Beware the iPod 'slurping' Employee

Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."

Business data?

[PC-PHIX]

Most of the time, as an IT employee with ties to the management/accounts/administration side of things I have always had full access to company data and know exactly where to look to find what I want. The only real restrictions have been my contract/confidentiality/non-disclosure agreement.

What I would consider much more useful is an application that can hunt .avi, .mpg and .mp3 files across the network and 'slurp' them back to my iPod...

..., if I used an iPod.

I don't get it.

[Al Dimond]

There's nothing you could do with the iPod that you couldn't do with your normal computer and any random external hard drive. And your access will be logged (or not logged) just the same as if you'd just run some normal program. What's the big deal that an iPod can do it?

In other news...

[Anonymous Coward]

Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before. Treat your employees well and they won't feel the need to screw you.

So what's the difference...

[Anonymous Coward]

with carrying a USB key around? it's not that tough to search the network for files containing "Confidential" or whatever keyword and copying them on your key. If you don't trust your employees, their network access shouldn't allow getting at sensitive documents anyways.

a "program" isn't needed

[Barbarian]

Despite what the article says, a special program isn't needed. All that is needed is for someone to mount the ipod as a disk drive and run a batch file. It could be as simple as one line calling xcopy for each file type (pdf, doc, etc.) running a loop from A to Z for the drives.

Just plug it in?

[ejdmoo]

An insider threat would only need to plug the iPod into a computer's USB port. ...not only that, the threat would have to have access to said files. Granted, it's an insider threat, but I fail to see the significance here.

Isn't this just:
1. Search for files containing "Confidential" or "sensitive" or "budget" or "payroll"
2. Copy to iPod

? Because I can do that pretty easily and more accurately than software.

Also, why the hell does everything have to have "pod" in the name? Now it's cool? Why can't people coin cool terms anymore??

Re:I don't get it.

[JanneM]

What's the big deal that an iPod can do it?

There's plenty of places where running around with an external harddive would seem very suspicious (or an outright violation), but a music player is, well, just a music player, right? There's many people out there that don't have the interest in technology to really reach the conclusions that seem obvious here.

With something like this, I'd expect to see quite a bit more attention being given not only to mp3-players, but things like cameras and mobile phones as well. "Wake-up call" is a trite, overused term, but perfectly apt.

Yay sensationalist headlines on non-issues!

[SuperBanana]

CNET: "Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod and can search corporate networks for files likely to contain business-critical data."

Actual article: "I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod."

Am I reading it correctly that CNet doesn't understand the difference between launching an executeable stored on an external media device, and somehow running it "on" the media device? Am I the only one who thinks Mr. Usher could have been clearer, but intentionally wasn't? Or that both are playing it as "plug an ipod in, instantly hack a machine", like in the movies where magical devices "hack" systems?

It's sensationalist bullshit- all admins would need to do is set up windows to not permit mounting removeable media drives/USB mass storage devices. Or control what executables are permitted to be launched. I'm sure an expert Windows sysadmin could name half a dozen MORE system/domain level ways to stop this dead in its tracks. It strikes me as a distinct non-issue for any company with a properly managed/secured windows network. But hey, that doesn't stop CNet from crying "the sky is falling, the sky is falling!"

"Security consultant releases overblown vulnerability with a confusing and/or misleading description to generate hits to his website, more at 11"...

Eyeballs and a brain...

[Robber Baron]

Eyeballs and a brain work too.
Sooner you're going to have to trust your employees with your sensitive or confidential information, otherwise they're not going to be able to do their jobs. So maybe employers should...oh I don't know...hire employees that are trustworthy? Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!

I worry more about users losing their damn USB drives than using them to steal.

Re:Yay sensationalist headlines on non-issues!

[Jeff DeMaagd]

In other words, business as usual for C|Net.

Potential threat through USB/Firewire

[pkhuong]

USB and Firewire allow devices to peek/poke through (physical) memory at will. With the iPod, we have a device that's:

1. Can be attached to a computer without being suspect
2. Can run Linux with programs of your choice
3. Has a built-in mass storage system

Any open USB/Firewire port is a potentially huge threat to your whole system's security. If you look here: http://www.cansecwest.com/resources.html [cansecwest.com], you'll find a pretty detailed presentation on using iPodLinux to hack a computer (kill an X Window screensaver, here) through firewire, and another less detailed one on other DMA-attack vectors (PCMCIA and USB, mostly, iirc). So while it looks like this attack only uses characteristics 1 and 3 of the iPod, the second one is where the money's at (and requires a much larger investment).

Fill those ports with cement!

Anyone suprised?

[el_womble]

Dual proc machine, with vast amounts of storage and an innocent ubiquity is used as a corporate weapon. Next they'll be telling me that personal laptops can be used to sniff corporate networks, or that viruses can be transfered on floppy disk, and that restricted documents have been printed out, and 'sneaked' through the front door.

Any company with a decent security model will be able to recognise a user who's file browsing habits are irregular, and classified documents shouldn't be kept in a public repository on a LAN anyway.

Re:I don't get it.

[Anonymous Coward]

"Wake-up call" is a trite, overused term, but perfectly apt.

People like yourself are going to get all our music players, phones and every other damn thing confiscated by some personnel drone when we enter any corporate building.

Congratulations, I hope you're happy.

Re:I don't get it.

