Aug 20, 2016 Your Technology Vendors May Be Stealing From You: How to Know, and What to Do
I recently read an extremely provocative article on the topic of what information major providers–including Microsoft, McAfee, and others–are routinely capturing from their customers.
Some of it may appear benign, and the article is focused on consumers, who bear the brunt of the information exposures. The companies cited as examples are established providers, not fly-by-night organizations, that often serve as strategic partners to large enterprises. Such strategic partners would (presumably) be unwilling to risk their relationships with their cash-cow customers.
So as an enterprise infosec professional, you may be thinking the issue shouldn’t be a major concern.
You’d be wrong. A closer look at the types of information that get routinely captured by the default configurations of a lot of software (operating systems for laptops and mobile devices, security software, and IP telephony software) shows that even enterprise organizations may be giving up information that can put the company at risk.
Take telemetry data, for instance.
The default settings for Windows 10 provide device location data back to Microsoft. That data could be very interesting indeed for the employees of, say, a private equity firm. Knowing that a particular individual is in a particular location at a particular time, perhaps with another individual from a different company, can be a highly actionable insight for a day trader or a rival equity firm. (Microsoft Ventures, anyone?)
Similarly, knowing who phoned whom and when could be extremely valuable–it’s one reason that the government regulates telephone companies’ exposure of such metadata. Personally, I’d like to see Warren Buffett’s phone records!
The article proposes a range of responses, some tactical, some at the regulatory level. I don’t agree with all of them, and not all apply to enterprise users. So here are mine:
- Start at the contractual level. All vendors must agree that any and all devices, software, and services will be delivered in a default condition that does not capture data and return it to the provider–or captures and returns only specified, mutually agreed-upon data. The provider should bear legal liability if this is not done. Additionally, the customer should be able to turn off any data capture mechanism–even if previously agreed upon–at any time, for any reason. I realize this is a tough clause to get into procurement contracts, but a good house counsel should be able to drive it home, at least at larger firms.
- Trust, but verify. Subject all devices, software, and services to a hands-on review to confirm that settings are appropriate. For operating systems, that would include not only checking the settings provided by the vendor, but monitoring traffic in real time to confirm that no unauthorized data is being sent off-net.
- Consider working for regulatory overhaul. I don’t think the Federal Government should mandate that, for instance, all “phone home connections be made via HTTPS”, as the article’s author suggests. But a national discussion on privacy is long overdue–and at the very least, enterprise organizations should make this a priority for themselves and their employees.
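The "trust, but verify" step above can be turned into a repeatable check. The following is an added example, not code from the original post: it reads constructed outbound-flow records (the CSV, the host name, the addresses and the allow-list are all hypothetical), ignores traffic that stays on-net, drops destinations the contract explicitly permits, and reports what is left so an analyst can ask the vendor what those connections carry.

```python
import csv
from collections import defaultdict
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample of outbound connection records (not from any real host):
# timestamp, source host, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
ts,src_host,dst_ip,dst_port,bytes_out
2016-08-20T09:00:01,laptop-17,10.1.4.20,445,2048
2016-08-20T09:00:05,laptop-17,203.0.113.10,443,51200
2016-08-20T09:01:10,laptop-17,198.51.100.7,443,9000
2016-08-20T09:02:30,laptop-17,203.0.113.10,443,48000
2016-08-20T09:03:00,laptop-17,192.0.2.55,80,300
"""

# Hypothetical allow-list: the vendor endpoints the contract actually permits.
AGREED_ENDPOINTS = [ip_network("203.0.113.0/24")]

# RFC 1918 ranges: traffic that stays on-net is out of scope for this check.
ON_NET = [ip_network("10.0.0.0/8"),
          ip_network("172.16.0.0/12"),
          ip_network("192.168.0.0/16")]


def is_off_net(ip):
    """True when the destination is outside every internal range."""
    return not any(ip in net for net in ON_NET)


def find_unapproved_egress(flow_csv, min_bytes=1024):
    """Return {dst_ip: total bytes sent} for off-net destinations that are not
    on the agreed allow-list and received at least min_bytes in total.
    The threshold keeps trivial probes out of the report; lower it to see all."""
    totals = defaultdict(int)
    for row in csv.DictReader(StringIO(flow_csv)):
        dst = ip_address(row["dst_ip"])
        if not is_off_net(dst):
            continue                      # internal traffic: not "phone home"
        if any(dst in net for net in AGREED_ENDPOINTS):
            continue                      # contractually agreed endpoint
        totals[row["dst_ip"]] += int(row["bytes_out"])
    return {ip: b for ip, b in totals.items() if b >= min_bytes}


if __name__ == "__main__":
    for ip, sent in find_unapproved_egress(SAMPLE_FLOWS).items():
        print(f"unapproved egress to {ip}: {sent} bytes")
```

Run against real flow exports (firewall or proxy logs, a Zeek conn log) rather than the embedded sample, and review the report with the vendor's documented telemetry endpoints at hand so each unexplained destination is either added to the agreed list or switched off.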
The bottom line? Don’t assume that just because software came from a large vendor who’s a trusted partner, it will keep your company’s data safe. (But you knew that, right?)