Slashdot Mirror
Beware the iPod 'slurping' Employee
Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive
business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."
Nothing for you to see here. Please move along. Sorry, my iPod slurped the story.
503 Sig Unavailable
The Signature could not be accessed. Please try again later or contact the administrator
Most of the time, as an IT employee with ties to the management/accounts/administration side of things I have always had full access to company data and know exactly where to look to find what I want. The only real restrictions have been my contract/confidentiality/non-disclosure agreement.
.avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...
..., if I used an iPod.
What I would consider much more useful is an application that can hunt
Optimist: The thumb drive is half empty! Pessimist: The thumb drive is half full...
There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive. And your access will be logged (or not logged) just the same as if you'd just run some normal program. What's the big deal that an iPod can do it?
Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before. Treat your employees well and they won't feel the need to screw you.
We can all give Abe Usher the bird for offering management a reason to prohibit iPods a work. Thanks Abe--you're off my Christmas Card list.
iSpy
Despite what the article says, a special program isn't needed. All that is needed is for someone to mount the ipod as a disk drive and run a batch file. It could be as simple as one line calling xcopy for each file type (pdf, doc, etc.) running a loop from A to Z for the drives.
An insider threat would only need to plug the iPod into a computer's USB port. ...not only that, the threat would have to have access to said files. Granted, it's an insider threat, but I fail to see the significance here.
Isn't this just:
1. Search for files containing "Confidential" or "sensitive" or "budget" or "payroll"
2. Copy to iPod
? Because I can do that pretty easily and more accurately than software.
Also, why the hell does everything have to have "pod" in the name? Now it's cool? Why can't people coin cool terms anymore??
iSuck
Thank you, I'll be here all week!
Jds
/. the download site!!! If we crush the site and burnup the download bandwidth, I'll be able to keep using my iPod at work! Oh wait....
Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive [...] What's the big deal that an iPod can do it?
Because an iPod is a hard drive disguised as a music player, which may help you get past less-than-competent physical security in ways that you couldn't with a pure hard drive.
I work in a ... large... company (one of the top Fortune ones) and there was a global mandate last year to lock all USB access for data storage devices unless users can make a special case.
That means that USB keys, iPods, plug-in hard drives and so on not only fail to work here, but they generate a little message to the IT department.
Some users, like our media guys, need this access for their work (in this case, digital camera images), and they have an exemption.
This lockdown removes the possibility for portable storage device-based data copying.
Of course, I can always stay late, take the PC apart, remove the hard drive, take it home and copy it, come in early the next day and re-install it. But that's just naughty.
My point is that IT security policies can easily stop this sort of issue, and most large companies are already doing this.
This is nothing new whatsoever.
.pwl files off the Windows 98 boxes for cracking at home.
Back in high school, I used a floppy and a couple batch files to grab
Man, I wish I knew it was called "pod-slurping" back then, I would have been WAYYYY cooler.
CNET: "Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data."
Actual article: "I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod."
Am I reading it correctly that CNet doesn't understand the difference between launching an executeable stored on an external media device, and somehow running it "on" the media device? Am I the only one who thinks Mr. Usher could have been clearer, but intentionally wasn't? Or that both are playing it as "plug an ipod in, instantly hack a machine", like in the movies where magical devices "hack" systems?
It's sensationalist bullshit- all admins would need to do is set up windows to not permit mounting removeable media drives/USB mass storage devices. Or control what executables are permitted to be launched. I'm sure an expert Windows sysadmin could name half a dozen MORE system/domain level ways to stop this dead in its tracks. It strikes me as a distinct non-issue for any company with a properly managed/secured windows network. But hey, that doesn't stop CNet from crying "the sky is falling, the sky is falling!"
"Security consultant releases overblown vulnerability with a confusing and/or misleading description to generate hits to his website, more at 11"...
Please help metamoderate.
The REAL story here is that he has created an APPLICATION for the iPod, according to the FA. How did he do that? Apple closely guards the iPod SDKs and as far as I know have never released them to third party developers.
Maybe he went into Apple and "slurped" the SDKs using his application.... oh wait.
Then a friend went to his local bank branch to get a personal loan. His salary records were all on his USB memory device (he works for an ISP who really try to avoid paper if they can)and he was allowed to plug his mempory card in to the loan officer's PC and run Acrobat to show her the documents.
