Google's RAPPOR tool – which cyber-experts describe as an “important innovation” with “great potential” – aims to help security professionals gather statistics about bugs and malware, without infringing on individual users' privacy.
Google has made RAPPOR (Randomised Aggregatable Privacy-Preserving Ordinal Response) available for free, and is currently testing the tool on its Chrome browser “to learn statistics about how unwanted software is hijacking users' settings”.
In a 30 October blog, Google head of security research, Úlfar Erlingsson, said that RAPPOR is one of the first implementations of differential privacy - “widely accepted as being the strongest form of privacy” - and provides security data while guaranteeing client privacy by building on the concept of “randomised response”.
To explain this, Erlingsson cites the example of trying to count “how many of your online friends are dogs while respecting the maxim that, on the internet, nobody should know you're a dog”.
To achieve this, he says, when asked whether they are a dog, each friend should toss a coin in secret, then answer the question truthfully if it comes up heads but always answer ‘yes' if it comes up tails. The greater-than-half number who answer ‘yes' gives a good estimate of the true count, while not revealing which friends are dogs.
Erlingsson explains: “RAPPOR allows software to send reports that are effectively indistinguishable from the results of random coin flips and are free of any unique identifiers. However, by aggregating the reports we can learn the common statistics that are shared by many users.”
He adds: “We believe that RAPPOR has the potential to be applied for a number of different purposes, so we're making it freely available for all to use. We're encouraged by the feedback we've received so far from academics and other stakeholders.”
Google will publish full technical details of RAPPOR next week at the ACM Conference on Computer and Communications Security.
Reacting to Google's claims, Tim ‘TK' Keanini, CTO at security firm Lancope, told SCMagazineUK.com: “The Google tool is an important innovation in making data private but still delivering information. In most cases, private means confidential and no information can be delivered, but the statistical abstraction delivers information from the data at a different logical level and this is important when you are trying to find the balance between privacy and visibility for security.”
Guillermo Lafuente, security consultant with MWR InfoSecurity, told SCMagazineUK.com via email: “RAPPOR has great potential. It allows collecting data about users without the need of using any unique identifiers.
“RAPPOR could become a very useful tool for organisations that need to collect user's data while keeping the user anonymous. Therefore there are several sectors that could benefit from the technology. This can range from marketing companies to security companies which need to collect anonymous information of security breaches.”
Keanini agreed the tool could go beyond security uses, telling SC: “It solves a big problem as matters of privacy are universal. In the case of digital marketing and advertising, this tool sets up a nice border between data that needs to remain undisclosed and yet delivers the information that they need to ‘better' serve you.
“The same can be said about software vendors trying to get more information into quality control and UX design. All of these statistics can drive decisions loops that will yield a better product in a shorter amount of time.”
Meanwhile, Facebook's Osquery open-source tool, also released this week, offers a more straightforward (SQL) query-based way to find out which processes are running on your company's operating systems, and expose those where the original binary used to launch the process no longer exists, “a common tactic used by malicious actors”.
In a 29 October blog, Facebook security software engineer Mike Arpaia said companies can use the framework to “maintain insight into the security, performance, configuration and state of your entire infrastructure”.
Osquery works cross-platform on Ubuntu, CentOS and Mac OS X systems, and the code and documentation is available on GitHub.
Commenting on the tool, David Chismon, security consultant with MWR InfoSecurity, told SCMagazineUK.com via email: “Facebook is introducing a way of querying data on Apple OS X computers as well as Linux computers, throughout the enterprise. This is likely to be a highly useful tool, although its use will depend on what people now write to exploit the information available.”
Keanini commented: “Facebook's tool is really about scale and the folks who like the SQL paradigm for inquiry. This solves the endpoint insight one would need to maintain operational control in near real time. Let's hope that more thought into security went into this than did the inventors of SQL!”
Commenting on both tools Keith Bird, UK managing director for Check Point, told SCMagazineUK.com via email: “Organisations need customisable threat intelligence that can be immediately used within their network environments to prevent cyber-attacks from occurring.
“With Facebook and Google offering feeds, it expands the range of intelligence available, giving businesses more choice of what works for them. It is important that businesses have as many tools at their disposal as possible to keep up-to-date with the latest threats.”
* Also this week, Google detailed the encryption-by-default and other security features contained in the latest ‘Lollipop' version 5 of its Android operating system – described by Google as the “biggest update for Android to date” and due for release next week.
The company also detailed how the next versions 39 and 40 of its Chrome browser will deal with the SSL v3 ‘POODLE' bug, but that when introduced “some buggy servers may stop working”.