OpenDLP Aims To Stem Data Loss
rollcall writes "A new free and open source tool, OpenDLP, has been released that will help organizations fight data loss caused by stolen laptops, missing HDDs, or compromised systems. OpenDLP is managed from a centralized Web application and it can simultaneously send and control thousands of non-intrusive agents to Microsoft Windows systems over NetBIOS that look for user-defined regular expressions in data at rest. When sensitive data is found, the agents 'phone home' to the Web app with their results. While organizations have continued to lose sensitive data even though many commercial products are available to help prevent this, perhaps the introduction of a free alternative will finally spur organizations to locate their sensitive data proactively before it is lost."
Correct me if I'm wrong, but... (Score:2)
Re:Correct me if I'm wrong, but... (Score:4, Informative)
In that sense yes - but it does fill a hole - if I have info that is supposed to ONLY be on the network or file servers and NOT on laptops that come and go in the building - I might add this to the laptops so that I can watch and catch people doing stupid things like copying a customer's folder locally then leaving.
Although given that it has limited file format understanding - and can't look in archives yet - this one seems a little on the useless side at the moment.. But maybe in a few months or a year they will get it where it might be something to look at - but from where their site has it.. this isn't ready for any enterprise.
Re:Correct me if I'm wrong, but... (Score:4, Insightful)
You don't get it. With this, you can put an agent on the laptops with sensitive information to contact you and inform you that the laptops have sensitive information on them.
Re: (Score:2)
But what if it's a double agent?
Re: (Score:2, Funny)
Re: (Score:2)
It's penetration by a double-agent that people need to worry about.
Non-Intrusive agents? (Score:3, Insightful)
it can simultaneously send and control thousands of non-intrusive agents
Anyone else out there find this statement just a bit worrisome?
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:1)
Yeah, if I'd read TFA more carefully, I would have noticed that this thing is designed to be deployed over a LAN, not the Internet. My bad.
Re: (Score:2)
And yet it's amazing how many products intended for use in large organisations have installation instructions along the lines of "Visit every workstation in turn, double-click on setup.exe and follow the instructions..."
Re: (Score:3, Funny)
NetBIOS? (Score:5, Interesting)
Turning off the NetBIOS service is one of the first things I do to any new computer.
Or did MS finally secure NetBIOS while I wasn't looking?
Is That "Ironic?" (Score:1)
That well. I think you meant to say that NetBIOS didn't route that well. In my opinion, that's a much better way of wording it since you'd only be wrong grammatically instead of both grammatically and technically wrong.
Anyone else notice that parent, in an attempt to be witty with his grammatical retort, inadvertently inverted the logic of his sentence, thereby opening himself to the same criticisms? I wonder if there are individuals on /. who might wish to draw attention to such a mistake?
Re: (Score:3, Insightful)
I was thinking the same thing. We've been dealing with PCI certification stuff and one of the requirements is to turn off NetBIOS.
DLP? (Score:4, Insightful)
Hmmm.... While this is useful for several security functions, it only covers a small part of what I would consider a DLP solution. When (for example) sensitive information has to be allowed on the notebook or PC of an employee, I want to make sure of several things:
What I want is a tool that lets me formulate a policy concerning the aspects mentioned above (and more). E.g. certain information must not be stored locally (covered), that information may be stored when certain security criteria are matched, and this information shall not be sent by email (unless the employee confirms this has been cleared with manager X).
Trying to prevent information from being stored on an employee's PC is only a solution for a subset of the DLP problem. While I think this open source solution is quite useful, the name "OpenDLP" led me to expect more.
CU, Martin
P.S. I already see some companies using this to search for the sensitive word "application" on all employees' hard disks ;-)
Re: (Score:2, Insightful)
Re: (Score:2)
For those companies who have nothing yet and the solution fits, you are correct. The trouble lies within "solution fits". If you are a typical company (e.g. your customer names being sensitive data) it will not help you to learn that 95% of all employees have on average 23 files containing one of those names. It would help you more to find out that a file containing more than 50 customer names is stored on an unsecured device (e.g. USB stick). Currently (IMHO) OpenDLP is more a company-wide search tool.
Wher
Re: (Score:2)
It may not be perfect or complete, but it is better than nothing, which is what a lot of companies have now.
No, it definitely has the possibility of being much worse for two reasons:
1) False sense of security. Can't happen to us! It's the only tool and/or procedure we need! Why, it's the only tool we need, even for issues like SQL injection attacks against our public webserver full of customer data!
2) False positives. For example, a nice simple regex to detect improper storage of CC #s would be sixteen digits surrounded by whitespace with a dash every 4 digits. The problem is, I take home my laptop where I'm w
Re:DLP? Read these and answer your own question (Score:2)
http://en.wikipedia.org/wiki/Luhn_algorithm [wikipedia.org]
http://bavister.org/tools/genLuhn.php [bavister.org]
False sense of security is a big problem, but you went overboard on your false positives example. Try again?
Re: (Score:2)
Sure - at my work we always used 42 + 12 zeros to fake out our POS system.
it does check out.. and if I were writing something to test, I'd use that
however, I'd also expect that a positive result on the security software under discussion would be followed up on by a human eye looking at the data-- at which point it would be dismissed from consideration as a violation...
Re: (Score:1, Insightful)
yes, that makes perfect sense and isn't at all paranoid or delusional, because the next logical step after the existence of this piece of software is that companies will blindly give it the ability to fire employees without any investigation or human intervention.
Re: (Score:2)
If you were to get fired because of something like what you describe, you were on the chopping block already.
Re: (Score:2)
To do something like what you described, you'd need a filesystem that had an ACL for all trusted programs on your computer. So that any time a file is requested to be read, the fs checked to see if the requesting program has permission. You've now just made a lot of enemies on /. for implementing computer-wide DRM.
Re: (Score:2)
Strangely, I have made very few enemies on /., though I am often away from the mainstream here. Probably that's why I still wander around here :-). Doing IT (and IT security) for 20+ years gives me some pointed opinions. E.g. while I like an "Open" in any software name (especially if they mean it), it does not sanctify that software instantaneously.
Besides, in this case I won't be alone. If you implement any kind of effective DLP in the workplace of the average Slashdot reader, you will make enemies by the dozen. B
Re: (Score:2)
Actually, I've decided I was wrong.
I think you could easily do that on a Linux system today. If the encrypted partitions are mounted with only read permissions for a certain group, and all trusted programs are setgid and a member of that group, wouldn't that do what you wanted?
That way you could only interact with the encrypted data using the trusted programs.
Though, if one of those programs allowed you to copy/move the files, then the system could be circumvented; perhaps it does need to be done on the OS/
Re:DLP? (Score:4, Insightful)
I think you could easily do that on a Linux system today. If the encrypted partitions are mounted with only read permissions for a certain group, and all trusted programs are setgid and a member of that group, wouldn't that do what you wanted?
This is a way to solve one technical aspect (I would guess you are correct about the technical aspect). The difficult thing is to design a solution that lets you enforce a policy in your enterprise. First, it has to run in the environment that is already in place (I regret to inform the audience that this usually isn't Linux). Second, it should help you to enforce the policy and not force you to adapt the policy to the technical limitations of the solution. And third (and most important), the solution has to scale. While it is a relatively easy task to secure one PC or even a dozen, it is a hell of a job (real-life example) to do this for 12.000 PCs when you only have 5-6 guys for IT security (including firewalls, VPN, virus scanners, certificate management, anti-spam solutions, RADIUS, WLAN, etc.).
I give up for now.
No surrender accepted :-) Keep on ....
CU, Martin
Re: (Score:2)
There's a company called Vormetric that's doing exactly this. They have an encryption piece and a model similar to SELinux that loads at the kernel level and gives you similar fine grained control not just of what user can do what but what user, using what program, can do what. Including locking down root.
I'm happy... (Score:2)
"microsoft", "windows", "control", "non-intrusive" (Score:3, Funny)
Cure causes disease (Score:2)
The question that occurs to me is "How does it scan for sensitive information without revealing it?". That is, these regular expressions must contain strings which are uniquely (or nearly) found in sensitive information. Thus they, themselves, are very likely sensitive. And the agents containing them are running on computers which aren't supposed to contain sensitive information.
If all the sensitive information is marked by caveats which are not, themselves, sensitive (e.g. "IBM Confidential"), and you'r
Re: (Score:2)
The SHA-1, or equivalent, of a sensitive file tells you basically nothing useful about that file (or if you are addressing situations where things are likely to be split up, you can look for hash matches for smaller subsections of potentially sensitive files).
Since hashes are designed to detect tampering, that would largely ruin the value of the tool against dedicated exfiltrators (since making small modifications that result in totally different hashes; but do nothing to degrade the hum
Re: (Score:3, Informative)
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$
Notice that it contains no sensitive information. I would guess that 90% of lost sensitive information that causes a panic contains either credit card numbers or social security numbers.
Ooh, ooh, I've got a regex to use! (Score:3, Insightful)
^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$
Oh yeah, it'll totally prevent loss...
Re: (Score:3, Informative)
For those wondering, that regex is used as a simple check of whether a credit card number is entered according to the various numbering schemes used by major credit card companies.
So, essentially the parent is pointing out that it could be used to find unencrypted credit card numbers stored on the hard drives of those controlled by OpenDLP.
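Tying together the false-positive discussion above (a bare sixteen-digit pattern versus a Luhn check, and the "42 + 12 zeros" test number) with the issuer-prefix regex quoted in this thread, here is an added Python example, not OpenDLP's code nor any poster's, that scans constructed sample text for card-number candidates, applies the thread's regex, and then drops anything that fails the Luhn checksum:

```python
import re

# Issuer-prefix/length regex exactly as quoted in the thread above.
CARD_RE = re.compile(
    r"^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}"
    r"|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$"
)

# Candidate runs of 13-19 digits, optionally split by single spaces or dashes
# (the "dash every 4 digits" layout mentioned in the thread).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold >9 down, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, require_luhn: bool = True) -> list:
    """Return normalised digit strings that match the issuer regex (and Luhn, if required)."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not CARD_RE.match(digits):
            continue            # right length, wrong issuer prefix: not a card number
        if require_luhn and not luhn_ok(digits):
            continue            # looks like a card number but checksum fails
        hits.append(digits)
    return hits


# Constructed sample text (not real data).
SAMPLE = (
    "invoice 1234-5678-9012-3456 paid\n"      # sixteen digits, no issuer prefix
    "test card 4200000000000000 from POS\n"   # the thread's 42 + 12 zeros: regex and Luhn pass
    "typo 4111 1111 1111 1112 in notes\n"     # issuer regex passes, Luhn fails
    "phone 555-0100 extension 12\n"           # too short to be a candidate at all
)

if __name__ == "__main__":
    print("regex only:", find_card_numbers(SAMPLE, require_luhn=False))
    print("regex + Luhn:", find_card_numbers(SAMPLE))
```

With the checksum enabled only the POS test number survives; the mistyped Visa-like string is reported only when Luhn is switched off, which is the reduction in false positives the thread is arguing about.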
Review of tool (Score:2, Informative)
important problems solved (Score:1)
This product seems to solve two hacking problems in one fell swoop. First, it's well known that social engineering is time consuming. Secondly, once you have your hands on somebody else's data it's tedious to figure out which bits are the good ones.
With OpenDLP it's left to the user to set up a rudimentary botnet and then identify the juicy parts through a regex. Brilliant!
OK it might not be so, but nothing on the project website suggests it isn't. We'll know for sure only if the next release automates th
So if it's not in plain text... (Score:2)
Re: (Score:2)
If you run most of those files through strings(1), you'll find that quite often the important data is stored as plaintext within the file.
I'm more concerned that the developers decided the best way to manage this over a network was to use NetBIOS. I can't think of anything less suitable for a modern network - lots of companies disable it, it was designed for use over a single, localised subnet and performs very poorly over a slow (think WAN or VPN) link and looking at Windows 7, I'd say that while it's not