Risk
1/23/2013
06:04 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New BYOD Threat: Email That Self-Destructs

Employees who bring apps like Wickr to work could bypass enterprise security systems.

People should be more aware of their digital footprint, said Sell. She points out that when you send a message in the traditional way, it's stored on multiple servers where others can potentially see it by accessing or hacking a database. "There's stuff that is easy to get," she said. "And money can buy you crazy stuff about people via the deep Web." At the other end of the spectrum, "criminals are all over the world. If you have money or anything of value, you need to start looking at your digital footprint," she said.

The United States is Wickr's biggest market, but the app is available in 110 countries and is the number-one free social app in Greece, Singapore and South Africa, in the same category as Facebook and Twitter. Sell attributes that popularity to people wanting to have control over private, anonymous free speech. "Private correspondence is important to a free society," she said.

Security expert Dan Kaminsky, an advisor for Wickr, agreed. "Non-permanent communication came first -- humans have been speaking before they have been writing," he pointed out. "Communicating privately ... is core to the experience of being human. People need to be able to express their thoughts and converse with their friends, family and spouses -- and feel secure in their communication."

But Wickr also raises a lot of hard questions about security and regulation. Sell acknowledges that when she works with chief security officers, questions about regulation in the enterprise come up frequently. How will IT leaders manage communications when apps such as Wickr and Snapchat inevitably make their way into the enterprise? Many companies are required by law or regulation to keep records of all communications for many years. These new apps could make that much more difficult, if not impossible.

Derek Schueren, who co-founded data management, governance and analytics company Recommind, helps companies organize and index unstructured data. Recommind uses a technology called CORE that can help enterprises organize their data and make it easier to search and sort.

Most companies have a wide variety of electronically stored information, much of it in spreadsheets, databases, text messages, instant messages, email, file fragments and digital images. In most cases, that information can be searched and specific bits of data can be retrieved, if necessary, to respond to lawsuits or patent disputes or for other reasons. Many companies have policies that specify when certain types of data can be deleted. Other companies try to keep everything for decades.

"You have an obligation [to retain data] if there's a possibility of litigation. This includes email [and other forms of communication]," Schueren said.

Companies might worry about Wickr from a legal perspective, according to Schueren, but a bigger concern may be that Wickr could be used for destructive purposes. An employee could take photos of company secrets or forthcoming products and send them to someone outside the company.

"It used to be files were locked in a cabinet and you knew who had the key," Schueren said. "Now everyone has the key. Everyone has connections to the outside world and companies are more exposed than they used to be."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JasonRemillard
50%
50%
JasonRemillard,
User Rank: Apprentice
2/7/2013 | 2:40:57 AM
re: New BYOD Threat: Email That Self-Destructs
It is interesting how 'end users' are taking 'governance' controls into their own hands this way - as with all tools - good and bad can come from it. I agree with Drew, some of this new technology is moving so quickly now that corporate policies and juristictional laws simply aren't keeping up. Imagine an HR policy on 'self destruct' messaging conduct? :)
Boons
50%
50%
Boons,
User Rank: Apprentice
1/25/2013 | 11:37:38 PM
re: New BYOD Threat: Email That Self-Destructs
Melanie, I agree. The threatening messages could be a problem. People need to be held accountable.
GAProgrammer
50%
50%
GAProgrammer,
User Rank: Guru
1/25/2013 | 6:52:58 PM
re: New BYOD Threat: Email That Self-Destructs
Not to mention cyber bullying, sending false information with no trace, the slippery slope goes on and on. Visit any forum and you'll see what anonymity creates - a horrible, venomous pit of nastyness, racism and sexism. This will only feed that horrible troll. Sorry, I think the bad outweighs the good in this one.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/24/2013 | 11:04:38 PM
re: New BYOD Threat: Email That Self-Destructs
I'd rather have tools like Wickr be available to help people protect speech and just accept the risk that these tools present to corporate information. Given that there are already myriad ways to get sensitive corporate information out the door, this doesn't seem to raise the risk bar much higher than it already is. What's really interesting are the legal ramifications of issues like a hostile work environment, where someone could use Wickr to send threatening messages to a coworker. That seems like a more difficult issue.

Drew Conry-Murray
Editor, Network Computing
Melanie Rodier
50%
50%
Melanie Rodier,
User Rank: Black Belt
1/24/2013 | 10:07:25 PM
re: New BYOD Threat: Email That Self-Destructs
There are of course benefits to having self-destruct messages, and it's an interesting concept, but it still seems a little dangerous from a compliance and legal and just from a general 'good citizen' standpoint not to leave any digital footprint at all...What if someone sends threatening messages that self-destruct without a trace? I think there's something to be said for people realizing that any digital behavior can be traced, for better or worse.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.