Slashdot Mirror
Sensitive Data Stolen Via Digital Cameras
Jack writes "ITO is running an interesting story on a new security threat connecting digital cameras and hackers." From the article: "Following a spate of reports about Bluetooth and iPods devices being used to steal sensitive data from organizations, businesses are now urging to be vigilant as hackers use digital cameras to sidestep security measures. 'Camsnuffling', the latest IT managers headache being used to computer attackers to extract and store data with the help of digital camera." We've previously discussed this problem.
Since the article seems to be more concerned about using cameras to store information, rather than taking pictures of sensitive documents, how long until USB Memmory sticks are targeted? Floppies? Geez, if they're that worried about security they need to be concerned about anything that stores info, not just what appears to be everyday items.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
when you can just buy a thumb drive and plug it in to any machine and get almost whatever you want.
Like the computers in a cabinet, and only allow bonded techs to get in to install peripherals :)
I know its not realistic, but alot of security problems can be fixed if we give up convenience.
If you or your company, is truly serious, then the steps to limit these sorts of things are pretty straightforward (no iPods/cameras in the workplace, locking the bios to prevent new usb, no admin rights on your machine, etc...).
:)
The problem starts when the copmpany talks the talke, but doesn't back it up with action, leaving IT staff with a mixed message.
A clear, well-written security policy that has been bought off by and supported by exec mgmt is the only way to go. Sarbox is a great tool for scaring mgmt into line here.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Sensitive data should not be in plain view. Camera phones, then, are not a problem.
Since when has this country used intellectual elite as a pejorative term?
Why not just repeat this article on a regular basis, updating a list of things with some sort of commonly used comm port/interface and simple file-system storage? Right now it's phones, PDAs, pens, music widgets, camerads, fobs... but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex. This article is mostly about how you can't trust people you can't trust. Cameras don't have much to do with it, per se. If cameras provided a way around an established lack of trust, then we'd have an article to read.
Don't disappoint your bird dog. Go to the range.
Most of us must have read the story about a crow wanting to drink from a jug of water, but the water being too low, the crow could not drink it. So it dropped some pebbles/stones in it and then the water rose so that the crow could drink it. If a crow can be resourceful like this applying its brain (however small), so can humans. And "hackers" (why lord why! it is crackers) are resourceful and how much ever technology progresses, there will be people who will defeat the technology by sheer brainpower and kludges. So, such things are inevitable and in fact extremely necessary to spinoff the growth of new better technology.
A friend of mine has one of the big zoom cameras, an 18x canon, and has often found the info revealed in one of them is insanely high. zooming in to take a photo of an aged guy on a park bench reading a newspaper brought out a picture that revealed every word on the front page of it. I found myself zoomed in and reading that article before realising how simple it was, and that we were more than a hundred feet from him.
Anyone here run a business with a display visible from a window, even one half a city block from the next window?
Forget it. That ship sailed long ago. People were complaining about the misnomer since the Morris Worm (and probably before that too). The media has coopted the word hacker whether you want them to or not. While you can continue to use it "correctly" in certain small circles, the general public equates hacker with malice.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Disallow pen and paper, and blind-fold visitors until they are escorted to where they are supposed to go.
The Camera Phone, they must all be disallowed in the work place. That is going to be difficult, since most phones have a camera, and people are going to want them in case the kids get sick.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
I thought 'camsnuffling' was breathing heavily through the nose while taking a picture?
He who knows best knows how little he knows. - Thomas Jefferson
Not only that, but I imagine many of them are playing music they bought legally -- on their own time -- either in round plastic form or from iTMS, on their home computer.
Let's consult the Oracle:
"Your search - camsnuffling - did not match any documents.
Suggestions:
* Make sure all words are spelled correctly.
* Try different keywords.
* Try more general keywords."
Someone will get in, if they have access to your local intranet. It's that simple.
I'd bet everyone here has seen a picture of the USB flash drive disguised as a PEZ(tm) dispenser. What about the new Swiss Army Knife that has one built in? Heck, you could mod a USB drive to look like a Zippo or a Bic lighter. As others have said, I can't even see why camera phones are such a hot deal other than for their ability to take pictures; storing documents can be done in a far less noticeable way when there's access to USB ports.
Never look down your nose at others. Someday, someone is bound to see your boogers.
They check everyone who enters, no cameras are allowed. Everyone needs a special Id issued by them to eneter. No jackets are allowed. No loose sweaters are allowed. They have lockers where any banned item can be kept, outside the secure area. Once you make it to the guards station, they stamp every sheet of paper you take in. When you leave, you can only take out papers they stamped. They check EVERYTHING. And they have a ton of security cameras in the building, and employees that keep track of who comes and goes. I needed papers which were in a secure area. They made me wear an ID tied around my neck, and I was escorted by an employee.
