Slashdot Mirror
Beware the iPod 'slurping' Employee
Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive
business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."
Nothing for you to see here. Please move along. Sorry, my iPod slurped the story.
503 Sig Unavailable
The Signature could not be accessed. Please try again later or contact the administrator
Most of the time, as an IT employee with ties to the management/accounts/administration side of things I have always had full access to company data and know exactly where to look to find what I want. The only real restrictions have been my contract/confidentiality/non-disclosure agreement.
.avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...
..., if I used an iPod.
What I would consider much more useful is an application that can hunt
Optimist: The thumb drive is half empty! Pessimist: The thumb drive is half full...
There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive. And your access will be logged (or not logged) just the same as if you'd just run some normal program. What's the big deal that an iPod can do it?
Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before. Treat your employees well and they won't feel the need to screw you.
We can all give Abe Usher the bird for offering management a reason to prohibit iPods a work. Thanks Abe--you're off my Christmas Card list.
Despite what the article says, a special program isn't needed. All that is needed is for someone to mount the ipod as a disk drive and run a batch file. It could be as simple as one line calling xcopy for each file type (pdf, doc, etc.) running a loop from A to Z for the drives.
iSuck
Thank you, I'll be here all week!
Jds
There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive [...] What's the big deal that an iPod can do it?
Because an iPod is a hard drive disguised as a music player, which may help you get past less-than-competent physical security in ways that you couldn't with a pure hard drive.
I work in a ... large... company (one of the top Fortune ones) and there was a global mandate last year to lock all USB access for data storage devices unless users can make a special case.
That means that USB keys, iPods, plug-in hard drives and so on not only fail to work here, but they generate a little message to the IT department.
Some users, like our media guys, need this access for their work (in this case, digital camera images), and they have an exemption.
This lockdown removes the possibility for portable storage device-based data copying.
Of course, I can always stay late, take the PC apart, remove the hard drive, take it home and copy it, come in early the next day and re-install it. But that's just naughty.
My point is that IT security policies can easily stop this sort of issue, and most large companies are already doing this.
This is nothing new whatsoever.
.pwl files off the Windows 98 boxes for cracking at home.
Back in high school, I used a floppy and a couple batch files to grab
Man, I wish I knew it was called "pod-slurping" back then, I would have been WAYYYY cooler.
CNET: "Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data."
Actual article: "I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod."
Am I reading it correctly that CNet doesn't understand the difference between launching an executeable stored on an external media device, and somehow running it "on" the media device? Am I the only one who thinks Mr. Usher could have been clearer, but intentionally wasn't? Or that both are playing it as "plug an ipod in, instantly hack a machine", like in the movies where magical devices "hack" systems?
It's sensationalist bullshit- all admins would need to do is set up windows to not permit mounting removeable media drives/USB mass storage devices. Or control what executables are permitted to be launched. I'm sure an expert Windows sysadmin could name half a dozen MORE system/domain level ways to stop this dead in its tracks. It strikes me as a distinct non-issue for any company with a properly managed/secured windows network. But hey, that doesn't stop CNet from crying "the sky is falling, the sky is falling!"
"Security consultant releases overblown vulnerability with a confusing and/or misleading description to generate hits to his website, more at 11"...
Please help metamoderate.
Then a friend went to his local bank branch to get a personal loan. His salary records were all on his USB memory device (he works for an ISP who really try to avoid paper if they can)and he was allowed to plug his mempory card in to the loan officer's PC and run Acrobat to show her the documents.
Yep, on a bank PC, inside the firewall, with a USB stick of completely unkown provenance.
I bet their IT security guys would've had a fit, if they'd known!
Eyeballs and a brain work too.
Sooner you're going to have to trust your employees with your sensitive or confidential information, otherwise they're not going to be able to do their jobs. So maybe employers should...oh I don't know...hire employees that are trustworthy? Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!
I worry more about users losing their damn USB drives than using them to steal.
You're using her as bait, Master!
Most USB keys max out at 1GB. However, if you want to steal more than 1GB at time, a 60GB iPod is the way to go.
One video game company that I worked for banned all portable storage devices since they didn't want any files appearing on the internet. The smallest file was 4MB for Gameboy Advance titles and the largest was 4.5GB PS2/XBox titles. I had to get special permission for my 32MB flash card since I was using that to store homework files for the programming classes I was taking at the time. Since half of the projects that I did was for the Gameboy Advance, I was always under suspicion that I might steal a file.
USB and Firewire allow devices to peek/poke through (physical) memory at will. With the iPod, we have a device that's:
1. Can be attached to a computer without being suspect
2. Can run Linux with programs of your choice
3. Has a built-in mass storage system
Any open USB/Firewire port is a potentially huge threat to your whole system's security. If you look here: http://www.cansecwest.com/resources.html, you'll find a pretty detailed presentation on using iPodLinux to hack a computer (kill an X Window screensaver, here) through firewire, and another less detailed one on other DMA-attack vectors (PCMCIA and USB, mostly, iirc). So while it looks like this attack only uses characteristics 1 and 3 of the iPod, the second one is where the money's at (and requires a much larger investment).
