Dark Reading is part of the Informa Tech Division of Informa PLC
Metadata Poses Both Risks And Rewards

For companies, metadata can both be an opportunity to better secure the business and a threat that leaks sensitive data

The National Security Agency's focus on metadata has raised awareness of the threat that activity tracking poses to individual privacy and has renewed debates over the level of monitoring that should be permissible by government and businesses.

For businesses, the lessons are more subtle. Organizations can both inadvertently leak metadata -- giving adversaries a look into their operations and a potential covert communications channel -- and analyze their own metadata to gain information on anomalous activity within their network. Metadata, a by-product of the adoption of technology, should be helpful -- and can be -- if companies are aware of the issues posed by the data, says Will Irace, vice president of threat research at General Dynamics Fidelis Cybersecurity Solutions.

"I don't look at metadata as some boogeyman," he says. "Instead, we have to figure out how to distill knowledge from the massive amounts of raw information that we are collecting."

Metadata arrived in the lexicon of everyday technology users in 2013, when the leak of classified documents from the National Security Agency highlighted the amount of information collected by service providers and requested by the government. While the U.S. government is barred from collecting the content of communications without a warrant, metadata -- loosely defined as data about data -- has historically been fair game. Yet metadata is as important as -- and, many technologists argue, more important than -- the content of messages or documents, because it can be used to map the relationships between content and the creators of that content.

[Establishing 'normal' behaviors, traffics, and patterns across the network makes it easier to spot previously unknown bad behavior. See Network Baseline Information Key To Detecting Anomalies.]

In an ongoing study using volunteers who allow their information to be tracked, Stanford University has found that significant information about participants can be inferred just from their phone metadata. In one instance, a subject contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop. In another instance, a participant made "calls to a firearm store that specializes in the AR semiautomatic rifle platform [and] they also spoke at length with customer service for a firearm manufacturer that produces an AR line," according to a March 12 update on the research by Jonathan Mayer, a PhD student in computer science at Stanford University.

From a privacy perspective, the term "metadata" is typically used to identify what legal experts believe is data that can be collected, whether by business or government, without infringing on the privacy of citizens. Yet the MetaPhone project shows that such data about content still leaks significant privacy-infringing information, Mayer says.

"I think the notion of metadata and privacy as being separate ... is not borne out," he says. "Even if you excise the personally identifiable information, someone could still re-identify the data set or make sensitive inferences. So getting rid of the PII does not get rid of the privacy problems."

While the MetaPhone project focused on data about who called whom, metadata includes a wide variety of machine-generated information: browser histories, document properties, network packet headers, and access logs are all common sources of metadata produced by companies and their employees. Attackers frequently seek out this information for reconnaissance against a targeted firm, gaining valuable knowledge about its employees and network infrastructure.

While doing research on metadata leakage, Spanish security firm Eleven Paths created a tool that could mine the data from public documents available on a company's website. Because firms frequently do not sanitize the information placed in documents, attackers can gain information about who authored the file, when they created it, and on what type of machine. In a more recent 2013 study, the company found that data-loss prevention firms do not fully sanitize their own files and documents, leaking potentially sensitive information. In some cases, file servers and printers can also be revealed.

"A persistent attacker can create a piece of malware for a specific target and use information taken from documents to create a more targeted attack," says Chema Alonso, CEO of Eleven Paths. "By looking at metadata, they can identify people and figure out what internal servers they need to infect."
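The document-metadata leak described above is easy to audit for before a file is published. The script below is an added example, not the article's and not Eleven Paths' tool: it opens an Office Open XML (.docx) file, which is a zip archive whose docProps/core.xml and docProps/app.xml parts carry the author, last editor, timestamps and authoring application, reports the fields that are commonly leaked, and writes a copy with those elements removed. Only the standard library is used. The sample .docx, its field values (user names, dates, company) and the choice of which properties count as "leaky" are constructed for the example.

```python
"""Audit and strip document metadata from an Office Open XML (.docx) file.

Added example, not from the article or from Eleven Paths. Uses only the
standard library. The sample .docx is constructed inline with just the parts
needed to carry metadata; every value in it is invented.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespaces used by the OOXML metadata parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():          # keep the usual prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Properties that reveal who wrote the file, when, and with what (example choice).
# Each maps a friendly name to (zip part, element tag in Clark notation).
LEAKY_FIELDS = {
    "creator":        ("docProps/core.xml", "{%s}creator" % NS["dc"]),
    "lastModifiedBy": ("docProps/core.xml", "{%s}lastModifiedBy" % NS["cp"]),
    "created":        ("docProps/core.xml", "{%s}created" % NS["dcterms"]),
    "modified":       ("docProps/core.xml", "{%s}modified" % NS["dcterms"]),
    "application":    ("docProps/app.xml", "{%s}Application" % NS["ep"]),
    "company":        ("docProps/app.xml", "{%s}Company" % NS["ep"]),
}

# Constructed metadata parts, shaped like what Word writes. Values are invented.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Q3 pricing</dc:title>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>ACME\\jsmith</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2014-03-01T09:12:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2014-03-10T17:40:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>ACME Corp</Company>
</Properties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Constructed minimal .docx: a zip holding the two metadata parts plus stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # stub; real files list every part
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")  # stub body
    return buf.getvalue()


def read_part(docx_bytes: bytes, name: str) -> bytes:
    """Return one part of the archive (used to verify non-metadata content survives)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def audit_metadata(docx_bytes: bytes) -> dict:
    """Return the leaky fields present in the document, keyed by friendly name."""
    found, parsed = {}, {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for field, (part, tag) in LEAKY_FIELDS.items():
            if part not in names:
                continue                      # part absent: nothing to leak from it
            if part not in parsed:
                parsed[part] = ET.fromstring(z.read(part))
            el = parsed[part].find(tag)       # all of these are direct children of the root
            if el is not None and (el.text or "").strip():
                found[field] = el.text.strip()
    return found


def sanitize_docx(docx_bytes: bytes) -> bytes:
    """Copy the archive, removing the leaky elements; every other part is copied as-is.

    The core and extended properties are all optional in the OOXML schema, so
    deleting the elements (rather than blanking them) keeps the parts valid.
    """
    to_clean = defaultdict(set)
    for part, tag in LEAKY_FIELDS.values():
        to_clean[part].add(tag)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in to_clean:
                root = ET.fromstring(data)
                for tag in to_clean[info.filename]:
                    for el in root.findall(tag):
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit_metadata(sample))
    print("after: ", audit_metadata(sanitize_docx(sample)))
```

Pointing `audit_metadata` at every document under a web root before it goes public gives the same view an outside party would get; the title and body are left untouched, so the sanitized copy is still the document the business meant to publish.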

Yet companies that become more aware of metadata can collect data on and analyze their employees' activities to gain more visibility into their networks and detect anomalous activity. Frequently referred to as big data analytics, such monitoring and analysis projects can help companies identify what activities may need more scrutiny.

They are, however, not easy, says General Dynamics' Irace.

"Big data analytics brings to mind a magical black box that takes in all this raw data and produces a diamond of actionable knowledge, but it is much messier than that," he says. "It is much more human-driven."

Companies should dip their toe into collecting and analyzing metadata to gain experience and a grasp of what kinds of information should be collected and how the company should process it correctly, he says.
