Metadata Trails

Thomas Brewster, writing for Forbes, highlighted a recent case by the DEA. The case itself isn't out of the ordinary. What is interesting is the set of issues raised by the search warrant request for LogMeIn.com...parent company of LastPass. This password management service is used by the accused a

Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How you doing today? On this episode of the show, we're gonna talk about metadata and its potential impact to your cybersecurity. Now, there was a good article from Thomas Brewster um in Forbes this weekend that was talking about a case that the DEA was pursuing against an alleged criminal.

Now, there's nothing weird about this case. There's nothing out of the ordinary um with it and it just raised an interesting question. I'll give you a quick summary of the case and then we'll dive into the hypotheticals that this question um that this case raised and kind of ask these questions because I think they're absolutely fascinating and critical to security and to privacy.

So the case itself is against an alleged criminal who was dealing drugs and had an online trail that showed some of their transactions for equipment, for supplies and basically, it was helping the DEA gather and mount that case. So as a matter of course, they filed a warrant request or search order request with the courts to have a search warrant issued uh or request for information issued to um LogMeIn.com, which is the parent company of LastPass, which apparently this alleged criminal was using on their devices.

So, LastPass is a great password management service. And the idea is uh LastPass has um, a set of your passwords encrypted up in the cloud and you can access them from wherever so that you only have to remember your one password for LastPass and everything else can be automatically filled in and automatically generated.

It's a great way, password managers are a great way of getting around the deficiencies in passwords themselves. If you're not using one already, I highly recommend that you do despite the, the topic of this video. Um so that being said, uh the um you know, the request went, it was a legal request.

Um LogMeIn.com uh looks to have fulfilled that request to the best of their abilities as one would expect with a legally compliant company. Um and they were unable to hand over the passwords. No shock there. They have really good security in how they keep those passwords, um salted and hashed and fully encrypted so that they're unable to be retrieved.

Um But the interesting thing is, and what's not detailed here. So we're gonna remove from this case that raises it up, right? The facts of the case are DEA is pursuing an investigation against alleged criminal and they file a fully legal non-controversial request for information um you know, or search uh request or data dump request.

However, you want to phrase it, um, to a legal provider, um, who is then fulfilling that request and saying, here's all the information we have that we can provide based on your legally judiciary, you know, judge authorized request. So that's not controversial at all.

What is interesting is this concept. So the passwords themselves are safe, right? So we're talking about password managers, um, especially in the cloud, if you're using one, your passwords are, uh if it's a reputable provider, should be completely encrypted and unaccessible, inaccessible, even in the event of a legal request like this.

So let's start going into a hypothetical. The question is what other information is actually there and part of the normal operations of that type of a service that could be challenging to your privacy or to your cybersecurity. Now, I'm not advocating this in the context of this alleged criminal and drug dealer, but just in general, I think this is an area where people fall down when they're doing cybersecurity.

You don't look at the potential of aggregate information or metadata information or behavioral analytics and it's absolutely critical. This is one of the key points I keep harping on again and again and again, and I will not apologize for it is that we keep thinking about individual systems security.

So are those passwords salted hashed and, and you know, encrypted and inaccessible? Yes, they are. We're good. Well, you gotta look at the whole, you gotta look at the holistic view of it, what other information is there that could be compromising. So if we go through and say I have a bunch of passwords, let's say, you know, I got 100 passwords, user names and passwords locked away in my password vault and the passwords themselves are safe.

We know they're inaccessible. It would take a mountain of computing power to break through that encryption. But the question is, the services that those passwords are attached to, are those listed in plain text? Can those be provided in the response to an audit or an insider threat if somebody looks at it?

So they know I have accounts at service A, service B, service C, service D. Are the times in which I changed my password listed in the open or in an accessible format? Because that can be critical too. Um, go no further than haveibeenpwned.com to see if any of your previous passwords have been breached if you are.

Um, if you have a breach in something uh listed in a great service, like Have I Been Pwned, maybe that password in, you know, account C in your password vault hasn't been changed since that breach. Maybe it's the same password, right? Maybe there's the ability for an attacker to say, oh, that's the same password as that.

Now, I know that um, that same password that's been out in the open and I can find online somewhere is actually the same to service C. Um, so those are interesting metadata points that actually raise the issue. So the, the passwords themselves are inaccessible, but the things like the service is there too or the last time they were changed or the last time you test them, that's another critical piece of metadata that could be stored.

And it can be thought of to be completely innocuous yet in a larger context. When it's added to additional information, it can create an investigation trail, it can create a timeline, it can create some really interesting spin off data, sort of unintended consequences or collateral damage depending on your perspective.

And I see this time and time again when I'm talking to folks around cybersecurity. They're so myopically focused, just absolute horse blinders on one aspect of security in a larger system. And they're not looking at the whole system and then the counterpoint is no, no I am because when I'm looking this way, I'll turn slightly and then I'll be myopically focused on a completely different system and that's great.

But you can't secure them in isolation because they talk and they transfer data between the two and they're part of a larger whole. You can't just uh you know, the analogy here in the physical world would be like, well, I'm fine, my car is safe because you know, I have seat.

Meanwhile, there's no air bag, there's no brakes, the mirrors aren't working, you know, they're all cracked, things like that. You need to look at each individual system, yes, but you also need to look at the larger whole. Are you mitigating risk elsewhere? Is the connection between systems and passing of data creating additional risks?

And that is an extremely, extremely difficult thing to calculate, is aggregate risk and aggregate exposure. But it's absolutely critical. And I just thought this article from Thomas Brewster at Forbes raised an interesting point because it was such an innocuous case, because it was such a straightforward request.

But the implications uh from a security perspective are really, really fascinating. So that was my thought for today. Um, what do you think? Let me know, hit me up online at marknca, in the comments down below, and as always by email, me at markn.ca. I think sort of aggregate analysis and distributed system security is absolutely fascinating.

Hopefully, you do too and we can have a great discussion about it. Uh I hope you're set up for a great day. We'll see you on the next episode of the show.