Yep, on a bank PC, inside the firewall, with a USB stick of completely unkown provenance.
I bet their IT security guys would've had a fit, if they'd known!
Eyeballs and a brain work too.
Sooner you're going to have to trust your employees with your sensitive or confidential information, otherwise they're not going to be able to do their jobs. So maybe employers should...oh I don't know...hire employees that are trustworthy? Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!
I worry more about users losing their damn USB drives than using them to steal.
You're using her as bait, Master!
I can use more disk space so I can watch Ashlee Simpson videos while I slurp data off the corporate network.
It's actually pretty easy for a company to prevent employees from writing to mass storage devices with XP SP2: Change one registry key on every machine... simple stuff with an Active Directory environment.
More significantly though, this kind of thing really makes a case for Microsoft's Rights Management Services technology... even if you were able to copy the physical documents onto an iPod, they'd be completely useless to you outside the organization because they're encrypted, and only by talking to the RMS server (located internally) can they be unlocked.
Most USB keys max out at 1GB. However, if you want to steal more than 1GB at time, a 60GB iPod is the way to go.
One video game company that I worked for banned all portable storage devices since they didn't want any files appearing on the internet. The smallest file was 4MB for Gameboy Advance titles and the largest was 4.5GB PS2/XBox titles. I had to get special permission for my 32MB flash card since I was using that to store homework files for the programming classes I was taking at the time. Since half of the projects that I did was for the Gameboy Advance, I was always under suspicion that I might steal a file.
...from work...But *I* have created an application that prevents sensationalist articles by CNET and applications written by Abe Usher from being run or seen on my employers network! SO THERE!
"Love is like pi - natural, irrational, and very important." (Lisa Hoffman)
USB and Firewire allow devices to peek/poke through (physical) memory at will. With the iPod, we have a device that's:
1. Can be attached to a computer without being suspect
2. Can run Linux with programs of your choice
3. Has a built-in mass storage system
Any open USB/Firewire port is a potentially huge threat to your whole system's security. If you look here: http://www.cansecwest.com/resources.html, you'll find a pretty detailed presentation on using iPodLinux to hack a computer (kill an X Window screensaver, here) through firewire, and another less detailed one on other DMA-attack vectors (PCMCIA and USB, mostly, iirc). So while it looks like this attack only uses characteristics 1 and 3 of the iPod, the second one is where the money's at (and requires a much larger investment).
Fill those ports with cement!
Try Corewar @ www.koth.org - rec.games.corewar
Dual proc machine, with vast amounts of storage and an innocent ubiquity is used as a corporate weapon. Next they'll be telling me that personal laptops can be used to sniff corporate networks, or that viruses can be transfered on floppy disk, and that restricted documents have been printed out, and 'sneaked' through the front door.
Any company with a decent security model will be able to recognise a user who's file browsing habits are irregular, and classified documents shouldn't be kept in a public repository on a LAN anyway.
Scared of flying, pointy things snce 1979!
Two employers ago, the company's president walked by my desk and noticed I was listening to an iPod. The song playing at that moment was "Cake and Sodomy" by Marilyn Manson, which was unfortunate because the gentleman picked up my iPod to look at it before I had a chance to change to a song with a less offensive title. As he picked it up he said "I just bought one of these for my son for Christmas" and then I noticed the shock in his eyes when he saw the words on the LCD screen... then he said "Hmmm" and sat the iPod back on my desk and walked away without saying another word.
A few weeks later, after the Christmas holiday, I saw the president and asked if his son liked his iPod. He said "I decided to return it and got him something else." At first I felt like a heel because I probably caused him to go home and dig through his children's CD collections, confiscate those not meeting his approval and give them a stern lecture. But then it occurred to me that his kids are rich brats and I might have caused them some grief! Buwah hahaha! I felt so happy when I chose to Think Different.
Thanks Apple, your iPod filled me with holiday cheer.
Run and catch, run and catch, the lamb is caught in the blackberry patch.
If your network is so insecure, you ought to fix that. It isn't the applications (or hardware) that we should be upset about, but the flaws which they highlight.
-Tim Louden
http://www.sharp-ideas.net.nyud.net:8080/download/ slurp.zip
^- The Coralized version of the software.
as has already been pointed out, any flash drive or external hard drive could be used.
