Slashdot Mirror
Sensitive Data Stolen Via Digital Cameras
Jack writes "ITO is running an interesting story on a new security threat connecting digital cameras and hackers." From the article: "Following a spate of reports about Bluetooth and iPods devices being used to steal sensitive data from organizations, businesses are now urging to be vigilant as hackers use digital cameras to sidestep security measures. 'Camsnuffling', the latest IT managers headache being used to computer attackers to extract and store data with the help of digital camera." We've previously discussed this problem.
Since the article seems to be more concerned about using cameras to store information, rather than taking pictures of sensitive documents, how long until USB Memmory sticks are targeted? Floppies? Geez, if they're that worried about security they need to be concerned about anything that stores info, not just what appears to be everyday items.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
when you can just buy a thumb drive and plug it in to any machine and get almost whatever you want.
Like the computers in a cabinet, and only allow bonded techs to get in to install peripherals :)
I know its not realistic, but alot of security problems can be fixed if we give up convenience.
If you or your company, is truly serious, then the steps to limit these sorts of things are pretty straightforward (no iPods/cameras in the workplace, locking the bios to prevent new usb, no admin rights on your machine, etc...).
:)
The problem starts when the copmpany talks the talke, but doesn't back it up with action, leaving IT staff with a mixed message.
A clear, well-written security policy that has been bought off by and supported by exec mgmt is the only way to go. Sarbox is a great tool for scaring mgmt into line here.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Why not just repeat this article on a regular basis, updating a list of things with some sort of commonly used comm port/interface and simple file-system storage? Right now it's phones, PDAs, pens, music widgets, camerads, fobs... but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex. This article is mostly about how you can't trust people you can't trust. Cameras don't have much to do with it, per se. If cameras provided a way around an established lack of trust, then we'd have an article to read.
Don't disappoint your bird dog. Go to the range.
Most of us must have read the story about a crow wanting to drink from a jug of water, but the water being too low, the crow could not drink it. So it dropped some pebbles/stones in it and then the water rose so that the crow could drink it. If a crow can be resourceful like this applying its brain (however small), so can humans. And "hackers" (why lord why! it is crackers) are resourceful and how much ever technology progresses, there will be people who will defeat the technology by sheer brainpower and kludges. So, such things are inevitable and in fact extremely necessary to spinoff the growth of new better technology.
A friend of mine has one of the big zoom cameras, an 18x canon, and has often found the info revealed in one of them is insanely high. zooming in to take a photo of an aged guy on a park bench reading a newspaper brought out a picture that revealed every word on the front page of it. I found myself zoomed in and reading that article before realising how simple it was, and that we were more than a hundred feet from him.
Anyone here run a business with a display visible from a window, even one half a city block from the next window?
Disallow pen and paper, and blind-fold visitors until they are escorted to where they are supposed to go.
I thought 'camsnuffling' was breathing heavily through the nose while taking a picture?
He who knows best knows how little he knows. - Thomas Jefferson
Someone will get in, if they have access to your local intranet. It's that simple.
I'd bet everyone here has seen a picture of the USB flash drive disguised as a PEZ(tm) dispenser. What about the new Swiss Army Knife that has one built in? Heck, you could mod a USB drive to look like a Zippo or a Bic lighter. As others have said, I can't even see why camera phones are such a hot deal other than for their ability to take pictures; storing documents can be done in a far less noticeable way when there's access to USB ports.
Never look down your nose at others. Someday, someone is bound to see your boogers.
They check everyone who enters, no cameras are allowed. Everyone needs a special Id issued by them to eneter. No jackets are allowed. No loose sweaters are allowed. They have lockers where any banned item can be kept, outside the secure area. Once you make it to the guards station, they stamp every sheet of paper you take in. When you leave, you can only take out papers they stamped. They check EVERYTHING. And they have a ton of security cameras in the building, and employees that keep track of who comes and goes. I needed papers which were in a secure area. They made me wear an ID tied around my neck, and I was escorted by an employee.
They also make it a crime to try and decieve them (for example, sneak a camera in). People can go to jail, and there are heavy penalties. They have multiple checks. The first one is a metal detector and a police officer who is more than willing to use the hand wand. The next step is the security officer who checks you in.
If companies want security, it is not hard to ban everything, hire 20 or 30 police officers, make it a crime to violate their policy, and treat everyone as dishonest liars who are more likely to steal.
A chain is only as strong as the weakest link. That is the mentality these institutions have, so they don't trust anyone, not even thier own guards.
But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space.
Employees don't need to be treated like criminals, but they shouldn't have more access than they need. For instance USB storage devices should be disallowed as a matter of security policy (not as a lame "leave what you tell us about at the door", but as an actual OS enforced system policy). I care about this from a user and customer perspective, where random employees of banks, insurance companies, and other businesses have access to an enormous amount of my data: I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
Yo, there was this guy long time ago, you know, called C.J. Caesar MC, and he was, like, worried that the Man would steal his secretz, 'namean?, so he came up with this gimmick where he wrote something on a piece of dead skin, how gross is that?, man, but if you had read it it wouldn't have made no sense, but if you had known HOW to read it, then hell yeah, lotsa sense there... than his buddy later called this thingamajig ROT-13 or some such nerdy word, and then lotsa other guys did the same, but more powerful...
