iPod: Your Portable Corporate Hellraiser
MrAndrews writes "In an article on ZDNet UK, a Gartner analyst says that 'Companies should consider banning portable storage devices such as Apple's iPod from corporate networks as they can be used to introduce malware or steal corporate data.' I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern? No more music on the way into the office?"
My father works in the Aerospace industry. He is required to leave his iPAQ at the front door every day.
Is this overkill? Perhaps. But sometimes such heavy-handed policies make sense, especially when it comes to making war.
(I was only an egg, but then I cracked)
Seems to me the first step should be to disable USB on machines which do not need it in the BIOS then lock the BIOS....
The German c't magazine recently had a short article about disabling the USB storage driver for non-administrator users on Windows 2000 and XP - effectively eliminating the security risk. This policy could be enforced by any system administrator on all desktops. Similar things could be done for Firewire ports and storage devices that attach to it. Basically it works by making the driver non-readable and non-executable for the average Joe Schmoe user logging into the system.
;)
Bring your own USB sticks? No problem. Can't use 'em anymore.
Christian
--- Eat my sig.
Oh yes I remember this! A supposedly high security installation and there are USB ports on the keyboard! Puhhhlease! In high security environments where it matters, there aren't supposed to be disk drives and USB ports, or an easily accessible means to get data off the network.
I have a friend that works for the Department of Defense and though he wanted an iPod, employees aren't allowed to bring in any device that data could be written to, so he couldn't use it at the main place he'd wanted to.
Question everything
I'm certain all of them will gaze with a steady stare and nod gravely when you explain the corporate policy against data on personal devices.
And I'm convinced if you have a policy against bringing such devices to the workplace, you'll never ever see one carrying one.
The "solution" of banning the devices is the wrong one, I'll grant you, but the companies here probably just can't think of anything else to do that's as easy as the stroke of a pen in the rulebook. Hiring employees you can trust is done exactly how? How do you know you can trust them? How long does someone have to work for you before you -know- they're not going to burn you?
There were Soviet spies who lived as "normal" Americans for decades before becoming active. With all the money in corporate espionage at stake, I'm sure you could find a few people who would work to become trusted for years, until they could strike, possibly gaining access to more data the entire time.
Hey
I work in India in a major software park. The company in the opposite quadrant is a typical BPO company and they have a LARGE poster stuck outside the entrance - "Please get checked and declare all your belongings at security". Several friends too told of similar rules in their companies.
In short, for BPO firms, the data of their clients is of utmost importance. Even the CEO of the company is required to go through the mandatory check! Internet access is locked down. No CDROM/CDRW/Floppy/USB/Firewire! Even printer access is restricted and fully logged and accounted for!
You can get fired for trying to access an irrelevant site (e.g. Yahoo briefcase), forget about bringing in that 40GB iPod or your favorite USB key.
Oh yeah, did I tell you that even cameras are forbidden and you'd be handed over to police if you're seen taking a "group picture" with your team mates in the office! A camera phone can send you in for good.
Folks, it's sometimes a business *requirement* not to allow such kind of things. You want to listen to music? Fine, bring along a vanilla walkman/discman/portable MP3 CD player, whatever... just leave the fancy gadgets behind and you'll be fine.
Fortunately I work in a company that has fairly open policies and our data is our own, so the rules are less stringent... no CDRW/USB drive, but still very open policies.
- mritunjai
The USB drive didn't come up in the CIA scans because the drive wasn't active; the inactive drive wasn't giving off any EM for them to detect.
Do YOU remember the movie? The reason the drive didn't come up in the CIA scans was because the agent always managed to leave the coffee cup on the security counter while she went through the scanner - the cup itself was never scanned.
This is a common tactic in several caper movies, and is equally implausible in all of them.
Or if you are one of the few Linux desktop shops, you could:
1) Not build usb-storage into the kernel.
2) Compile the module (for admin use, if need be). But not load it at boot. Modprobe _is_ an /sbin command, and your users aren't running as root, are they?
This will allow USB devices other than those requiring the usb-storage module to be used. Repeat as necessary for other USB devices . . .
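The comment above describes a policy (usb-storage compiled as a module but never loaded) rather than a way to verify it. The following POSIX shell script is an added example, not code from the original post: it audits a host against that policy by checking that `usb_storage` is absent from a `/proc/modules`-style listing and that a modprobe configuration prevents it from being auto-loaded. Both inputs are taken as file arguments so the check can be run against the constructed sample files the script writes itself; on a real host you would pass `/proc/modules` and the relevant file under `/etc/modprobe.d/`. The `usb[-_]storage` pattern and the accepted `blacklist`/`install ... /bin/false` forms are the script's own assumptions about what counts as "blocked".

```shell
#!/bin/sh
# Added example (not from the original post): audit a Linux host against a
# "usb-storage is never loaded for ordinary users" policy.

# usb_storage_loaded MODULES_FILE
#   Returns 0 if a /proc/modules-style listing shows usb_storage as loaded.
usb_storage_loaded() {
    grep -q '^usb_storage ' "$1"
}

# usb_storage_blocked MODPROBE_CONF
#   Returns 0 if the modprobe.d fragment stops the driver from auto-loading.
#   "blacklist" only stops alias-based (hotplug/udev) loading; an
#   "install usb-storage /bin/false" line also defeats a plain "modprobe".
usb_storage_blocked() {
    grep -Eq '^[[:space:]]*(blacklist[[:space:]]+usb[-_]storage|install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true))' "$1"
}

# check_usb_storage_policy MODULES_FILE MODPROBE_CONF
#   Prints a per-item verdict; returns 0 only when the module is both
#   currently unloaded and blocked from auto-loading.
check_usb_storage_policy() {
    rc=0
    if usb_storage_loaded "$1"; then
        echo "FAIL: usb-storage is currently loaded"
        rc=1
    else
        echo "ok: usb-storage not loaded"
    fi
    if usb_storage_blocked "$2"; then
        echo "ok: $2 prevents usb-storage from auto-loading"
    else
        echo "FAIL: nothing in $2 prevents usb-storage from auto-loading"
        rc=1
    fi
    return $rc
}

# Demo on constructed sample files (not captured from a real machine).
demo() {
    tmp=$(mktemp -d)
    # Locked-down host: usbcore present, but no mass-storage driver.
    printf 'usbcore 200000 3 usbhid,ehci_hcd,uhci_hcd, Live 0x0000000000000000\n' \
        > "$tmp/modules.locked"
    # Unmanaged host: udev already pulled in usb_storage for a plugged-in stick.
    printf 'usb_storage 60000 1 - Live 0x0000000000000000\nusbcore 200000 4 usb_storage,usbhid, Live 0x0000000000000000\n' \
        > "$tmp/modules.open"
    # Constructed policy fragment: refuse to load the driver at all.
    printf '# never auto-load the USB mass-storage driver\ninstall usb-storage /bin/false\n' \
        > "$tmp/no-usb-storage.conf"
    : > "$tmp/empty.conf"

    echo "== locked-down host =="
    check_usb_storage_policy "$tmp/modules.locked" "$tmp/no-usb-storage.conf" || true
    echo "== unmanaged host =="
    check_usb_storage_policy "$tmp/modules.open" "$tmp/empty.conf" || true
    rm -rf "$tmp"
}

demo
```

As the comment notes, this only constrains users who are not root; an administrator can still `modprobe` the module (and `install ... /bin/false` can be bypassed with `modprobe --ignore-install`), so the check is a configuration audit, not a guarantee.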
If by "automatic weapons," you mean the M-16, then yes, they might fire it if need be.
The M-16 no longer uses a full burst. The modern M-16 has a switch that selects either single automatic fire (Which is what it is usually set to, because it is by far the most accurate) or tri-burst, which is a series of three shots.
The M-16 was designed to be something of a poor man's sniper rifle, so if a soldier in an airport had to shoot someone from a distance, he could probably do it with striking accuracy.
Of course, this is still not highly likely. Protocol probably states that they use deadly force as a last resort.
vi ~/.emacs
So as an employer you'd like to limit what personal effects people bring into work.
How about beards? Haircuts? What other things that have no bearing on work would you like to take control of?
I'd be happy with a company that says I can't listen to my mp3 player at work. I'd not work for a company that says I can't listen to an mp3 player on my way to and from work.
Perhaps lockers would be an answer.
so you can put all your prohibited items in a locker before entering work.
Yes I read the post.
... he is not. He is, like the NRA, weak and ready to compromise rights away at a moment's notice.
"even Charlton Heston would balk at this"
That implies that Mr Heston is the "peachiest pie in the sky" when it comes to defending RKBA.
The sea changes color, but the sea does not change.
I'm not saying that they will or will not use them, I think this basically comes down to a mixture of situation, orders and individual, but the problem isn't the accuracy of the weapon so much as its design. It's a small bullet shot with a lot of power; the problems occur when the bullet exits the target, assuming it hits the target. A bullet from an M16 is going to keep going for some distance; the MP5 that was mentioned earlier wouldn't be anywhere near as bad in this regard.
For the most part, the guys in the airports are National Guard. They tend to have the A1 model, not the A2 (are the handguards round, or triangular?).
The A1 can rock-n-roll full auto. The A2 has the three round burst.
If you can't bring in your USB watch, how about my bluetooth cell phone? Okay, bluetooth technology isn't as common as USB, but my phone can hold a gigabyte of data. Plus, it has a camera, so I can take pictures of secured areas.
How can your office stop someone from bringing in their cell phone? Or a USB key on their keychain? Or their PDA?
I'd hate to be responsible for corporate data security now with all of these devices floating around. Someone could discreetly download a lot of data onto their key chain. Heck, it is even easier with my bluetooth phone. I don't even need a wired connection, just be within 15 feet of my PC. I don't even have to be near my PC in order to download data.
A few years ago, I worked for a large financial corporation when someone stole the HR database and sold it to identity thieves. Hundreds of us "highly compensated" employees suddenly discovered that someone was using our identity to buy electronic hardware, get bank loans, etc.
It took me five months to clean up the mess, and I was lucky. I found out about it the very day it happened because one of the stores that gave this guy instant credit called me to verify if I had just applied for credit.
Still, in a twelve hour period, that person went to over 3 dozen different stores from Atlantic City to Philadelphia getting instant credit and buying over $200,000 of goodies. I could literally figure out which roads he took by looking at the various times he hit the stores and applied for credit.
Other people weren't so lucky because they didn't find out about it until either a collection agent called, or they were denied credit because of this attack.
And who was the person who gave the information to the thief? Heck, it could have been almost any lowly paid clerk in HR. If you're only making $30,000 per year, someone offers you $100K or so for this kind of information, and you know the likelihood of you getting caught is almost nil, what would you do?
Millions of employees with access to valuable data, and hundreds of ways to get around corporate security. Maybe 99.99% of your employees are dedicated, hardworking, and honest, but it's the other .01 percent that will destroy you.
This is probably expected at any sort of secure military or defense contracting site.
I remember helping my father burn a CD full of MP3s once so he'd have something to listen to in the secure section where he worked. No portable radios or music players were allowed, no PDAs, no portable storage devices, nothing. The systems didn't have floppy drives or recordable CD drives and (obviously) weren't on the internet. I think that's just standard operating procedure.
For the private sector, depends on the paranoia level I guess. You could fit a lot of data on a 40GB iPod... =)
Did they block port 443 (https)? I've found that you can send anything through port 443 (including an SSH connection) and the proxies either don't know or don't care what goes through the line. And if they block secure http, I think that people would start to complain.
Wow... that's a pretty dense thing to do.
Speaking as an HVAC support technician, I can tell you that USB thumb drives are indeed the lesser of two evils a vendor would require you to deal with. Your other option is to open your network up to something like LapLink, PCAnywhere, or Remote Administrator.
And a few other things here...
1 - They wouldn't change the system without your permission. This includes setpoints, programming, graphics, etc. The Owner is liable to keep FDA regulations. The servicer is liable to the owner to provide a working system. Trust me when I tell you, service and support guys don't like to get sued. They usually take the most cautious path possible.
2 - They can't make any changes that you can't make. Don't let them tell you otherwise. I don't know of any manufacturer that doesn't sell the product to you. The service techs are from a dealer. They don't own that software. If they act like they do, find a new vendor.
3 - Disabling USB support won't get you anywhere when they just use your server connection to the HVAC system for a man-in-the-middle transfer. Your server is connected by a wire (with or without switches, routers, or other network junk) to the gateway module. A laptop posing as a gateway module can transfer files to the server. A laptop posing as a server can reprogram a gateway module. Wires and switches can't do anything to stop it, not even with address filtering. Changing the laptop's address will make it work either way.
We've had to do this with several of our customers. Now, we just write it into the contracts and service agreements that they will provide or allow us to provide easy network access. Then we work with their network guys to set up Remote Administrator. They don't restrict our USB drives, either. And some of our customers have a lot bigger worries than pleasing the FDA.
It's only reasonable if your business is engaged in hyper sensitive data. Otherwise the cost of treating your employees shabbily far outweighs the gains of security.
My company has actually had an incident with corporate espionage. The FBI caught the perp with blueprints and software in his briefcase on the airport tarmac about to board a jet to mainland China. Yet no one here is even remotely considering banning any form of memory storage devices. They might as well close up shop and send all the employees home if they do.
More and more it seems to me that Gartner's target audience is the stupid inexperienced MBA right out of Harvard. Because no one else is dense enough to believe this tripe.
Don't blame me, I didn't vote for either of them!
You, sir, have watched Goldfinger one too many times... A single errant shot is not near big enough to depressurize a cabin. See here or here or here or... you get the point. Thanks for playing, try again.
Be careful! Bears shouldn't consume large furry dogs.
In your opinion. But, what matters to the company is their opinion. Where I work you have to get manager approval for Internet access, it goes through a web proxy, and traffic is scanned both coming and going. Oh, and the web sites you can access are limited from the get go, and so far I have been unable to download anything of interest (.zip files, .exe, .msi) as I get a "requestor terminated request" page every time I go to download something. Truthfully, I haven't tried ssh'ing out of the Intranet, and I have heard you can ftp via an ftp proxy if you get permission (mgr approved, again), but have not tried that either.
Web mail is blocked, ESPN is blocked, and I am certain the "allowed" list is pretty small. One thing I have done is bring in my USB keychain drive with my code/etc on it so I wouldn't have to redo all of the functions I have already written before (job is turnkey solution development).
Oh, and I was haggled a bit about my bluetooth headset I use with my cell phone, but they let that slide, lol.
I can't afford a sig!
Hell, a strip search isn't even too likely to stop those that are determined to smuggle out corporate data. These days, simply by giving someone access to use a web browser on a PC at work, you've given them the ability to take your data. Plenty of online services (such as Yahoo) offer "briefcases" where you can upload files for storage to your personal account.
How many of these places banning USB flash drives from coming in are also preventing users from going anyplace on the Internet except specific web sites designated as "safe"?
Ultimately, it comes down to the same old thing. Treat your employees fairly and keep morale up, and you have a much more effective theft deterrent than any security measures you could ever put in place. Happy employees don't want to see their employer hurt and lose money. (Furthermore, if exceptions do exist in such a workplace, their co-workers are going to rat them out if they see them screwing over the business.)