Thursday, March 17, 2016

Inadequate DLP or insider screws FBI

Not that there was ever any doubt, but the FBI crusade against Lavabit is confirmed to have been aimed at obtaining information on Edward Snowden.

Hundreds of pages of previously sealed court documents were released.  However, the pages were heavily redacted.  But there was a single reference to Snowden that was missed.  So now we have proof that the FBI caused the shutdown of an email service used by many over a single email account.

However you feel about that, there's a clear infosec angle here.  If you are redacting something, you have to make sure you do it right.  If Snowden's name and/or email were supposed to be fully redacted (which is almost certain based on the redactions) a simple keyword search would have confirmed that the documents no longer contained any references to the redacted subject.  No matter how you feel about DLP, you have to admit that it would have saved the FBI some face here.  Redacting 99% of the references doesn't really matter if you miss one - close only counts in horseshoes and hand grenades.
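The keyword check described above, as an added sketch that is not part of the original post: it searches the extracted text of each released page for terms that were meant to be redacted, after folding case, line-break hyphenation and invisible characters that would defeat a plain search. The function names, the terms and the sample pages are constructed for illustration, and the page text is assumed to have already been extracted from the final file.

```python
import re
import unicodedata

# Invisible characters that can split a word in extracted text.
_INVISIBLE = dict.fromkeys(map(ord, "\u00ad\u200b\u200c\u200d\ufeff"))


def normalize(text):
    """Fold extraction noise so a term cannot hide from a plain search."""
    text = unicodedata.normalize("NFKC", text)  # ligatures, full-width forms
    text = text.translate(_INVISIBLE)           # soft hyphen, zero-width chars
    text = re.sub(r"-\s*\n\s*", "", text)       # rejoin words split at line end
    text = re.sub(r"\s+", " ", text)            # names wrapped across lines
    return text.casefold()


def find_leaks(pages, terms):
    """Return (page_number, term, context) for every term that survived."""
    needles = [(term, normalize(term)) for term in terms]
    hits = []
    for number, raw in enumerate(pages, start=1):
        hay = normalize(raw)
        for term, needle in needles:
            for m in re.finditer(re.escape(needle), hay):
                start = max(0, m.start() - 20)
                hits.append((number, term, hay[start:m.end() + 20]))
    return hits


# Constructed sample data: placeholder subject and three extracted pages.
TERMS = ["Jane Example", "jane@example.com"]
SAMPLE_PAGES = [
    "The account of ██████ ███████ was the subject of the order.",
    "Records pertaining to Jane Ex-\nample were requested.",
    "Subscriber contact: JANE@EXAM\u00adPLE.COM",
]

if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_PAGES, TERMS)
    for page, term, context in leaks:
        print(f"page {page}: {term!r} still present near {context!r}")
    # A non-empty result should block the release.
    raise SystemExit(1 if leaks else 0)
```

Neither leak on pages 2 and 3 is found by an exact substring match on the raw text, which is why the search runs on normalized text.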

Another possibility (besides incompetence) is that an insider redacted the documents and decided to leave in a single reference.  This offers the redaction professional plausible deniability as to their intent, but still gets the name out there.

What do you think - bad DLP, incompetence, or insider?