I hope you liked this short intro to ENCRYPTION and understand how it can solve some of your problems. Thank you and goodnight.
Global warming is a cube.
The human larynx is the biggest security risk. It's a ubiquitous device that can broadcast via sound waves any proprietary information a knowledge-worker has been exposed to.
Of course this description is (intended to be) humorous, but the serious point is one we've heard often enough: you can't solve a human problem with a technological solution.
org.slashdot.post.SignatureNotFoundException: ewg
This is becoming more of a problem for me too... I'm an amateur photographer. I have enjoyed photography for about 10 years, but over the last 3 years or so, businesses have become much more paranoid about cameras. Concert venues have cracked down, and many stores will kick you out for walking around with a camera, let alone taking pictures. Personally, I have always thought that (for the most part) you should be able to photograph anything that you are allowed to freely look at, but because of abuses, that isn't usually the case. It's sad really.
Photocopiers can be used to copy sensitive data. Please dispose of all photocopiers in your company...
Okay, I did RTFA, but I'm not entirely sure "how" a digital camera is a threat other than being used to take snapshots of sensitive data. Sure, you can plug it into a USB slot, but for a lot of cameras, they're little more than thumbdrives when they're connected via USB, so a thumbdrive would certainly be less conspicuous, but then you have to ask how this is much different from say, floppy disks, which until recently, were pretty ubiquitous.
The article mistakenly states: "Hence, simply plugging it into a computer's USB can allow hackers to obtain sensitive data." How? Does plugging in a camera suddenyl disable all security in a computer? Suddenly all your encrypted data is decrypted? Suddenly the camera has access to everything? This is a completely unqualified statement that means nothing. It's a thumb drive and you have no more access to sensitive data than the person at the keyboard which is presumably the same person with the camera.
Sorry, maybe I'm missing something, but this seems like a pretty stupid article.
"just slip one in your pocket."
I could've been hiding it in my POCKET? Oh shit...
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Oh, and when the news reports came out, they did also briefly ban Furbies (remember when they were marketed as being able to mimic language? Security feared they'd be used as recording devices) and Coke cans (Coke was running that contest where prize cans had a GPS transmitter in them to lead in the prize team. This is more of the signal interference than a security thing, but people weren't hot on a GPS transmitter inside secured locations either).
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Wow. This is a terrible article.
From all the grammar mistakes, to the pointless buzzwords ("camsnuffling", "podslurping"), to the mention of how USB devices instantly give anyone access to any data on a computer, to the fact that "hackers" and "computer attackers" are mentioned several times when the data being taken is clearly being taken by employees who have access to it in the first place.
And "Bluetooth" is apparently a USB storage device. Way to go.
But in all seriousness, companies do have security issues regarding sensitive data leaving their computers in the hand of employees. How can these companies be sure that their data is secure while still maintaining access for the people who need it and not treating their employees like criminals?
If I were Dell, or some other prebuilt Windows box company, I would offer a desktop computer with no external ports at all. No USB, no serial port, no floppy disk, no CD writer, no nothing. Just a hard drive and a network connection, and a DVD/CD-ROM drive. That way, companies can make all their data available over the internal network (c'mon, is setting up shared server space really *that* difficult?) and it's much harder to get the data out of the company. If the company is truly paranoid about people taking hard drives out of their desktops to take home with them, set up the computer with an encrypted file system which asks the main server for the passphrase every time the computer boots. If you're worried about people sending themselves things as attachments, then don't allow emails with attachments from your servers. If outside companies need access to sensitive data in order to do business with you, then set up a secure server for data exchange. No sweat.
Precautions can be taken on the server side that make it very difficult for employees to steal sensitive data, but that still allow for efficient data flow within the company. And, of course, none of these ways will prevent anyone who is truly determined to get your data, but it will stop the casual stealers, and your chances of sensitive data getting out are much lower.
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
My employer has insurance companies as clients, too. Almost universally they're penny wise and pound foolish.
And paranoid too. I wanted to replace the whole tape scheme with some sort of offsite service like LiveVault. He was completely convinced that they would steal our data and sell it to our competitors -- even though they dealt with banks and other companies hundreds of times our size. When he wouldn't go for that I suggested a server at his house backing up in real time across an encrypted VPN -- he didn't trust that either because somebody could "break" the encryption and sell it to our competitors.
The sad thing is that it would have solved a lot of problems. We could have stopped buying bigger tape drives every few years (they scanned everything that came into that office and retained the images forever) when our existing one was too small. It would have been about a million times more secure then the "send a tape home with the CSR method".
The funny thing is that I could never quite get it through to him that if our competitors were that smart/knowledgeable we'd already be out of business. Or that a CSR paid $7.00/hr is much more likely to betray you then a private company that you have a business agreement with.
Yeah, it was PHB hell.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
"Firstly, regularly change system passwords that employ both letters and numerals."
...resulting in a new security breach know as PostIt snatching
If only someone could coin a catchy, pithy word for the phenomenon of coining pithy, catchy words for things.
It's true I tell you, feller at work's next door neighbour read it in the paper.