Or a thieving employee could burn a CD or DVD.
Or use a cellphone to store sensitive info, transferred from a PC via the Bluetooth connection used to support a wireless mouse.
The only real defense against employee theft is restricting access to sensitive data and minimizing the number of untrustworthy employees. That's the best that can be done.
Which totally defeats the point of banning USB keys/external HDD's/iPod. I mean it is brain-dead easy to copy files on to a Palm or PocketPC, and with an CF or SD card(I believe they are up to the 2 or 4 GB range now-days) you could get a ton of stuff out of work. Hell, you could even hide the card in your shoe or something afterwards if you weren't allowed to take your PDA home or something. And even without their USB ports, there's Bluetooth(for some phones/PDAs and a few computers). There is no way that a company can absolutely prevent someone from taking home files that they have access to, unless they're like the CIA/NSA or something(And haven't there been a few cases of people getting computer files out of those places?). There are too many ways to get the data out, and too many ways to get around security.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
That's what your IT guys are paid to monitor. If someone is sucking down 60 GB of files at a time, that should ring some sort of alarm bell. Most sites I've worked at would raise eyebrows at a 500MB download.
In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY UNSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!
Then send it out as a ternary attachment ;-) Seriously, for every filter there is a tunnel, even if it consists of pasting some uuencode variant into the body text instead of using MIME.
Of course there is. Or you can hide an mp3 player in a bodily orifice. Or a concealed keylogger to grab your coworkers' passwords. Or break in from the roof, lowering yourself down a ventilation shaft, subduing the guarddogs with sleeping darts and finding the laser beams with cigar smoke.
But once you do any of these things, you are willingly and deliberately breaking your company's security policies. And a malicious employee is a different kettle of fish from someone not excercizing their judgement in what data to bring home for overtime work, or not thinking through that while their uncle sure would get a chuckle out of the boneheaded design of next years' model, perhaps taking the data out of the building to show him isn't a good idea.
A wordy, fuzzy data security policy can be misunderstood, its main points forgotten and its admonishments mentally filed under "it doesn't really apply to this case". A clear, unambigious, 'All devices need preapproval' and 'No attachements. No, not even of your newborn. No, no even if he really is the cutest thing anybody in the building has ever seen.' is clearer and easier to follow.
It's all a matter of what kind of thing you want to stop. A locked screendoor will not stop a burglar - but it will stop your nosy neighbour just walking into your kitchen or your children to walk outside. And chances are, you usually have far more problems with the latter kinds than the former.
Trust the Computer. The Computer is your friend.
It may be that their computers don't have any special access in particular. I work for a university and, of course, we have detailed financial and personal information on employees and students. Most people don't have access to it (including me) but of course people like our finance people need it. So you get at their computer, you get the info right? No, it's all stored on a mainframe over in the computer centre. They access it via a very archaic text interface over an encrypted link. Their computers aren't special for this access, you just need the right software, username, and password.
I don't know how banks work, I'd bet they are all different, but just because a computer is on their network doesn't necessiarly mean it has any special kind of access. All the important data may be stored on another system to which they have to log in. If they then lack admin access on their desktop, there's no real way to put a keylogger or anything on there. I would be more worried about someone getting a password via social engineering than getting anything useful off the computers themselves.
A locked screendoor will not stop a burglar - but it will stop your nosy neighbour just walking into your kitchen or your children to walk outside.
Gosh no..heaven forbid!! Your neighbour could actually come in and say 'Hi!' to your kids! Your kids could actually go outside and see for themselves what Nature really looks like instead of watching Cartoon Channel. The horror!
People, if some of you really get off on living in a 'war zone' 24/7 where you can trust nobody, please do, but I'm outta here.
The Hacker's Guide To The Kernel: Don't panic()!
Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before.
The problem is that given the iPod's popularity it does not draw any attention. Even if someone notices that it is plugged in the thief may be able to dodge suspicion with a simple "I need to charge it".
Treat your employees well and they won't feel the need to screw you.
That is naive. Industrial / Commercial espionage happens. Greedy, self-centered, immoral people exist at all levels of companies. "Good" companies get screwed just like "good" employees.
Way to ruin a good joke dude. Who brought you along?
Oh, SLURPing!
