
OpenDLP Aims To Stem Data Loss

rollcall writes "A new free and open source tool, OpenDLP, has been released that will help organizations fight data loss caused by stolen laptops, missing HDDs, or compromised systems. OpenDLP is managed from a centralized Web application and it can simultaneously send and control thousands of non-intrusive agents to Microsoft Windows systems over NetBIOS that look for user-defined regular expressions in data at rest. When sensitive data is found, the agents 'phone home' to the Web app with their results. While organizations have continued to lose sensitive data even though many commercial products are available to help prevent this, perhaps the introduction of a free alternative will finally spur organizations to locate their sensitive data proactively before it is lost."


  • ...isn't the problem with data loss NOT that the only copy of the data is physically lost, but that a copy of the data is out in the wild? This product seems to miss the point entirely.
    • by Amouth ( 879122 ) on Sunday May 02, 2010 @02:27PM (#32065870)

      in that sense yes - but it does fill a hole - if i have info that is supposed to ONLY be on the network or files servers and NOT on laptops that come and go in the building - i might add this to the laptops so that i can watch and catch people doing stupid things like copying a customers folder locally then leaving.

      although given that it has limited file format understanding - and can't look in archives yet - this one seems a little on the useless side at the moment.. But maybe in a few months or a year they will get it where it might be something to look at - but from where their site has it.. this isn't ready for any enterprise.

    • by CarpetShark ( 865376 ) on Sunday May 02, 2010 @02:29PM (#32065888)

      You don't get it. With this, you can put an agent on the laptops with sensitive information to contact you and inform you that the laptops have sensitive information on them.

  • by gyrogeerloose ( 849181 ) on Sunday May 02, 2010 @02:25PM (#32065864) Journal

    it can simultaneously send and control thousands non-intrusive agents

    Anyone else out there find this statement just a bit worrisome?

    • It's not a botnet. The evil bit is set to 0 on all command and control packets.
    • Re: (Score:2, Informative)

      by bragr ( 1612015 )
      Apparently you haven't run a large network. Anything we can't deploy automatically over the network pretty much gets tossed. We just don't have the time or the budget to go around to 600+ computers and install software. This principle pretty much drives our decision making for OS deployment, AV, apps, tools, etc. Something that was designed to deploy over a network, rather than something we can trick into deploying over a network, sounds wonderful.
      • Yeah, if I'd read TFA more carefully, I would have noticed that this thing is designed to be deployed over a LAN, not the Internet. My bad.

      • by jimicus ( 737525 )

        And yet it's amazing how many products intended for use in large organisations have installation instructions along the lines of "Visit every workstation in turn, double-click on setup.exe and follow the instructions..."

    • Re: (Score:3, Funny)

      by physburn ( 1095481 )
      Extremely, a whole organism has spyware put throughout its IT infrastructure, reporting to one central server that could be compromised to do, lord knows what harm.

      ---

      Computer Security [feeddistiller.com] Feed @ Feed Distiller [feeddistiller.com]

  • NetBIOS? (Score:5, Interesting)

    by TubeSteak ( 669689 ) on Sunday May 02, 2010 @02:26PM (#32065868) Journal

    Turning off the NetBIOS service is one of the first things I do to any new computer.
    Or did MS finally secure NetBIOS while I wasn't looking?

    • Re: (Score:3, Insightful)

      I was thinking the same thing. We've been dealing with PCI certification stuff and one of the requirements is to turn off NetBIOS.

  • DLP? (Score:4, Insightful)

    by mseeger ( 40923 ) on Sunday May 02, 2010 @02:34PM (#32065934)

    Hmmm.... While this is useful for several security functions, it only covers a small part of what I would consider a DLP solution. When (for example) sensitive information has to be allowed on the notebook or PC of an employee, I want to make sure of several things:

    • the disk is encrypted (or an alarm is raised),
    • writing it on a CD or USB stick is prevented or (when allowed) the file will again be encrypted (and can only be read on other company PCs) and
    • the information is neither sent by email nor uploaded through a web application outside the company.

