Slashdot Mirror
Beware the iPod 'slurping' Employee
Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive
business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."
Most of the time, as an IT employee with ties to the management/accounts/administration side of things I have always had full access to company data and know exactly where to look to find what I want. The only real restrictions have been my contract/confidentiality/non-disclosure agreement.
.avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...
..., if I used an iPod.
What I would consider much more useful is an application that can hunt
Optimist: The thumb drive is half empty! Pessimist: The thumb drive is half full...
There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive. And your access will be logged (or not logged) just the same as if you'd just run some normal program. What's the big deal that an iPod can do it?
Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before. Treat your employees well and they won't feel the need to screw you.
with carrying a USB key around? it's not that tough to search the network for files containing "Confidential" or whatever keyword and copying them on your key. If you don't trust your employees, their network access shouldn't allow getting at sensitive documents anyways.
Despite what the article says, a special program isn't needed. All that is needed is for someone to mount the ipod as a disk drive and run a batch file. It could be as simple as one line calling xcopy for each file type (pdf, doc, etc.) running a loop from A to Z for the drives.
An insider threat would only need to plug the iPod into a computer's USB port. ...not only that, the threat would have to have access to said files. Granted, it's an insider threat, but I fail to see the significance here.
Isn't this just:
1. Search for files containing "Confidential" or "sensitive" or "budget" or "payroll"
2. Copy to iPod
? Because I can do that pretty easily and more accurately than software.
Also, why the hell does everything have to have "pod" in the name? Now it's cool? Why can't people coin cool terms anymore??
CNET: "Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data."
Actual article: "I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod."
Am I reading it correctly that CNet doesn't understand the difference between launching an executeable stored on an external media device, and somehow running it "on" the media device? Am I the only one who thinks Mr. Usher could have been clearer, but intentionally wasn't? Or that both are playing it as "plug an ipod in, instantly hack a machine", like in the movies where magical devices "hack" systems?
It's sensationalist bullshit- all admins would need to do is set up windows to not permit mounting removeable media drives/USB mass storage devices. Or control what executables are permitted to be launched. I'm sure an expert Windows sysadmin could name half a dozen MORE system/domain level ways to stop this dead in its tracks. It strikes me as a distinct non-issue for any company with a properly managed/secured windows network. But hey, that doesn't stop CNet from crying "the sky is falling, the sky is falling!"
"Security consultant releases overblown vulnerability with a confusing and/or misleading description to generate hits to his website, more at 11"...
Please help metamoderate.
Eyeballs and a brain work too.
Sooner you're going to have to trust your employees with your sensitive or confidential information, otherwise they're not going to be able to do their jobs. So maybe employers should...oh I don't know...hire employees that are trustworthy? Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!
I worry more about users losing their damn USB drives than using them to steal.
You're using her as bait, Master!
USB and Firewire allow devices to peek/poke through (physical) memory at will. With the iPod, we have a device that's:
1. Can be attached to a computer without being suspect
2. Can run Linux with programs of your choice
3. Has a built-in mass storage system
Any open USB/Firewire port is a potentially huge threat to your whole system's security. If you look here: http://www.cansecwest.com/resources.html, you'll find a pretty detailed presentation on using iPodLinux to hack a computer (kill an X Window screensaver, here) through firewire, and another less detailed one on other DMA-attack vectors (PCMCIA and USB, mostly, iirc). So while it looks like this attack only uses characteristics 1 and 3 of the iPod, the second one is where the money's at (and requires a much larger investment).
Fill those ports with cement!
Try Corewar @ www.koth.org - rec.games.corewar
Dual proc machine, with vast amounts of storage and an innocent ubiquity is used as a corporate weapon. Next they'll be telling me that personal laptops can be used to sniff corporate networks, or that viruses can be transfered on floppy disk, and that restricted documents have been printed out, and 'sneaked' through the front door.
Any company with a decent security model will be able to recognise a user who's file browsing habits are irregular, and classified documents shouldn't be kept in a public repository on a LAN anyway.
Scared of flying, pointy things snce 1979!
If your network is so insecure, you ought to fix that. It isn't the applications (or hardware) that we should be upset about, but the flaws which they highlight.
-Tim Louden
as has already been pointed out, any flash drive or external hard drive could be used.
Or a thieving employee could burn a CD or DVD.
Or use a cellphone to store sensitive info, transferred from a PC via the Bluetooth connection used to support a wireless mouse.
The only real defense against employee theft is restricting access to sensitive data and minimizing the number of untrustworthy employees. That's the best that can be done.
Exactly. I could very easily backup hundreds of complete databases right off the SQL servers (and other sources, XML, etc) - including tons of sensitive data, the source for every app we've made, our entire intranet's contents, and burn it to DVDs or copy to a portable HD anytime I would want to (or copy ona corporate laptop's HD), right in direct view. No one would even question, comment or bother me in any way (it would be ridiculously easy to try to conceil things too).
