Risk
1/23/2013
06:04 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New BYOD Threat: Email That Self-Destructs

Employees who bring apps like Wickr to work could bypass enterprise security systems.

People should be more aware of their digital footprint, said Sell. She points out that when you send a message in the traditional way, it's stored on multiple servers where others can potentially see it by accessing or hacking a database. "There's stuff that is easy to get," she said. "And money can buy you crazy stuff about people via the deep Web." At the other end of the spectrum, "criminals are all over the world. If you have money or anything of value, you need to start looking at your digital footprint," she said.

The United States is Wickr's biggest market, but the app is available in 110 countries and is the number-one free social app in Greece, Singapore and South Africa, in the same category as Facebook and Twitter. Sell attributes that popularity to people wanting to have control over private, anonymous free speech. "Private correspondence is important to a free society," she said.

Security expert Dan Kaminsky, an advisor for Wickr, agreed. "Non-permanent communication came first -- humans have been speaking before they have been writing," he pointed out. "Communicating privately ... is core to the experience of being human. People need to be able to express their thoughts and converse with their friends, family and spouses -- and feel secure in their communication."

But Wickr also raises a lot of hard questions about security and regulation. Sell acknowledges that when she works with chief security officers, questions about regulation in the enterprise come up frequently. How will IT leaders manage communications when apps such as Wickr and Snapchat inevitably make their way into the enterprise? Many companies are required by law or regulation to keep records of all communications for many years. These new apps could make that much more difficult, if not impossible.

Derek Schueren, who co-founded data management, governance and analytics company Recommind, helps companies organize and index unstructured data. Recommind uses a technology called CORE that can help enterprises organize their data and make it easier to search and sort.

Most companies have a wide variety of electronically stored information, much of it in spreadsheets, databases, text messages, instant messages, email, file fragments and digital images. In most cases, that information can be searched and specific bits of data can be retrieved, if necessary, to respond to lawsuits or patent disputes or for other reasons. Many companies have policies that specify when certain types of data can be deleted. Other companies try to keep everything for decades.

"You have an obligation [to retain data] if there's a possibility of litigation. This includes email [and other forms of communication]," Schueren said.

Companies might worry about Wickr from a legal perspective, according to Schueren, but a bigger concern may be that Wickr could be used for destructive purposes. An employee could take photos of company secrets or forthcoming products and send them to someone outside the company.

"It used to be files were locked in a cabinet and you knew who had the key," Schueren said. "Now everyone has the key. Everyone has connections to the outside world and companies are more exposed than they used to be."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JasonRemillard
50%
50%
JasonRemillard,
User Rank: Apprentice
2/7/2013 | 2:40:57 AM
re: New BYOD Threat: Email That Self-Destructs
It is interesting how 'end users' are taking 'governance' controls into their own hands this way - as with all tools - good and bad can come from it. I agree with Drew, some of this new technology is moving so quickly now that corporate policies and juristictional laws simply aren't keeping up. Imagine an HR policy on 'self destruct' messaging conduct? :)
Boons
50%
50%
Boons,
User Rank: Apprentice
1/25/2013 | 11:37:38 PM
re: New BYOD Threat: Email That Self-Destructs
Melanie, I agree. The threatening messages could be a problem. People need to be held accountable.
GAProgrammer
50%
50%
GAProgrammer,
User Rank: Apprentice
1/25/2013 | 6:52:58 PM
re: New BYOD Threat: Email That Self-Destructs
Not to mention cyber bullying, sending false information with no trace, the slippery slope goes on and on. Visit any forum and you'll see what anonymity creates - a horrible, venomous pit of nastyness, racism and sexism. This will only feed that horrible troll. Sorry, I think the bad outweighs the good in this one.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/24/2013 | 11:04:38 PM
re: New BYOD Threat: Email That Self-Destructs
I'd rather have tools like Wickr be available to help people protect speech and just accept the risk that these tools present to corporate information. Given that there are already myriad ways to get sensitive corporate information out the door, this doesn't seem to raise the risk bar much higher than it already is. What's really interesting are the legal ramifications of issues like a hostile work environment, where someone could use Wickr to send threatening messages to a coworker. That seems like a more difficult issue.

Drew Conry-Murray
Editor, Network Computing
Melanie Rodier
50%
50%
Melanie Rodier,
User Rank: Apprentice
1/24/2013 | 10:07:25 PM
re: New BYOD Threat: Email That Self-Destructs
There are of course benefits to having self-destruct messages, and it's an interesting concept, but it still seems a little dangerous from a compliance and legal and just from a general 'good citizen' standpoint not to leave any digital footprint at all...What if someone sends threatening messages that self-destruct without a trace? I think there's something to be said for people realizing that any digital behavior can be traced, for better or worse.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.