    What I want is a tool that lets me formulate a policy concerning the aspects mentioned above (and more). E.g. certain information must not be stored locally (covered), that information may be stored when certain security criteria are matched and this information shall not be sent by email (unless the employee confirms this has been cleared with manager X).

    Trying to prevent information from being stored on an employee's PC is only a solution for a subset of the DLP problem. While I think this open source solution is quite useful, the name "OpenDLP" led me to expect more.

    CU, Martin

    P.S. I already see some companies using this to search for the sensitive word "application" on all employees' hard disks ;-)

    • Re: (Score:2, Insightful)

      by bragr ( 1612015 )
      It may not be perfect or complete, but it is better than nothing, which is what a lot of companies have now.
      • by mseeger ( 40923 )

        For those companies who have nothing yet and the solution fits, you are correct. The trouble lies within "solution fits". If you are a typical company (e.g. your customer names being sensitive data) it will not help you to learn that 95% of all employees have on average 23 files containing one of those names. It would help you more to find out that a file containing more than 50 customer names is stored on an unsecured device (e.g. USB stick). Currently (IMHO) OpenDLP is more a company-wide search tool.

        Wher

      • by vlm ( 69642 )

        It may not be perfect or complete, but it is better than nothing, which is what a lot of companies have now.

        No, it definitely has the possibility of being much worse for two reasons:

        1) False sense of security. Can't happen to us! It's the only tool and/or procedure we need! Why, it's the only tool we need, even for issues like SQL injection attacks against our public webserver full of customer data!

        2) False positives. For example, a nice simple regex to detect improper storage of CC #s would be sixteen digits surrounded by whitespace with a dash every 4 digits. The problem is, I take home my laptop where I'm w

        • Performs additional checks on potential credit card numbers to reduce false positives

          http://en.wikipedia.org/wiki/Luhn_algorithm [wikipedia.org]

          http://bavister.org/tools/genLuhn.php [bavister.org]

          9999-9999-9999-9999 has Luhn check-digit 6

          False sense of security is a big problem, but you went overboard on your false positives example. Try again?

          • sure- my work we always used 42+ 12 zeros to fake out our POS system.

            it does check out.. and if I were writing something to test, I'd use that

            however, I'd also expect that a positive result on the security software under discussion would be followed up on by a human eye looking at the data-- at which point it would be dismissed from consideration as a violation...

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          yes, that makes perfect sense and isn't at all paranoid or delusional, because the next logical step after the existence of this piece of software is that companies will blindly give it the ability to fire employees without any investigation or human intervention.

        • If you were to get fired because of something like what you describe, you were on the chopping block already.

    • To do something like what you described, you'd need a filesystem that had an ACL for all trusted programs on your computer. So that any time a file is requested to be read, the fs checked to see if the requesting program has permission. You've now just made a lot of enemies on /. for implementing computer-wide DRM.

      • by mseeger ( 40923 )

        Strangely I have made very few enemies on /. though I am often away from the mainstream here. Probably that's why I still wander around here :-). Doing IT (and IT security) for 20+ years gives me some pointed opinions. E.g. while I like an "Open" in any software name (especially if they mean it), it does not sanctify that software instantaneously.

        Besides, in this case I won't be alone. Implementing any kind of effective DLP in the workplace of the average Slashdot reader, you will make enemies by the dozen. B

        • actually i've decided I was wrong.

          I think you could easily do that on a Linux system today. If the encrypted partitions are mounted with only read permissions for a certain group, and all trusted programs are setgid and a member of that group, wouldn't that do what you wanted?
          That way you could only interact with the encrypted data using the trusted programs.

          Though, if one of those programs allowed you to copy/move the files, then the system could be circumvented, perhaps it does need to be done on the OS/

          • Re:DLP? (Score:4, Insightful)

            by mseeger ( 40923 ) on Sunday May 02, 2010 @04:05PM (#32066448)

            I think you could easily do that on a Linux system today. If the encrypted partitions are mounted with only read permissions for a certain group, and all trusted programs are setgid and a member of that group, wouldn't that do what you wanted?

