Slashdot Mirror


Beware the iPod 'slurping' Employee

Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."

15 of 390 comments

  1. Oops by Luigi30 · · Score: 5, Funny

    Nothing for you to see here. Please move along. Sorry, my iPod slurped the story.

    --
    503 Sig Unavailable

    The Signature could not be accessed. Please try again later or contact the administrator
  2. Business data? by PC-PHIX · · Score: 5, Insightful

    Most of the time, as an IT employee with ties to the management/accounts/administration side of things I have always had full access to company data and know exactly where to look to find what I want. The only real restrictions have been my contract/confidentiality/non-disclosure agreement.

    What I would consider much more useful is an application that can hunt .avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...

    ..., if I used an iPod.

    --
    Optimist: The thumb drive is half empty! Pessimist: The thumb drive is half full...
  3. Thanks Abe by Mrs.+Grundy · · Score: 5, Funny

    We can all give Abe Usher the bird for offering management a reason to prohibit iPods at work. Thanks Abe--you're off my Christmas Card list.

  4. a "program" isn't needed by Barbarian · · Score: 5, Insightful

    Despite what the article says, a special program isn't needed. All that is needed is for someone to mount the ipod as a disk drive and run a batch file. It could be as simple as one line calling xcopy for each file type (pdf, doc, etc.) running a loop from A to Z for the drives.

  5. Unofficially called... by Oyume · · Score: 5, Funny

    iSuck

    Thank you, I'll be here all week!
    Jds

  6. Re:Just plug it in? by AngryMuppet · · Score: 5, Funny

    Also, why the hell does everything have to have "pod" in the name? Now it's cool? Why can't people coin cool terms anymore??
    We're being overrun by pod people!
  7. Yay sensationalist headlines on non-issues! by SuperBanana · · Score: 5, Insightful

    CNET: "Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data."

    Actual article: "I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod."

    Am I reading it correctly that CNet doesn't understand the difference between launching an executable stored on an external media device, and somehow running it "on" the media device? Am I the only one who thinks Mr. Usher could have been clearer, but intentionally wasn't? Or that both are playing it as "plug an iPod in, instantly hack a machine", like in the movies where magical devices "hack" systems?

    It's sensationalist bullshit - all admins would need to do is set up Windows to not permit mounting removable media drives/USB mass storage devices. Or control what executables are permitted to be launched. I'm sure an expert Windows sysadmin could name half a dozen MORE system/domain level ways to stop this dead in its tracks. It strikes me as a distinct non-issue for any company with a properly managed/secured Windows network. But hey, that doesn't stop CNet from crying "the sky is falling, the sky is falling!"

    "Security consultant releases overblown vulnerability with a confusing and/or misleading description to generate hits to his website, more at 11"...
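
    The two host-side controls this comment names (stop Windows mounting USB mass-storage devices, and restrict what can be run) can be audited and applied from PowerShell; the following is an added example, not code from the thread or from Abe Usher. It assumes a standalone Windows host with local admin rights, uses the USBSTOR service Start value and the Removable Storage Access policy key that Group Policy writes, and leaves the executable-restriction side (AppLocker / Software Restriction Policies) to domain policy.

```powershell
# Added example: audit, and with -Enforce apply, two controls against
# copying files to an iPod or USB stick: (1) keep Windows from loading the
# USB mass-storage driver, (2) deny writes to any removable disk that still
# mounts. Run from an elevated prompt.
[CmdletBinding()]
param([switch]$Enforce)

# USBSTOR start type: 3 = load on demand (USB disks mount), 4 = disabled
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# "Removable Disks: Deny write access" policy; the GUID is the disk
# device-interface class the Removable Storage Access policies key on
$policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStorageState {
    $start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $policy -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    [pscustomobject]@{
        UsbStorStart    = $start
        UsbStorDisabled = ($start -eq 4)
        DenyWritePolicy = ($deny -eq 1)
    }
}

function Set-RemovableStorageHardening {
    # With Start=4 new mass-storage devices are no longer enumerated;
    # anything already mounted goes away on replug or reboot.
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    # Deny_Write=1 blocks copying onto removable disks that are still
    # allowed to mount (e.g. exceptions), while leaving read access alone.
    Set-ItemProperty -Path $policy -Name Deny_Write -Value 1 -Type DWord
}

$before = Get-RemovableStorageState
Write-Host "Before: USBSTOR Start=$($before.UsbStorStart) Disabled=$($before.UsbStorDisabled) DenyWrite=$($before.DenyWritePolicy)"
if ($Enforce) {
    Set-RemovableStorageHardening
    $after = Get-RemovableStorageState
    Write-Host "After:  USBSTOR Start=$($after.UsbStorStart) Disabled=$($after.UsbStorDisabled) DenyWrite=$($after.DenyWritePolicy)"
}
```

    Without -Enforce the script only reports the current state, which is the form to run across a fleet first. Note that disabling USBSTOR also blocks legitimate USB disks, so pair it with an exception process rather than applying it blind.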

  8. Physical access by ian_mackereth · · Score: 5, Interesting

    At one time, I'd've pointed out the difficulty of getting unauthorised physical access to a PC's USB port in any sort of secured environment.

    Then a friend went to his local bank branch to get a personal loan. His salary records were all on his USB memory device (he works for an ISP who really try to avoid paper if they can) and he was allowed to plug his memory card in to the loan officer's PC and run Acrobat to show her the documents.

    Yep, on a bank PC, inside the firewall, with a USB stick of completely unknown provenance.

    I bet their IT security guys would've had a fit, if they'd known!

    1. Re:Physical access by Anonymous Coward · · Score: 5, Interesting

      As an IT guy in a bank, I have to say that if you thought that banks somehow had better security than the grocery store across the street, you were merely fooling yourself.

      Fact 1: for the system to work, people have to have access to the core financial applications.
      Fact 2: people are stupid.
      Fact 3: much (most?) hacking involves social hacking as opposed to trying to "break in" to a financial institution.

      Connect the dots.

      'Course, there is no way you could get anywhere trying to break into our organization through the front door, but sadly, a low-tech backdoor approach like this would probably work great.

  9. My iPod Christmas miracle by VampireByte · · Score: 5, Funny

    Two employers ago, the company's president walked by my desk and noticed I was listening to an iPod. The song playing at that moment was "Cake and Sodomy" by Marilyn Manson, which was unfortunate because the gentleman picked up my iPod to look at it before I had a chance to change to a song with a less offensive title. As he picked it up he said "I just bought one of these for my son for Christmas" and then I noticed the shock in his eyes when he saw the words on the LCD screen... then he said "Hmmm" and sat the iPod back on my desk and walked away without saying another word.

    A few weeks later, after the Christmas holiday, I saw the president and asked if his son liked his iPod. He said "I decided to return it and got him something else." At first I felt like a heel because I probably caused him to go home and dig through his children's CD collections, confiscate those not meeting his approval and give them a stern lecture. But then it occurred to me that his kids are rich brats and I might have caused them some grief! Buwah hahaha! I felt so happy when I chose to Think Different.

    Thanks Apple, your iPod filled me with holiday cheer.

    --

    Run and catch, run and catch, the lamb is caught in the blackberry patch.

  10. In other news... by Anonymous Coward · · Score: 5, Insightful

    In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY UNSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!

  11. Re:Send it out as a ternary attachment by JanneM · · Score: 5, Insightful

    Then send it out as a ternary attachment ;-) Seriously, for every filter there is a tunnel, even if it consists of pasting some uuencode variant into the body text instead of using MIME.

    Of course there is. Or you can hide an mp3 player in a bodily orifice. Or a concealed keylogger to grab your coworkers' passwords. Or break in from the roof, lowering yourself down a ventilation shaft, subduing the guard dogs with sleeping darts and finding the laser beams with cigar smoke.

    But once you do any of these things, you are willingly and deliberately breaking your company's security policies. And a malicious employee is a different kettle of fish from someone not exercising their judgement in what data to bring home for overtime work, or not thinking through that while their uncle sure would get a chuckle out of the boneheaded design of next year's model, perhaps taking the data out of the building to show him isn't a good idea.

    A wordy, fuzzy data security policy can be misunderstood, its main points forgotten and its admonishments mentally filed under "it doesn't really apply to this case". A clear, unambiguous, 'All devices need preapproval' and 'No attachments. No, not even of your newborn. No, not even if he really is the cutest thing anybody in the building has ever seen.' is clearer and easier to follow.

    It's all a matter of what kind of thing you want to stop. A locked screen door will not stop a burglar - but it will stop your nosy neighbour just walking into your kitchen or your children from walking outside. And chances are, you usually have far more problems with the latter kinds than the former.

    --
    Trust the Computer. The Computer is your friend.
  12. Re:Store analogy was terribly naive ... by grolschie · · Score: 5, Funny

    Way to ruin a good joke dude. Who brought you along?

  13. Re:I don't get it. by v1 · · Score: 5, Insightful

    How about a 4GB USB flash drive? Flash drives are becoming more popular than iPods, and are a heck of a lot easier to palm out of sight. They also look a lot less dangerous to most uneducated users, plugged into a USB keyboard rather than an iPod with its firewire/usb cable snaking over to the computer. As far as "sensitive data" goes, it's rarely related to its size. Anything capable of holding even a megabyte of data could easily be considered a major risk for sensitive information loss.

    The iPod is just one of the many ways for data to walk out the door. PDAs are just as bad, and are probably the most commonly accepted data storage device let in the building short of cell phones.

    All the technology does is make theft easier. It's just like the argument about guns... it isn't the object that's dangerous, the object is only the enabler. It's the person using the object that makes it dangerous. ("guns don't kill people, people kill people" -- "iPods don't steal company secrets, people steal company secrets")

    In other words, if you are paranoid about your employees taking an iPod into work, why on earth did you hire them for a sensitive position? Them bringing that iPod in is, for the most part, completely beyond your control. (and the iPod is just one of many dozens of vectors to worry about) Whether or not you hire them (and let them, with or without their iPod, in the door) is totally within your control. Pick your battles wisely.

    --
    I work for the Department of Redundancy Department.
  14. Re:Oh! by The+Ultimate+Fartkno · · Score: 5, Funny

    "Sir? I think Johnson's up to something."

    "Johnson? That weirdo down in IT? I *knew* he was trouble when he brought that shiny, new iPod in here! What's he doing? Slurping our corporate data?!"

    "Erm, no. He put on a cloak and wizard hat, and now he's chasing Shelley the intern around the server room yelling 'lightning bolt! lightning bolt!'"

    "Sweet Jesus... this is worse than the time we found out we had a furry in accounting. Fetch my pith helmet and tranquilizer gun."