Sensitive Data Stolen Via Digital Cameras
Jack writes "ITO is running an interesting story on a new security threat connecting digital cameras and hackers." From the article: "Following a spate of reports about Bluetooth and iPods devices being used to steal sensitive data from organizations, businesses are now urging to be vigilant as hackers use digital cameras to sidestep security measures. 'Camsnuffling', the latest IT managers headache being used to computer attackers to extract and store data with the help of digital camera." We've previously discussed this problem.
I always log in as anonymous coward.
Since the article seems to be more concerned about using cameras to store information, rather than taking pictures of sensitive documents, how long until USB memory sticks are targeted? Floppies? Geez, if they're that worried about security they need to be concerned about anything that stores info, not just what appears to be everyday items.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
when you can just buy a thumb drive and plug it in to any machine and get almost whatever you want.
I recently came into contact with a similar policy at a consulting firm that was concerned that top-secret information might escape through my USB watch, and made me leave it at the front desk every day. In that case, I know it was absurd overkill ... but is this concern a legitimate concern?
Not to skirt the question, but is this really "absurd overkill?" I'm sure that USB pens/watches/etc have been a boon to corporate espionage. With a USB storage device, you don't have to worry about burning CDs or emailing your stolen information off-site.
Having said that, I do think that some companies need to quit treating their employees like potential criminals. But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space. (thin clients would have gone a long way towards solving this problem, but that's another discussion)
Check out my website: Playfully Clever
Like the computers in a cabinet, and only allow bonded techs to get in to install peripherals :)
I know it's not realistic, but a lot of security problems can be fixed if we give up convenience.
Not sure if I understood the problem completely, but don't most companies disallow cameras in the workplace anyways? I used to work with Intel and we were supposed to declare even camera phones at the entrance, let alone digicams.
You'd think a publication called the "IT Observer" could get the hacker vs "malicious hacker" or "cracker" wording right.
If you or your company is truly serious, then the steps to limit these sorts of things are pretty straightforward (no iPods/cameras in the workplace, locking the BIOS to prevent new USB, no admin rights on your machine, etc...).
:)
The problem starts when the company talks the talk, but doesn't back it up with action, leaving IT staff with a mixed message.
A clear, well-written security policy that has been bought off by and supported by exec mgmt is the only way to go. Sarbox is a great tool for scaring mgmt into line here.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Sensitive data should not be in plain view. Camera phones, then, are not a problem.
Since when has this country used intellectual elite as a pejorative term?
Why not just repeat this article on a regular basis, updating a list of things with some sort of commonly used comm port/interface and simple file-system storage? Right now it's phones, PDAs, pens, music widgets, cameras, fobs... but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex. This article is mostly about how you can't trust people you can't trust. Cameras don't have much to do with it, per se. If cameras provided a way around an established lack of trust, then we'd have an article to read.
Don't disappoint your bird dog. Go to the range.
Most of us must have read the story about a crow wanting to drink from a jug of water, but the water being too low, the crow could not drink it. So it dropped some pebbles/stones in it and then the water rose so that the crow could drink it. If a crow can be resourceful like this applying its brain (however small), so can humans. And "hackers" (why lord why! it is crackers) are resourceful and how much ever technology progresses, there will be people who will defeat the technology by sheer brainpower and kludges. So, such things are inevitable and in fact extremely necessary to spinoff the growth of new better technology.
From the article
----
If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission.
----
This guy needs a solid whack with a clue-by-four. I work with a lot of people who use their iPods at work to.... SURPRISE listen to music.
duh.
A friend of mine has one of the big zoom cameras, an 18x Canon, and has often found the info revealed in one of them is insanely high. Zooming in to take a photo of an aged guy on a park bench reading a newspaper brought out a picture that revealed every word on the front page of it. I found myself zoomed in and reading that article before realising how simple it was, and that we were more than a hundred feet from him.
Anyone here run a business with a display visible from a window, even one half a city block from the next window?
I know that Snuffleupagus was up to something.
Disallow pen and paper, and blind-fold visitors until they are escorted to where they are supposed to go.
When I left my previous job I had agreement from the firm to copy some personal files off the laptop I was using (kids pictures, etc.)
My son had been begging me for an MP3 player especially a 1GB model that was on sale.
Now, an MP3 player isn't much more than a memory stick with some extra intelligence to recognize music files.
So, I buy the MP3 player, copy the files off to the player then offload those to my home PC.
My son will get the MP3 player he wanted for Christmas.
Having proven that this is possible, will companies now have to ban MP3 players from being used in their offices?
If you don't want to repeat the past, stop living in it.
The Camera Phone, they must all be disallowed in the work place. That is going to be difficult, since most phones have a camera, and people are going to want them in case the kids get sick.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
I thought 'camsnuffling' was breathing heavily through the nose while taking a picture?
He who knows best knows how little he knows. - Thomas Jefferson
Let's consult the Oracle:
"Your search - camsnuffling - did not match any documents.
Suggestions:
* Make sure all words are spelled correctly.
* Try different keywords.
* Try more general keywords."
Someone will get in, if they have access to your local intranet. It's that simple.
I'd bet everyone here has seen a picture of the USB flash drive disguised as a PEZ(tm) dispenser. What about the new Swiss Army Knife that has one built in? Heck, you could mod a USB drive to look like a Zippo or a Bic lighter. As others have said, I can't even see why camera phones are such a hot deal other than for their ability to take pictures; storing documents can be done in a far less noticeable way when there's access to USB ports.
Never look down your nose at others. Someday, someone is bound to see your boogers.
Other than the obvious typos, the article pretty much sucked.
when you can just buy a thumb drive and plug it in to any machine and get almost whatever you want.
Really the point of the article is to remind IT folk that cameras should fall into the same category as memory sticks, thumb drives, mp3 players. Not that they should focus on dig cameras to the exclusion of the other technologies. Anyone who cares about this article probably already has banned thumb drives and mp3 players.
Any big company I worked for banned cameras from their campus. What is old is new.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
...then I read TFA, and the OP copied verbatim the first couple of the article's grammatical blunders. There used to be editors, fact checking...it's sad when this kind of article is called journalism.
They check everyone who enters, no cameras are allowed. Everyone needs a special ID issued by them to enter. No jackets are allowed. No loose sweaters are allowed. They have lockers where any banned item can be kept, outside the secure area. Once you make it to the guards' station, they stamp every sheet of paper you take in. When you leave, you can only take out papers they stamped. They check EVERYTHING. And they have a ton of security cameras in the building, and employees that keep track of who comes and goes. I needed papers which were in a secure area. They made me wear an ID tied around my neck, and I was escorted by an employee.
They also make it a crime to try and deceive them (for example, sneak a camera in). People can go to jail, and there are heavy penalties. They have multiple checks. The first one is a metal detector and a police officer who is more than willing to use the hand wand. The next step is the security officer who checks you in.
If companies want security, it is not hard to ban everything, hire 20 or 30 police officers, make it a crime to violate their policy, and treat everyone as dishonest liars who are more likely to steal.
A chain is only as strong as the weakest link. That is the mentality these institutions have, so they don't trust anyone, not even their own guards.
What are they doing? Taking pictures with the camera of the data on the screen? Sending video over the net?
/. already covered data loss via USB ports before.
I read TFA, and both the article and the title would lead a nontech savvy person to believe that's how they were being used. I think
I am Bennett Haselton! I am Bennett Haselton!
How am I supposed to smuggle jokes for Mike into the computer complex if you instate a policy like that?!!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
If stuff is really sensitive, cameras should have been kept out long before. Lock up the USB ports but allow camera? People will just print and snap.
Didn't anyone learn anything from watching old James Bond Movies? http://www.mwbrooks.com/submini/flicks/ Those old Minox camera even had the lanyard marked to let you know the proper focus distance for shooting a document.
If they're too lazy to disable the USB ports on machines they think may be security risks, then yes. MP3 players really are nothing more than glorified thumb drives.
Yo, there was this guy long time ago, you know, called C.J. Caesar MC, and he was, like, worried that the Man would steal his secretz, 'namean?, so he came up with this gimmick where he wrote something on a piece of dead skin, how gross is that?, man, but if you had read it it wouldn't have made no sense, but if you had known HOW to read it, then hell yeah, lotsa sense there... than his buddy later called this thingamajig ROT-13 or some such nerdy word, and then lotsa other guys did the same, but more powerful...
I hope you liked this short intro to ENCRYPTION and understand how it can solve some of your problems. Thank you and goodnight.
Global warming is a cube.
I can't bring a camera to work, so this isn't a big deal to me at all. Considering how small flash drives are getting, and how much storage can be kept in phones/PDAs today, how does anyone expect this to work?
Someone has a PDA that can store 2 GB of data in a SD card. If they want, they can have as many of these as they need.
2.5" drives are very discreet, and are normally powered by USB.
Don't give anyone access to USB/Bluetooth/WiFi.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
If you're a HAL9000, you do it from across the room.
I suggest you read Slashdot
The human larynx is the biggest security risk. It's a ubiquitous device that can broadcast via sound waves any proprietary information a knowledge-worker has been exposed to.
Of course this description is (intended to be) humorous, but the serious point is one we've heard often enough: you can't solve a human problem with a technological solution.
org.slashdot.post.SignatureNotFoundException: ewg
I have heard of a company that does a good job of plugging these types of 'holes' through effective management of the desktop environment... (the guy I know complains that he can't attach *anything* USB to his machine). The funny thing is, after all that, they let him and other people (sales team, managers, etc) walk out of the front door with their laptops
This article is just the latest in a never-ending trend of "danger ! these devices can be used in bad ways" that seem to come out of the security INDUSTRY (go figure). Anyone remember back when email, or even printers were the prime danger ?
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
If you read the article, you would know that there's nothing in it about taking *pictures* of sensitive data. Rather, the article is talking about how difficult it is to prevent employees from removing data from the workplace via storage media which is not traditionally used for transporting data (other than the data it's supposed to transport, mp3's, pictures, etc).
Their cash registers were the old fashioned ones where you have to hand your card to the cashier. Naturally, the cashier loves to wave your card around and expose your numbers to everyone. Not a big hassle, except the really poor looking couple behind me WAS AIMING THEIR PHONE RIGHT AT MY CARD AND CONTINUOUSLY TAKING PICTURES!
People have been using cameras to sneak around for dozens of years.... Be it as a data storage medium, or going through someone's secret files and taking pictures of them (ala TV spies), it'll always be a threat....
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Guns don't kill people, per se. People do.
Personally, where I work, personal mp3 players and cameras are banned (we obviously have cameras for business use, not mp3 players). We also have our USB ports locked out. You can't just plug in a flash drive or anything without prior admin approval, so even if you brought your mp3 player in from home, it wouldn't work. Companies simply need to implement this to solve this problem. I know there are always ways around it, but this would simply be a step in the right direction.
Just like in the long, long trailer!
Seriously though, cameras have been used for copying documents since they were made portable. The big news here is some tech-related publication is making noise about it. Whoopee.
..you told him it was a USB watch? Hmmn. And what if a data thief has a Sandisk combo SD/USB stamp-sized card in his belt buckle? Ah, but *he* lied about having it.
Great security. Relies on thieves being honest enough to confess. About as smart as the DHS asking whether you are a terrorist or not (yes, they really do: read form I-94W).
K.
This is becoming more of a problem for me too... I'm an amateur photographer. I have enjoyed photography for about 10 years, but over the last 3 years or so, businesses have become much more paranoid about cameras. Concert venues have cracked down, and many stores will kick you out for walking around with a camera, let alone taking pictures. Personally, I have always thought that (for the most part) you should be able to photograph anything that you are allowed to freely look at, but because of abuses, that isn't usually the case. It's sad really.
12345?
That's the kind of combination an idiot would have on his luggage!
Photocopiers can be used to copy sensitive data. Please dispose of all photocopiers in your company...
Okay, I did RTFA, but I'm not entirely sure "how" a digital camera is a threat other than being used to take snapshots of sensitive data. Sure, you can plug it into a USB slot, but for a lot of cameras, they're little more than thumbdrives when they're connected via USB, so a thumbdrive would certainly be less conspicuous, but then you have to ask how this is much different from say, floppy disks, which until recently, were pretty ubiquitous.
The article mistakenly states: "Hence, simply plugging it into a computer's USB can allow hackers to obtain sensitive data." How? Does plugging in a camera suddenly disable all security in a computer? Suddenly all your encrypted data is decrypted? Suddenly the camera has access to everything? This is a completely unqualified statement that means nothing. It's a thumb drive and you have no more access to sensitive data than the person at the keyboard which is presumably the same person with the camera.
Sorry, maybe I'm missing something, but this seems like a pretty stupid article.
1. The NA can afford to spend a lot on the security, while a company has to watch the bottom line.
2. It's acceptable for the NA to annoy or even "piss off" some visitors with an overly stringent security process, whereas a company usually wouldn't want to offend guests or employees.
3. A company needs to balance between productivity and security.
Tyranny isn't the worst enemy of a democracy. Cynicism is.
Just wait until those rascally hackers start taking pictures of a screen because the USB port is all gummed up. That'll learn ya!
"just slip one in your pocket."
I could've been hiding it in my POCKET? Oh shit...
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
That is to say that the convenience of plug-n-play mass storage (whether it be USB stick, camera, iPod) can be a major security risk. Add that to unsecured systems running as administrator (or root, etc.) in the workplace or showroom, and you have a great potential for mischief.
I worked at a government installation about 15 years ago where we were required to flip the venetian blinds such that a satellite overhead couldn't take a picture of what was on your desk. To have good security you have to look at what's possible and try to prevent it. If you can't afford for the data to leak you have to close off the leaks, even if it seems ridiculous at the time. There are companies where you can't enter the premises with your cell phone (or any other electronic device for that matter). If they are really serious about it, they'd have you go through a metal detector before entering (I've had to do that). We have a mix of security here. Our PCs have firewall and security software, but nothing prevents use of the USB port. Granted, you have to login, but if somebody were to fail to logout... We run a Wifi network here, but it only goes as far as the public side of a VPN router - you have to establish a tunnel to go any further, but if you've got a laptop and ethernet cable you can plug right in and use DHCP to get an ip address and you're good to go. My point is that there will always be holes, some of them glaring. Removing a threat like a camera would require banning them at the gate - anything else is useless.
Classification of information and treating that information accordingly is at the heart of the issue. It is impractical to have to protect all information. Organisations need to decide what needs to be protected and to what extent and then implement policies based on those decisions. If you have highly sensitive information, clearly classify it so, limit who accesses it and how they access it.
When I did defense work, classified systems sat on separate networks behind locked doors. Only those who knew the combinations to the locks and had electronic key cards with the right pins could access the rooms. There were no connections from the machines to the outside world and in fact many rooms were RF shielded to prevent EM snooping. Cameras, iPods, thumb drives and USB watches were certainly not allowed in these rooms.
I am not suggesting that all organisations need this kind of security but using separate physical networks, limiting physical access, and disallowing the presence of certain devices around these machines is not beyond the pale.
A passion for apathy.
This is why cameras of any kind are banned from the Indian call center I work with.
In case of Emergency, Curl up in the Fetal position, and lick a Bible for comfort!
Ian Callens, Icomm Technologies, explains: "If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission."
Apparently the millions of people who listen to music on their iPods are "more than likely" criminals and spies.
Talk about sowing FUD -- I wonder how much the RIAA pays this guy?
It's so new, that I can't find one reference on Google about it!
Strange women lying in ponds distributing swords is no basis for a system of government.
Where I work (defense contractor), the emphasis is more that they don't want sensitive data stolen when you leave your iPod you used at work earlier that day in your friend's car. USB sticks are fine to have, as long as it's approved by security (not too difficult). We're given memory sticks that use biometrics to use if the memory stick is going to leave the building. Regular storage mediums just aren't secure enough. Granted that goes for employees...if a visitor were to bring in something with a memory card, that's a whole different story. That they take quite a bit more seriously.
This guy simply cut and pasted several posts from this story: http://it.slashdot.org/article.pl?sid=04/07/06/1250212&tid=172
Instead of banning cameras, then memory sticks (as one poster said, they can be potentially hidden to look like just about anything), then iPods...remove the capability from the computer itself! Make them more of a "dumb terminal", no floppy, no CD writer, no accessible USB.
Oh, and when the news reports came out, they did also briefly ban Furbies (remember when they were marketed as being able to mimic language? Security feared they'd be used as recording devices) and Coke cans (Coke was running that contest where prize cans had a GPS transmitter in them to lead in the prize team. This is more of the signal interference than a security thing, but people weren't hot on a GPS transmitter inside secured locations either).
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Devices capable of storing data used to steal data!
akad0nric0
This sentence no verb.
so, what is new in this ?
there are companies that prohibit music recording devices, because they had cases when somebody was playing data (with special software) and recording it (through analog port), later reconstructing files.
so, if you are concerned about security at this level, you probably limit devices allowed and working components of computers.
now, most companies do not balance these measures - they get extensive security systems, restrict their users to the point where they can not perform their duties - and then the information is obtained by a cleaner (who gets $150 a month so it's not that hard to pay more than required...)
forgetting that the weakest point in your security is exactly what whole system is worth - it's not a common mistake, it seems to be a rule.
Rich
From TFA (My emphasis)
.. um let me think .. ah .. thats it .. LISTENING TO LEGALLY PURCHASED MUSIC??!?!?!?!?!
Ian Callens, Icomm Technologies, explains: "This is a very difficult issue to manage and a real threat to business continuity and data security. If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission. This is relatively easier to police.
So if you use an iPod at work you are assumed to be a criminal regardless of what you are doing with it? Like for instance
That sort of attitude really pisses me off.
I am all for security at work, but there comes a point where you have to trust your employees with some things.
I am Slashdot. Are you Slashdot as well?
In group policy, add/remove it to Computer Configuration -> Administrative Templates. Can also disable floppies, cdroms, etc. Oh yeah, right-click -> view -> filtering, uncheck "only show policy settings that can be fully managed". Look at Alexander Suhovey's post at this page.
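An added example, not part of the original comment or of the template it points to: a PowerShell audit of whether the storage drivers such a policy targets are actually disabled on a host. It assumes the policy works by setting each driver's service start type in the registry (4 means disabled) and uses the standard Windows driver service names; `Get-StorageDriverState` is a name chosen here.

```powershell
# Added example: report whether the removable-storage drivers are disabled.
# Assumption: standard Windows driver service names; Start = 4 means Disabled.
$StorageDrivers = [ordered]@{
    USBSTOR  = 'USB mass storage (thumb drives, many cameras and MP3 players)'
    Cdrom    = 'CD/DVD drive'
    Flpydisk = 'Floppy disk drive'
    Sfloppy  = 'High-capacity floppy (LS-120)'
}
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-StorageDriverState {
    param(
        # Registry root that holds one subkey per driver service.
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    foreach ($name in $StorageDrivers.Keys) {
        $key   = Join-Path $ServicesRoot $name
        $start = $null
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
            if ($prop) { $start = [int]$prop.Start }
        }

        # A missing key means the driver has never been installed on this host.
        $state = if ($null -eq $start) {
            'Driver not installed'
        } elseif ($StartTypes.ContainsKey($start)) {
            $StartTypes[$start]
        } else {
            "Unknown ($start)"
        }

        [pscustomobject]@{
            Driver    = $name
            Device    = $StorageDrivers[$name]
            Start     = $start
            State     = $state
            Installed = ($null -ne $start)
            Disabled  = ($start -eq 4)
        }
    }
}

$report = Get-StorageDriverState
$report | Format-Table Driver, State, Device -AutoSize

# Anything installed but not disabled will still load when a device is attached.
$loadable = @($report | Where-Object { $_.Installed -and -not $_.Disabled })
if ($loadable.Count -gt 0) {
    $names = ($loadable | Select-Object -ExpandProperty Driver) -join ', '
    Write-Warning "Storage drivers still loadable: $names"
}
```

A camera that connects in PTP mode rather than as a mass-storage device does not use the USBSTOR driver, so a disabled USBSTOR does not cover it.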
Next up is cellsnuffling.
Two wrongs don't make a right, but three lefts do.
Don't forget the Furby!
"The digital camera device, just like iPod and Bluetooth, is a simple digital storage devices."
Just like iPod? You mean an iPod?
Just like Bluetooth? When the hell did Bluetooth become a device?
Is a simple digital storage devices?
Where do these writers come from? College would be a good first stop. Maybe you should stop trying to sound like you know what you're talking about and do some background reading. I'll go check Internet for more stories, or maybe use the Google. Fucking morons.
Security doesn't matter which buzz words you stick with it. Just because today's cameras are digital doesn't mean anything, 20 years ago McDonald's had a 28mm the size of the film roll in their happy meal box, right next to their secret decoder rings. Recordables of any type can't be allowed near sensitive materials.
I think I just cashed out all my cool points.
Seriously, Has anyone bothered to read this article? Who is this guy, and what the hell is he talking about?
This sounds a lot like someone blowing their own "I'm an IT God" horn, and making a much larger issue out of this than it really is. If you're really concerned about downloading music, how about blocking specific port traffic at the firewall?
Either way, this is the kind of paranoid nonsense that propagates its way up the food chain to the "Boss" and spoils it for everyone who likes to listen to music while working.
God forbid anyone use their iPod to listen to music while they work...
Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
I currently work for a major defense contractor. I am permitted and practically encouraged to bring a 1GB USB flash drive to work with me every day and I am allowed to use my iPod to my heart's content. However, my cell phone is required to stay in my car all day simply because it has an integrated camera. Mind you, the desktop computer I work on daily is equipped with a writable CD drive, blank CDs are readily available in the supply cabinet, and I have fairly unrestricted access to the internet. With all of this data transfer potential, why is my camera phone considered such a threat? Personally, I forego the use of the integrated camera for the simple reason that it takes horrible, unrecognizable pictures. I have the phone that I have because it had the right combinations of features (and unfortunately a couple of extras I could do without).
There are really two issues here: 1) Is IT Security as effective as the IT organization thinks it is? 2) Who are corporations protecting themselves against, hackers/thieves or their employees?
will escort the escorters? It's the blind leading the blind! Not much different from the present state of affairs, I suppose.
...hackers found writing down sensitive information on paper and putting it in their pocket.
401 - Attention span not found
How arrogant of $INDUSTRY_GROUP to think that they can actually solve $SECURITY_HOLE by pushing this $TECHNICAL_FIX fix down our throats! All they'll ever catch with this are the really casual users, who aren't capable of anything worse than annoyance; any *real* villain would get around $TECHNICAL_FIX in a heartbeat by just $10_SEC_CIRCUMVENTION. Why does /. keep shilling 2-bit press releases from $INDUSTRY_GROUP, anyway?
$INDUSTRY_GROUP="Icomm"
$SECURITY_HOLE="data smuggling"
$TECHNICAL_FIX="camera ban"
$10_SEC_CIRCUMVENTION="SFTP'ing the whole damn corporate database to a home SSH server set up on port 80"
If I was female and famous and on a topless beach and there was a boat out there a mile away with somebody taking my picture, are they a peeping tom? (How can you be a peeping tom to someone on a topless beach?) Or am I an idiot for being topless in public and thinking I'm safe just because I don't see anybody with a camera?
If I was indoors and topless with the drapes open, and somebody was not on my property, and looked in the window, are they a peeping tom? Or am I an idiot for not closing the drapes?
If I was a business, and somebody was not on my property, but was taking a picture of my property, could I stop them legally? This has come up with things like refineries, IIRC, and the answer is no, the business cannot stop someone from taking a picture. Once the photons leave your property, they are fair game. You don't want people to take the picture? Don't let the photons leave your property - put up a fence, plant a hedge, or whatever. (Now, if the photographer comes onto your property, that's trespassing, and you can stop them or have them arrested.)
If somebody sneaks a skin pic of somebody famous because they're being stupid, I don't think that means that they should be able to publish it in some tabloid rag. I'm with Jennifer Aniston on this one - she should be able to block publication.
But if you're a business, and you think that you can get the corporate secrets back - forget it. You may be able to keep them from being published in a publication. You'll never be able to get it off of the net.
Parent comment is taken verbatim from this submission.
Every post he makes is a sham lifted directly from other posts. Please mod appropriately.
People with "photographic memory" must have their minds cleansed and their thoughts erased. I agree with the folks that said instead of stupid paranoia how about you focus on securing your data. Trust and people are the problem here, not technology.
-Xen
Wow. This is a terrible article.
From all the grammar mistakes, to the pointless buzzwords ("camsnuffling", "podslurping"), to the mention of how USB devices instantly give anyone access to any data on a computer, to the fact that "hackers" and "computer attackers" are mentioned several times when the data being taken is clearly being taken by employees who have access to it in the first place.
And "Bluetooth" is apparently a USB storage device. Way to go.
But in all seriousness, companies do have security issues regarding sensitive data leaving their computers in the hand of employees. How can these companies be sure that their data is secure while still maintaining access for the people who need it and not treating their employees like criminals?
If I were Dell, or some other prebuilt Windows box company, I would offer a desktop computer with no external ports at all. No USB, no serial port, no floppy disk, no CD writer, no nothing. Just a hard drive and a network connection, and a DVD/CD-ROM drive. That way, companies can make all their data available over the internal network (c'mon, is setting up shared server space really *that* difficult?) and it's much harder to get the data out of the company. If the company is truly paranoid about people taking hard drives out of their desktops to take home with them, set up the computer with an encrypted file system which asks the main server for the passphrase every time the computer boots. If you're worried about people sending themselves things as attachments, then don't allow emails with attachments from your servers. If outside companies need access to sensitive data in order to do business with you, then set up a secure server for data exchange. No sweat.
Precautions can be taken on the server side that make it very difficult for employees to steal sensitive data, but that still allow for efficient data flow within the company. And, of course, none of these ways will prevent anyone who is truly determined to get your data, but it will stop the casual stealers, and your chances of sensitive data getting out are much lower.
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
The brilliant thing about the shitty mod system is that during m2, anybody who sees this being modded redundant will be marked unfair, because it is insightful even if he didn't write it himself.
So the idiot mods who mod Redundant will be punished, and he will be rewarded. The jihad has successfully wreaked havoc on the mod system.
You lose. Stop fighting it, and just enjoy the ride.
I love the advanced technology and don't miss the days when I had to explain why I had a floppy in my pants.
If companies are so concerned about data theft from the desktop access points, go back to client/server and give people nothing more than a keyboard and monitor.
What does this have to do with cameras, or ipods, or anything of the sort? This is a security issue that has existed since the dawn of the idea of computer security.
Whether it's taking a reel of paper tape out the door with you, or Bluetooth copying data to your cell phone, what's the freaking difference?
This article reads like a writer just discovered that you can put data other than music on a camera and thinks he's found some kind of espionage loophole. I thought the article was going to be about taking pictures of sensitive data, but it turned out to be even dumber than that.
By lowering the rights for all users on win2k/xp sp2 across a network, I am able to disable usage of the floppy and the cd-rom. A USB device will install on the OS of a restricted user with no reservation. Has MS figured out a schema to allow for USB monitors, keyboard and mice, but disallow any other USB devices in Vista? Or are we going to have this discussion through 2009?
ceci n'est pas un sig
You can't beat the security where I work. All computers have had their hard drives, network cards, and power supplies removed. All peripheral ports have been welded shut. In the more vulnerable computers, the security people have glued all the keys down, and filled the computer chassis with concrete. Mouse balls are removed. Before each session with the computer, each programmer has to endure a full cavity search and provide a urinalysis. We also are forced to work naked to ensure we don't hide any data in our clothing.
What those who want activist courts fear is rule by the people.
My IT shop installed faux USB ports, when USB devices are connected a very loud fart sound is issued.
'Verbgorphing', the ongoing practice of coming up with cute-sounding verbs to describe any activity that has been going on forever and for which a related technology has just taken some kind of step forward.
- First they ignore you, then they laugh at you, then ???, then profit.
What? Sorry then, I'll have to let everyone in my company here know that all of them are not the norm. Since they all just listen to music on their devices.
This is really a nontopic. If you can't trust the people that handle the information, you will never be 100% (or sure enough) that no data is stolen. When I worked at a place with graded material I had to be checked by the police, and then I had to go through with an extended interview with the superior. As said so many times that no one should ever have to be reminded: If the people with access to classified information are not "secure", there is no point in having a super secure computer network. Security is as strong as the weakest link, and in most cases that is the user/operator.
Doolittle :
Bomb no.20 : To explode of course.
While I agree with previous posters that all the camera is is just a glorified memory card holder for stealing data, there's a better use for cameras that just "lay around". Much like the old "photocopy your butt and stick it in the paper tray" trick.
Download some pr0n in JPG format (preferably the gross amateur kind). If we have a Sony camera (as in my case) name the file DSCXXXXX.JPG (where XXXXX is some integer w/leading zeros). Copy the file to the camera's photo directory. There will be no thumbnail file, so the photo takes a bit longer than normal to appear.
The next time the owner flips through the pics on the camera, he'll be in for a big surprise. (He - because if the victim's a guy, it's a joke. If it's a woman, it's sexual harassment).
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Whether this policy is good or not depends on the intent of the security policy. If the policy is meant to mitigate the accidental exposure of confidential information, the policy may be a good one. I have found that no amount of education and/or training will prevent user stupidity. Most average users think that a specific situation will not happen to them. They will use programs, attachments, or files from any source that they think is trustworthy. I have found that unplugging USB ports from the motherboard as well as disabling them in BIOS and via the operating system is the most effective way of dealing with user stupidity. I also make sure CD-ROM drives are disabled as well. Only people who need to copy data and remove it from the building for legitimate purposes get access to these devices. While this type of policy will go a long way to preventing accidental compromise of security (provided that network security is adequate as well), it will do little to stop the deliberate theft of information. While many buildings are guarded and monitored at the main entrance, there are usually other doors that employees and visitors can use to leave the building. These doors can be held open or a small package hidden near this door can be picked up. I have even seen an instance where a wireless router was smuggled into a facility and was connected to the network. Keylogger devices and camera phones are small and easily smuggled. Both can be used to purloin a lot of information. I have also seen a device that is as small as a cigarette pack that can be plugged into the ethernet port on a computer. This kind of device can be used in a manner that will allow a person to store data on it by using ftp (Of course, a proper login setup will identify the fake network). Technology will do little to thwart a determined spy. Keeping employees happy will go a longer way to weeding out undesirables. A loyal employee happy to be at the company will report any suspicious activity.
And how exactly does a digital camera enable one to steal documents any better than a 10 year old film camera?
In fact with the high detail of film, wouldn't they have an advantage over digicams? Aren't we talking 1930's spy cam stuff here?
: )
What we need is a camera detector like the Thunderbirds (1960's puppet show) had. Again a case of Sci-Fi leading the way to a future reality.
"but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex" Why use fake fingernails when you can use the real things? http://3quarksdaily.blogs.com/3quarksdaily/2005/08/fingernails_sto.html
Unfortunately, there is no way except physical blockage of the USB port on a Mac to prevent freelance employees at our business from taking company assets home. We have a lot of interest in keeping the information here and not wandering around since it is what pays the bills.
How odd... usually they make the distinction between active digital transmitters (which admittedly do include things like the keyfobs) and passive digital transmitters like the RFID tags in Speedpass and the badges.
Thing is, where they actually have a need for security, the "secret squirrel rooms" are generally very well built. There are no ports, the rooms are soundproof, and the room's built so that transmissions can't get in or out. You will be frisked if there's any suspicion that you could have a recording device and they do scanning to check for things like cell phones and pagers that people have forgotten are on their persons. The rest of the security measures are, as a prior poster stated, a form of pork.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Ian Callens, Icomm Technologies, explains: "This is a very difficult issue to manage and a real threat to business continuity and data security. If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission. This is relatively easier to police."
In the words of one of my favorite episodes: "Hey screw you clown!" Hmmm, Yes it is their network and their hardware. I asked if they minded me installing a podcasting client and hooking up my ipod occasionally to sync new shows and to charge it.
Here's a few thoughts to chew on: We as employees can assume no rights. Just ask permission. As employers, you guys have a responsibility to a) stop treating employees like criminals and possibly breeding the sort of feelings that would push one to steal in the first place. b) Do better research, spend a little more on background checks and an extra interview if you're hiring someone to work on such sensitive stuff. c) Pay more money to and take your time to hire and retain the higher quality people and only allow them access to said data.
Yeah, yeah, call me off-topic but that little paragraph set me to rant mode. But my rant covers the overall issue of people possibly schlepping sensitive data out of the workplace on customer electronics stuff. If you take away the cameras, PDAs, cellphones, iPods, laptops, etc, and mind you we now rely on many of those devices as tools of our trades, a determined thief will find other ways to mule it out. Use your fucking (lack of?) common sense, don't hire flakes and thieves and treat your good people right so as to retain them. Any good manager will tell you that preventing employee turn-over is one of the more effective ways to keep costs down.
No, you don't need users to give up peripherals to lock down ports. All you need to do is provide the peripherals in a managed way, on YOUR terms. Put printers directly on the network, not at people's desks. Force people to stop using floppy disks and other removable storage, and to rely on the centrally managed and backed-up fileserver(s). Force people to synchronise their laptop/tablet/pocketpc/palmtop over the network with pre-approved scripts/software/settings, rather than linking to their PC and copying files. Have one non-desktop system that allows a camera to be plugged in, and will automatically extract the pictures from it, then place them on the fileserver, in a secure folder for that department/user's own stuff, if need be.
"Firstly, regularly change system passwords that employ both letters and numerals."
...resulting in a new security breach known as PostIt snatching
Ban all personal electronic devices and media in the work place. If someone wants to work from home, they can use a Citrix client to log onto a generic desktop and access their files that way. Configure client to not allow saves to outside computer. Monitor email attachments leaving the server.
I drank what? -- Socrates
Anybody else agree that they're tired of flavor-of-the-moment words coined to describe this kind of thing? From the article, we get "camsnuffling" and my favorite: "podslurping." The recent "splogs" also comes to mind.
Banning devices is nothing short of a band-aid to the problem. Companies employing this passive method of prevention are always going to be one step behind technology. They would be wise to also employ an active method of prevention.
Related story: A friend works as a consultant to a defense contractor. Cellphones, memory sticks, etc are all banned from within the area in which he works. Well being the rocket scientist that he is (literally), he forgot this and plugged in a personal USB memory key he brought in from home to retrieve from it a file he needed. Guess what? The contents of the memory stick were immediately encrypted and unusable. Damn effective method of prevention methinks...
I can only agree. I (and several co-workers) have access to pretty much all the data (documents, email, etc) of dozens of thousands of users without a single exception (I can get at ANYTHING I so please, be it the CEO's email, HR's records, you name it!). I also have unrestricted access to dozens of DB servers and web servers, server rooms, tape drive archives and all. I can bring in USB drives or such no problem, just like I can burn CDs/DVDs and take 'em home no problem.
Yet, it has never been a problem. But we're reliable employees. We're well paid (and good bonuses too), treated well, good working environment and everything (nobody's disgruntled or needs money bad).
Although I doubt too many companies can afford to pay for some background checks like our employer does (none of us committed were found guilty of anything, none of us are in a bad financial status, things like that - and yes, we do get to do a pee/drug test - initially and anytime they so please). Some people might not like these, but I actually like it. I'm pretty much guaranteed to work with someone "normal" - not some pothead or whatever. I'm a good, reliable employee that you can trust, and I have no problems to prove it.
If there's a will, there's a way to do it. The real thing here is that there is no such thing as unbreakable security. Even if you leave me no external ports, I can still use my camera phone to take snapshots of my screen as I display the sensitive data and then email it to anyone I choose. How do you stop that? Cavity search all employees every morning? C'mon! You have to pay me a *lot* more to put up with that.
What about the USB storage devices that mimic other things? Like this - a watch - http://www.thinkgeek.com/gadgets/watches/7899/ or this - a pen - http://www.pcmag.com/article2/0,1759,1618595,00.asp. Or how about one of these babies - http://www.xybernaut.com/itemList.asp?categoryID=28. It's not much bigger than a pack of cigarettes and can be used to transmit data out of a data center via a cellular card. Hook up a hub and .... I know, because I've seen something similar at least twice already.
Frankly, how crappy are you to your people that they're doing stuff like this? I think this is a real wake up call to the industry to look at how employees are treated and/or compensated. If you think it's bad stateside, how bad do you think it is overseas where they're making $8/hour?
2 cents,
Queen B
HDGary secures my bank
How to prevent data from being stolen?
Luckily about three stories ago we were given the answer. Sure it's not glamorous, but your employees get to keep their dignity.
We don't need iPods at work, everyone already has their music shared on a 1.5 TB RIAA inflaming music server. 'scuse me, while I use company time, and CDR's to pirate the music :P
Try storing /files/ on your film camera... ;)
So you can't just hop on any computer with internet access, open up Gmail, Yahoo, etc. and mail the information out?
As long as it's not done with a camera, I guess it's okay.
http://www.theregister.co.uk/2004/07/14/your_datas_is_at_risk/
Seriously I'm as paranoid as anybody and more than most. But come on. Every new device that can store data is not a *new* threat. No matter how badly you want some press. Which is, of course, what this is all about.
Next week I'm going to go to the press with the "guy with stick" attack to launch my new firm.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
Why pay for epoxy. Front case ports: remove or decable (big pair of wire cutters).
Back of old AT cases: just cable and remove most of the unrequired parts. Now if it's a new ATX, custom case it. Explosive dye pack over the unrequired ports, very effective deterrent. You do get one or two people covered in the stuff from time to time when moving cases (yes, it looks funny with people in protection suits when moving computers). Inside the case, another explosive pack to deter case opening.
Epoxying the ports does not stop them from being used. I have cut epoxy out of a USB port and got it to work in under 2 mins. Explosive is far more effective; a person will not even try. Heck, even a cardboard box with the words "explosive dye pack do not touch" will deter a lot.
I never trusted that damn Snuffleupagus! Its obvious he's behind the whole thing. "Camsnuffling" indeed.
Then don't have employees. Problem solved. Can I patent this business method?
if your story ended with:
"Yeah, it was PHB hell; so I sold our data to the competitors."
The Kruger Dunning explains most post on
Who the hell is noone anyway?
noone is anyone's lover:
anyone lived in a pretty how town
.
.
.
children guessed(but only a few
and down they forgot as up they grew
autumn winter spring summer)
that noone loved him more by more
when by now and tree by leaf
she laughed his joy she cried his grief
bird by snow and stir by still
anyone's any was all to her
--ee cummings (http://www.americanpoems.com/poets/eecummings/11880)
I work at a semi-large callcenter and up until a few months ago we were allowed to use usb pendrives to bring in things like portable firefox, spyware/virus tools, etc. And then some fucktard brought in a packet sniffer on one and got a ton of credit card numbers from callers. Now you can't bring in usb drives, iPods, PSPs; nothing. Damned if they can stop me from playing Liberty City Stories during lunch though...
I recall not long after the iPod release, came MS Office for the Mac and a C City patron watching a teen with an iPod downloading all the software (MSO, especially) from the machine.
I recall playing with a digital camera and being able to take it home for a while, but before I left, I had a zip file too big for a floppy, and a Zip disk was not available to me, so I put it on the camera's flash memory.
It was a free utility, granted, but still I could snag anything I wanted that would fit on the mem card.
Heck, I worked at a SanaPonic plant for a bit, and they removed the floppy drives, but still had the computers networked...(snort).
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
...they're gonna tell you to stop using your company-furnished laptop while on the road and tell you telecommuting is no longer allowed. not to mention, they're gonna have to rip the phones out while they are at it, too.
All entrances to work have a sign that says, basically, "No recording devices such as cameras, voice, video recorders, etc...". Very strange because it is a disk drive company.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Nothing new under the sun.
In Japan the problem has been known for ages as keitai manbiki or degitaru manbiki, meaning "Cell phone shoplifting".
They go to a shop and when they find an interesting article in a magazine, instead of buying the dead tree they take a pic of the page and then walk away.
Everyone coming in is to leave his brain (if any) at the door with the guard. It will be returned to you when you leave.
We appreciate your cooperation in These Times Of Heightened Security (tm).
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex
"Please remove brain and leave at the door."
I do this most days when I go into work anyway so no problems there.
To err is human. To forgive is not company policy.
Windows makes it easy to mount a remote WEBDAV directory. Most corporate firewalls will allow an HTTPS connection to be made. Set up a WEBDAV/s server on your home DSL machine, ..., profit!
The fact that Windows allows Joe User to easily mount storage is a problem. To stop this you'd have to fix it at the system level and have administrator managed mount points. Pity Linux is moving away from this model to try to make it nicer for Windows users to use!
Even without WEBDAV you can just put a web site up with an upload button and let Internet Explorer leak those secrets away.
How about these:
Plug small laptop or similar into company wired/wireless network? Mount network drive. Profit! How many companies monitor their internal networks for threats? How many would detect a new IP address, or a change of MAC address for a known IP, or a new MAC address, or a machine with a spoofed MAC and IP that doesn't behave like you expect?
Tunnel out through the firewall? Perhaps by asking the web proxy to CONNECT for you which most allow as part of HTTP/s, but I expect a lot of companies lack egress filtering in their firewalls.
Send an email. Even if the company does filter, these are easy to defeat. So many people bypass these filters every day just to get on with their work. The last place I worked blocked .java files - great in a Java development shop where people may want to email samples around.
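The monitoring question raised in the post above (would anyone notice a new IP address, a new MAC address, or a changed MAC for a known IP?) can be answered with a small binding check. This is an added example, not part of the original thread; the observation line format, the inventory and the function names are assumptions made for illustration, and all addresses are constructed.

```python
"""Added example: flag new or changed IP/MAC bindings in ARP observations."""
from dataclasses import dataclass

# Constructed inventory of approved bindings (IP -> MAC); values are made up.
BASELINE = {
    "10.0.0.10": "00:11:22:33:44:10",
    "10.0.0.11": "00:11:22:33:44:11",
}

# Constructed observations in an assumed format: "<timestamp> <ip> <mac>".
SAMPLE = """\
2005-10-20T09:00:01 10.0.0.10 00:11:22:33:44:10
2005-10-20T09:00:05 10.0.0.11 00:11:22:33:44:11
2005-10-20T12:31:40 10.0.0.57 00:aa:bb:cc:dd:57
2005-10-20T12:40:02 10.0.0.11 02:de:ad:be:ef:01
2005-10-20T12:41:15 10.0.0.11 00:11:22:33:44:11
not a valid line
"""


@dataclass(frozen=True)
class Alert:
    when: str
    kind: str
    ip: str
    mac: str
    detail: str


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC: {mac!r}")
    int("".join(parts), 16)  # raises ValueError on non-hex digits
    return ":".join(parts)


def locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, which means the
    address was assigned in software rather than burned in by the vendor."""
    return bool(int(mac[:2], 16) & 0x02)


def analyze(lines, baseline):
    """Compare each observation against the inventory and what was seen so far."""
    ip_to_mac = {ip: normalize_mac(mac) for ip, mac in baseline.items()}
    known_macs = set(ip_to_mac.values())
    alerts = []
    for line in lines.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of aborting the run
        when, ip, raw_mac = fields
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            continue
        previous = ip_to_mac.get(ip)
        if previous is None:
            alerts.append(Alert(when, "NEW_IP", ip, mac, "address not in inventory"))
        elif previous != mac:
            # Also fires when the original owner reclaims the address, so two
            # hosts fighting over one IP show up as repeated alerts.
            alerts.append(Alert(when, "MAC_CHANGED", ip, mac, f"was {previous}"))
        if mac not in known_macs:
            alerts.append(Alert(when, "NEW_MAC", ip, mac, "hardware not in inventory"))
            if locally_administered(mac):
                alerts.append(Alert(when, "LOCAL_ADMIN_MAC", ip, mac, "software-assigned address"))
        ip_to_mac[ip] = mac
        known_macs.add(mac)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE, BASELINE):
        print(alert.when, alert.kind, alert.ip, alert.mac, alert.detail)
```

A host that copies both the IP and the MAC of an approved machine produces no alert here; catching that case needs switch port or behavioural data rather than address bindings.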
Back in the 1980s my dad was working as an engineer, and he did his job on a 386SX with Autocad installed.
Well, one day he wrote some macro for Autocad in Lisp (something really simple and dumb) and then printed the sourcecode. He then hid the printout in his jeans pocket and the printed sourcecode was confiscated at the site exit. He also had LOTS of trouble afterwards. For what? Some simple 10-liner script printout.
Previous posters have addressed ad nauseam the fact that the "threat" discussed has nothing to do with the camera part of the digital camera, and everything to do with the USB-attachable removable storage part. But did anybody read the article's list of "steps that can be taken to reduce rogue behaviour" in the last paragraph? "Passwords that employ both letters and numerals"? What's that got to do with anything? Total nonsense.
Memo to self: pay no attention to "iT Observer" in future.
Imagine someone working in their office at night with the light of their CRT based computer monitor lighting up their office. To our eye the light is a continuous glow, but it in fact changes as the CRT is scanning the image line by line on the computer screen. With a telescope and a sensor it is possible to 'read' this light and using software recreate the original screen by assembling the scanned lines much like a fax.
In other words you don't require a direct view of the monitor. LCD screens are more secure in this sense as they don't operate in the same way.