            This is a way to solve one technical aspect (I would guess you are correct about the technical aspect). The difficult thing is to design a solution that lets you enforce a policy in your enterprise. First it has to run in the environment that is already in place (I regret to inform the audience that this usually isn't Linux). Second it should help you to enforce the policy and not force you to adapt the policy to the technical limitations of the solution. And third (and most important) the solution has to scale. While it is a relatively easy task to secure one PC or even a dozen, it is a hell of a job (real-life example) to do this for 12.000 PCs when you only have 5-6 guys for the IT security (including firewalls, VPN, virus scanners, certificate management, anti-spam solutions, RADIUS, WLAN, etc.).

            I give up for now.

            No surrender accepted :-) Keep on ....

            CU, Martin

          • There's a company called Vormetric that's doing exactly this. They have an encryption piece and a model similar to SELinux that loads at the kernel level and gives you similar fine grained control not just of what user can do what but what user, using what program, can do what. Including locking down root.

  • Now we just have to wait for the version that flatlines intruders through DNI overstimulation and erases the data from the attacking host(s).
  • by pem ( 1013437 ) on Sunday May 02, 2010 @02:56PM (#32066080)
    Too many oxymorons here -- I don't know where to start!
  • The question that occurs to me is "How does it scan for sensitive information without revealing it?". That is, these regular expressions must contain strings which are uniquely (or nearly) found in sensitive information. Thus they, themselves, are very likely sensitive. And the agents containing them are running on computers which aren't supposed to contain sensitive information.

    If all the sensitive information is marked by caveats which are not, themselves, sensitive (e.g. "IBM Confidential"), and you'r

    • Hashes, perhaps?

      The SHA-1, or equivalent, of a sensitive file tells you basically nothing useful about that file (or if you are addressing situations where things are likely to be split up, you can look for hash matches for smaller subsections of potentially sensitive files).

      Since hashes are designed to detect tampering, that would largely ruin the value of the tool against dedicated exfiltrators (since making small modifications that result in totally different hashes; but do nothing to degrade the hum
    • Re: (Score:3, Informative)

      by Jaime2 ( 824950 )
      Here is a regular expression for the most common types of credit card numbers:

      ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

      Notice that it contains no sensitive information. I would guess that 90% of lost sensitive information that causes a panic contains either credit card numbers or social security numbers.
  • ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

    Oh yeah, it'll totally prevent loss...

    • Re: (Score:3, Informative)

      For those wondering, that regex is used as a simple verification if a credit card number is entered according to the various numbering schemes used by major credit card companies.

      So, essentially the parent is pointing out that it could be used to find unencrypted credit card numbers stored on the hard drives of those controlled by OpenDLP.

  • A review of the tool was done a couple of days ago: http://blog.rootshell.be/2010/04/30/keep-an-eye-on-your-data-using-opendlp/ [rootshell.be]
  • This product seems to solve two hacking problems in one fell swoop. First, it's well known that social engineering is time consuming. Secondly, once you have your hands on somebody else's data it's tedious to figure out which bits are the good ones.

    With OpenDLP it's left to the user to set up a rudimentary botnet and then identify the juicy parts through a regex. Brilliant!

    OK it might not be so, but nothing on the project website suggests it isn't. We'll know for sure only if the next release automates th

  • Then you're pretty much hosed? .doc, .ppt, .xls, etc. Sure, this OpenDLP may have a viewer, but what about .osts? .psts? .mdb? .edb? ? In Windows land, there are so many opaque file formats and databases that to a regex parser would be garbage, but in knowledgeable hands can easily be opened and viewed.
    • by jimicus ( 737525 )

      If you run most of those files through strings(1), you'll find that quite often the important data is stored as plaintext within the file.

      I'm more concerned that the developers decided the best way to manage this over a network was to use NetBIOS. I can't think of anything less suitable for a modern network - lots of companies disable it, it was designed for use over a single, localised subnet and performs very poorly over a slow (think WAN or VPN) link and looking at Windows 7, I'd say that while it's not
