
Mornings With Mark
no. 0006

Metadata Trails


Full machine generated transcript follows

Morning, everybody. How are you doing today? On this episode of the show we're going to talk about metadata and its potential impact on your cybersecurity. Now, there was a good article from Thomas Brewster in Forbes this weekend that was talking about a case that the DEA was pursuing against an alleged criminal. Now, there's nothing weird about it, no question.

I'll give you a quick summary of the case, then we'll dive into the hypotheticals that this case raised and kind of ask these questions, because I think they're absolutely... So the case itself is against an alleged criminal who was dealing drugs and had an online trail that showed some of their transactions for equipment and for supplies, and it was helping the DEA gather and mount that case.

So, as a matter of course, they filed a request, a search request, with the courts, and a request for information was issued to LogMeIn, which is the parent company of LastPass, which apparently this alleged criminal was using on their devices.

So LastPass is a great password management service. The idea is that LastPass has a set of your passwords encrypted up in the cloud and you can access them from wherever, so that you only have to remember your one password for LastPass and everything else can be automatically filled in and automatically generated.

Password managers are a great way of getting around the deficiencies in passwords themselves. If you're not using one already, I highly recommend that you do, despite the topic of this video. That being said, they look to have fulfilled that request to the best of their abilities, as one would expect from a legally compliant company, and they were unable to hand over the passwords.

No shock there. They have really good security in how they keep those passwords salted and hashed and encrypted, so that they're unable to be retrieved. But the interesting thing, and what's not detailed, what I'm going to pull out of this case and raise up, right? The facts of the case are: the DEA is pursuing an investigation into an alleged criminal, and they filed a fully legal, non-controversial request for information, or search request, or data dump request, however we want to phrase it, to a legal provider, who is then fulfilling that request: here's all the information we have that we can provide based on your legal, judge-authorized request.

What is interesting is this concept. So the passwords themselves, right? We're talking about password managers, especially in the cloud. If you're using one, your passwords at the provider should be completely encrypted and inaccessible, even in the event of a legal request like this.

So let's start going into a hypothetical. The question is: what other information is actually there, as part of the normal operations of that type of service, that could be challenging to your privacy or cybersecurity? Now, I'm not advocating this in the context of this alleged criminal and drug dealer, but just in general I think this is an area where people fall down when they're doing cybersecurity.

If you don't look at the potential of aggregate information, or metadata, or behavioral analytics... and it's absolutely critical. This is one of the key points I keep harping on again and again and again, and I will not apologize for it: we keep thinking about individual systems' security.

Are those passwords salted, hashed and encrypted, inaccessible? Yes, they are. But look at the whole, the holistic view of it: what other information is there that could be... So if we go through and say I have a bunch of passwords, say, you know, I've got a hundred username and password pairs locked away in my password vault, the passwords themselves are safe.

We know they are inaccessible; it would be beyond their power to break through that encryption. But the question is: the services that those passwords are attached to, are those listed in plaintext? Can those be provided in the response to an audit or an inquiry? Plainly, up front, if somebody looks at it?

So they know I have accounts at service A, service B, service C, service D. Are the times at which I changed my password listed in the open or in an accessible format? Because that can be critical. Go no further than haveibeenpwned.com to see if any of your previous passwords have been breached.

If you have a breach in something that's listed in a great service like Have I Been Pwned, maybe that password, you know, account C in your password vault, hasn't been changed since that breach. Maybe it's the same password, right? Maybe there's the ability for an attacker to say, that's the same password. Now I know that that same password that's been out in the open, that I can find online somewhere, is actually the same for service C.

So those are interesting metadata points that actually raise the issue. The passwords themselves are inaccessible, but things like the service they're tied to, or the last time they were changed, or the last time you accessed them, that's another critical piece of metadata that could be stored, and it could have been thought to be completely innocuous, yet in a larger context, when it's added to additional information,

it can create an investigation trail and create a timeline and create some really interesting spin-off data, unintended consequences or collateral damage depending on your perspective. And I see this time and time again when I'm talking to folks around cybersecurity. They're so myopically focused, just absolute horse blinders, on one aspect of security in a larger system, and they're not looking at the whole system. And then the counterpoint is not "who I am", because when I'm looking this way, I'll turn slightly and now I'm myopically focused on a completely different system. And that's... you can't secure them in isolation, because they talk and they transfer data between the two and they're part of a larger whole. You can't just... the analogy here in the physical world would be like, well, I'm fine,

my car is safe because, you know, I have seatbelts. Meanwhile, there's no airbag, there's no brakes, the mirrors aren't working, you know, there's a crack, things like that. You need to look at each individual system, yes, but you also need to look at the larger whole. Are you mitigating risk elsewhere? Is the connection between systems and the passing of data creating additional risks? And that is an extremely, extremely difficult thing, to calculate risk and aggregate exposure, but it's absolutely critical. And I just thought this article from Thomas Brewster at Forbes really raised an interesting point, because it was such an innocuous case, because it was such a straightforward request,

but the implications from a security perspective are really, really fascinating. So that was my thought for today. What do you think? Let me know. Hit me up online at @marknca, in the comments down below, and as always by email. I think aggregate analysis in distributed systems security is absolutely fascinating.

Hopefully you do too, and we can have a great discussion about it. I hope you're set up for a great day. We'll see you on the next episode of the show.
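The following is an added example, not code from the episode and not anything LastPass or LogMeIn publishes. It shows the point made above in working form: with every password still encrypted, the metadata a vault provider might store beside the blobs (which service, when the password last changed, when it was last accessed) is enough to list the owner's accounts, build an activity timeline, and flag accounts whose password predates a known breach of that service. The vault records, the site names and the breach table are constructed for illustration; the breach table stands in for a lookup against a service like Have I Been Pwned, which the episode mentions, but nothing here contacts it.

```python
"""Added example (not from the episode, LastPass or LogMeIn): what vault
metadata alone reveals when every password stays encrypted.

All records below are constructed. Site names, usernames and dates are
assumptions; BREACHES stands in for a breach-date lookup such as Have I
Been Pwned and is a hard-coded table here so the example runs offline."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VaultEntry:
    """The cleartext fields a provider might keep next to an encrypted
    password blob. The password itself is deliberately not modelled."""
    site: str
    username: str
    last_changed: date
    last_accessed: date


# Constructed vault metadata for one hypothetical user.
VAULT = [
    VaultEntry("service-a.example", "alice", date(2016, 3, 1), date(2018, 1, 20)),
    VaultEntry("service-b.example", "alice", date(2017, 9, 12), date(2018, 1, 22)),
    VaultEntry("service-c.example", "alice@example.test", date(2015, 6, 30), date(2018, 1, 25)),
    VaultEntry("service-d.example", "alice", date(2018, 1, 10), date(2018, 1, 10)),
]

# Constructed breach table: site -> date the breach became public.
BREACHES = {
    "service-a.example": date(2017, 5, 4),
    "service-c.example": date(2016, 11, 15),
    "service-d.example": date(2017, 12, 1),
}


def services_exposed(vault):
    """The account inventory: which services the owner uses.
    This is the first thing the metadata gives away, no decryption needed."""
    return sorted({entry.site for entry in vault})


def stale_after_breach(vault, breaches):
    """Entries whose password was last changed BEFORE a known breach of that
    service. Those are the accounts where a leaked password may still be the
    live one: the correlation the episode describes. Returns
    (site, last_changed, breach_date) tuples in vault order."""
    flagged = []
    for entry in vault:
        breached = breaches.get(entry.site)
        if breached is not None and entry.last_changed < breached:
            flagged.append((entry.site, entry.last_changed, breached))
    return flagged


def timeline(vault):
    """A chronological activity trail built purely from change/access
    timestamps: (date, event, site), oldest first."""
    events = []
    for entry in vault:
        events.append((entry.last_changed, "changed", entry.site))
        events.append((entry.last_accessed, "accessed", entry.site))
    return sorted(events)


if __name__ == "__main__":
    print("accounts at:", services_exposed(VAULT))
    for site, changed, breached in stale_after_breach(VAULT, BREACHES):
        print(f"{site}: password set {changed}, service breached {breached}")
    for when, event, site in timeline(VAULT):
        print(when, event, site)
```

Note what the checks never touch: no password, no hash, no key. Service D is breached too but is not flagged, because its password was changed after the breach date; that is exactly why the change timestamp, on its own an innocuous field, becomes the deciding piece of data in the correlation.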