How your data was extracted

Data. Loss. Prevention.  Sounds wonderful, no? But in our cyber village every one of us is told that DLP will stop data loss.  The trouble is that it’s predicated on people following the rules, and the vendor’s pitch will be all about the normal cases: blocking email attachments (data and executables) and USB mass storage devices.

Here are a couple of scenarios to throw to the vendor during that presentation.

1.  I’ll build a LAN
Assuming that one is protecting the hard, crunchy perimeter, a miscreant might simply decide to take the data out through a non-monitored channel.  They plug in a desktop switch and then map a drive, upload through PHP to a local web server, or use FTP (e.g. FileZilla) or SSH (e.g. PuTTY) to extract files.  Job done.

2.  I’ll use the tools you’ve already given me: Word

Microsoft Word will happily embed anything.  Simply embed an executable into the document and email away.  You may need to change the file extension, but a miscreant can easily email an executable to themselves or data to someone else.  If the mail gateway blocks encrypted attachments, simply include it inside a Microsoft Word container. Ba Boom.

3.  I’ll use the tools you’ve already given me: WinZip

WinZip is now a feature-rich client.  It’s often installed in moderately secure environments and comes with two great features:

WinZip, the miscreant's friend

“Split” and “UUencode”.

Split does just that.  It will split up the miscreant’s 200 MB zip archive of their employer’s data into nice 5 MB files that they can now easily fire through the mail gateway.

UUencode is even better.  It will turn a zip file of data or of a binary into plain old text.  The miscreant can then simply paste the text into a Word document and fire that through the mail gateway.  There’s nothing to stop because there’s nothing to pattern match against.  As an example of how useful this is, let’s pack up Notepad and send it by text.

First we add Notepad to WinZip

Notepad in Winzip

Then we UUencode it

UUencode Notepad

Then we open it in Notepad (change the extension to TXT to make life easier)

Notepad.exe as text

The text for this starts as:


So now it’s a simple matter to either send or receive the text and then to use WinZip to assemble it back again.

Just what the doctor ordered.

Make sure your DLP vendor has an answer to these scenarios.
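One shape such an answer can take for the UUencode scenario, as an added example that is not from the original post or any vendor: uuencoded text has a rigid structure (a "begin <mode> <filename>" header, length-prefixed lines drawn from a 64-character alphabet, an "end" trailer), so a content filter can locate such a block inside pasted document text, decode it and check the recovered bytes for a ZIP or executable signature before delivery. The sample "document" and the signature table below are constructed for the example.

```python
import binascii
import re

# Header line of a uuencoded block: "begin <octal mode> <filename>"
BEGIN_RE = re.compile(r"^begin [0-7]{3,4} \S")
# Deliberately tiny signature table; a real filter would use a full one.
MAGIC = {b"PK\x03\x04": "zip archive", b"MZ": "Windows executable"}

def find_uu_blocks(text):
    """Return [(filename, decoded_bytes)] for each well-formed uuencoded block.
    Body lines must start with a length char in ' '..'`' and decode cleanly."""
    blocks, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if not BEGIN_RE.match(lines[i]):
            i += 1
            continue
        filename = lines[i].split(" ", 2)[2]
        payload, ok, j = bytearray(), True, i + 1
        while j < len(lines) and lines[j].strip() != "end":
            line = lines[j]
            j += 1
            if not line:                      # tolerate blank lines from pasting
                continue
            try:
                if not 0x20 <= ord(line[0]) <= 0x60:
                    raise binascii.Error("outside the uuencode alphabet")
                payload += binascii.a2b_uu(line)
            except binascii.Error:
                ok = False
                break
        if ok and j < len(lines):             # stopped on a proper "end" trailer
            blocks.append((filename, bytes(payload)))
        i = j + 1 if ok else j                # skip the "end" line when there was one
    return blocks

def classify(data):
    """Label decoded bytes by file signature."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"

def build_sample():
    """Constructed sample: a fake ZIP header (not a real archive) uuencoded
    and pasted into harmless document text, as the post describes."""
    fake_zip = b"PK\x03\x04" + bytes(range(60))
    body = "".join(binascii.b2a_uu(fake_zip[k:k + 45]).decode("ascii")
                   for k in range(0, len(fake_zip), 45))
    return "Quarterly numbers attached.\nbegin 644 data.zip\n" + body + " \nend\nRegards\n"
```

Running `classify(data)` over each block returned by `find_uu_blocks(build_sample())` flags the pasted text as a zip archive even though no attachment was ever sent.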

(And a final word about USB mass storage devices.  If your DLP vendor relies on the USB firmware, USB vendor ID, serial number or other token from the device to allow or deny access to the USB hardware, then it’s already game over.  With sufficient cunning one can overwrite the USB firmware, or one can program one’s own EPROM to masquerade as an allowed device while actually being something else.)