They also make it a crime to try and decieve them (for example, sneak a camera in). People can go to jail, and there are heavy penalties. They have multiple checks. The first one is a metal detector and a police officer who is more than willing to use the hand wand. The next step is the security officer who checks you in.
If companies want security, it is not hard to ban everything, hire 20 or 30 police officers, make it a crime to violate their policy, and treat everyone as dishonest liars who are more likely to steal.
A chain is only as strong as the weakest link. That is the mentality these institutions have, so they don't trust anyone, not even thier own guards.
But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space.
Employees don't need to be treated like criminals, but they shouldn't have more access than they need. For instance USB storage devices should be disallowed as a matter of security policy (not as a lame "leave what you tell us about at the door", but as an actual OS enforced system policy). I care about this from a user and customer perspective, where random employees of banks, insurance companies, and other businesses have access to an enormous amount of my data: I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
How am I supposed to smuggle jokes for Mike into the computer complex if you instate a policy like that?!!!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Yo, there was this guy long time ago, you know, called C.J. Caesar MC, and he was, like, worried that the Man would steal his secretz, 'namean?, so he came up with this gimmick where he wrote something on a piece of dead skin, how gross is that?, man, but if you had read it it wouldn't have made no sense, but if you had known HOW to read it, then hell yeah, lotsa sense there... than his buddy later called this thingamajig ROT-13 or some such nerdy word, and then lotsa other guys did the same, but more powerful...
I hope you liked this short intro to ENCRYPTION and understand how it can solve some of your problems. Thank you and goodnight.
Global warming is a cube.
The human larynx is the biggest security risk. It's a ubiquitous device that can broadcast via sound waves any proprietary information a knowledge-worker has been exposed to.
Of course this description is (intended to be) humorous, but the serious point is one we've heard often enough: you can't solve a human problem with a technological solution.
org.slashdot.post.SignatureNotFoundException: ewg
This is becoming more of a problem for me too... I'm an amateur photographer. I have enjoyed photography for about 10 years, but over the last 3 years or so, businesses have become much more paranoid about cameras. Concert venues have cracked down, and many stores will kick you out for walking around with a camera, let alone taking pictures. Personally, I have always thought that (for the most part) you should be able to photograph anything that you are allowed to freely look at, but because of abuses, that isn't usually the case. It's sad really.
Photocopiers can be used to copy sensitive data. Please dispose of all photocopiers in your company...
Okay, I did RTFA, but I'm not entirely sure "how" a digital camera is a threat other than being used to take snapshots of sensitive data. Sure, you can plug it into a USB slot, but for a lot of cameras, they're little more than thumbdrives when they're connected via USB, so a thumbdrive would certainly be less conspicuous, but then you have to ask how this is much different from say, floppy disks, which until recently, were pretty ubiquitous.
The article mistakenly states: "Hence, simply plugging it into a computer's USB can allow hackers to obtain sensitive data." How? Does plugging in a camera suddenyl disable all security in a computer? Suddenly all your encrypted data is decrypted? Suddenly the camera has access to everything? This is a completely unqualified statement that means nothing. It's a thumb drive and you have no more access to sensitive data than the person at the keyboard which is presumably the same person with the camera.
Sorry, maybe I'm missing something, but this seems like a pretty stupid article.
You missed the point. They only listed a single device capable of causing the problems they listed, when there are many more that would be more likely to. He wasn't saying that the employees were the only factor.
To use your analogy, it would be like someone writing an article on why a pocket knife could be dangerous in a criminal's hands.
"just slip one in your pocket."
I could've been hiding it in my POCKET? Oh shit...
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
No they are not. The stuff I that I saw go on in the insurance industry would scare the living daylights out of people.
The biggest one I can think of would be the offsite tape backups at the agency I worked for. These were run every business day. How do you think they were offsite? Safe deposit box? Fire proof safe at the owners house? Nope! They gave the chief CSR the tapes and made her responsible for them. She took them home in her purse. More then once she lost a tape or forgot to bring it back in.
Despite that glaring amount of stupidity they refused to give me (the in-house IT) administrative access to the network or servers. I was supposed to talk to my boss if I needed him to log in for me. They trusted nobody but they let this woman take the companies entire database and image archive home with her every night. They justified this because "Tape drives are expensive and nobody else is likely to have one or know what's on the tape if she loses it."
I wonder how many of those tapes are floating around out there.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
That is to say that the conveniece of plug-n-play mass storage (whether it be usb stick, camera, iPod) can be a major security risk. Add that to unsecured systems running as administrator (or root, etc.) in the workplace or showroom, and you have a great potential for mischief.
Classification of information and treating that information accordingly is at the heart of the issue. It is impracticle to have to protect all information. Organisations need to decide what needs to be protect and to what extent and then implement policies based on those decisions. If you have highly senstive information, clearly classify it so, limit who has acesses it and how they access it.