I have total access to dozens and dozens of servers. Thing is, it's a question of ethics. I'm not a dirty thief scumbag that wants to sell personnal information. No need to treat me like one. As far as non-admins are concerned, their access to sensitive data is extremely limited anyways, they can't do much damage really. My employer pays me decently and treats me well, no reasons to be disgruntled either.
In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY UNSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!
Then send it out as a ternary attachment ;-) Seriously, for every filter there is a tunnel, even if it consists of pasting some uuencode variant into the body text instead of using MIME.
Of course there is. Or you can hide an mp3 player in a bodily orifice. Or a concealed keylogger to grab your coworkers' passwords. Or break in from the roof, lowering yourself down a ventilation shaft, subduing the guarddogs with sleeping darts and finding the laser beams with cigar smoke.
But once you do any of these things, you are willingly and deliberately breaking your company's security policies. And a malicious employee is a different kettle of fish from someone not excercizing their judgement in what data to bring home for overtime work, or not thinking through that while their uncle sure would get a chuckle out of the boneheaded design of next years' model, perhaps taking the data out of the building to show him isn't a good idea.
A wordy, fuzzy data security policy can be misunderstood, its main points forgotten and its admonishments mentally filed under "it doesn't really apply to this case". A clear, unambigious, 'All devices need preapproval' and 'No attachements. No, not even of your newborn. No, no even if he really is the cutest thing anybody in the building has ever seen.' is clearer and easier to follow.
It's all a matter of what kind of thing you want to stop. A locked screendoor will not stop a burglar - but it will stop your nosy neighbour just walking into your kitchen or your children to walk outside. And chances are, you usually have far more problems with the latter kinds than the former.
Trust the Computer. The Computer is your friend.
Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before.
The problem is that given the iPod's popularity it does not draw any attention. Even if someone notices that it is plugged in the thief may be able to dodge suspicion with a simple "I need to charge it".
Treat your employees well and they won't feel the need to screw you.
That is naive. Industrial / Commercial espionage happens. Greedy, self-centered, immoral people exist at all levels of companies. "Good" companies get screwed just like "good" employees.
This article is about as insightful as "Knives Can Stab People!"
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
In my neighbourhood, "Nature" is standing on the corner having a private chat with some guy who just pulled up in a Lexus. There is a broken beer bottle on the sidewalk, something which could be a needle lying next to it, and two of the local dealers are having a shouting match right across the street.
If you _really_ think it is a good idea for your three year old to wander out into "Nature" unsupervised, just by walking out the open front door when your back is turned, then by all means, please get "outta here".
Where I work, most of the IT guys (myself included) run around with USB sticks attached to themselves (hanging around the neck, attached to a belt loop, etc.). Our main support guy has a Linux distro on one of them, and can boot desktop machines off the silly thing; comes in real handy when someone has REALLY hosed up their WinXP machine and he has to try to rebuild it without completely wiping their drive and losing their data. Each of us have a "personal" one which has .mp3's, etc. on them. In my case it's an old 128 MB Sandisk Cruzer. I got it free when we ordered a bunch of hardware from someplace. It's getting harder to buy something that small, these days. Even that little thing can easily haul 100 MB of files around.
Quite a few employees have iPods or other small, personal media players, with capacities that dwarf my Cruzer.
If we wanted to, I'm sure we could slurp a large amount of data and walk off with it. More than a few people have pointed out, though, that it would be unethical. For most people, that's enough of a reason not to do it. Probability of getting burned for doing so isn't really the motivating factor. Most people are ethical enough, without needing any kind of threats hanging over their heads.
On the other hand, my wife applied, at one point, for a position with a defense contractor. She wasn't allowed to bring any kind of personal media player, CD's, etc. into the premises. If she had a camera cellphone, she wouldn't be allowed to bring it in, either. A regular cellphone was allowed, but she couldn't turn it on or take/make calls inside the building; she'd have to be outside on break. She couldn't even bring a personal CD player into the place (no recording capability, at all). She had to go through a metal detector any time she entered the building; good luck sneaking an electronic device past that thing.
It all depends on the environment. Obviously, some places are "locked down" more than others.
... by the Dew of Mountains the thoughts acquire speed, the hands acquire shakes, the shakes become a warning
There are always going to be stealthy removeable drive type devices out there that someone can sneak in and out of a company easily and copy files onto. The iPod is just a popular target because millions have been sold and most people are aware of them.
The *real* question is, why would employees have access to file shares on servers containing important documents they weren't supposed to have? If your business throws everything on shares that all users have read (or read/write) access to, they deserve what they get for not implementing some sort of security policy for the shares.
If you're an I.T. person who has full access anyway due to the nature of your job, again - so what? You're already able to burn the stuff off to DVDs at night and sneak them home or download them remotely over your corporate VPN or ??? The point is, companies have to place trust in their people to various extents. If they hired you as a sysadmin, they should have already done the background checking and everything else before hiring you - and believe you can be trusted. If you violate that trust - you screwed them, plain and simple. Implementing some sort of "no Ipod allowed!" policy won't prevent that.
This is a custom app?
Can someone tell me how you write code for the iPod?
It thought it was a closed system...