News
3/19/2014
09:29 AM
Metadata Poses Both Risks And Rewards

For companies, metadata can both be an opportunity to better secure the business and a threat that leaks sensitive data

The National Security Agency's focus on metadata has raised awareness of the threat that activity tracking poses to individual privacy and has renewed debates over the level of monitoring that should be permissible by government and businesses.

For businesses, the lessons are more subtle. Organizations can both inadvertently leak metadata -- giving adversaries a look into their operations and a potential covert communications channel -- and analyze their own metadata to gain information on anomalous activity within their network. Metadata, a by-product of the adoption of technology, should be helpful -- and can be -- if companies are aware of the issues posed by the data, says Will Irace, vice president of threat research at General Dynamics Fidelis Cybersecurity Solutions.

"I don't look at metadata as some boogeyman," he says. "Instead, we have to figure out how to distill knowledge from the massive amounts of raw information that we are collecting."

Metadata arrived in the lexicon of everyday technology users in 2013, when the leak of classified documents from the National Security Agency highlighted the amount of information collected by service providers and requested by the government. While the U.S. government is barred from collecting the content of communications without a warrant, metadata -- loosely defined as data about data -- has historically been fair game. Yet metadata is as important -- and many technologists argue, more important -- than the content of messages or documents because it can be used to create mappings of the relationships between content and the creators of that content.

[Establishing 'normal' behaviors, traffics, and patterns across the network makes it easier to spot previously unknown bad behavior. See Network Baseline Information Key To Detecting Anomalies.]

In an ongoing study using volunteers who allow their information to be tracked, Stanford University has found that significant information about participants can be inferred just from their phone metadata. In one instance, a subject contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop. In another instance, a participant made "calls to a firearm store that specializes in the AR semiautomatic rifle platform [and] they also spoke at length with customer service for a firearm manufacturer that produces an AR line," according to a March 12 update on the research by Jonathan Mayer, a PhD student in computer science at Stanford University.

From a privacy perspective, the term "metadata" is typically used to identify what legal experts believe is data that can be collected, whether by business or government, without infringing on the privacy of citizens. Yet the MetaPhone project shows that such data about content still leaks significant privacy-infringing information, Mayer says.

"I think the notion of metadata and privacy as being separate ... is not borne out," he says. "Even if you excise the personally identifiable information, someone could still re-identify the data set or make sensitive inferences. So getting rid of the PII does not get rid of the privacy problems."

While the MetaPhone project focused on data about who called whom, metadata includes a wide variety of machine-generated information: browser histories, document properties, network packet headers, and access logs are all common sources of metadata produced by companies and their employees. Attackers frequently seek out this information for reconnaissance against a targeted firm, gaining valuable knowledge about its employees and network infrastructure.

While doing research on metadata leakage (PDF), Spanish security firm Eleven Paths created a tool that could mine the data from public documents available on a company's website. Because firms frequently do not sanitize the information placed in documents, attackers can gain information about who authored the file, when they created it, and on what type of machine. In a more recent 2013 study, the company found that data-loss prevention firms do not fully sanitize their own files and documents, leaking potentially sensitive information. In some cases, file servers and printers can also be revealed.
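The document-property leak described above can be checked for before a file is published. The following is an added example, not part of the original article or of Eleven Paths' tool: it reads the author, last-editor, timestamp and application properties that Office Open XML packages (DOCX, XLSX, PPTX) store in docProps/core.xml and docProps/app.xml, and writes a copy with those properties removed. The sample package, its property values and the field list are constructed here; the namespace URIs and element names are the standard OOXML ones.

```python
import io, zipfile, xml.etree.ElementTree as ET
# Namespaces of the Office Open XML property parts docProps/core.xml and docProps/app.xml.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the usual prefixes when the parts are rewritten
# Properties that reveal people, timestamps and the authoring environment (chosen for this example).
LEAK_FIELDS = {"docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"],
               "docProps/app.xml": ["ep:Application", "ep:Company", "ep:AppVersion"]}
def extract_metadata(package):
    """Return {field: value} for each leak-prone property present in an OOXML package (bytes)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for part, fields in LEAK_FIELDS.items():
            if part in zf.namelist():
                root = ET.fromstring(zf.read(part))
                for f in fields:
                    el = root.find(f, NS)
                    if el is not None and el.text:
                        found[f] = el.text
    return found
def sanitize(package):
    """Copy the package with the leak-prone properties dropped; every other part is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in LEAK_FIELDS:
                root = ET.fromstring(data)
                for el in [e for f in LEAK_FIELDS[name] for e in root.findall(f, NS)]:
                    root.remove(el)  # property elements sit directly under the root
                data = ET.tostring(root, encoding="utf-8")
            dst.writestr(name, data)
    return out.getvalue()
def build_sample_package():
    """Constructed sample: a minimal package carrying the properties Office writes by default."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
            '<dc:creator>a.author</dc:creator><cp:lastModifiedBy>j.smith</cp:lastModifiedBy>'
            '<dcterms:created>2013-05-02T09:10:00Z</dcterms:created></cp:coreProperties>').format(**NS)
    app = ('<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
           '<Company>Example Corp</Company><AppVersion>14.0000</AppVersion></Properties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")  # stands in for the real body
    return buf.getvalue()
```

Run `extract_metadata` over a directory of files headed for the public website to see what each one discloses; a real document also carries revision counts, template names and embedded-image EXIF data that this check does not cover.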

"A persistent attacker can create a piece of malware for a specific target and use information taken from documents to create a more targeted attack," says Chema Alonso, CEO of Eleven Paths. "By looking at metadata, they can identify people and figure out what internal servers they need to infect."

Yet companies that become more aware of metadata can collect data on and analyze their employees' activities to gain more visibility into their networks and detect anomalous activity. Frequently referred to as big data analytics, such monitoring and analysis projects can help companies identify what activities may need more scrutiny.

They are, however, not easy, says General Dynamics' Irace.

"Big data analytics brings to mind a magical black box that takes in all this raw data and produces a diamond of actionable knowledge, but it is much messier than that," he says. "It is much more human-driven."

Companies should dip their toe into collecting and analyzing metadata to gain experience and a grasp of what kinds of information should be collected and how the company should process it correctly, he says.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