When I did defense work, classisfied systems sat on seperate networks behind locked doors. Only those who knew the combinations to the locks and had electronic key cards with the right pins could access the rooms. There were no connections from the machines to the outside world and in fact many rooms were RF sheilded to prevent EM snooping. Cameras, IPods, Thumb-drives and USB watches were certainly not allowed in these rooms.
I am not suggesting that all organisations need this kind of security but using seperate physical networks, limiting physical access, and disallowing the presence of certain devices around these machines is not beyond the pale.
A passion for apathy.
This guy simply cut and pasted several posts from this story: http://it.slashdot.org/article.pl?sid=04/07/06/125 0212&tid=172
Oh, and when the news reports came out, they did also briefly ban Furbies (remember when they were marketed as being able to mimic language? Security feared they'd be used as recording devices) and Coke cans (Coke was running that contest where prize cans had a GPS transmitter in them to lead in the prize team. This is more of the signal interference than a security thing, but people weren't hot on a GPS transmitter inside secured locations either).
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
How arrogant of $INDUSTRY_GROUP to think that they can actually solve $SECURITY_HOLE by pushing this $TECHNICAL_FIX fix down our throats! All they'll ever catch with this are the really casual users, who aren't capable of anything worse than annnoyance; any *real* villain would get around $TECHNICAL_FIX in heartbeat by just $10_SEC_CIRCUMVENTION. Why does /. keep shilling 2-bit press releases from $INDUSTRY_GROUP, anyway?
$INDUSTRY_GROUP="Icomm"
$SECURITY_HOLE="data smuggling"
$TECHNICAL_FIX="camera ban"
$10_SEC_CIRCUMVENTION="SFTP'ing the whole damn corporate database to a home SSH server set up on port 80"
Wow. This is a terrible article.
From all the grammar mistakes, to the pointless buzzwords ("camsnuffling", "podslurping"), to the mention of how USB devices instantly give anyone access to any data on a computer, to the fact that "hackers" and "computer attackers" are mentioned several times when the data being taken is clearly being taken by employees who have access to it in the first place.
And "Bluetooth" is apparently a USB storage device. Way to go.
But in all seriousness, companies do have security issues regarding sensitive data leaving their computers in the hand of employees. How can these companies be sure that their data is secure while still maintaining access for the people who need it and not treating their employees like criminals?
If I were Dell, or some other prebuilt Windows box company, I would offer a desktop computer with no external ports at all. No USB, no serial port, no floppy disk, no CD writer, no nothing. Just a hard drive and a network connection, and a DVD/CD-ROM drive. That way, companies can make all their data available over the internal network (c'mon, is setting up shared server space really *that* difficult?) and it's much harder to get the data out of the company. If the company is truly paranoid about people taking hard drives out of their desktops to take home with them, set up the computer with an encrypted file system which asks the main server for the passphrase every time the computer boots. If you're worried about people sending themselves things as attachments, then don't allow emails with attachments from your servers. If outside companies need access to sensitive data in order to do business with you, then set up a secure server for data exchange. No sweat.
Precautions can be taken on the server side that make it very difficult for employees to steal sensitive data, but that still allow for efficient data flow within the company. And, of course, none of these ways will prevent anyone who is truly determined to get your data, but it will stop the casual stealers, and your chances of sensitive data getting out are much lower.
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
If companies are so concerned about data theft from the desktop access points go back to client/server and give people nothing more than a keyboard and monitor.
My employer has insurance companies as clients, too. Almost universally they're penny wise and pound foolish.
And paranoid too. I wanted to replace the whole tape scheme with some sort of offsite service like LiveVault. He was completely convinced that they would steal our data and sell it to our competitors -- even though they dealt with banks and other companies hundreds of times our size. When he wouldn't go for that I suggested a server at his house backing up in real time across an encrypted VPN -- he didn't trust that either because somebody could "break" the encryption and sell it to our competitors.
The sad thing is that it would have solved a lot of problems. We could have stopped buying bigger tape drives every few years (they scanned everything that came into that office and retained the images forever) when our existing one was too small. It would have been about a million times more secure then the "send a tape home with the CSR method".
The funny thing is that I could never quite get it through to him that if our competitors were that smart/knowledgeable we'd already be out of business. Or that a CSR paid $7.00/hr is much more likely to betray you then a private company that you have a business agreement with.
Yeah, it was PHB hell.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
"but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex" Why use fake fingernails when you can use the real things. http://3quarksdaily.blogs.com/3quarksdaily/2005/08 /fingernails_sto.html
"Firstly, regularly change system passwords that employ both letters and numerals."
...resulting in a new security breach know as PostIt snatching
Anybody else agree that they're tired of flavor-of-the-moment words coined to describe this kind of thing. From the article, we get "camsnuffling" and my favorite: "podslurping." The recent "splogs" also comes to mind.