May 12, 2011, 4:03 PM — by Chris Murrey, SecureState - “OpenDLP is a free and open source, agent-based, centrally managed, massively distributable data loss prevention tool.” This is how creator Andrew Gavin defines OpenDLP. While this tool could be used to monitor sensitive data on hundreds of systems simultaneously, it could also be used to steal massive amounts of data very quickly.
The setup for OpenDLP is not for the faint of heart, but once it is set up it is a very powerful attack tool. If a domain or workgroup is compromised by a malicious attacker, the OpenDLP agents can be deployed to steal any information the attacker desires. OpenDLP employs regular expressions and a combination of white and black lists to pinpoint the valuable data. Regular expressions, also referred to as regex or regexp, provide a concise and flexible means for matching strings of text. This makes finding credit card data, Social Security numbers, or other custom records extremely easy. The deployed agents run at a low priority so users don’t notice the activity. These agents also remove themselves when the search is done, making the activity even less visible to users. However, any in-depth analysis should reveal the agents were used on these systems. Lastly, the transmission from agent to server is also encrypted using Secure Sockets Layer (SSL), which is almost never inspected.
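To make the regex plus white/black list approach concrete, here is an added example (not OpenDLP's own code) of the kind of check a defender can run over their own files before an attacker does: path allow/deny patterns, a card-number regex filtered by the Luhn checksum to cut false positives, and a Social Security number pattern. The file paths and contents are constructed sample data.

```python
import re
from fnmatch import fnmatch

# Patterns in the style a DLP scanner uses: candidate card numbers (13-16 digits,
# optionally separated by spaces or dashes) and U.S. Social Security numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def should_scan(path: str, whitelist, blacklist) -> bool:
    """Scan a path only if it matches an allow pattern and no deny pattern."""
    if any(fnmatch(path, p) for p in blacklist):
        return False
    return any(fnmatch(path, p) for p in whitelist)

def find_sensitive(text: str):
    """Return (kind, matched_string) tuples for every hit in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # regex alone would also flag the fake number below
            hits.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits

# Constructed sample files (hypothetical paths, no real data): a user document
# with one real-format card number, one Luhn-invalid run and one SSN, plus a
# system file that the blacklist should exclude from scanning.
SAMPLE_FILES = {
    "C:/Users/alice/Documents/export.txt":
        "card 4111 1111 1111 1111 ok; fake 1234 5678 9012 3456 no; ssn 123-45-6789",
    "C:/Windows/System32/kernel32.dll": "4111111111111111",
}

def scan(files, whitelist=("C:/Users/*",), blacklist=("C:/Windows/*",)):
    """Apply the allow/deny lists, then the patterns, and report hits per file."""
    return {p: find_sensitive(t) for p, t in files.items()
            if should_scan(p, whitelist, blacklist)}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(path, hits)
```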
The speed and simplicity of OpenDLP make it a great choice for Penetration Testers. Unfortunately, it does the same for an attacker. In one case, SecureState was able to sift through 50 machines to pull out various HIPAA and PCI data in less than an hour. This may result in non-compliance in both areas. With the weaponization of OpenDLP, an attacker no longer has to spend days searching systems or limit the search to large file shares. Attackers can be in and out before they are ever detected.
Along the same lines, other DLP solutions can be targeted by attackers. All of the sensitive data is there; why bother looking somewhere else? These systems are the end of the rainbow for an attacker. Even though many organizations have policies regarding the storage of sensitive information, users still store sensitive information on their local machines.
Many companies focus on identifying or fixing vulnerabilities. While vulnerabilities may allow the attacker to get to the sensitive data, if there is nothing valuable to be found, the attacker moves on. SecureState has discovered sensitive data in some very obscure places, while other data was hidden in plain sight. Running tools such as OpenDLP or agent-less scanners such as Cornell’s Spider is very important in locating these prized possessions.