{"id":3098,"date":"2018-02-05T13:48:02","date_gmt":"2018-02-05T20:48:02","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3098"},"modified":"2019-08-19T13:40:05","modified_gmt":"2019-08-19T20:40:05","slug":"strava-heatmap-exposes-sensitive-military-bases-invokes-the-law-of-unintended-consequences","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/strava-heatmap-exposes-sensitive-military-bases-invokes-the-law-of-unintended-consequences\/","title":{"rendered":"Strava Heatmap Exposes Sensitive Military Bases"},"content":{"rendered":"
Strava heatmap exposes sensitive military bases and invokes the law of unintended consequences.
Issue

Something as innocuous as a running application, combined with cloud access and GPS location data, allowed users to identify sensitive military and government bases and the people who use them. The Guardian newspaper used a script to generate GPS data and uploaded it to a Strava account. It then used the application to find other users who had done the same run. The runs matched sensitive locations such as military installations and classified government facilities, and the newspaper identified 50 users by name.

With so many interconnected devices, where is the boundary of your data? If you don't know where your data is and where it goes, you cannot secure it. With multiple devices providing cloud or syncing functionality, the ease with which data can unintentionally leak out of the environment is astounding.

Impact

The impact of the Strava heatmap on InGuardians customers is relatively low. The issue does, however, present the conundrum of securing our data and maintaining operational security while still being able to use that data and the many applications that have become intrinsic to our businesses.

Recommendations

InGuardians' primary recommendation is to analyze the potential exfiltration threats that applications pose and to create a policy that addresses them accordingly. Examples of applications and policies in this area include a social media use policy, rules on on-site photography or mobile phone use, and modifying metadata.

InGuardians also recommends implementing a Mobile Device Management (MDM) solution to enforce policy on the devices your organization manages. Locking down functionality on these devices according to your internal processes and policies is critical. Unknown, unmanaged devices should not be allowed on your network. The larger concern goes beyond "Strava" and may include data that is gathered but not publicly mapped.

Additional Resources

Strava Heatmap and related articles

https://labs.strava.com/heatmap/#6.00/34.08716/29.07362/hot/all

https://www.washingtonpost.com/news/the-switch/wp/2018/01/31/lawmakers-demand-answers-about-strava-heat-map-revealing-military-sites/?utm_term=.7e78368ca5af

https://www.engadget.com/2018/02/02/strava-s-fitness-heatmaps-are-a-potential-catastrophe/

Metadata

https://support.office.com/en-us/article/Remove-hidden-data-and-personal-information-by-inspecting-documents-356b7b5d-77af-44fe-a07f-9aa4d085966f#ID0EAACAAA=PowerPoint
","protected":false},"excerpt":{"rendered":"

","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[157,135,78,83,115,145],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3098"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3098"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3098\/revisions"}],"predecessor-version":[{"id":3099,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3098\/revisions\/3099"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}