Fill those ports with cement!
Try Corewar @ www.koth.org - rec.games.corewar
Dual proc machine, with vast amounts of storage and an innocent ubiquity is used as a corporate weapon. Next they'll be telling me that personal laptops can be used to sniff corporate networks, or that viruses can be transfered on floppy disk, and that restricted documents have been printed out, and 'sneaked' through the front door.
Any company with a decent security model will be able to recognise a user who's file browsing habits are irregular, and classified documents shouldn't be kept in a public repository on a LAN anyway.
Scared of flying, pointy things snce 1979!
Two employers ago, the company's president walked by my desk and noticed I was listening to an iPod. The song playing at that moment was "Cake and Sodomy" by Marilyn Manson, which was unfortunate because the gentleman picked up my iPod to look at it before I had a chance to change to a song with a less offensive title. As he picked it up he said "I just bought one of these for my son for Christmas" and then I noticed the shock in his eyes when he saw the words on the LCD screen... then he said "Hmmm" and sat the iPod back on my desk and walked away without saying another word.
A few weeks later, after the Christmas holiday, I saw the president and asked if his son liked his iPod. He said "I decided to return it and got him something else." At first I felt like a heel because I probably caused him to go home and dig through his children's CD collections, confiscate those not meeting his approval and give them a stern lecture. But then it occurred to me that his kids are rich brats and I might have caused them some grief! Buwah hahaha! I felt so happy when I chose to Think Different.
Thanks Apple, your iPod filled me with holiday cheer.
Run and catch, run and catch, the lamb is caught in the blackberry patch.
Which totally defeats the point of banning USB keys/external HDD's/iPod. I mean it is brain-dead easy to copy files on to a Palm or PocketPC, and with an CF or SD card(I believe they are up to the 2 or 4 GB range now-days) you could get a ton of stuff out of work. Hell, you could even hide the card in your shoe or something afterwards if you weren't allowed to take your PDA home or something. And even without their USB ports, there's Bluetooth(for some phones/PDAs and a few computers). There is no way that a company can absolutely prevent someone from taking home files that they have access to, unless they're like the CIA/NSA or something(And haven't there been a few cases of people getting computer files out of those places?). There are too many ways to get the data out, and too many ways to get around security.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY UNSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!
Then send it out as a ternary attachment ;-) Seriously, for every filter there is a tunnel, even if it consists of pasting some uuencode variant into the body text instead of using MIME.
Of course there is. Or you can hide an mp3 player in a bodily orifice. Or a concealed keylogger to grab your coworkers' passwords. Or break in from the roof, lowering yourself down a ventilation shaft, subduing the guarddogs with sleeping darts and finding the laser beams with cigar smoke.
But once you do any of these things, you are willingly and deliberately breaking your company's security policies. And a malicious employee is a different kettle of fish from someone not excercizing their judgement in what data to bring home for overtime work, or not thinking through that while their uncle sure would get a chuckle out of the boneheaded design of next years' model, perhaps taking the data out of the building to show him isn't a good idea.
A wordy, fuzzy data security policy can be misunderstood, its main points forgotten and its admonishments mentally filed under "it doesn't really apply to this case". A clear, unambigious, 'All devices need preapproval' and 'No attachements. No, not even of your newborn. No, no even if he really is the cutest thing anybody in the building has ever seen.' is clearer and easier to follow.
It's all a matter of what kind of thing you want to stop. A locked screendoor will not stop a burglar - but it will stop your nosy neighbour just walking into your kitchen or your children to walk outside. And chances are, you usually have far more problems with the latter kinds than the former.
Trust the Computer. The Computer is your friend.
A locked screendoor will not stop a burglar - but it will stop your nosy neighbour just walking into your kitchen or your children to walk outside.
Gosh no..heaven forbid!! Your neighbour could actually come in and say 'Hi!' to your kids! Your kids could actually go outside and see for themselves what Nature really looks like instead of watching Cartoon Channel. The horror!
People, if some of you really get off on living in a 'war zone' 24/7 where you can trust nobody, please do, but I'm outta here.
The Hacker's Guide To The Kernel: Don't panic()!
Way to ruin a good joke dude. Who brought you along?
Why in the hell do people do shit like this and PUBLICIZE it? All it does is give geeks a bad name and make a 'threat' out of anyone who carries an iPod or other digital music player.
I'm all for the freedom to write software like this but shit, you have to be smart about it.
"Sir? I think Johnson's up to something."
"Johnson? That weirdo down in IT? I *knew* he was trouble when he brought that shiny, new iPod in here! What's he doing? Slurping our corporate data?!"
"Erm, no. He put on a cloak and wizard hat, and now he's chasing Shelley the intern around the server room yelling 'lightning bolt! lightning bolt!'"
"Sweet Jesus... this is worse than the time we found out we had a furry in accounting. Fetch my pith helmet and tranquilizer gun."