union laws and their evolution.

Insert naval pun here

2007-08-01T16:39:00.000+01:00

It’s an old (ish) story, but I couldn’t resist linking to The Register and one of its prime candidates for headline of the year, “Smut-swapping sailors leak secret missile specs“. The Reg’s story is safe to read at work, but is a lesson on what happens when classified missile data gets mixed up with indecent images. I, of course, hope that none of you reading this have inadvertently sent out the wrong information with indecent images, but there is probably a fair percentage of you who have just plain sent the wrong information to the wrong person by mistake.

Too much exposure in images - more on EXIF

2007-07-27T13:37:00.000+01:00

Following the Harry Potter story, EXIF stores even more personal information than I first thought in images – as you’d expect Wikipedia has all the details. The camera serial number is the obvious personal information you might want to remove, but date and time are stored which could be tricky. And cameras with GPS capability can store the location the photo was taken as well. Scary!

One of the least obvious but perhaps potentially most embarrassing aspects, though, is that if you edit a photo, the EXIF data may still contain a thumbnail of the original photo. Can you guess where this is leading? Yes, a certain Cat Schwartz (who’s apparently a minor celebrity in some circles) posted cropped photos of herself on her blog, and the EXIF data contained thumbnails of the original, uncropped photos that showed her posing topless. Full story here (but the links to Schwartz’s blog and the photos are now dead).

Harry Potter and the hidden metadata

2007-07-24T15:24:00.000+01:00

Wouldn’t that be a great book title?

Sadly not yet written, but there’s an interesting story doing the round about how metadata could catch the culprit who leaked ‘Harry Potter and the Deathly Hallows’ on the internet.

The leaked copy was actually painstakingly-taken images of each page of the book, and the hidden EXIF metadata in the images contains the camera’s serial number. It’s a Canon Rebel 350D, apparently, and the company is trying to find out if the camera was registered and therefore they can use the serial number to track down the errant photographer.

It certainly puts me off registering the products I buy.

UK threatens prison for information misuse

2007-07-19T12:27:00.000+01:00

Is it just me, or does it feel like some companies don’t take data security seriously? Well, the UK government is threatening to get tough – in a damning report the Ministry of Justice (love that new name) has said prison sentences could be handed down to anyone deliberately misusing personal data. And they’re not happy with accidental breaches either.

The Information Commissioner, Richard Thomas, told the BBC, “Frankly these [security breaches] are inexcusable. None of this is really rocket science - security is fundamental.” Couldn’t agree more. He also said, “The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying."

The press release on the report is here, which includes a link to the full report.

When does open mean shut - follow on

2007-07-11T19:35:00.000+01:00

It is all covered in this BBC news article from today.

When does open mean shut?

2007-07-09T10:05:00.000+01:00

Interesting story on the BBC on Tuesday about Microsoft working with the UK National Archives to ensure documents can be read in the future. I’ve posted on this problem before, but Microsoft’s move to promote its Open XML file format is really getting some attention.

From the BBC story, it seems that Microsoft is admirably helping out the National Archives with virtualisation technology to help it read old documents. Microsoft is then hoping to use the halo of this good deed to persuade everyone that it’s got our best interests at heart by pushing its own Open XML “standard” as a rival to the Open Document Format (ODF). I’m less than convinced, as are many others. What do you think?

The psychology of security

2007-07-06T07:30:00.001+01:00

I missed posting a link to this when it came out, but Infosecurity Today has got a great interview with Bruce Schneier of BT Counterpane in its May/June issue and on its site. They also link through to a longer essay on this topic that Schneier has posted on his website here.

It’s pretty much essential reading. He also talks about the insider risk that I’ve previously mentioned, and says “I think companies underestimate the severity of insider threat”, as well as proposing why.

The insider threat

2007-06-25T19:36:00.000+01:00

It seems to me that recently there’s been a general trend in the security industry to start thinking more about insider threats. I don’t know if this is because companies are feeling more on top of the external hackers or viruses, or whether it’s just that awareness is growing that everyone needs to control outbound information flow as well as inbound. Regulations like Basel II, Data Privacy and MiFID certainly are helping to focus a few minds.

I’ve seen a few more articles in the press about this topic over the last few weeks, as well as the news that Lloyds TSB has got itself some pattern recognition software to spot employee fraud. This article at ZDNet very sensibly includes “forgetting that data traffic is two-way” as one of its four deadly security sins.

Of course if an employee is really determined to get information out they can write it on a piece of paper and walk out the door, but it’s important to do what you can to control outbound data flow. And accidental breaches of confidential information can be costly! We’ve got a few of the more famous (and entertaining) ones listed on our website here (scroll down for the list when you get there).

We’ve been winning

2007-06-18T21:20:00.000+01:00

Not to blow my own trumpet, but 3BView has been doing pretty well in the awards stakes recently. We won the innovation category at the Big Chip Awards and one of the judges (commenting on the famous 'dodgy dossier' ) said, “If this had been around four years ago, Tony Blair might have got another term as Prime Minister.” Nice quote! We’re also shortlisted for the Liverpool Daily Post Regional Business Awards – watch this space.

Office 2007 causing problems

2007-06-14T16:51:00.000+01:00

Charles Arthur at the Guardian has written an interesting article about problems with Microsoft’s new Office 2007 document formats. As they’re not backwards compatible with previous Word formats, Microsoft’s had to put out converters for older versions of Office to read them, and the consensus seems to be it’s made a mess of the problem.

It’s not just the short-term problems that are concerning – what’s going to happen to those billions of old Word documents? Are we going to be able to read them in 10, 20 or 50 years time? I’m sure I’m not the only one old enough to remember the BBC Domesday project from 1986, and the scare when its data was nearly lost. OK, the Domesday project was more about obsolete hardware than non-standard file formats, but the point is the same. Maybe we should put everything in PDF now and cross our fingers?

So what is Information Leak Prevention (ILP)?

2007-06-13T08:52:00.000+01:00

I thought it’d be good to start off by at least attempting to define what we mean by ILP. Basically, we’re talking about organisations stopping their valuable information from leaking out where it shouldn’t, either deliberately or accidentally. Whether it’s a company losing its secrets or a financial organisation inadvertently spilling confidential customer data, it’s a big deal – and the penalties for getting it wrong can be massive.

Computer Weekly has got a good article here which covers things pretty well, although I’d argue that 3BView’s tools don’t really suffer from the false positives problems discussed at the end of the article.

About 3BView

2007-06-01T17:39:00.000+01:00

3BView provides companies with solutions to achieve secure and controlled exchange of business electronic communications and documents, ensuring teams can safely and globally collaborate.

This blog is going to talk about the company, the technology, and what's going on in our market of information leak prevention.