When stolen data can ‘phone home’

Tracking devices are nothing new. In the auto industry, multiple vendors compete to convince drivers to install the devices in their cars, promising that if a car gets stolen, the cops will know right where to find it. In law enforcement, criminals on probation are sometimes required to wear an ankle bracelet that does the same thing: it tells authorities exactly where they are.

It is also possible to do that with data. Digital watermarking can track where data is being viewed or downloaded, and also identify the IP address and the type of device doing it. It is not in widespread use, according to experts, and could in some cases have privacy implications. But its advocates say that while it doesn't prevent a data breach, it can let an organization that has been breached know about it almost immediately, instead of months later.

Their mantra is: "Breaches are not preventable, but they are discoverable."

As Rich Campagna, vice president, products, at Bitglass put it, "The average data breach goes undetected for seven months. Identifying a breach early can help prevent further exfiltration and render breached data useless," by, for example, canceling and reissuing credit cards before they can be sold.

To demonstrate the effectiveness of watermarking and to illustrate how widely stolen data can "travel," Bitglass created a fake data file earlier this year of 1,568 names, Social Security numbers, credit card numbers, addresses and phone numbers. It watermarked the file and then posted it anonymously to Dropbox plus seven other sites on the Dark Web suspected of being cybercrime marketplaces.

According to the company, the watermarking can survive copying, pasting and other file manipulations. Every time the file is opened, it "calls home" with information on where and how it was accessed.

The company reported that after 12 days, the file had been accessed from 22 countries on five continents, including the U.S., Brazil, Nigeria, Hong Kong, Spain, Germany, the United Kingdom, France, Sweden, Canada, the Russian Federation, the Czech Republic, Italy and Turkey.

The data was viewed 1,081 times, with 47 unique downloads, and was accessed most frequently from Nigeria, Russia and Brazil. Campagna said that, "very few of the people who downloaded the file took any steps to obscure their location or device."

Of course, knowing where your stolen data went, or even who downloaded it, isn't going to help you get it back, as you might a car, or even erase it. Many of the countries from which the downloads occurred are essentially beyond the reach of U.S. law enforcement.

Still, knowing about it has enormous value, according to Paul Henry, IT security consultant for Blancco Technology Group, who said he has used watermarking in his incident response and forensics business since 2007.

"It's a great tool," he said. "I've used it in several email-related cases to determine specifically who was reading another party's email without their permission. I also use it with retained clients with their intellectual property-related data to eliminate false positives when searching sites like Pastebin and others on the Dark Web to see if their data shows up."

Henry agreed that there is value in being able to take measures quickly to mitigate damage from stolen data. But he said the amount of identification it provides can help in legal proceedings as well.

"When used properly, you actually can see an evidence trail that meets court requirements for admissibility," he said. "For enterprise businesses, that's going to help them solidify their intellectual property defense in court."

And, relatively speaking, it does not amount to big bucks. Campagna said watermarking is part of the company's broader security package with a monthly license fee starting at $5 per user.

While watermarking is still not nearly as common as software aimed at detecting and preventing malware, it got a burst of publicity during the past two weeks in connection with the high-profile hack of Hacking Team, the Italian company that sells hacking and surveillance tools to governments and law enforcement agencies, and is viewed as an "enemy of the Internet" by privacy and human rights groups.

Reportedly, Hacking Team watermarks its Galileo software, which would mean that anyone reading those hacked files will be able to find out who is using it and who their targets are.

That prompted Bruce Schneier, security guru and CTO at Resilient Systems, to muse on his blog, "It's one thing to have dissatisfied customers. It's another to have dissatisfied customers with death squads. I don't think the company is going to survive this."

Campagna said the Bitglass watermarking is different. "Hacking Team has watermarked its software to prevent piracy," he said. "A copy sold to the U.S. government would have a different watermark than a copy sold to the Russian government. If the software later showed up elsewhere, Hacking Team could track that copy back to the customer from which it was taken."

By contrast, he said, Bitglass watermarking is designed for visibility, wherever the data go. "When data is found on Dropbox or on an identity trafficking site, the company can verify that it was Paul from accounting that leaked the document, as an example," he said.

Still, Henry said there are legal and privacy implications with watermarking, since it causes a device to execute an instruction that does not come from the user and that the device would not execute on its own.

"Certain law enforcement agencies cannot cause a computer to exercise any instruction it would not have issued itself or it is considered entrapment," he said, "and a watermark does, in fact, cause the user's computer to exercise instructions it otherwise would not have issued."

And, as is the case with any security tool, it is not bulletproof. Henry said there is no doubt in his mind that a criminal savvy to watermarking, "could have the information containing the watermark and still remain undiscovered."

And Campagna acknowledged that it is possible to defeat a watermark by taking a screenshot of a file or converting it to plaintext.

Still, it is a visibility tool that Henry said could provide some legal muscle: what he called "the 'smoking gun' evidence" that could support a prosecution.


Stories by Taylor Armerding
