Data. Loss. Prevention. Sounds wonderful, no? But in our cyber village every one of us is told that DLP will stop data loss. The trouble is that it’s predicated on people following the rules, and the vendor’s pitch will be all about the normal cases: stopping email attachments (data and executables) and USB mass storage devices.
Here are a couple of scenarios to throw to the vendor during that presentation.
1. I’ll build a LAN
Assuming that one is protecting the hard, crunchy perimeter, a miscreant might simply decide to take the data out through a non-monitored channel. They plug in a desktop switch and then map a drive, upload through PHP to a local web server, or use FTP (e.g. FileZilla) or SSH (e.g. PuTTY) to extract files. Job done.
2. I’ll use the tools you’ve already given me: Word
Microsoft Word will happily embed anything. Simply embed an executable into the document and email away. You may need to change the file extension, but a miscreant can easily email an executable to themselves or data to someone else. If the mail gateway blocks encrypted attachments, simply include the encrypted file inside a Microsoft Word container. Ba Boom.
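The mirror image of this scenario, for the gateway side, is to open the Word container and look at what it actually carries rather than at the attachment name. A .docx is a zip file, and anything inserted via Insert > Object is stored under word/embeddings/, wrapped in an OLE compound file, so an executable is only found by looking inside that wrapper. The example below is added here and is not code from the post; the sample document it builds is constructed in memory, with a fake OLE header and a fake DOS stub rather than a real executable, so it runs offline.

```python
import io
import zipfile

# Well-known file signatures (not specific to this post)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file, the wrapper Word uses for "Package" objects
PE_STUB = b"This program cannot be run in DOS mode"  # DOS-stub text carried by practically every PE file
MAGICS = {
    OLE_MAGIC: "OLE compound file",
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"\x7fELF": "ELF executable",
}


def sniff(data):
    """Label the content by its leading magic bytes, or 'unknown'."""
    for magic, label in MAGICS.items():
        if data.startswith(magic):
            return label
    return "unknown"


def inspect_docx(docx_bytes):
    """List every embedded object in a .docx (a zip container) with what it looks like.

    Objects inserted via Insert > Object land under word/embeddings/ whatever their
    extension, so the gateway should look there rather than at the attachment name.
    An embedded .exe is wrapped in an OLE compound file, so the PE is only visible
    by looking inside that wrapper (here: a search for the DOS-stub text).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = z.read(name)
            kind = sniff(data)
            findings.append({
                "member": name,
                "type": kind,
                "contains_pe": kind == "PE executable" or PE_STUB in data,
            })
    return findings


def build_sample_docx(with_embedded_exe):
    """Constructed sample: a minimal .docx-shaped zip.  The embedded object is a
    fake OLE header followed by a fake DOS stub; it is neither a real OLE file nor
    a real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_embedded_exe:
            fake_package = OLE_MAGIC + b"\x00" * 504 + b"MZ\x90\x00" + b"\x00" * 60 + PE_STUB
            z.writestr("word/embeddings/oleObject1.bin", fake_package)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("embedded exe:", flag, inspect_docx(build_sample_docx(flag)))
```

The same container walk applies to .xlsx and .pptx (xl/embeddings/ and ppt/embeddings/ respectively); a gateway that only renames or blocks by extension never reaches this layer.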
3. I’ll use the tools you’ve already given me: WinZip
WinZip is now a feature-rich client. It’s often installed in moderately secure environments and comes with two great features: “Split” and “UUencode”.
Split does just that. It will split up the miscreant’s 200 MB zip archive of their employer’s data into nice 5 MB files that they can now easily fire through the mail gateway.
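A split archive leaves a fingerprint the gateway can read: only the final segment carries the zip end-of-central-directory (EOCD) record, and in a split archive that record's disk-number fields are non-zero and the entries-on-this-disk count is below the total, while the earlier segments are not parseable as complete zips at all. The example below is added here and is not code from the post or from WinZip; it builds an ordinary archive in memory and then patches its EOCD to look like the last segment of a four-part split (a constructed sample, since a real splitter would also spread the data across segments).

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
# end-of-central-directory record: signature, this disk, disk holding the central
# directory, entries on this disk, entries in total, CD size, CD offset, comment length
EOCD_FMT = "<4sHHHHIIH"
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def find_eocd(data):
    """Offset of the EOCD record, or -1.  It lives within the last 22 + 65535
    bytes because a zip comment may be up to 64 KiB long."""
    tail = data[-(EOCD_LEN + 0xFFFF):]
    pos = tail.rfind(EOCD_SIG)
    return -1 if pos < 0 else len(data) - len(tail) + pos


def multipart_zip_info(data):
    """Report whether a zip attachment is the final segment of a split archive.

    Returns None when there is no EOCD: either not a zip, or one of the earlier
    segments (.z01, .z02, ...) of a split archive, which carry no EOCD at all.
    """
    pos = find_eocd(data)
    if pos < 0:
        return None
    _, this_disk, cd_disk, n_here, n_total, _, _, _ = struct.unpack_from(EOCD_FMT, data, pos)
    return {
        "this_disk": this_disk,
        "cd_disk": cd_disk,
        "entries_here": n_here,
        "entries_total": n_total,
        "is_split": this_disk != 0 or cd_disk != 0 or n_here != n_total,
    }


def build_single_zip():
    """Constructed sample: an ordinary one-part archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.txt", "constructed sample content\n" * 50)
    return buf.getvalue()


def build_split_last_segment(single, disks=4):
    """Constructed sample: rewrite the EOCD so the file presents itself as the
    final segment (disk 3) of a 4-disk split archive."""
    pos = find_eocd(single)
    sig, _, _, n_here, n_total, cd_size, cd_off, clen = struct.unpack_from(EOCD_FMT, single, pos)
    patched = struct.pack(EOCD_FMT, sig, disks - 1, disks - 1, n_here, n_total, cd_size, cd_off, clen)
    return single[:pos] + patched + single[pos + EOCD_LEN:]


if __name__ == "__main__":
    whole = build_single_zip()
    print("single:", multipart_zip_info(whole))
    print("split last segment:", multipart_zip_info(build_split_last_segment(whole)))
```

A practical policy built on this is to hold any attachment that is either a final split segment or a zip-named file with no EOCD, and to correlate segments from the same sender over a short window, which is what the split feature is relying on nobody doing.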
UUencode is even better. It will turn a zip file of data or of a binary into plain old text. The miscreant can then simply paste the text into a Word document and fire that through the mail gateway. There’s nothing to stop because there’s nothing to pattern match against. As an example of how useful this is, let’s pack up Notepad and send it by text.
First we add Notepad to WinZip
Then we UUencode it
Then we open it in Notepad (change the extension to TXT to make life easier)
The text for this starts as:
M4$L#!!0``@`(`.T4[CKEO?/]*AH"``#T`@`+````;F]T97!A9"YE>&7L_0E\
M3=<;,`+O3,00)X9#@A`$B1A"4!$AAQ/.X80@).9$!@F9).<0!(DDB.V82LVJ
MR9:VVM)J2VC%&/,\ST4Y$4,T571:W_,\:YTAP?]]W_O>[W[W?O=_\MMY]EYK
So now it’s a simple matter either to send or to receive the text and then to use WinZip to reassemble it.
Just what the doctor ordered.
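“Nothing to pattern match against” holds only for a gateway that is looking for file signatures. UUencoded text has a structure of its own: the first character of each line encodes how many raw bytes it carries (0 to 45), every 3 raw bytes become 4 characters, and every character lies in ASCII 0x20 to 0x60, so the line length is fixed by its first character and ordinary prose almost never satisfies that. The detector below is added here and is not code from the post; it scans free text for runs of such lines, decodes them with the standard binascii.a2b_uu, and sniffs the decoded bytes for well-known magic. The sample document it scans is constructed in memory with a fake zip-like payload; it also decodes the first encoded line printed above (the post's own notepad.exe sample), which comes out as a zip local-file header naming notepad.exe.

```python
import binascii
import re

UU_CHARS = re.compile(r"^[ -`]+$")   # uuencode alphabet is ASCII 0x20..0x60; WinZip writes '`' for zero
MIN_RUN = 3                          # shorter runs are treated as coincidence
MAGICS = {b"PK\x03\x04": "ZIP archive", b"MZ": "PE executable", b"\x7fELF": "ELF executable"}

# First encoded line of the post's notepad.exe sample, copied from the text above
PAGE_LINE = 'M4$L#!!0``@`(`.T4[CKEO?/]*AH"``#T`@`+````;F]T97!A9"YE>&7L_0E\\'


def uu_line_payload(line):
    """Decode one uuencode body line, or return None if the line is not one.

    The first character encodes the number of raw bytes and every 3 raw bytes
    become 4 characters, so the expected line length follows from the first
    character alone; anything that fails that check is not treated as uuencode.
    """
    line = line.rstrip("\r\n")
    if not line or not UU_CHARS.match(line):
        return None
    n = (ord(line[0]) - 32) & 63
    if len(line) != 1 + ((n + 2) // 3) * 4:
        return None
    try:
        return binascii.a2b_uu(line)
    except binascii.Error:
        return None


def find_uuencoded_payloads(text):
    """Scan free text for runs of uuencode lines; decode each run and sniff its magic."""
    runs, current, start = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        chunk = uu_line_payload(line)
        if chunk is None:
            if len(current) >= MIN_RUN:
                runs.append((start, current))
            current, start = [], None
            continue
        if start is None:
            start = lineno
        current.append(chunk)
    if len(current) >= MIN_RUN:
        runs.append((start, current))

    hits = []
    for start, chunks in runs:
        payload = b"".join(chunks)
        kind = next((label for magic, label in MAGICS.items() if payload.startswith(magic)), "unknown")
        hits.append({"start_line": start, "lines": len(chunks), "payload": payload, "type": kind})
    return hits


def build_sample_text():
    """Constructed sample: a fake zip-like payload uuencoded with '`' for zero
    (as WinZip does) and pasted between ordinary lines of a document."""
    payload = b"PK\x03\x04" + bytes(range(256))
    encoded = "".join(
        binascii.b2a_uu(payload[i:i + 45], backtick=True).decode("ascii")
        for i in range(0, len(payload), 45)
    )
    text = "Quarterly summary\n\nSee attached figures.\n" + encoded + "`\nend\nRegards\n"
    return text, payload


if __name__ == "__main__":
    sample, _ = build_sample_text()
    for hit in find_uuencoded_payloads(sample):
        print(hit["start_line"], hit["lines"], hit["type"], hit["payload"][:8])
    print("post's first line decodes to:", uu_line_payload(PAGE_LINE)[:4], uu_line_payload(PAGE_LINE)[30:41])
```

The same length-and-alphabet check runs equally well over text extracted from a Word document, so the gateway's content inspection can be applied after the document is unpacked rather than only to raw attachments.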
Make sure your DLP vendor has an answer to these scenarios.
(And a final word about USB mass storage devices. If your DLP vendor relies on the USB firmware, USB vendor ID, serial number or other token from the device to allow or deny access to the USB hardware, then it’s already game over. With sufficient cunning one can overwrite the USB firmware, or program one’s own EPROM to masquerade as an allowed device while actually being something else.)