Thursday 27 December 2007

US legal position on metadata still unclear

As far as I can work out, the position in the US on the legal status of metadata is still being sorted out. Have a look at this good review of recent “ethics opinions” in The New York Law Journal – there still seem to be plenty of conflicting views.

The article concludes with good advice: check your local rules and case law, and use metadata scrubbing tools to remove metadata from documents you send (where this is permissible).

One day we’ll have clarity, no doubt.

Saturday 15 December 2007

PR agencies leaking data as much as the rest of us

Love or hate them, PR agencies are part of today’s business world. They do have a riskier position than most in the looking foolish stakes, though, as they are in frequent contact with journalists who will generally grab any opportunity they can to wind up their PR colleagues.

The latest one is a delightful example on Valleywag, the Silicon Valley gossip site – just look at all those tracked changes that were left in the email to the journalist from the PR.

But wait: it gets better. The PR sent an email threatening legal action if her original email wasn’t removed. Guess what? Valleywag ran that email too.

Thursday 13 December 2007

Another day, another data breach

Amazing how many of these stories are coming out now in the UK about public sector data breaches, as public attention is so focussed on it at the moment.

This week, a healthcare trust managed to email a spreadsheet containing personal financial details of 1,800 employees to four medical organisations. Surely they’ve got ILP tools to stop them doing this? Maybe not…

The gory details are in the BBC’s report here.

Monday 10 December 2007

New Scientist covers ILP

Well, nice to get some recognition for our area of technology in this article in New Scientist (subscription required, but you can read the first couple of paragraphs for free anyway).

To summarise the key points anyway: researchers at the Air Force Institute of Technology, Ohio are developing software to analyse the text of outgoing emails in companies, and flag the senders as “alienated” or “having clandestine, sensitive interests”. Sounds like what we’re doing at 3BView but it’s interesting stuff… there’s more here (New Scientist’s press release about their article).

Tuesday 4 December 2007

Scottish politician in donations row due to metadata

UK readers will be familiar with the row about dodgy political donations that’s currently surrounding the Labour party. It was perhaps only a matter of time before metadata gave someone’s secrets away – as it has a habit of doing in political rows.

Well, it happened this weekend – the Sunday Herald newspaper printed allegations that Scottish Labour chief Wendy Alexander was aware of the potentially dodgy nature of a donation weeks before she had claimed to be. The smoking gun? Metadata in a Word document showed the date it had been saved (November 5th) and that the username was her husband’s.

The row is all over the press now, and Alexander may end up having to resign, or even being prosecuted under the UK’s election finance laws. It’s becoming almost commonplace to see these metadata leaks pop up in political rows, and I’m sure the more clued-up journalists check the properties and tracked changes on every Word document they get hold of! Remember PDF documents aren’t normally safe either unless you’ve taken the right steps to make them secure.
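As an added example of the check recommended above (not code from the original post or from 3BView), here is a small Python script that reads the author, last-modified-by and date properties of an Office Open XML (.docx) file, counts its tracked changes and lists who made them, and writes a copy with the identifying properties removed. It assumes the .docx container (Office 2007 onward, not the older binary .doc); the sample document, user names and dates inside it are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the .docx package parts this script looks at.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():                  # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Core properties that name a person or a time, i.e. the fields that give authorship away.
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")
W_AUTHOR = "{%s}author" % NS["w"]


def build_sample_docx():
    """Constructed sample (names and dates invented): a .docx with author/date properties and
    one tracked change. Only the parts inspected here are included, so Word would not open it."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
        'xmlns:xsi="%(xsi)s"><dc:title>Briefing note</dc:title><dc:creator>jdoe</dc:creator>'
        "<cp:lastModifiedBy>jdoe-home-pc</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2007-11-05T09:12:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2007-11-05T17:40:00Z</dcterms:modified>'
        "</cp:coreProperties>" % NS
    )
    document = (
        '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>The figure is </w:t></w:r>'
        '<w:del w:id="1" w:author="jdoe-home-pc" w:date="2007-11-05T17:40:00Z">'
        "<w:r><w:delText>estimated</w:delText></w:r></w:del>"
        '<w:ins w:id="2" w:author="jdoe-home-pc" w:date="2007-11-05T17:40:00Z">'
        "<w:r><w:t>confirmed</w:t></w:r></w:ins></w:p></w:body></w:document>" % NS["w"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def inspect_docx(data):
    """Report the who/when properties, tracked-change count and authors, and comment presence."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
        parts = z.namelist()
    changes = doc.findall(".//w:ins", NS) + doc.findall(".//w:del", NS)
    return {
        "properties": {f: getattr(core.find(f, NS), "text", None) for f in IDENTIFYING},
        "tracked_changes": len(changes),
        "change_authors": sorted({c.get(W_AUTHOR) for c in changes if c.get(W_AUTHOR)}),
        "has_comments": "word/comments.xml" in parts,
    }


def scrub_docx(data):
    """Return a copy with the identifying core properties removed; every other part is copied
    unchanged. Tracked changes are only reported, not accepted: accepting them alters the visible
    text, so that is left to the author (but do it, as w:author and w:date stay in document.xml)."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        core = ET.fromstring(src.read("docProps/core.xml"))
        for field in IDENTIFYING:
            for el in core.findall(field, NS):
                core.remove(el)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename == "docProps/core.xml":
                    dst.writestr(item, ET.tostring(core, encoding="UTF-8", xml_declaration=True))
                else:
                    dst.writestr(item, src.read(item.filename))
    return out.getvalue()
```

ElementTree drops namespace declarations it considers unused when it rewrites core.xml, which is harmless for the core properties part but is why this script never rewrites document.xml.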

Thursday 29 November 2007

Former DuPont scientist jailed for information theft

Gary Min, a former DuPont scientist, has just been jailed for 18 months for stealing confidential information. He downloaded 22,000 abstracts and 16,000 full-text documents over a five-month period before leaving the company. He subsequently uploaded 180 of these DuPont documents onto a corporate laptop from his new employer, Victrex, a competitor of DuPont. The information was valued at over $400 million.

Apparently most of these documents were unrelated to his job at DuPont. You have to wonder why it took DuPont so long to spot this pattern and report him to the FBI, and why he had access to so much information.

It’s not quite on the scale of the UK’s HMRC fiasco, but it raises a similar question: why do employees get access to such a large quantity of information that’s not related to their jobs?

Wednesday 21 November 2007

You can’t steal what isn’t there

Yesterday’s story on the loss of 25 million child benefit records reminded me about the loss of more than 45 million customer records stolen from TJX, the parent company of retailer T.J. Maxx. The article, a while back, in Information Week describes it as the “largest breach of customer data”.

An interesting article, but the key point is right at the end: “With any luck, the TJX Effect will teach retailers this basic lesson: Thieves can't steal sensitive customer data if retailers aren't storing it.”

But governments have to store sensitive data – they really do need to get things sorted, or the trust of the public will be lost forever.


Tuesday 20 November 2007

The HMRC leak – unbelievable

Really, words fail me. I’ve just watched on TV the UK chancellor Alistair Darling tell the House of Commons that this massive data leak (25 million people’s bank details etc) is due to HMRC staff not following procedures. Pardon me? Apparently it was sent via unrecorded post on unencrypted CDs.

Liberal Democrat acting leader Vince Cable asked why the data was posted on CDs and why HMRC didn’t have an electronic means of sending the information securely. He’s got a point.

I’m sure we’ll learn more soon.

AT&T lawsuits rumbling on

AT&T is one of the highest profile companies that’s been publicly identified as having committed an ILP faux pas – letting the cat out of the bag about alleged collusion with the US government in alleged illegal wiretapping (the lawsuits are still going on – so I’m going to use the word ‘alleged’ as often as I can just in case).

They must be regretting this a LOT! There’s an interesting article in the Guardian about this case and the general topic of privacy and how it’s changing in the electronic world.

Friday 16 November 2007

The customer is always wrong

Perhaps it’s stating the obvious, but good to have confirmation from high-paid consultants: Deloitte’s recent report says that people are the biggest security risk for financial institutions.

Well, they actually say it’s customers, and the report raises good questions about how far banks should go in being responsible for customers’ IT security, and points out that the financial institution must manage its third-party relationships or take the blame when things go wrong.

Out-law.com has a good write-up, including a link to the original report.

Tuesday 13 November 2007

Google adds outbound email security features

Since they bought Postini recently, Google hasn’t wasted any time adding their email security features to Google Apps (even if it’s only on the “Premier Edition” so far).

The press release from Google says the new features will “Centrally manage all outbound content policy, including adding footers to every message based on business policy rules, blocking messages with specific keywords or attachments, and preventing emails with sensitive company information from being sent.”

I had a dig around the Google page linked to from the press release, and the Postini pages it directed me to, and couldn’t find anything too specific about the outbound email filtering it mentioned, but it’s encouraging for those of us at the ILP coalface that the behemoth of Google is recognising the need for ILP tools. Will be interested to see how it works…

Wednesday 31 October 2007

UK House of Lords attacks government response to cybercrime report

Disappointing news this week about the UK government’s poor response to the House of Lords Science and Technology Committee report on Internet security (which originally came out in August).

The Lords committee has criticised the government in no uncertain terms - the Earl of Erroll, a member of the committee, said, “Unfortunately, the government dismissed every recommendation out of hand, and their approach seems to solely consist of putting their head in the sand."

The report was also criticised by Richard Clayton in a pretty strongly-worded post on his blog. Clayton was involved in assisting the Lords committee.

Ho hum, back to the coal face.

Monday 22 October 2007

E-discovery seminar and downloadable presentations

I attended a very interesting e-discovery seminar just over a week ago in Washington DC, organised by GTSI and with an excellent set of speakers. Metadata and archive formats (ODF and PDF/A are key archival formats) were mentioned frequently.

The presentations are all available at this page.

E-discovery and the FRCP amendments – one year on

It’s nearly a year since the US’s Federal Rules of Civil Procedure (FRCP) that govern e-discovery were amended. CNET has an excellent round-up of recent legal cases covering the discovery of electronic data – really a must-read for anyone concerned with this area.

The author also quotes Williams v Sprint, a slightly older case from 2005, where the judge ruled that where electronic documents are required to be produced, they must be in the original format including metadata. This still seems to be a grey area, and the FRCP guidance seems to also have picked up on the judge’s statement in this case that producing documents “as they are maintained in the regular course of business” is sufficient.

The lesson? Put in place a policy now that manages and cleans metadata in business documents, before any litigation!

Monday 15 October 2007

Error by FTC gives away Whole Foods’ business secrets

This Sunday’s Observer newspaper in the UK carried a book review talking about innovative business practices that mentioned Whole Foods as an example of using new internet techniques (not sure if that includes your CTO criticising rivals online under a pseudonym?)

Anyway, it reminded me of the bizarre story from August: the Federal Trade Commission (FTC) managed to electronically file documents as part of a court case involving Whole Foods Market’s proposed $565 million takeover of Wild Oats Markets. The words looked redacted but were just shaded black.

The accidentally revealed portions included Whole Foods’ marketing strategies, and how it apparently negotiates with suppliers to drive up costs for Wal-Mart stores.

Guess what? The Associated Press managed to download the document before the FTC realised their mistake and replaced it with a clean version. The Washington Post has the full story here.

Come on guys, it’s not rocket science to avoid these mistakes. Is it?

Sunday 7 October 2007

Company insiders are biggest IT security threat

According to the Computer Security Institute, the biggest threat to corporate IT security isn’t viruses, it’s insiders.

The CSI has released its 2007 “Computer Crime and Security Survey” – there’s a good write-up here and you can also download the full report (PDF).

The report is based on responses from IT security staff in U.S. businesses and government bodies. 59% of respondents reported “insider abuse of network access or e-mail”.

Saturday 29 September 2007

MacUser covers data disasters and information leak prevention

The recent MacUser edition (14th September) has got a great article about potential data disasters from hidden data and emails. And guess what? 3BView gets a mention as we are the only metadata removal tool for Macs (as far as I’m aware).

The article doesn’t appear to be online yet, but MacUser’s site is here.

Tuesday 25 September 2007

The financial view of ILP

Just a quick mention of my colleague Ges Ray, who’s also blogging on information leak prevention – in his case, on the financial technology site Finextra.

Ges’s blog has some interesting points, and the whole site is good reading for anyone interested in the financial sector.

Wednesday 19 September 2007

Leaked emails reveal company’s secrets

Controversial P2P “mitigation” company MediaDefender got itself into trouble when 700MB of internal emails were distributed on the Internet this weekend. It appears that an employee had forwarded all of his emails to a Gmail account, which was then accessed by someone else.

According to this report, the emails gave away many secrets about the company’s operation, including evidence that MediaDefender had intentionally misled the outside world about some of its activities. The emails apparently also included financial details including salaries, Social Security numbers and home addresses of some of the company’s employees.

It’s a point that everyone must be familiar with, but it bears repeating: email is a dangerous thing. And it’s not rocket science to realise that having controls to filter and monitor emails going outside your company can help avoid this kind of problem.

Sunday 9 September 2007

Stating the obvious: mobile mistakes are easy to make

It seems common sense to me that anyone using email out of the office is going to be more at risk of making silly mistakes. It may be late in the evening, they may be rushed as they’re concentrating on something else, or they may be using a mobile device that’s not as easy to use as their main office PC or laptop.

The business climate nowadays only encourages this, what with mobile working being so heavily encouraged, clients in different time zones and so on.

So it only seems logical that information leak prevention should cover users when they’re out and about. Doesn’t it?

It still surprises me that so much effort in ILP focuses on desktop tools, which by definition won’t cover remote working and PDAs, Blackberrys etc. The server seems the only sensible place to put the ILP protection.

I did get my assumptions backed up recently by some research from Nokia, which is always nice. This says three quarters of workers use mobile devices to email clients outside working hours, and paints a picture of them “writing their emails from locations including pubs, parties and taxis”. Scary stuff!

Tuesday 28 August 2007

So what’s PCI and what’s it got to do with ILP?

That’s PCI as in “Payment Card Industry” – and specifically the PCI Data Security Standard (PCI DSS). Basically the big credit card companies (Visa, MasterCard, American Express etc) got together and created a new set of standards to deal with card fraud. The aim of PCI is to force organisations like merchants and service providers (basically anyone that handles, transmits or stores card details) to protect the card data properly. For anyone who doesn’t comply, there are fines, and potentially the card companies are threatening to block people from processing their card data altogether – a big deal if you’re a retailer or anyone who depends on credit cards.

A worthwhile industry initiative to combat fraud? Or a shameless attempt by the banks to push the risk and responsibility onto others?

Whatever you think of PCI, there are many, many companies that need to comply. And taking auditable steps to stop credit card information leaking is an important part of the puzzle – ILP is really a must-have if you need to comply with PCI.

The deadlines for compliance are complicated depending on what you do and where you are, but 30th September 2007 is an important date for many US-based companies, and really everyone ought to be compliant or nearly there already.

The official page isn’t really the most helpful, but here’s a great blog that helps with PCI, and an interesting recent discussion on Slashdot.

Wednesday 15 August 2007

Mobile doesn’t have to mean unsafe

I know from talking to customers and colleagues that mobile devices cause all sorts of security headaches. It’s all very well having your desktops and laptops locked down and secure, but no company can ignore Blackberries and other mobile devices. And keeping laptops of remote workers properly updated and set up with security software is notoriously difficult.

This article in Network World has some useful perspectives, but I think it misses the most important point. If you put your email security and data loss prevention technology onto the email server, not the mobile device, then you’re protected for any messages that go through the server – whether users have sent them from desktops, laptops, PDAs, or whatever. Simple but effective.

Tuesday 7 August 2007

Data breach laws to come to the US

The USA is working to push through a national law on data breaches, which is a major shift away from the existing mix of state laws and other regulations. Currently, the requirements for disclosure and the definitions of what counts as personal information vary from state to state, making it tricky to comply if you do business nationwide.

The new laws aren’t yet defined and there’s a lot of complexity to wade through, but the bottom line is that US firms are going to have to take protecting information even more seriously in the future. The indications are the laws are only going to get stricter, and enforcement more enthusiastic.

There’s more detail in this Computerworld article, which has an excellent round-up of existing US and European Union laws and their evolution.

Wednesday 1 August 2007

Insert naval pun here

It’s an old (ish) story, but I couldn’t resist linking to The Register and one of its prime candidates for headline of the year, “Smut-swapping sailors leak secret missile specs”. The Reg’s story is safe to read at work, but is a lesson on what happens when classified missile data gets mixed up with indecent images. I, of course, hope that none of you reading this have inadvertently sent out the wrong information with indecent images, but there is probably a fair percentage of you who have just plain sent the wrong information to the wrong person by mistake.

Friday 27 July 2007

Too much exposure in images - more on EXIF

Following the Harry Potter story, EXIF stores even more personal information in images than I first thought – as you’d expect, Wikipedia has all the details. The camera serial number is the obvious personal information you might want to remove, but the date and time are stored too, which could be tricky. And cameras with GPS capability can store the location the photo was taken as well. Scary!

One of the least obvious but perhaps potentially most embarrassing aspects, though, is that if you edit a photo, the EXIF data may still contain a thumbnail of the original photo. Can you guess where this is leading? Yes, a certain Cat Schwartz (who’s apparently a minor celebrity in some circles) posted cropped photos of herself on her blog, and the EXIF data contained thumbnails of the original, uncropped photos that showed her posing topless. Full story here (but the links to Schwartz’s blog and the photos are now dead).
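To make the thumbnail point concrete, here is an added Python example (not code from the original post or from 3BView) that builds a constructed JPEG carrying an Exif segment, reports the make, timestamp, GPS sub-IFD and the embedded IFD1 thumbnail, and then strips the whole Exif segment. It reads only IFD0 and IFD1; camera serial numbers usually sit in the Exif sub-IFD or the vendor maker note, which this parser does not descend into, but dropping the APP1 segment removes those as well.

```python
import struct

EXIF = b"Exif\0\0"                            # payload prefix of an Exif APP1 (0xFFE1) segment
APP1, SOS, EOI = 0xE1, 0xDA, 0xD9

def _ifd(entries, next_ifd=0):
    """Serialise one big-endian IFD; each entry is (tag, type, count, 4-byte value-or-offset)."""
    out = struct.pack(">H", len(entries))
    for tag, typ, count, val in entries:
        out += struct.pack(">HHI", tag, typ, count) + val
    return out + struct.pack(">I", next_ifd)

def build_sample_jpeg():
    """Constructed sample: a JPEG skeleton whose Exif segment holds a make, a timestamp,
    a GPS sub-IFD and an IFD1 thumbnail (placeholder bytes, not real image data)."""
    u32 = lambda v: struct.pack(">I", v)
    make, when = b"Canon\0", b"2007:07:24 10:00:00\0"
    thumb = b"\xff\xd8ORIGINAL-UNCROPPED\xff\xd9"
    # TIFF block layout: header(8) IFD0(42) make when GPS-IFD(18) IFD1(30) thumbnail
    make_off, when_off = 50, 50 + len(make)
    gps_off = when_off + len(when)
    ifd1_off, thumb_off = gps_off + 18, gps_off + 48
    ifd0 = _ifd([(0x010F, 2, len(make), u32(make_off)),      # Make
                 (0x0132, 2, len(when), u32(when_off)),      # DateTime
                 (0x8825, 4, 1, u32(gps_off))], ifd1_off)    # GPSInfo IFD pointer
    gps = _ifd([(0x0001, 2, 2, b"N\0\0\0")])                # GPSLatitudeRef, inline ASCII
    ifd1 = _ifd([(0x0201, 4, 1, u32(thumb_off)),             # JPEGInterchangeFormat
                 (0x0202, 4, 1, u32(len(thumb)))])           # JPEGInterchangeFormatLength
    tiff = b"MM\x00\x2a" + u32(8) + ifd0 + make + when + gps + ifd1 + thumb
    app1 = EXIF + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_segments(data):
    """Yield (start, end, tiff_block) for each Exif APP1 segment in the JPEG header section."""
    pos = 2                                                   # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (SOS, EOI):                              # header section is over
            break
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == APP1 and data[pos + 4:pos + 10] == EXIF:
            yield pos, end, data[pos + 10:end]
        pos = end

def parse_exif(tiff):
    """Walk IFD0 and IFD1 of a TIFF block and report the fields that identify people and places."""
    bo = ">" if tiff[:2] == b"MM" else "<"                    # byte order from the TIFF header
    u16 = lambda o: struct.unpack(bo + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(bo + "I", tiff[o:o + 4])[0]
    def read_ifd(off):
        entries, n = {}, u16(off)
        for e in range(off + 2, off + 2 + 12 * n, 12):
            tag, typ, count = u16(e), u16(e + 2), u32(e + 4)
            if typ == 2:                                      # ASCII: inline only if it fits in 4 bytes
                start = e + 8 if count <= 4 else u32(e + 8)
                entries[tag] = tiff[start:start + count].rstrip(b"\0").decode("ascii", "replace")
            else:                                             # single SHORT (3) or LONG (4)
                entries[tag] = u16(e + 8) if typ == 3 else u32(e + 8)
        return entries, u32(off + 2 + 12 * n)                 # entries, offset of the next IFD
    ifd0, ifd1_off = read_ifd(u32(4))
    report = {"make": ifd0.get(0x010F), "datetime": ifd0.get(0x0132),
              "has_gps": 0x8825 in ifd0, "thumbnail": None}
    if ifd1_off:                                              # IFD1: thumbnail of the image as saved
        ifd1, _ = read_ifd(ifd1_off)
        if 0x0201 in ifd1 and 0x0202 in ifd1:
            report["thumbnail"] = tiff[ifd1[0x0201]:ifd1[0x0201] + ifd1[0x0202]]
    return report

def inspect_jpeg(data):
    """Return the Exif report for a JPEG, or None when it carries no Exif segment."""
    return next((parse_exif(tiff) for _, _, tiff in exif_segments(data)), None)

def strip_exif(data):
    """Drop every Exif APP1 segment (thumbnail, GPS, serial and all); keep the rest byte-for-byte."""
    out, last = bytearray(), 0
    for start, end, _ in exif_segments(data):
        out += data[last:start]
        last = end
    return bytes(out + data[last:])
```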

Tuesday 24 July 2007

Harry Potter and the hidden metadata

Wouldn’t that be a great book title?

Sadly not yet written, but there’s an interesting story doing the rounds about how metadata could catch the culprit who leaked ‘Harry Potter and the Deathly Hallows’ on the internet.

The leaked copy was actually painstakingly-taken images of each page of the book, and the hidden EXIF metadata in the images contains the camera’s serial number. It’s a Canon Rebel 350D, apparently, and the company is trying to find out if the camera was registered and, if so, whether they can use the serial number to track down the errant photographer.

It certainly puts me off registering the products I buy.

Thursday 19 July 2007

UK threatens prison for information misuse

Is it just me, or does it feel like some companies don’t take data security seriously? Well, the UK government is threatening to get tough – in a damning report the Ministry of Justice (love that new name) has said prison sentences could be handed down to anyone deliberately misusing personal data. And they’re not happy with accidental breaches either.

The Information Commissioner, Richard Thomas, told the BBC, “Frankly these [security breaches] are inexcusable. None of this is really rocket science - security is fundamental.” Couldn’t agree more. He also said, “The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying."

The press release on the report is here, which includes a link to the full report.

Wednesday 11 July 2007

When does open mean shut - follow on

It is all covered in this BBC news article from today.

Monday 9 July 2007

When does open mean shut?

Interesting story on the BBC on Tuesday about Microsoft working with the UK National Archives to ensure documents can be read in the future. I’ve posted on this problem before, but Microsoft’s move to promote its Open XML file format is really getting some attention.

From the BBC story, it seems that Microsoft is admirably helping out the National Archives with virtualisation technology to help it read old documents. Microsoft is then hoping to use the halo of this good deed to persuade everyone that it’s got our best interests at heart by pushing its own Open XML “standard” as a rival to the Open Document Format (ODF). I’m less than convinced, as are many others. What do you think?

Friday 6 July 2007

The psychology of security

I missed posting a link to this when it came out, but Infosecurity Today has got a great interview with Bruce Schneier of BT Counterpane in its May/June issue and on its site. They also link through to a longer essay on this topic that Schneier has posted on his website here.

It’s pretty much essential reading. He also talks about the insider risk that I’ve previously mentioned, and says “I think companies underestimate the severity of insider threat”, as well as proposing why.

Monday 25 June 2007

The insider threat

It seems to me that recently there’s been a general trend in the security industry to start thinking more about insider threats. I don’t know if this is because companies are feeling more on top of the external hackers or viruses, or whether it’s just that awareness is growing that everyone needs to control outbound information flow as well as inbound. Regulations like Basel II, Data Privacy and MiFID certainly are helping to focus a few minds.

I’ve seen a few more articles in the press about this topic over the last few weeks, as well as the news that Lloyds TSB has got itself some pattern recognition software to spot employee fraud. This article at ZDNet very sensibly includes “forgetting that data traffic is two-way” as one of its four deadly security sins.

Of course if an employee is really determined to get information out they can write it on a piece of paper and walk out the door, but it’s important to do what you can to control outbound data flow. And accidental breaches of confidential information can be costly! We’ve got a few of the more famous (and entertaining) ones listed on our website here (scroll down for the list when you get there).

Monday 18 June 2007

We’ve been winning

Not to blow my own trumpet, but 3BView has been doing pretty well in the awards stakes recently. We won the innovation category at the Big Chip Awards and one of the judges (commenting on the famous ‘dodgy dossier’) said, “If this had been around four years ago, Tony Blair might have got another term as Prime Minister.” Nice quote! We’re also shortlisted for the Liverpool Daily Post Regional Business Awards – watch this space.

Thursday 14 June 2007

Office 2007 causing problems

Charles Arthur at the Guardian has written an interesting article about problems with Microsoft’s new Office 2007 document formats. As they’re not backwards compatible with previous Word formats, Microsoft’s had to put out converters for older versions of Office to read them, and the consensus seems to be it’s made a mess of the problem.

It’s not just the short-term problems that are concerning – what’s going to happen to those billions of old Word documents? Are we going to be able to read them in 10, 20 or 50 years time? I’m sure I’m not the only one old enough to remember the BBC Domesday project from 1986, and the scare when its data was nearly lost. OK, the Domesday project was more about obsolete hardware than non-standard file formats, but the point is the same. Maybe we should put everything in PDF now and cross our fingers?

Wednesday 13 June 2007

So what is Information Leak Prevention (ILP)?

I thought it’d be good to start off by at least attempting to define what we mean by ILP. Basically, we’re talking about organisations stopping their valuable information from leaking out where it shouldn’t, either deliberately or accidentally. Whether it’s a company losing its secrets or a financial organisation inadvertently spilling confidential customer data, it’s a big deal – and the penalties for getting it wrong can be massive.

Computer Weekly has got a good article here which covers things pretty well, although I’d argue that 3BView’s tools don’t really suffer from the false positives problems discussed at the end of the article.

Friday 1 June 2007

About 3BView

3BView provides companies with solutions to achieve secure and controlled exchange of business electronic communications and documents, ensuring teams can safely and globally collaborate.

This blog is going to talk about the company, the technology, and what's going on in our market of information leak prevention.