Slashdot Mirror


OpenDLP Aims To Stem Data Loss

rollcall writes "A new free and open source tool, OpenDLP, has been released that will help organizations fight data loss caused by stolen laptops, missing HDDs, or compromised systems. OpenDLP is managed from a centralized Web application and it can simultaneously send and control thousands of non-intrusive agents to Microsoft Windows systems over NetBIOS that look for user-defined regular expressions in data at rest. When sensitive data is found, the agents 'phone home' to the Web app with their results. While organizations have continued to lose sensitive data even though many commercial products are available to help prevent this, perhaps the introduction of a free alternative will finally spur organizations to locate their sensitive data proactively before it is lost."

53 comments

  1. It won't work. by Anonymous Coward · · Score: 0

    It just won't. That is all.

  2. Correct me if I'm wrong, but... by Mr_eX9 · · Score: 1

    ...isn't the problem with data loss NOT that the only copy of the data is physically lost, but that a copy of the data is out in the wild? This product seems to miss the point entirely.

    1. Re:Correct me if I'm wrong, but... by Amouth · · Score: 3, Informative

      in that sense yes - but it does fill a hole - if i have info that is supposed to ONLY be on the network or files servers and NOT on laptops that come and go in the building - i might add this to the laptops so that i can watch and catch people doing stupid things like copying a customer's folder locally then leaving.

      although given that it has limited file format understanding - and can't look in archives yet - this one seems a little on the useless side at the moment.. But maybe in a few months or a year they will get it where it might be something to look at - but from where their site has it.. this isn't ready for any enterprise.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:Correct me if I'm wrong, but... by CarpetShark · · Score: 3, Insightful

      You don't get it. With this, you can put an agent on the laptops with sensitive information to contact you and inform you that the laptops have sensitive information on them.

    3. Re:Correct me if I'm wrong, but... by LoRdTAW · · Score: 1

      But what if its a double agent?

    4. Re:Correct me if I'm wrong, but... by Anonymous Coward · · Score: 2, Funny

      Then you get twice as many reports.

    5. Re:Correct me if I'm wrong, but... by Anonymous Coward · · Score: 0

      Well, I guess if you have a deployment system to deploy the agents it would work. Because you sure don't want to deploy the agent from this console. Windows has a firewall for a reason and opening the machines to attack via SMB / Netbios would be silly. But if you deploy the agent via some deployment tech like SCCM / Tivoli, etc. it may be useful.

    6. Re:Correct me if I'm wrong, but... by CarpetShark · · Score: 1

      It's penetration by a double-agent that people need to worry about.

    7. Re:Correct me if I'm wrong, but... by Anonymous Coward · · Score: 0

      Double penetration? Don't worry. I can take it.

  3. Is OpenDLP a security issue? JCPenney uses GEMB by Anonymous Coward · · Score: 0

    Would OpenDLP allow the organization to search any computer, or just computers which have been set up by the organization?

    The "continued to lose sensitive data" link suggested that JC Penney credit cards may have been compromised. I have a JCP credit card, but JC Penney transferred their credit card business to GEMB (General Electric Merchant Bank) years ago. I don't know if new JCP credit cards are issued through JC Penney or through GEMB, but would guess that a hacker would need to break into GEMB (not just JC Penney) data in order to steal enough information to charge things to the stolen credit cards.

  4. Non-Intrusive agents? by gyrogeerloose · · Score: 3, Insightful

    it can simultaneously send and control thousands non-intrusive agents

    Anyone else out there find this statement just a bit worrisome?

    --
    This ain't rocket surgery.
    1. Re:Non-Intrusive agents? by fuzzyfuzzyfungus · · Score: 1

      It's not a botnet. The evil bit is set to 0 on all command and control packets.

    2. Re:Non-Intrusive agents? by bragr · · Score: 2, Informative

      Apparently you haven't run a large network. Anything we can't deploy automatically over the network pretty much gets tossed. We just don't have the time or the budget to go around to 600+ computers and install software. This principle pretty much drives our decision making for OS deployment, AV, apps, tools, etc. Something that was designed to deploy over a network, rather than something we can trick into deploying over a network, sounds wonderful.

    3. Re:Non-Intrusive agents? by gyrogeerloose · · Score: 1

      Yeah, if I'd read TFA more carefully, I would have noticed that this thing is designed to be deployed over a LAN, not the Internet. My bad.

      --
      This ain't rocket surgery.
    4. Re:Non-Intrusive agents? by physburn · · Score: 2, Funny

      Extremely; a whole organism has spyware put throughout its IT infrastructure, reporting to one central server that could be compromised to do, lord knows what harm.

      ---

      Computer Security Feed @ Feed Distiller

    5. Re:Non-Intrusive agents? by jimicus · · Score: 1

      And yet it's amazing how many products intended for use in large organisations have installation instructions along the lines of "Visit every workstation in turn, double-click on setup.exe and follow the instructions..."

  5. NetBIOS? by TubeSteak · · Score: 4, Interesting

    Turning off the NetBIOS service is one of the first things I do to any new computer.
    Or did MS finally secure NetBIOS while I wasn't looking?

    --
    [Fuck Beta]
    o0t!
    1. Re:NetBIOS? by Anonymous Coward · · Score: 0

      Are you from 1990?

    2. Re:NetBIOS? by Anonymous Coward · · Score: 0

      Do they really mean NETBIOS? Cause last time I checked NETBIOS didn't route that good. ;-)
      Maybe they mean something on top of NETBIOS on top of IP. Odd to specify a single part of a software stack like that... and a part that went out with the LUN.

    3. Re:NetBIOS? by Anonymous Coward · · Score: 0

      Yeah, those SAMBA people are crazy...
      And no one ever uses network shares any more.
      And WMI and other such tools are useless.

      Please never let me work at a company where you manage the network.

    4. Re:NetBIOS? by Anonymous Coward · · Score: 0

      Do they really mean NETBIOS? Cause last time I checked NETBIOS didn't route that good. ;-)

      That well. I think you meant to say that NetBIOS didn't route that well. In my opinion, that's a much better way of wording it since you'd only be wrong grammatically instead of both grammatically and technically wrong.

      NetBIOS routes fine (NetBEUI too, if you care). Most routers don't route it because it doesn't have obvious "layer 3" routing information, but the same can be said of SNA which is also routable (and also for which most routers can't route). I suppose we could be pedantic and say that because we want to consider NetBIOS a layer 6 protocol that it isn't being routed--and instead being handled via gateways--but then we might want to explain that the IP "default gateway," which is at layer 3, is called a gateway because gateways basically move things between networks.

      But seriously, even normal routers deal with NetBIOS fine using technologies like DLSW. Anyway, I'm getting cranky so it's probably time for a nap. It's tough getting old... Is this where I tell you to get off my lawn?

    5. Re:NetBIOS? by ducomputergeek · · Score: 2, Insightful

      I was thinking the same thing. We've been dealing with PCI certification stuff and one of the requirements is to turn off NetBIOS.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    6. Re:NetBIOS? by Anonymous Coward · · Score: 0

      So, what you are saying is "NetBIOS don't route that good". Isn't that what the first post said? WHY it don't route that good is beside the point.

  6. DLP? by mseeger · · Score: 3, Insightful

    Hmmm.... While this is useful for several security functions, it only covers a small part of what i would consider a DLP solution. When (for example) sensitive information has to be allowed on the Notebook or PC of an employee, i want to make sure of several things:

    • the disk is encrypted (or an alarm is raised),
    • writing it on a CD or USB-Stick is prevented or (when allowed) the file again will be encrypted (and can only be read on other company PCs) and
    • the information is neither sent by email nor uploaded through a web application outside the company.

    What i want is a tool that lets me formulate a Policy concerning the aspects mentioned above (and more). E.g. certain information must not be stored locally (covered), that information may be stored when certain security criteria are matched and this information shall not be sent by email (unless the employee confirms this has been cleared with manager X).

    Trying to prevent information from being stored on a PC of an employee is only a solution for a subset of the DLP problem. While i think this opensource solution is quite useful, the name "OpenDLP" led me to expect more.

    CU, Martin

    P.S. I already see some companies using this to search for the sensitive word "application" on all employees' hard disks ;-)

    1. Re:DLP? by bragr · · Score: 2, Insightful

      It may not be perfect or complete, but it is better than nothing, which is what a lot of companies have now.

    2. Re:DLP? by coolsnowmen · · Score: 1

      To do something like what you described, you'd need a filesystem that had an ACL for all trusted programs on your computer. So that any time a file is requested to be read, the fs checked to see if the requesting program has permission. You've now just made a lot of enemies on /. for implementing computer wide DRM.

    3. Re:DLP? by mseeger · · Score: 1

      For those companies who have nothing yet and the solution fits, you are correct. The trouble lies within "solution fits". If you are a typical company (e.g. your customer names being sensitive data) it will not help you to learn, that 95% of all employees have on average 23 files containing one of those names. It would help you more to find out, that a file containing more than 50 customer names is stored on an unsecured device (e.g. USB stick). Currently (IMHO) OpenDLP is more a company wide search tool.

      Where it could help you: You are a paranoid company developing a new smartphone version. You have specs for the new product and a code name. You want to scan all PCs to make sure that nobody has stored either the Specs or the code name on a network connected PC. But in this case you would need a Mac version of the software :-). Sorry Steve, couldn't resist.

      CU, Martin

    4. Re:DLP? by mseeger · · Score: 1

      Strangely i have made very few enemies on /. though i am often away from the mainstream here. Probably that's why i still wander around here :-). Doing IT (and IT-Security) for 20+ years gives me some pointed opinions. E.g. while i like an "Open" in any software name (especially if they mean it), it does not sanctify that software instantaneously.

      Besides in this case i won't be alone. Implementing any kind of effective DLP in the workplace of the average Slashdot-reader, you will make enemies by the dozen. But it's the same with all IT-security stuff. Read the article a few days ago on endpoint security (disk encryption). Security (with DLP being a subset) is always about policy. Policies are not made to be flexible, they are not meant to be more lax on the (often self rated) knowledgeable guy and they always lead to situations, where their application is only stupid. Good and bad security policies do not differ in that regard. The difference between those two is more subtle and usually lies within the mindset of the policy maker.

      CU, Martin

    5. Re:DLP? by vlm · · Score: 1

      It may not be perfect or complete, but it is better than nothing, which is what a lot of companies have now.

      No, it definitely has the possibility of being much worse for two reasons:

      1) False sense of security. Can't happen to us! It's the only tool and/or procedure we need! Why, it's the only tool we need, even for issues like SQL injection attacks against our public webserver full of customer data!

      2) False positives. For example, a nice simple regex to detect improper storage of CC #s would be sixteen digits surrounded by whitespace with a dash every 4 digits. The problem is, I take home my laptop where I'm writing training documents. I'm not stupid enough to use a real CC, so I use 9999-9999-9999-9999 in my power points. Now intentionally infecting the network with a virus would get someone fired, so why not fire anyone who tries to smuggle out CC numbers? And the software clearly triggered on my laptop because 9999-9999-9999-9999 fits the regex. Therefore, fired! Especially if I have enemies who merely need an excuse. And we can't disclose the internal details of our security system to someone who just tried to steal from us, so no recourse or explanations are possible.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    6. Re:DLP? by coolsnowmen · · Score: 1

      actually i've decided I was wrong.

      I think you could easily do that on a linux system today. If the encrypted partitions are mounted with only read permissions of a certain group, and all trusted programs are setgid and a member of that group, wouldn't that do what you wanted?
      That way you could only interact with the encrypted data using the trusted programs.

      Though, if one of those programs allowed you to copy/move the files, then the system could be circumvented, perhaps it does need to be done on the OS/kernel level.

      I give up for now.

    7. Re:DLP? by mseeger · · Score: 3, Insightful

      I think you could easily do that on a linux system today. If the encrypted partitions are mounted with only read permissions of a certain group, and all trusted programs are setgid and a member of that group, wouldn't that do what you wanted?

      This is a way to solve one technical aspect (i would guess you are correct about the technical aspect). The difficult thing is to design a solution that lets you enforce a policy in your enterprise. First it has to run in the environment that is already in place (i regret to inform the audience, that this usually isn't Linux). Second it should help you to enforce the policy and not force you to adapt the policy to the technical limitation of the solution. And third (and most important) the solution has to scale. While it is a relatively easy task to secure one PC or even a dozen, it is a hell of a job (real-life example) to do this for 12.000 PCs when you only have 5-6 guys for the IT-security (including firewalls, VPN, virus scanners, certificate management, anti spam solutions, RADIUS, WLAN, etc.).

      I give up for now.

      No surrender accepted :-) Keep on ....

      CU, Martin

    8. Re:DLP? by Anonymous Coward · · Score: 1, Insightful

      yes, that makes perfect sense and isn't at all paranoid or delusional, because the next logical step after the existence of this piece of software is that companies will blindly give it the ability to fire employees without any investigation or human intervention.

    9. Re:DLP? by Anonymous Coward · · Score: 0

      why not fire anyone whom tries to smuggle out CC numbers? And the software clearly triggered on my laptop because 9999-9999-9999-9999 fits the regex. Therefore, fired! Especially if I have enemies whom merely need an excuse.

      I agree. This software really needs to be fixed to protect vlm from enemies who only need an excuse to fire him. It's just not ready for the desktop before that feature is implemented.

    10. Re:DLP? by ArsonSmith · · Score: 1

      If you were to get fired because of something like what you describe, you were on the chopping block already.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    11. Re:DLP? by ArsonSmith · · Score: 1

      There's a company called Vormetric that's doing exactly this. They have an encryption piece and a model similar to SELinux that loads at the kernel level and gives you similar fine grained control not just of what user can do what but what user, using what program, can do what. Including locking down root.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
  7. I'm happy... by Securityemo · · Score: 1

    Now we just have to wait for the version that flatlines intruders through DNI overstimulation and erases the data from the attacking host(s).

    --
    Emotions! In your brain!
  8. "microsoft", "windows", "control", "non-intrusive" by pem · · Score: 2, Funny

    Too many oxymorons here -- I don't know where to start!

  9. Cure causes disease by russotto · · Score: 1

    The question that occurs to me is "How does it scan for sensitive information without revealing it?". That is, these regular expressions must contain strings which are uniquely (or nearly) found in sensitive information. Thus they, themselves, are very likely sensitive. And the agents containing them are running on computers which aren't supposed to contain sensitive information.

    If all the sensitive information is marked by caveats which are not, themselves, sensitive (e.g. "IBM Confidential"), and you're only worried about whole documents, you can get around that. But that's not the most common case, I don't think.

    1. Re:Cure causes disease by fuzzyfuzzyfungus · · Score: 1

      Hashes, perhaps?

      The SHA-1, or equivalent, of a sensitive file tells you basically nothing useful about that file (or if you are addressing situations where things are likely to be split up, you can look for hash matches for smaller subsections of potentially sensitive files).

      Since hashes are designed to detect tampering, that would largely ruin the value of the tool against dedicated exfiltrators (since making small modifications that result in totally different hashes, but do nothing to degrade the human utility of a file, is quite trivial); but it would allow you to address the vast field of "humans are stupid and lazy, and complexity invites mistakes" style leaks, without having the tool reveal anything useful about what it is looking for.
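As an added illustration of the hash-based approach described in the comment above (example code written for this page; it is not OpenDLP's code and not the commenter's): the scanner below fingerprints a sensitive document as SHA-256 hashes of overlapping six-word windows, so an agent carrying that fingerprint learns nothing about the text it is looking for. The window size, the sample memo and the candidate files are all constructed for the example. It goes one step beyond the comment by showing why per-window hashes survive the small edits that defeat a whole-file hash, and by catching a single sentence lifted into an otherwise unrelated e-mail.

```python
import hashlib
import re

# Window size in words (an assumption for this example; real tools tune it).
SHINGLE_WORDS = 6


def tokenize(text):
    """Lower-case and split on non-alphanumerics so punctuation and
    capitalisation changes do not break the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text, n=SHINGLE_WORDS):
    """SHA-256 of every run of n consecutive words; this set is all the
    agent ever needs to carry."""
    words = tokenize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
        for i in range(len(words) - n + 1)
    }


def build_fingerprint(sensitive_docs, n=SHINGLE_WORDS):
    """Union of window hashes over all documents to protect."""
    fp = set()
    for doc in sensitive_docs:
        fp |= shingle_hashes(doc, n)
    return fp


def count_matches(candidate_text, fingerprint, n=SHINGLE_WORDS):
    """How many windows of the candidate file are windows of a protected document."""
    return len(shingle_hashes(candidate_text, n) & fingerprint)


def file_hash(text):
    """Whole-file hash, for contrast: any edit at all changes it."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample data for the example (not real documents).
SENSITIVE_MEMO = ("Project Kestrel: the next handset ships in the third quarter with a "
                  "five inch display and dual radios. Pricing will be announced at the "
                  "partner summit in September.")
EDITED_COPY = SENSITIVE_MEMO.replace("five inch", "six inch")   # one-word edit
EXCERPT_IN_EMAIL = ("Reminder from the meeting: pricing will be announced at the partner "
                    "summit in September, so keep the deck internal.")
UNRELATED = "Lunch menu for Tuesday: soup, salad, and the sandwich bar will be open until two."

FINGERPRINT = build_fingerprint([SENSITIVE_MEMO])


def scan(files, fingerprint=FINGERPRINT, threshold=3):
    """Report files with at least `threshold` matching windows
    (the threshold is an assumed tuning knob)."""
    hits = {name: count_matches(text, fingerprint) for name, text in files.items()}
    return {name: n for name, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    files = {"memo.txt": SENSITIVE_MEMO, "memo-v2.txt": EDITED_COPY,
             "mail.txt": EXCERPT_IN_EMAIL, "lunch.txt": UNRELATED}
    print("whole-file hash of edited copy still matches:",
          file_hash(EDITED_COPY) == file_hash(SENSITIVE_MEMO))
    for name, n in scan(files).items():
        print(f"{name}: {n} matching windows")
```

The one-word edit invalidates only the six windows that contain the changed word, so the edited copy still shares 17 of its 23 windows with the memo; the e-mail that quotes one sentence shares 5; the lunch menu shares none. As the comment notes, a determined exfiltrator can defeat this by rewriting every window, but the fingerprint on the agent reveals nothing about the memo's contents.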

    2. Re:Cure causes disease by Jaime2 · · Score: 2, Informative

      Here is a regular expression for the most common types of credit card numbers:

      ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

      Notice that it contains no sensitive information. I would guess that 90% of lost sensitive information that causes a panic contains either credit card numbers or social security numbers.

  10. Ooh, ooh, I've got a regex to use! by TheSpoom · · Score: 2, Insightful

    ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

    Oh yeah, it'll totally prevent loss...

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:Ooh, ooh, I've got a regex to use! by corychristison · · Score: 2, Informative

      For those wondering, that regex is used as a simple verification if a credit card number is entered according to the various numbering schemes used by major credit card companies.

      So, essentially the parent is pointing out that it could be used to find unencrypted credit card numbers stored on the hard drives of those controlled by OpenDLP.

    2. Re:Ooh, ooh, I've got a regex to use! by Anonymous Coward · · Score: 0

      For those wondering, that regex is used as a simple verification if a credit card number is entered according to the various numbering schemes used by major credit card companies.

      So, essentially the parent is pointing out that it could be used to find unencrypted credit card numbers stored on the hard drives of those controlled by OpenDLP.

      Even better, it's actually a feature

      "Performs additional checks on potential credit card numbers to reduce false positives" (from tfa)

  11. Do I get this right? by Anonymous Coward · · Score: 0

    So, in order to look for sensitive data in the wild I have to send sensitive data to agents in the wild?

    At least they can claim a 100% hit rate.

  12. Review of tool by RockPaperScissors · · Score: 2, Informative

    A review of the tool was done a couple of days ago: http://blog.rootshell.be/2010/04/30/keep-an-eye-on-your-data-using-opendlp/

  13. important problems solved by ascari · · Score: 1

    This product seems to solve two hacking problems in one fell swoop. First, it's well known that social engineering is time consuming. Secondly, once you have your hands on somebody else's data it's tedious to figure out which bits are the good ones.

    With OpenDLP it's left to the user to set up a rudimentary botnet and then identify the juicy parts through a regex. Brilliant!

    OK it might not be so, but nothing on the project website suggests it isn't. We'll know for sure only if the next release automates the transfer of bank info to Nigeria.

  14. Re:DLP? Read these and answer your own question by b4dc0d3r · · Score: 1

    Performs additional checks on potential credit card numbers to reduce false positives

    http://en.wikipedia.org/wiki/Luhn_algorithm

    http://bavister.org/tools/genLuhn.php

    9999-9999-9999-9999 has Luhn check-digit 6

    False sense of security is a big problem, but you went overboard on your false positives example. Try again?

  15. What about context? by Anonymous Coward · · Score: 0

    Let's say you're an organization that cares more about intellectual property loss than personally identifiable information loss. What good is a text-string search going to get you when your content is an AutoCAD drawing with no searchable text? What I've come to find is that determining WHERE content comes from (drawing repository, ERP, CRM, etc.) is often more relevant to protecting data than trying to search for strings of text that might miss huge amounts of data you just couldn't knowingly develop a regex for.

    This is an interesting first pass at a free DLP tool (the enterprise tools out there today are ridiculously expensive for small organizations), but until context is the main approach to a tool's attempt to stop data loss, it's inevitably going to leave the implementing company with rather large gaps in its data protection strategy.

  16. Re:DLP? Read these and answer your own question by way2trivial · · Score: 1

    sure - at my work we always used 42 + 12 zeros to fake out our POS system.

    it does check out.. and if I were writing something to test, I'd use that

    however, I'd also expect that a positive result on the security software under discussion would be followed up on by a human eye looking at the data-- at which point it would be dismissed from consideration as a violation...

    --
    every day http://en.wikipedia.org/wiki/Special:Random
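The issuer regex quoted by Jaime2 above and the Luhn check that b4dc0d3r points to, combined into one small scanner as an added example (written for this page; it is not OpenDLP's code, and the thread only says OpenDLP performs "additional checks" on card numbers without saying which). The candidate-token pattern, the sample text and the three-way classification are constructed for this example. It runs the thread's own test values: 9999-9999-9999-9999 never even reaches the Luhn stage, because no issuer branch of the regex begins with 9 (the Luhn check-digit function does return 6 for sixteen nines as a payload, the figure quoted above, while the sixteen-digit number itself fails the check); a Visa-prefixed number with a typo in its last digit passes the regex but fails Luhn; and 42 followed by twelve zeros passes both, as way2trivial says.

```python
import re

# Issuer pattern quoted by Jaime2 in the thread, with the ^ and $ anchors
# dropped because re.fullmatch() anchors it for us.
ISSUER_RE = re.compile(
    r"(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}"
    r"|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})"
)

# Candidate tokens: 13 to 19 digits, optionally separated by spaces or dashes,
# not glued to other digits (this pattern is an assumption for the example).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Standard Luhn mod-10 check over a digit string (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled once a check digit follows it
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def classify(raw):
    """Three outcomes: issuer regex miss, Luhn failure, or confirmed card number."""
    digits = re.sub(r"[ -]", "", raw)
    if not ISSUER_RE.fullmatch(digits):
        return "prefix_mismatch"
    if not luhn_valid(digits):
        return "luhn_fail"
    return "confirmed"


def scan_text(text):
    """Every candidate token in the text, paired with its classification."""
    return [(m.group(0), classify(m.group(0))) for m in CANDIDATE_RE.finditer(text)]


def confirmed_numbers(text):
    """What an agent would actually report: candidates that survive both checks."""
    return [raw for raw, verdict in scan_text(text) if verdict == "confirmed"]


# Constructed sample file contents (no real card numbers).
SAMPLE = """Slide placeholder: 9999-9999-9999-9999 (fake number for training)
POS test card: 4200 0000 0000 0000
Customer record (typo in last digit): 4111 1111 1111 1112
Support ticket 20100430123456 closed
"""

if __name__ == "__main__":
    for raw, verdict in scan_text(SAMPLE):
        print(f"{raw!r:28} -> {verdict}")
    print("reported:", confirmed_numbers(SAMPLE))
```

Only the POS test value is reported; the other three candidates are dropped by the issuer prefix or by Luhn. The point for vlm's false-positive worry is that the two cheap checks remove the obvious placeholders before a human ever sees the hit, and the point for russotto's worry is that neither check carries any customer data.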
  17. So if it's not in plain text... by gravyface · · Score: 1

    Then you're pretty much hosed? .doc, .ppt, .xls, etc. Sure, this OpenDLP may have a viewer, but what about .osts? .psts? .mdb? .edb? In Windows land, there are so many opaque file formats and databases that to a regex parser would be garbage, but in knowledgeable hands can easily be opened and viewed.

    --
    body massage!
    1. Re:So if it's not in plain text... by jimicus · · Score: 1

      If you run most of those files through strings(1), you'll find that quite often the important data is stored as plaintext within the file.

      I'm more concerned that the developers decided the best way to manage this over a network was to use NetBIOS. I can't think of anything less suitable for a modern network - lots of companies disable it, it was designed for use over a single, localised subnet and performs very poorly over a slow (think WAN or VPN) link and looking at Windows 7, I'd say that while it's not going to happen for a while yet, Microsoft are heading in the direction of obsoleting the protocol in its entirety.

      More to the point, there have been plenty of instances where laptops complete with sensitive information have gone missing. We know that happens already, we know if somebody's laptop goes walkies there's a strong chance of this. We don't need software to confirm this, we need one or more of:

      • Managed encryption (no truecrypt won't do - the benefit of things like the commercial versions of PGP is that they store keys in escrow so you don't need to tell the CEO that without his password his laptop will have to be wiped. I'm aware of the security issues inherent in storing keys in escrow, but I guarantee you that in most businesses the CEO is quite happy to take the chance with a secured escrow server if the alternative is that without the password his laptop has just become a very expensive brick).
      • Remote disk wiping. You probably don't need to wipe the entire disk to military standards - just overwrite all the metadata and any files which you know are sensitive, eg. private encryption keys. Frankly, the kind of person who remote disk wiping will be a barrier to is the junkie who's looking to sell your laptop for his next fix - it's vanishingly unlikely that said junkie will recognise the value of anything confidential on there, much less be equipped to take advantage of that. The organised criminal will have the laptop in some sort of faraday cage before you've even noticed it's missing, in which case you wouldn't be able to remotely wipe it anyhow.
  18. Is That "Ironic?" by Maarx · · Score: 1

    That well. I think you meant to say that NetBIOS didn't route that well. In my opinion, that's a much better way of wording it since you'd only be wrong grammatically instead of both grammatically and technically wrong.

    Anyone else notice that parent, in an attempt to be witty with his grammatical retort, inadvertently inverted the logic of his sentence, thereby opening himself to the same criticisms? I wonder if there are individuals on /. who might wish to draw attention to such a mistake?

  19. Seems very limited compared to a commercial DLP by Anonymous Coward · · Score: 0

    Like the Vericept/Trustwave one.
    https://www.trustwave.com/dlp-overview.php