Tracking devices is nothing new. In the auto industry, multiple vendors compete to convince drivers to install the devices in their cars, promising that if it gets stolen, the cops will know right where to find it. In law enforcement, criminals on probation sometimes are required to wear an ankle bracelet that does the same thing – tells authorities exactly where they are.
It is also possible to do that with data. Digital watermarking can track where it is being viewed or downloaded, and also identify the IP address and the type of device doing it. It is not in widespread use, according to experts, and could in some cases have privacy implications, but its advocates say while it doesn’t prevent a data breach, it can let an organization that has been breached know about it almost immediately, instead of months later.
Their mantra is: Breaches are not preventable, but they are discoverable.”
As Rich Campagna, vice president, products, at Bitglass put it, “The average data breach goes undetected for seven months. Identifying a breach early can help prevent further exfiltration and render breached data useless,” by, for example, canceling and reissuing credit cards before they can be sold.
To demonstrate the effectiveness of watermarking and to illustrate how widely stolen data can “travel”, Bitglass created a fake data file earlier this year of 1,568 names, Social Security numbers, credit card numbers, addresses and phone numbers. It watermarked the file and then posted it anonymously to DropBox plus seven other sites on the Dark Web suspected of being cybercrime marketplaces.
According to the company, the watermarking can survive copying, pasting and other file manipulations. Every time the file is opened, it “calls home” with information on where and how it was accessed.
The company reported that after 12 days, the file had been accessed from 22 countries on five continents, including the U.S., Brazil, Nigeria, Hong Kong, Spain, Germany, the United Kingdom, France, Sweden, Canada, the Russian Federation, the Czech Republic, Italy and Turkey.
The data was viewed 1,081 times, with 47 unique downloads, and was accessed most frequently from Nigeria, Russia and Brazil. Campagna said that, “very few of the people who downloaded the file took any steps to obscure their location or device.”
Of course, knowing where your stolen data went, or even who downloaded it isn’t going to help you get it back, like a car, or even erase it. Many of the countries from which the downloads occurred are essentially beyond the reach of U.S. law enforcement.
Still, knowing about it has enormous value, according to Paul Henry, IT security consultant for Blancco Technology Group, who said he has used watermarking in his incident response and forensics business since 2007.
“It’s a great tool,” he said. “I’ve used it in several email-related cases to determine specifically who was reading another party’s email without their permission. I also use it with retained clients with their intellectual property-related data to eliminate false positives when searching sites like Pastebin and others on the Dark Web to see if their data shows up.”
Henry agreed that there is value in being able to take measures quickly to mitigate damage from stolen data. But he said the amount of identification it provides can help in legal proceedings as well.
“When used properly, you actually can see an evidence trail that meets court requirements for admissibility,” he said. “For enterprise businesses, that’s going to help them solidify their intellectual property defense in court.”
And, relatively speaking, it does not amount to big bucks. Campagna said watermarking is part of the company’s broader security package with a monthly license fee starting at $5 per user.
While watermarking is still not nearly as common as software aimed at detecting and preventing malware, it got a burst of publicity during the past two weeks in connection with the high-profile hack of Hacking Team, the Italian company that sells hacking and surveillance tools to governments and law enforcement agencies, and is viewed as an “enemy of the Internet” by privacy and human rights groups.
Reportedly, Hacking Team watermarks its Galileo software, which would mean that anyone reading those hacked files will be able to find out who is using it and who their targets are.
That prompted Bruce Schneier, security guru and CTO at Resilient Systems, to muse on his blog, “It's one thing to have dissatisfied customers. It's another to have dissatisfied customers with death squads. I don't think the company is going to survive this.”
Campagna said the Bitglass watermarking is different. “Hacking Team has watermarked its software to prevent piracy,” he said. “A copy sold to the U.S. government would have a different watermark than a copy sold to the Russian government. If the software later showed up elsewhere, Hacking Team could track that copy back to the customer from which it was taken.”
By contrast, he said, Bitglass watermarking is designed for visibility, wherever the data go. “When data is found on Dropbox or on an identity trafficking site, the company can verify that it was Paul from accounting that leaked the document, as an example,” he said.
Still, Henry said there are legal and privacy implications with watermarking, since it causes a device to execute an instruction that does not come from the user or that the device would do on its own.
“Certain law enforcement agencies cannot cause a computer to exercise any instruction it would not have issued itself or it is considered entrapment,” he said, and a watermark does, in fact, cause the user's computer to exercise instructions it otherwise would not have issued.”
And, as is the case with any security tool, it is not bulletproof. Henry said there is no doubt in his mind that a criminal savvy to watermarking, “could have the information containing the watermark and still remain undiscovered.”
And Campagna acknowledged that it is possible to defeat a watermark by taking a screenshot of a file or converting it to plaintext.
Still, it is a visibility tool that Henry said could provide some legal muscle – what he called, “the ‘smoking gun’ evidence” that could support a prosecution.
This story, "When stolen data can ‘phone home’" was originally published by CSO.