I thought the story was about LARPing. That would have been much more terrifying.
The ______ Agenda
This article is about as insightful as "Knives Can Stab People!"
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Are you trying to make my workplace ban my iPod? Cut it the hell out.
Why in the hell do people do shit like this and PUBLICIZE it? All it does is give geeks a bad name and make a 'threat' out of anyone who carries an iPod or other digital music player.
I'm all for the freedom to write software like this but shit, you have to be smart about it.
In my neighbourhood, "Nature" is standing on the corner having a private chat with some guy who just pulled up in a Lexus. There is a broken beer bottle on the sidewalk, something which could be a needle lying next to it, and two of the local dealers are having a shouting match right across the street.
If you _really_ think it is a good idea for your three year old to wander out into "Nature" unsupervised, just by walking out the open front door when your back is turned, then by all means, please get "outta here".
Where I work, most of the IT guys (myself included) run around with USB sticks attached to themselves (hanging around the neck, attached to a belt loop, etc.). Our main support guy has a Linux distro on one of them, and can boot desktop machines off the silly thing; comes in real handy when someone has REALLY hosed up their WinXP machine and he has to try to rebuild it without completely wiping their drive and losing their data. Each of us have a "personal" one which has .mp3's, etc. on them. In my case it's an old 128 MB Sandisk Cruzer. I got it free when we ordered a bunch of hardware from someplace. It's getting harder to buy something that small, these days. Even that little thing can easily haul 100 MB of files around.
Quite a few employees have iPods or other small, personal media players, with capacities that dwarf my Cruzer.
If we wanted to, I'm sure we could slurp a large amount of data and walk off with it. More than a few people have pointed out, though, that it would be unethical. For most people, that's enough of a reason not to do it. Probability of getting burned for doing so isn't really the motivating factor. Most people are ethical enough, without needing any kind of threats hanging over their heads.
On the other hand, my wife applied, at one point, for a position with a defense contractor. She wasn't allowed to bring any kind of personal media player, CD's, etc. into the premises. If she had a camera cellphone, she wouldn't be allowed to bring it in, either. A regular cellphone was allowed, but she couldn't turn it on or take/make calls inside the building; she'd have to be outside on break. She couldn't even bring a personal CD player into the place (no recording capability, at all). She had to go through a metal detector any time she entered the building; good luck sneaking an electronic device past that thing.
It all depends on the environment. Obviously, some places are "locked down" more than others.
... by the Dew of Mountains the thoughts acquire speed, the hands acquire shakes, the shakes become a warning
I tried to copy all your money to Steve Jobs, but his bank refused to, "fiddle with small change". Bastards. :(
Show me on the doll where his noodly appendage touched you.
There are always going to be stealthy removeable drive type devices out there that someone can sneak in and out of a company easily and copy files onto. The iPod is just a popular target because millions have been sold and most people are aware of them.
The *real* question is, why would employees have access to file shares on servers containing important documents they weren't supposed to have? If your business throws everything on shares that all users have read (or read/write) access to, they deserve what they get for not implementing some sort of security policy for the shares.
If you're an I.T. person who has full access anyway due to the nature of your job, again - so what? You're already able to burn the stuff off to DVDs at night and sneak them home or download them remotely over your corporate VPN or ??? The point is, companies have to place trust in their people to various extents. If they hired you as a sysadmin, they should have already done the background checking and everything else before hiring you - and believe you can be trusted. If you violate that trust - you screwed them, plain and simple. Implementing some sort of "no Ipod allowed!" policy won't prevent that.
How many times have you admins been told to use a non-administrator account for your day to day operations and to give users the least privleges possible? Don't make users local administrators to their machines. Don't give all of your user's domain admin access on a windows network. Don't give sensitive network shares full access to everyone. So many people focus on boundary security and leave their internal network absolutely open. Like others have said, it doesn't take software to do this. It also doesn't take an idiot with some clue of permissions to stop this sort of thing from happening in the first place.
Along the same lines, if you don't trust an employee having access to certain data, that employee should never have read access to that data. If you can't read it, you can't copy it to an iPod. If you can read it, you can steal it... via iPod, floppy disk, e-mail, or even by printing it. This software is just a tool, and the biggest lesson here is that corporate networks are often not secured properly.
LordBodak's journal.