Sometimes we get a little too focused in on what the root of a vulnerability is. I find myself thinking this a good bit with the advent of geolocation tagging and “check-ins” as the security world runs around with hair on fire.
Rather than accept that our tools and users will be GPS connected and tracked, we take the extreme of labeling it all bad. By doing so we have removed what is a valuable tool to our folks. We can all agree that geolocation unfettered is a bad idea, but can’t we agree that geolocation in and of itself is not?
In the intelligence world the mere presence of an object does not guarantee its value. As such the difference between something that is valuable or not can boil down to the triangle below. Those from the community will scream that I am missing multiple aspects of the equation, but bear with me.
Intelligence (or in the security world a vulnerability) is more than the image or the long/lats. Before we can state for sure that it is a vulnerability we must factor in at least 3 things:
- Does it expose a time?
- Does it provide a location?
- Does it reveal capabilities?
There was an example of a robbery due to a homeowner “checking in” on Facebook, exposing that they were out of the house. Many jumped to blame this squarely on geolocation. Here is why it was not:
- Does it expose a time? – Yes it exposed that during certain hours or during this time the homeowner was not on the premises, but couldn’t this have been verified without Facebook? If I post “Hey guys I am heading out to Delray for some drinks, anyone wants to hang-out I’ll be there till 2200.” doesn’t that in essence provide the same capability? There is no reason to believe I would post this as a lie. If you wanted to verify, you could pull up to the house and look for the signs of someone being home.
- Does it provide a location? – In this example it provided a location I was not at. We can say that this added to the vulnerability.
- Does it reveal capabilities? – No it didn’t. Had the individual said “I am leaving for the next few hours and taking my guns, dog, and security system with me,” it would have. The risk is still there for the robber to find a security system (dog or electronic) and another human there also.
So what did geolocation provide that was any different than someone posting on Twitter their dining selection for the night?
Let’s take a counter-example of when geolocation and pictures are a bad idea. “Why aren’t pictures from the SR-71 or U2 all declassified at this point?”
- Does it expose a time? – 30-year-old pictures showing a truck traveling a road in some remote location provide little intel at this point.
- Does it provide a location? – No one cares about the remote road depending on if we were officially there or not :)
- Does it reveal capabilities? – Here is the catch. If you know that the SR-71 flew at a certain altitude and can see how many hairs the truck driver has on his head you can begin to extrapolate the capabilities of the plane and imagery sensors. Then if you think about it being 30 years old you can make some educated guesses about what’s out there today. Revealing these pictures would show capabilities we aren’t prepared to showcase, even if they are 30 years old.
More so than the personal angle there are businesses very concerned over this. Surely there are reasons that some folks need to worry about this depending on the type (or classification) of work they are performing, but overall most of the presumed vulnerabilities of geolocation check-ins or photographs are not new. If you think that someone taking a picture of themselves and a friend outside of your building and posting it on Twitter is a vulnerability, you are in dire need of evaluating your boundary. Occam’s razor tells us that the easiest path will most likely be the one taken. Scavenging Foursquare and Twitter pictures is a lot harder than sitting on the corner under a tree counting folks.
Now a little devil’s advocacy before the emails pour in:
- You didn’t think about the pictures people will take inside buildings showing our layout and systems
  - You allow cameras in your building? Isn’t that really the vulnerability?
- Geolocation makes it easier to social engineer!
  - It provides another avenue, but it’s not a slam dunk. I would argue it provides little that a few days of tailing won’t match. It speeds up the process and allows for quicker target acquisition, but does not guarantee success.
- So you think we should just let our users 4square into our work locations and post whatever they want?!?!?!
  - Unless you are providing the mobile tool that provides that capability and you failed to lock it down, then shut the front door. Your users have their own phones and you sending out a corporate memo won’t change that. In addition, if you begin farming the same data that could be used against you there could be legal issues (IANAL).
What is the fix? The fix is to accept that there are tools that provide this data in your enterprise, company issued or other. Turn the tables and ask yourself why it worries you:
- The data will show our physical security system … _is rhythmic and antiquated. The picture of that day-time only FOSCAM will expose that you have weaknesses at the barrier._
- The data will expose our company locations (as will Google Earth, Wikileaks, Sat photos, Maps, etc.)
- Our personnel will be targeted – they already are…
This vulnerability should force the issue that you need to practice better Force Protection. Upgrade those cameras, stagger security sweeps, and educate your users. Ultimately you will need to help your users understand why this is dangerous to them and the enterprise. Publish your company policy (security without policy != security) and fire those that do not follow. Just don’t pretend though that the HR-focused approach will fix all your problems. Information is not something you can erase after it’s out in this day and age.
How is this any different than when cell phones first entered your enterprise? It was many moons ago, but back then the voice traversing those handy little (relatively speaking) devices was unencrypted. Anybody with a basic understanding of RF and antenna theory could listen in on conversations your teams were having in the field. We waited too long before accepting we weren’t getting rid of this new tool and forcing encryption, frequency hopping, and other techniques to be implemented.
It is time to change Infosec Teams from being the “No” guys to the team that is willing to work with the technology. We must weigh risk with mitigation and in some cases pull up our pants when caught with them down.