Sensitive Data Stolen Via Digital Cameras
Jack writes "ITO is running an interesting story on a new security threat connecting digital cameras and hackers." From the article: "Following a spate of reports about Bluetooth and iPods devices being used to steal sensitive data from organizations, businesses are now urging to be vigilant as hackers use digital cameras to sidestep security measures. 'Camsnuffling', the latest IT managers headache being used to computer attackers to extract and store data with the help of digital camera." We've previously discussed this problem.
I always log in as anonymous coward.
Since the article seems to be more concerned about using cameras to store information, rather than taking pictures of sensitive documents, how long until USB Memory sticks are targeted? Floppies? Geez, if they're that worried about security they need to be concerned about anything that stores info, not just what appears to be everyday items.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
when you can just buy a thumb drive and plug it in to any machine and get almost whatever you want.
Like the computers in a cabinet, and only allow bonded techs to get in to install peripherals :)
I know it's not realistic, but a lot of security problems can be fixed if we give up convenience.
Not sure if I understood the problem completely, but don't most companies disallow cameras in the workplace anyways? I used to work with Intel and we were supposed to declare even camera phones at the entrance, let alone digicams.
You'd think a publication called the "IT Observer" could get the hacker vs "malicious hacker" or "cracker" wording right.
If you or your company is truly serious, then the steps to limit these sorts of things are pretty straightforward (no iPods/cameras in the workplace, locking the BIOS to prevent new USB, no admin rights on your machine, etc...).
:)
The problem starts when the company talks the talk, but doesn't back it up with action, leaving IT staff with a mixed message.
A clear, well-written security policy that has been bought off by and supported by exec mgmt is the only way to go. Sarbox is a great tool for scaring mgmt into line here.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Sensitive data should not be in plain view. Camera phones, then, are not a problem.
Since when has this country used intellectual elite as a pejorative term?
Why not just repeat this article on a regular basis, updating a list of things with some sort of commonly used comm port/interface and simple file-system storage? Right now it's phones, PDAs, pens, music widgets, cameras, fobs... but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex. This article is mostly about how you can't trust people you can't trust. Cameras don't have much to do with it, per se. If cameras provided a way around an established lack of trust, then we'd have an article to read.
Don't disappoint your bird dog. Go to the range.
Most of us must have read the story about a crow wanting to drink from a jug of water, but the water being too low, the crow could not drink it. So it dropped some pebbles/stones in it and then the water rose so that the crow could drink it. If a crow can be resourceful like this applying its brain (however small), so can humans. And "hackers" (why lord why! it is crackers) are resourceful and how much ever technology progresses, there will be people who will defeat the technology by sheer brainpower and kludges. So, such things are inevitable and in fact extremely necessary to spinoff the growth of new better technology.
From the article
----
If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission.
----
This guy needs a solid whack with a clue-by-four. I work with a lot of people who use their iPods at work to.... SURPRISE listen to music.
duh.
A friend of mine has one of the big zoom cameras, an 18x canon, and has often found the info revealed in one of them is insanely high. zooming in to take a photo of an aged guy on a park bench reading a newspaper brought out a picture that revealed every word on the front page of it. I found myself zoomed in and reading that article before realising how simple it was, and that we were more than a hundred feet from him.
Anyone here run a business with a display visible from a window, even one half a city block from the next window?
Disallow pen and paper, and blind-fold visitors until they are escorted to where they are supposed to go.
When I left my previous job I had agreement from the firm to copy some personal files off the laptop I was using (kids pictures, etc.)
My son had been begging me for an MP3 player especially a 1GB model that was on sale.
Now, an MP3 player isn't much more than a memory stick with some extra intelligence to recognize music files.
So, I buy the MP3 player, copy the files off to the player then offload those to my home PC.
My son will get the MP3 player he wanted for Christmas.
Having proven that this is possible, will companies now have to ban MP3 players from being used in their offices?
If you don't want to repeat the past, stop living in it.
The Camera Phone, they must all be disallowed in the work place. That is going to be difficult, since most phones have a camera, and people are going to want them in case the kids get sick.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
I thought 'camsnuffling' was breathing heavily through the nose while taking a picture?
He who knows best knows how little he knows. - Thomas Jefferson
Let's consult the Oracle:
"Your search - camsnuffling - did not match any documents.
Suggestions:
* Make sure all words are spelled correctly.
* Try different keywords.
* Try more general keywords."
Someone will get in, if they have access to your local intranet. It's that simple.
I'd bet everyone here has seen a picture of the USB flash drive disguised as a PEZ(tm) dispenser. What about the new Swiss Army Knife that has one built in? Heck, you could mod a USB drive to look like a Zippo or a Bic lighter. As others have said, I can't even see why camera phones are such a hot deal other than for their ability to take pictures; storing documents can be done in a far less noticeable way when there's access to USB ports.
Never look down your nose at others. Someday, someone is bound to see your boogers.
...then I read TFA, and the OP copied verbatim the first couple of the article's grammatical blunders. There used to be editors, fact checking...it's sad when this kind of article is called journalism.
They check everyone who enters, no cameras are allowed. Everyone needs a special ID issued by them to enter. No jackets are allowed. No loose sweaters are allowed. They have lockers where any banned item can be kept, outside the secure area. Once you make it to the guards station, they stamp every sheet of paper you take in. When you leave, you can only take out papers they stamped. They check EVERYTHING. And they have a ton of security cameras in the building, and employees that keep track of who comes and goes. I needed papers which were in a secure area. They made me wear an ID tied around my neck, and I was escorted by an employee.
They also make it a crime to try and deceive them (for example, sneak a camera in). People can go to jail, and there are heavy penalties. They have multiple checks. The first one is a metal detector and a police officer who is more than willing to use the hand wand. The next step is the security officer who checks you in.
If companies want security, it is not hard to ban everything, hire 20 or 30 police officers, make it a crime to violate their policy, and treat everyone as dishonest liars who are more likely to steal.
A chain is only as strong as the weakest link. That is the mentality these institutions have, so they don't trust anyone, not even their own guards.
But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space.
Employees don't need to be treated like criminals, but they shouldn't have more access than they need. For instance USB storage devices should be disallowed as a matter of security policy (not as a lame "leave what you tell us about at the door", but as an actual OS enforced system policy). I care about this from a user and customer perspective, where random employees of banks, insurance companies, and other businesses have access to an enormous amount of my data: I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
What are they doing? Taking pictures with the camera of the data on the screen? Sending video over the net?
/. already covered data loss via USB ports before.
I read TFA, and both the article and the title would lead a nontech savvy person to believe that's how they were being used. I think
I am Bennett Haselton! I am Bennett Haselton!
How am I supposed to smuggle jokes for Mike into the computer complex if you instate a policy like that?!!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
If stuff is really sensitive, cameras should have been kept out long before. Lock up the USB ports but allow camera? People will just print and snap.
Didn't anyone learn anything from watching old James Bond Movies? http://www.mwbrooks.com/submini/flicks/ Those old Minox camera even had the lanyard marked to let you know the proper focus distance for shooting a document.
If they're too lazy to disable the USB ports on machines they think may be security risks, then yes. MP3 players really are nothing more than glorified thumb drives.
Yo, there was this guy long time ago, you know, called C.J. Caesar MC, and he was, like, worried that the Man would steal his secretz, 'namean?, so he came up with this gimmick where he wrote something on a piece of dead skin, how gross is that?, man, but if you had read it it wouldn't have made no sense, but if you had known HOW to read it, then hell yeah, lotsa sense there... than his buddy later called this thingamajig ROT-13 or some such nerdy word, and then lotsa other guys did the same, but more powerful...
I hope you liked this short intro to ENCRYPTION and understand how it can solve some of your problems. Thank you and goodnight.
Global warming is a cube.
I can't bring a camera to work, so this isn't a big deal to me at all. Considering how small flash drives are getting, and how much storage can be kept in phones/PDAs today, how does anyone expect this to work?
Someone has a PDA that can store 2 GB of data in a SD card. If they want, they can have as many of these as they need.
2.5" drives are very discreet, and are normally powered by USB.
Don't give anyone access to USB/Bluetooth/WiFi.
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
If you're a HAL9000, you do it from across the room.
I suggest you read Slashdot
The human larynx is the biggest security risk. It's a ubiquitous device that can broadcast via sound waves any proprietary information a knowledge-worker has been exposed to.
Of course this description is (intended to be) humorous, but the serious point is one we've heard often enough: you can't solve a human problem with a technological solution.
org.slashdot.post.SignatureNotFoundException: ewg
I have heard of a company that does a good job of plugging these types of 'holes' through effective management of the desktop environment... (the guy I know complains that he can't attach *anything* USB to his machine). The funny thing is, after all that, they let him and other people (sales team, managers, etc) walk out of the front door with their laptops
This article is just the latest in a never-ending trend of "danger ! these devices can be used in bad ways" that seem to come out of the security INDUSTRY (go figure). Anyone remember back when email, or even printers were the prime danger ?
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I think one important step that an IT department could take would be to prohibit connecting a USB removable drive, or at least keep a log when a device is attached and what files were transferred. Is this even possible?
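On the question of logging attachments, an added example (not from the thread or any poster): on a Linux host the kernel already logs each USB enumeration, so a short script can flag every device that binds the usb-storage driver, whatever it calls itself, and check it against an approved list. The log lines, host name, IDs and serial numbers are constructed, and the serial-number allowlist is an assumption; this records attachment only, not which files were copied.

```python
import re
from dataclasses import dataclass

# Constructed kernel log excerpt: a camera, a keyboard and a flash drive.
SAMPLE_LOG = """\
Dec  5 09:14:02 ws-114 kernel: usb 1-2: new high-speed USB device number 7 using xhci_hcd
Dec  5 09:14:02 ws-114 kernel: usb 1-2: New USB device found, idVendor=0000, idProduct=0001, bcdDevice= 1.00
Dec  5 09:14:02 ws-114 kernel: usb 1-2: Product: Example Digital Camera
Dec  5 09:14:02 ws-114 kernel: usb 1-2: SerialNumber: CAM0001
Dec  5 09:14:03 ws-114 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Dec  5 09:20:40 ws-114 kernel: usb 1-3: new low-speed USB device number 8 using xhci_hcd
Dec  5 09:20:40 ws-114 kernel: usb 1-3: New USB device found, idVendor=0000, idProduct=0002, bcdDevice= 1.00
Dec  5 09:20:40 ws-114 kernel: usb 1-3: Product: Example Keyboard
Dec  5 09:31:15 ws-114 kernel: usb 1-2: USB disconnect, device number 7
Dec  5 10:02:33 ws-114 kernel: usb 1-2: new high-speed USB device number 9 using xhci_hcd
Dec  5 10:02:33 ws-114 kernel: usb 1-2: New USB device found, idVendor=0000, idProduct=0003, bcdDevice= 1.00
Dec  5 10:02:33 ws-114 kernel: usb 1-2: Product: Example Flash Drive
Dec  5 10:02:33 ws-114 kernel: usb 1-2: SerialNumber: APPROVED-0042
Dec  5 10:02:34 ws-114 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\skernel:\s(?P<msg>.*)$")
FOUND = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                   r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STRING = re.compile(r"^usb (?P<port>[\d.-]+): (?P<key>Product|SerialNumber): (?P<val>.*)$")
STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
                     r"USB Mass Storage device detected")
DISCONNECT = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect")


@dataclass
class StorageAttach:
    timestamp: str
    host: str
    port: str
    vid_pid: str
    product: str
    serial: str
    approved: bool


def storage_attach_events(log_text, approved_serials=frozenset()):
    """Return one StorageAttach per device that bound the usb-storage driver.

    The decision is made on the driver binding, not on the product name,
    so a camera or music player that presents itself as a disk is caught
    the same way a thumb drive is.
    """
    devices = {}  # (host, port) -> descriptor fields seen since enumeration
    events = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        ts, host, msg = line["ts"], line["host"], line["msg"]
        if (m := FOUND.match(msg)):
            # New enumeration on this port: discard anything stale.
            devices[(host, m["port"])] = {"vid_pid": f'{m["vid"]}:{m["pid"]}'}
        elif (m := STRING.match(msg)):
            devices.setdefault((host, m["port"]), {})[m["key"]] = m["val"].strip()
        elif (m := DISCONNECT.match(msg)):
            devices.pop((host, m["port"]), None)
        elif (m := STORAGE.match(msg)):
            dev = devices.get((host, m["port"]), {})
            serial = dev.get("SerialNumber", "")
            events.append(StorageAttach(
                timestamp=ts,
                host=host,
                port=m["port"],
                vid_pid=dev.get("vid_pid", "unknown"),
                product=dev.get("Product", "unknown"),
                serial=serial,
                # A device with no serial number can never match the allowlist.
                approved=bool(serial) and serial in approved_serials,
            ))
    return events


def unapproved(events):
    """Events worth a closer look: storage devices not on the allowlist."""
    return [e for e in events if not e.approved]


if __name__ == "__main__":
    found = storage_attach_events(SAMPLE_LOG, approved_serials={"APPROVED-0042"})
    for e in found:
        status = "approved" if e.approved else "NOT APPROVED"
        print(f"{e.timestamp} {e.host} port {e.port} {e.vid_pid} "
              f"{e.product!r} serial={e.serial or '-'} [{status}]")
```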
Their cash registers were the old fashioned ones where you have to hand your card to the cashier. Naturally, the cashier loves to wave your card around and expose your numbers to everyone. Not a big hassle, except the really poor looking couple behind me WAS AIMING THEIR PHONE RIGHT AT MY CARD AND CONTINUOUSLY TAKING PICTURES!
People have been using cameras to sneak around for dozens of years.... Be it as a data storage medium, or going through someone's secret files and taking pictures of them (ala TV spies), it'll always be a threat....
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Guns don't kill people, per se. People do.
Personally, where I work, personal mp3 players and cameras are banned (we obviously have cameras for business use, not mp3 players). We also have our USB ports locked out. You can't just plug in a flash drive or anything without prior admin approval, so even if you brought your mp3 player in from home, it wouldn't work. Companies simply need to implement this to solve this problem. I know there are always ways around it, but this would simply be a step in the right direction.
..you told him it was a USB watch? Hmmn. And what if a data thief has a Sandisk combo SD/USB stamp-sized card in his belt buckle? Ah, but *he* lied about having it.
Great security. Relies on thieves being honest enough to confess. About as smart as the DHS asking whether you are a terrorist or not (yes, they really do: read form I-94W).
K.
This is becoming more of a problem for me too... I'm an amateur photographer. I have enjoyed photography for about 10 years, but over the last 3 years or so, businesses have become much more paranoid about cameras. Concert venues have cracked down, and many stores will kick you out for walking around with a camera, let alone taking pictures. Personally, I have always thought that (for the most part) you should be able to photograph anything that you are allowed to freely look at, but because of abuses, that isn't usually the case. It's sad really.
12345?
That's the kind of combination an idiot would have on his luggage!
Photocopiers can be used to copy sensitive data. Please dispose of all photocopiers in your company...
Okay, I did RTFA, but I'm not entirely sure "how" a digital camera is a threat other than being used to take snapshots of sensitive data. Sure, you can plug it into a USB slot, but for a lot of cameras, they're little more than thumbdrives when they're connected via USB, so a thumbdrive would certainly be less conspicuous, but then you have to ask how this is much different from say, floppy disks, which until recently, were pretty ubiquitous.
The article mistakenly states: "Hence, simply plugging it into a computer's USB can allow hackers to obtain sensitive data." How? Does plugging in a camera suddenly disable all security in a computer? Suddenly all your encrypted data is decrypted? Suddenly the camera has access to everything? This is a completely unqualified statement that means nothing. It's a thumb drive and you have no more access to sensitive data than the person at the keyboard which is presumably the same person with the camera.
Sorry, maybe I'm missing something, but this seems like a pretty stupid article.
1. The NA can afford to spend a lot on the security, while a company has to watch the bottom line.
2. It's acceptable for the NA to annoy or even "piss off" some visitors with an overly stringent security process, whereas a company usually wouldn't want to offend guests or employees.
3. A company needs to balance between productivity and security.
Tyranny isn't the worst enemy of a democracy. Cynicism is.
"just slip one in your pocket."
I could've been hiding it in my POCKET? Oh shit...
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
No they are not. The stuff that I saw go on in the insurance industry would scare the living daylights out of people.
The biggest one I can think of would be the offsite tape backups at the agency I worked for. These were run every business day. How do you think they were offsite? Safe deposit box? Fire proof safe at the owners house? Nope! They gave the chief CSR the tapes and made her responsible for them. She took them home in her purse. More than once she lost a tape or forgot to bring it back in.
Despite that glaring amount of stupidity they refused to give me (the in-house IT) administrative access to the network or servers. I was supposed to talk to my boss if I needed him to log in for me. They trusted nobody but they let this woman take the company's entire database and image archive home with her every night. They justified this because "Tape drives are expensive and nobody else is likely to have one or know what's on the tape if she loses it."
I wonder how many of those tapes are floating around out there.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
That is to say that the convenience of plug-n-play mass storage (whether it be usb stick, camera, iPod) can be a major security risk. Add that to unsecured systems running as administrator (or root, etc.) in the workplace or showroom, and you have a great potential for mischief.
I worked at a government installation about 15 years ago where we were required to flip the venetian blinds such that a satellite overhead couldn't take a picture of what was on your desk. To have good security you have to look at what's possible and try to prevent it. If you can't afford for the data to leak you have to close off the leaks, even if it seems ridiculous at the time. There are companies where you can't enter the premises with your cell phone (or any other electronic device for that matter). If they are really serious about it, they'd have you go through a metal detector before entering (I've had to do that). We have a mix of security here. Our PCs have firewall and security software, but nothing prevents use of the USB port. Granted, you have to login, but if somebody were to fail to logout... We run a Wifi network here, but it only goes as far as the public side of a VPN router - you have to establish a tunnel to go any further, but if you've got a laptop and ethernet cable you can plug right in and use DHCP to get an ip address and you're good to go. My point is that there will always be holes, some of them glaring. Removing a threat like a camera would require banning them at the gate - anything else is useless.
Classification of information and treating that information accordingly is at the heart of the issue. It is impractical to have to protect all information. Organisations need to decide what needs to be protected and to what extent and then implement policies based on those decisions. If you have highly sensitive information, clearly classify it so, limit who has access to it and how they access it.
When I did defense work, classified systems sat on separate networks behind locked doors. Only those who knew the combinations to the locks and had electronic key cards with the right pins could access the rooms. There were no connections from the machines to the outside world and in fact many rooms were RF shielded to prevent EM snooping. Cameras, IPods, Thumb-drives and USB watches were certainly not allowed in these rooms.
I am not suggesting that all organisations need this kind of security but using separate physical networks, limiting physical access, and disallowing the presence of certain devices around these machines is not beyond the pale.
A passion for apathy.
This is why cameras of any kind are banned from the Indian call center I work with.
In case of Emergency, Curl up in the Fetal position, and lick a Bible for comfort!
Ian Callens, Icomm Technologies, explains: "If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission."
Apparently the millions of people who listen to music on their iPods are "more than likely" criminals and spies.
Talk about sowing FUD -- I wonder how much the RIAA pays this guy?
My employer has insurance companies as clients, too. Almost universally they're penny wise and pound foolish.
It's so new, that I can't find one reference on Google about it!
Strange women lying in ponds distributing swords is no basis for a system of government.
Where I work (defense contractor), the emphasis is more that they don't want sensitive data stolen when you leave your ipod you used at work earlier that day in your friend's car. USB sticks are fine to have, as long as it's approved by security (not too difficult). We're given memory sticks that use biometrics to use if the memory stick is going to leave the building. Regular storage mediums just aren't secure enough. Granted that goes for employees...if a visitor were to bring in something with a memory card, that's a whole different story. That they take quite a bit more seriously.
This guy simply cut and pasted several posts from this story: http://it.slashdot.org/article.pl?sid=04/07/06/1250212&tid=172
Instead of banning cameras, then memory sticks (as one poster said, they can be potentially hidden to look like just about anything), then iPods...remove the capability from the computer itself! Make them more of a "dumb terminal", no floppy, no CD writer, no accessible USB.
Oh, and when the news reports came out, they did also briefly ban Furbies (remember when they were marketed as being able to mimic language? Security feared they'd be used as recording devices) and Coke cans (Coke was running that contest where prize cans had a GPS transmitter in them to lead in the prize team. This is more of the signal interference than a security thing, but people weren't hot on a GPS transmitter inside secured locations either).
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
so, what is new in this ?
there are companies that prohibit music recording devices, because they had cases when somebody was playing data (with special software) and recording it (through analog port), later reconstructing files.
so, if you are concerned about security at this level, you probably limit devices allowed and working components of computers.
now, most companies do not balance these measures - they get extensive security systems, restrict their users to the point where they can not perform their duties - and then the information is obtained by a cleaner (who gets $150 a month so it's not that hard to pay more than required...)
forgetting that the weakest point in your security is exactly what whole system is worth - it's not a common mistake, it seems to be a rule.
Rich
From TFA (My emphasis)
.. um let me think .. ah .. that's it .. LISTENING TO LEGALLY PURCHASED MUSIC??!?!?!?!?!
Ian Callens, Icomm Technologies, explains: "This is a very difficult issue to manage and a real threat to business continuity and data security. If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission. This is relatively easier to police.
So if you use an iPod at work you are assumed to be a criminal regardless of what you are doing with it? Like for instance
That sort of attitude really pisses me off.
I am all for security at work, but there comes a point where you have to trust your employees with some things.
I am Slashdot. Are you Slashdot as well?
In group policy, add/remove it to Computer Configuration -> Administrative Templates. Can also disable floppies, cdroms, etc. Oh yeah, right-click -> view -> filtering, uncheck "only show policy settings that can be fully managed". Look at Alexander Suhovey's post at this page.
Next up is cellsnuffling.
Two wrongs don't make a right, but three lefts do.
"The digital camera device, just like iPod and Bluetooth, is a simple digital storage devices."
Just like iPod? You mean an iPod?
Just like Bluetooth? When the hell did Bluetooth become a device?
Is a simple digital storage devices?
Where do these writers come from? College would be a good first stop. Maybe you should stop trying to sound like you know what you're talking about and do some background reading. I'll go check Internet for more stories, or maybe use the Google. Fucking morons.
Security doesn't matter which buzz words you stick with it. Just because today's cameras are digital doesn't mean anything, 20 years ago McDonalds had a 28mm the size of the film roll in their happy meal box, right next to their secret decoder rings. Recordables of any type can't be allowed near sensitive materials.
I think I just cashed out all my cool points.
Seriously, Has anyone bothered to read this article? Who is this guy, and what the hell is he talking about?
This sounds a lot like someone blowing their own "I'm an IT God" horn, and making a much larger issue out of this than it really is. If you're really concerned about downloading music, how about blocking specific port traffic at the firewall?
Either way, this is the kind of paranoid nonsense that propagates its way up the food chain to the "Boss" and spoils it for everyone who likes to listen to music while working.
God forbid anyone use their iPod to listen to music while they work...
Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
will escort the escorters? It's the blind leading the blind! Not much different from the present state of affairs, I suppose.
...hackers found writing down sensitive information on paper and putting it in their pocket.
401 - Attention span not found
How arrogant of $INDUSTRY_GROUP to think that they can actually solve $SECURITY_HOLE by pushing this $TECHNICAL_FIX fix down our throats! All they'll ever catch with this are the really casual users, who aren't capable of anything worse than annoyance; any *real* villain would get around $TECHNICAL_FIX in a heartbeat by just $10_SEC_CIRCUMVENTION. Why does /. keep shilling 2-bit press releases from $INDUSTRY_GROUP, anyway?
$INDUSTRY_GROUP="Icomm"
$SECURITY_HOLE="data smuggling"
$TECHNICAL_FIX="camera ban"
$10_SEC_CIRCUMVENTION="SFTP'ing the whole damn corporate database to a home SSH server set up on port 80"
If I was female and famous and on a topless beach and there was a boat out there a mile away with somebody taking my picture, are they a peeping tom? (How can you be a peeping tom to someone on a topless beach?) Or am I an idiot for being topless in public and thinking I'm safe just because I don't see anybody with a camera?
If I was indoors and topless with the drapes open, and somebody was not on my property, and looked in the window, are they a peeping tom? Or am I an idiot for not closing the drapes?
If I was a business, and somebody was not on my property, but was taking a picture of my property, could I stop them legally? This has come up with things like refineries, IIRC, and the answer is no, the business cannot stop someone from taking a picture. Once the photons leave your property, they are fair game. You don't want people to take the picture? Don't let the photons leave your property - put up a fence, plant a hedge, or whatever. (Now, if the photographer comes onto your property, that's trespassing, and you can stop them or have them arrested.)
If somebody sneaks a skin pic of somebody famous because they're being stupid, I don't think that means that they should be able to publish it in some tabloid rag. I'm with Jennifer Aniston on this one - she should be able to block publication.
But if you're a business, and you think that you can get the corporate secrets back - forget it. You may be able to keep them from being published in a publication. You'll never be able to get it off of the net.
People with "photographic memory" must have their minds cleansed and their thoughts erased. I agree with the folks that said instead of stupid paranoia how about you focus on securing your data. Trust and people are the problem here, not technology.
-Xen
Wow. This is a terrible article.
From all the grammar mistakes, to the pointless buzzwords ("camsnuffling", "podslurping"), to the mention of how USB devices instantly give anyone access to any data on a computer, to the fact that "hackers" and "computer attackers" are mentioned several times when the data being taken is clearly being taken by employees who have access to it in the first place.
And "Bluetooth" is apparently a USB storage device. Way to go.
But in all seriousness, companies do have security issues regarding sensitive data leaving their computers in the hand of employees. How can these companies be sure that their data is secure while still maintaining access for the people who need it and not treating their employees like criminals?
If I were Dell, or some other prebuilt Windows box company, I would offer a desktop computer with no external ports at all. No USB, no serial port, no floppy disk, no CD writer, no nothing. Just a hard drive and a network connection, and a DVD/CD-ROM drive. That way, companies can make all their data available over the internal network (c'mon, is setting up shared server space really *that* difficult?) and it's much harder to get the data out of the company. If the company is truly paranoid about people taking hard drives out of their desktops to take home with them, set up the computer with an encrypted file system which asks the main server for the passphrase every time the computer boots. If you're worried about people sending themselves things as attachments, then don't allow emails with attachments from your servers. If outside companies need access to sensitive data in order to do business with you, then set up a secure server for data exchange. No sweat.
Precautions can be taken on the server side that make it very difficult for employees to steal sensitive data, but that still allow for efficient data flow within the company. And, of course, none of these ways will prevent anyone who is truly determined to get your data, but it will stop the casual stealers, and your chances of sensitive data getting out are much lower.
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
If companies are so concerned about data theft from the desktop access points go back to client/server and give people nothing more than a keyboard and monitor.
What does this have to do with cameras, or ipods, or anything of the sort? This is a security issue that has existed since the dawn of the idea of computer security.
Whether it's taking a reel of paper tape out the door with you, or bluetooth copying data to your cell phone what's the freaking difference?
This article reads like a writer just discovered that you can put data other than music on a camera and thinks he's found some kind of espionage loophole. I thought the article was going to be about taking pictures of sensitive data, but it turned out to be even dumber than that.
My employer has insurance companies as clients, too. Almost universally they're penny wise and pound foolish.
And paranoid too. I wanted to replace the whole tape scheme with some sort of offsite service like LiveVault. He was completely convinced that they would steal our data and sell it to our competitors -- even though they dealt with banks and other companies hundreds of times our size. When he wouldn't go for that I suggested a server at his house backing up in real time across an encrypted VPN -- he didn't trust that either because somebody could "break" the encryption and sell it to our competitors.
The sad thing is that it would have solved a lot of problems. We could have stopped buying bigger tape drives every few years (they scanned everything that came into that office and retained the images forever) when our existing one was too small. It would have been about a million times more secure than the "send a tape home with the CSR method".
The funny thing is that I could never quite get it through to him that if our competitors were that smart/knowledgeable we'd already be out of business. Or that a CSR paid $7.00/hr is much more likely to betray you than a private company that you have a business agreement with.
Yeah, it was PHB hell.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
By lowering the rights for all users on win2k/xp sp2 across a network, I am able to disable usage of the floppy and the cd-rom. A USB device will install on the OS of a restricted user with no reservation. Has MS figured out a schema to allow for USB monitors, keyboard and mice, but disallow any other USB devices in Vista? Or are we going to have this discussion through 2009?
ceci n'est pas un sig
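An added example, not part of any post in this thread: one way to express the policy the comment above asks about (allow USB keyboards and mice, refuse everything else) is an allowlist on the interface class codes a device reports. The policy set, function names and descriptor samples are constructed for illustration; the class codes are the USB-IF assigned values.

```python
"""USB interface-class allowlist: permit input devices, refuse storage.

Class codes are the USB-IF assigned values. The descriptor blobs are
constructed samples, not captures from real hardware.
"""
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04
ALLOWED = {0x03, 0x09}  # assumed policy: HID and hubs only
NAMES = {0x01: "Audio", 0x03: "HID", 0x06: "Still Imaging (PTP)",
         0x08: "Mass Storage", 0x09: "Hub", 0xFF: "Vendor Specific"}


def interface_classes(config):
    """Walk a configuration descriptor set and return each bInterfaceClass."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength
    if total < 9 or total > len(config):
        raise ValueError("wTotalLength does not match the data")
    classes, pos = [], 0
    while pos < total:
        if pos + 2 > total:
            raise ValueError("dangling byte after last descriptor")
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed bLength")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            classes.append(config[pos + 5])  # bInterfaceClass
        pos += length
    return classes


def decide(config):
    """Return (allowed, refused_interfaces). Anything unparseable is refused."""
    try:
        classes = interface_classes(config)
    except ValueError as exc:
        return False, ["unparseable: %s" % exc]
    if not classes:
        return False, ["no interfaces"]
    refused = [NAMES.get(c, "class 0x%02x" % c) for c in classes if c not in ALLOWED]
    return not refused, refused


def sample_config(*iface_classes):
    """Build a minimal descriptor set with one interface per class code."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, cls, 0, 0, 0])
                    for n, cls in enumerate(iface_classes))
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(iface_classes), 1, 0, 0x80, 50)
    return head + body


KEYBOARD = sample_config(0x03)
CAMERA_AS_DISK = sample_config(0x08)      # camera in mass-storage mode
CAMERA_AS_PTP = sample_config(0x06)       # camera in picture-transfer mode
KEYBOARD_PLUS_DISK = sample_config(0x03, 0x08)  # composite device

if __name__ == "__main__":
    for name in ("KEYBOARD", "CAMERA_AS_DISK", "CAMERA_AS_PTP", "KEYBOARD_PLUS_DISK"):
        print(name, decide(globals()[name]))
```

The class code is reported by the device itself, so a filter like this stops ordinary cameras and memory sticks rather than purpose-built hardware, and it has to judge every interface of a composite device, not just the first.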
You can't beat the security where I work. All computers have had their hard drives, network cards, and power supplies removed. All peripheral ports have been welded shut. In the more vulnerable computers, the security people have glued all the keys down, and filled the computer chassis with concrete. Mouse balls are removed. Before each session with the computer, each programmer has to endure a full cavity search and provide a urinalysis. We also are forced to work naked to ensure we don't hide any data in our clothing.
What those who want activist courts fear is rule by the people.
My IT shop installed faux USB ports, when USB devices are connected a very loud fart sound is issued.
'Verbgorphing', the ongoing practice of coming up with cute-sounding verbs to describe any activity that has been going on forever and for which a related technology has just taken some kind of step forward.
- First they ignore you, then they laugh at you, then ???, then profit.
What? Sorry then, I'll have to let everyone in my company here know that all of them are not the norm. Since they all just listen to music on their devices.
This is really a nontopic. If you can't trust the people that handle the information, you will never be 100% (or sure enough) that no data is stolen. When I worked at a place with graded material I had to be checked by the police, and then I had to go through with an extended interview with the superior. As said so many times that no one should ever have to be reminded: If the people with access to classified information are not "secure", there is no point in having a super secure computer network. Security is as strong as the weakest link, and in most cases that is the user/operator.
Doolittle :
Bomb no.20 : To explode of course.
While I agree with previous posters that all the camera is is just a glorified memory card holder for stealing data, there's a better use for cameras that just "lay around". Much like the old "photocopy your butt and stick it in the paper tray" trick.
Download some pr0n in JPG format (preferably the gross amateur kind). If we have a Sony camera (as in my case) name the file DSCXXXXX.JPG (where XXXXX is some integer w/leading zeros). Copy the file to the camera's photo directory. There will be no thumbnail file, so the photo takes a bit longer than normal to appear.
The next time the owner flips through the pics on the camera, he'll be in for a big surprise. (He - because if the victim's a guy, it's a joke. If it's a woman, it's sexual harassment).
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Whether this policy is good or not depends on the intent of the security policy. If the policy is meant to mitigate the accidental exposure of confidential information, the policy may be a good one. I have found that no amount of education and/or training will prevent user stupidity. Most average users think that a specific situation will not happen to them. They will use programs, attachments, or files from any source that they think is trustworthy. I have found that unplugging USB ports from the motherboard as well as disabling them in BIOS and via the operating system is the most effective way of dealing with user stupidity. I also make sure CD-ROM drives are disabled as well. Only people who need to copy data and remove it from the building for legitimate purposes get access to these devices. While this type of policy will go a long way to preventing accidental compromise of security (provided that network security is adequate as well), it will do little to stop the deliberate theft of information. While many buildings are guarded and monitored at the main entrance, there are usually other doors that employees and visitors can use to leave the building. These doors can be held open or a small package hidden near this door can be picked up. I have even seen an instance where a wireless router was smuggled into a facility and was connected to the network. Keylogger devices and camera phones are small and easily smuggled. Both can be used to purloin a lot of information. I have also seen a device that is as small as a cigarette pack that can be plugged into the ethernet port on a computer. This kind of device can be used in a manner that will allow a person to store data on it by using ftp (Of course, a proper login setup will identify the fake network). Technology will do little to thwart a determined spy. Keeping employees happy will go a longer way to weeding out undesirables. A loyal employee happy to be at the company will report any suspicious activity.
And how exactly does a digital camera enable one to steal documents any better than a 10 year old film camera?
In fact with the high detail of film, wouldn't they have an advantage over digicams? Aren't we talking 1930's spy cam stuff here?
What we need is a camera detector like the Thunderbirds (1960's puppet show) had. Again a case of Sci-Fi leading the way to a future reality.
"but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex" Why use fake fingernails when you can use the real things. http://3quarksdaily.blogs.com/3quarksdaily/2005/08/fingernails_sto.html
How odd... usually they make the distinction between active digital transmitters (which admittedly do include things like the keyfobs) and passive digital transmitters like the RFID tags in Speedpass and the badges.
Thing is, where they actually have a need for security, the "secret squirrel rooms" are generally very well built. There are no ports, the rooms are soundproof, and the room's built so that transmissions can't get in or out. You will be frisked if there's any suspicion that you could have a recording device and they do scanning to check for things like cell phones and pagers that people have forgotten are on their persons. The rest of the security measures are, as a prior poster stated, a form of pork.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Ian Callens, Icomm Technologies, explains: "This is a very difficult issue to manage and a real threat to business continuity and data security. If someone is seen in the workplace using an iPod it's more than likely that it's for the wrong reasons - either podslurping or downloading music without permission. This is relatively easier to police."
In the words of one of my favorite episodes: "Hey screw you clown!" Hmmm, Yes it is their network and their hardware. I asked if they minded me installing a podcasting client and hooking up my ipod occasionally to sync new shows and to charge it.
Here's a few thoughts to chew on: We as employees can assume no rights. Just ask permission. As employers, you guys have a responsibility to a) stop treating employees like criminals and possibly breeding the sort of feelings that would push one to steal in the first place. b) Do better research, spend a little more on background checks and an extra interview if you're hiring someone to work on such sensitive stuff. c) Pay more money to and take your time to hire and retain the higher quality people and only allow them access to said data.
Yeah, yeah, call me off-topic but that little paragraph set me to rant mode. But my rant covers the overall issue of people possibly schlepping sensitive data out of the workplace on customer electronics stuff. If you take away the cameras, PDAs, cellphones, ipods, laptops, etc, and mind you we now rely on many of those devices as tools of our trades, a determined thief will find other ways to mule it out. Use your fucking (lack of?) common sense, don't hire flakes and thieves and treat your good people right so as to retain them. Any good manager will tell you that preventing employee turn-over is one of the more effective ways to keep costs down.
No, you don't need users to give up peripherals to lock down ports. All you need to do is provide the peripherals in a managed way, on YOUR terms. Put printers directly on the network, not at people's desks. Force people to stop using floppy disks and other removable storage, and to rely on the centrally managed and backed-up fileserver(s). Force people to synchronise their laptop/tablet/pocketpc/palmtop over the network with pre-approved scripts/software/settings, rather than linking to their PC and copying files. Have one non-desktop system that allows a camera to be plugged in, and will automatically extract the pictures from it, then place them on the fileserver, in a secure folder for that department/user's own stuff, if need be.
"Firstly, regularly change system passwords that employ both letters and numerals."
...resulting in a new security breach known as PostIt snatching
Ban all personal electronic devices and media in the work place. If someone wants to work from home, they can use a Citrix client to log onto a generic desktop and access their files that way. Configure client to not allow saves to outside computer. Monitor email attachments leaving the server.
I drank what? -- Socrates
Anybody else agree that they're tired of flavor-of-the-moment words coined to describe this kind of thing? From the article, we get "camsnuffling" and my favorite: "podslurping." The recent "splogs" also comes to mind.
If there's a will, there's a way to do it. The real thing here is that there is no such thing as unbreakable security. Even if you leave me no external ports, I can still use my camera phone to take snapshots of my screen as I display the sensitive data and then email it to anyone I choose. How do you stop that? Cavity search all employees every morning? C'mon! You have to pay me a *lot* more to put up with that.
What about the USB storage devices that mimic other things? Like this - a watch - http://www.thinkgeek.com/gadgets/watches/7899/ or this - a pen - http://www.pcmag.com/article2/0,1759,1618595,00.asp. Or how about one of these babies - http://www.xybernaut.com/itemList.asp?categoryID=28. It's not much bigger than a pack of cigarettes and can be used to transmit data out of a data center via a cellular card. Hook up a hub and .... I know, because I've seen something similar at least twice already.
Frankly, how crappy are you to your people that they're doing stuff like this? I think this is a real wake up call to the industry to look at how employees are treated and/or compensated. If you think it's bad stateside, how bad do you think it is overseas where they're making $8/hour?
2 cents,
Queen B
HDGary secures my bank
How to prevent data from being stolen?
Luckily about three stories ago we were given the answer. Sure it's not glamorous, but your employees get to keep their dignity.
Try storing /files/ on your film camera... ;)
So you can't just hop on any computer with internet access, open up Gmail, Yahoo, etc. and mail the information out?
As long as it's not done with a camera, I guess it's okay.
http://www.theregister.co.uk/2004/07/14/your_datas_is_at_risk/
Seriously I'm as paranoid as anybody and more than most. But come on. Every new device that can store data is not a *new* threat. No matter how badly you want some press. Which is, of course, what this is all about.
Next week I'm going to go to the press with the "guy with stick" attack to launch my new firm.
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
I never trusted that damn Snuffleupagus! Its obvious he's behind the whole thing. "Camsnuffling" indeed.
if your story ended with:
"Yeah, it was PHB hell; so I sold our data to the competitors."
The Kruger Dunning explains most post on
Who the hell is noone anyway?
noone is anyone's lover:
anyone lived in a pretty how town
.
.
.
children guessed(but only a few
and down they forgot as up they grew
autumn winter spring summer)
that noone loved him more by more
when by now and tree by leaf
she laughed his joy she cried his grief
bird by snow and stir by still
anyone's any was all to her
--ee cummings (http://www.americanpoems.com/poets/eecummings/11880)
I work at a semi-large callcenter and up until a few months ago we were allowed to use usb pendrives to bring in things like portable firefox, spyware/virus tools, etc. And then some fucktard brought in a packet sniffer on one and got a ton of credit card numbers from callers. Now you can't bring in usb drives, iPods, PSPs; nothing. Damned if they can stop me from playing Liberty City Stories during lunch though...
I recall not long after the iPod release, came MS Office for the Mac and a C City patron watching a teen with an iPod downloading all the software (MSO, especially) from the machine.
I recall playing with a digital camera and being able to take it home for a while, but before I left, I had a zip file too big for a floppy, and a Zip disk was not available to me, so I put it on the camera's flash memory.
It was a free utility, granted, but still I could snag anything I wanted that would fit on the mem card.
Heck, I worked at a SanaPonic plant for a bit, and they removed the floppy drives, but still had the computers networked...(snort).
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
...they're gonna tell you to stop using your company-furnished laptop while on the road and tell you telecommuting is no longer allowed. not to mention, they're gonna have to rip the phones out while they are at it, too.
All entrances to work have a sign that says, basically, "No recording devices such as cameras, voice, video recorders, etc...". Very strange because it is a disk drive company.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Nothing new under the sun.
In Japan the problem has been known for ages as keitai manbiki or degitaru manbiki, meaning "Cell phone shoplifting".
They go to a shop and when they find an interesting article on a magazine, instead of buying the dead tree they take a pic of the page and then walk away.
Everyone coming in is to leave his brain (if any) at the door with the guard. It will be returned to you when you leave.
We appreciate your cooperation in These Times Of Heightened Security (tm).
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex
"Please remove brain and leave at the door."
I do this most days when I go into work anyway so no problems there.
To err is human. To forgive is not company policy.
Back in 1980s my dad was working as an engineer, and he did his job on a 386SX with Autocad installed.
Well, one day he wrote some macro for Autocad in Lisp (something really simple and dumb) and then printed the sourcecode. He then hid the printout in his jeans pocket and the printed sourcecode was confiscated at the site exit. He also had LOTS of trouble afterwards. For what? Some simple 10-liner script printout.
Previous posters have addressed ad nauseam the fact that the "threat" discussed has nothing to do with the camera part of the digital camera, and everything to do with the USB-attachable removable storage part. But did anybody read the article's list of "steps that can be taken to reduce rogue behaviour" in the last paragraph? "Passwords that employ both letters and numerals"? What's that got to do with anything? Total nonsense.
Memo to self: pay no attention to "iT Observer" in future.
Imagine someone working in their office at night with the light of their CRT based computer monitor lighting up their office. To our eye the light is a continuous glow, but it in fact changes as the CRT is scanning the image line by line on the computer screen. With a telescope and a sensor it is possible to 'read' this light and using software recreate the original screen by assembling the scanned lines much like a fax.
In other words you don't require a direct view of the monitor. LCD screens are more secure in this sense as they don't operate in the same way.