[Fnkmaster]

I see people running around with solid state USB keychain devices all the time. A large number of people at my university seem to have them. They are no more or less suspicion inducing than an iPod. A large, clunky external USB harddrive might be suspicious, but that's irrelevant.

The point is that any device that plugs into the USB port is a real threat, and this needs to be dealt with in corporate networks by assuming that any mounted USB drive of any sort is presumed to contain malicious code.

Re:I don't get it.

[Danse]

There's plenty of places where running around with an external harddive would seem very suspicious (or an outright violation), but a music player is, well, just a music player, right?

In every secure area I've been in, any sort of external data-storing device is banned, unless you are given explicit permission to bring it in, or you have the proper credentials to be allowed to bring them in on your own (which subject you to a higher level of scrutiny). So, unless the security people and system admins are completely retarded, then yes, this is a non-issue.

let them

[TLouden]

If your network is so insecure, you ought to fix that. It isn't the applications (or hardware) that we should be upset about, but the flaws which they highlight.

nothing special about using an iPod...

[constantnormal]

as has already been pointed out, any flash drive or external hard drive could be used.

Or a thieving employee could burn a CD or DVD.

Or use a cellphone to store sensitive info, transferred from a PC via the Bluetooth connection used to support a wireless mouse.

The only real defense against employee theft is restricting access to sensitive data and minimizing the number of untrustworthy employees. That's the best that can be done.

Indeed

[Anonymous Coward]

Exactly. I could very easily backup hundreds of complete databases right off the SQL servers (and other sources, XML, etc) - including tons of sensitive data, the source for every app we've made, our entire intranet's contents, and burn it to DVDs or copy to a portable HD anytime I would want to (or copy ona corporate laptop's HD), right in direct view. No one would even question, comment or bother me in any way (it would be ridiculously easy to try to conceil things too).

I have total access to dozens and dozens of servers. Thing is, it's a question of ethics. I'm not a dirty thief scumbag that wants to sell personnal information. No need to treat me like one. As far as non-admins are concerned, their access to sensitive data is extremely limited anyways, they can't do much damage really. My employer pays me decently and treats me well, no reasons to be disgruntled either.

In other news...

[Anonymous Coward]

In other news, a carefully conducted study has revealed that the majority of retail stores are COMPLETELY UNSECURE as the majority of employees have full access to the stockrooms, and many are able to access the cash contained in cash registers!

Re:Eyeballs and a brain...

[supermank17]

Unfortunately, not all employees come with a nice big sticker that say "I'm trustworthy" or "Don't touch me with a twenty foot pole" on them. But in general, I agree. At some point you have to acknowledge that no matter what you do, employees could steal information easily enough if they really wanted to, be it by memory, usb drive, or even "forgetting" to shred important documents. You just have to take precautions to discourage the bad ones, and trust the rest.

Re:Send it out as a ternary attachment

[JanneM]

Then send it out as a ternary attachment ;-) Seriously, for every filter there is a tunnel, even if it consists of pasting some uuencode variant into the body text instead of using MIME.

Of course there is. Or you can hide an mp3 player in a bodily orifice. Or a concealed keylogger to grab your coworkers' passwords. Or break in from the roof, lowering yourself down a ventilation shaft, subduing the guarddogs with sleeping darts and finding the laser beams with cigar smoke.

But once you do any of these things, you are willingly and deliberately breaking your company's security policies. And a malicious employee is a different kettle of fish from someone not excercizing their judgement in what data to bring home for overtime work, or not thinking through that while their uncle sure would get a chuckle out of the boneheaded design of next years' model, perhaps taking the data out of the building to show him isn't a good idea.

A wordy, fuzzy data security policy can be misunderstood, its main points forgotten and its admonishments mentally filed under "it doesn't really apply to this case". A clear, unambigious, 'All devices need preapproval' and 'No attachements. No, not even of your newborn. No, no even if he really is the cutest thing anybody in the building has ever seen.' is clearer and easier to follow.

It's all a matter of what kind of thing you want to stop. A locked screendoor will not stop a burglar - but it will stop your nosy neighbour just walking into your kitchen or your children to walk outside. And chances are, you usually have far more problems with the latter kinds than the former.

Re:Eyeballs and a brain...

[YrWrstNtmr]

Oh and quit treating them like felons...that way they won't be tempted to live up to your expectations!

True. But no matter WHAT you do, there will always be that one assclown whom you cannot please. And who may walk out with your stuff.

Naive to think treating people well protects ...

[AHumbleOpinion]

Your employees will steal information if they want to. This has nothing to do with the iPod. I have walked out of work with harddisks before.

The problem is that given the iPod's popularity it does not draw any attention. Even if someone notices that it is plugged in the thief may be able to dodge suspicion with a simple "I need to charge it".

Treat your employees well and they won't feel the need to screw you.

That is naive. Industrial / Commercial espionage happens. Greedy, self-centered, immoral people exist at all levels of companies. "Good" companies get screwed just like "good" employees.

Re:Business data?

[jbarr]

The only real restrictions have been my contract/confidentiality/non-disclosure agreement.

The only real restrictions have been my good character, ethics, and morals...

brilliant

[Lord Ender]

This article is about as insightful as "Knives Can Stab People!"

Re:I don't get it.

[v1]

How about a 4gb USB flash drive? Flash drives are becoming more popular than iPods, and are a heck of a lot easier to palm out of sight. They also look a lot less dangerous to most uneducated users, plugged into a USB keyboard rather than an ipod with its firewire/usb cable snaking over to the computer. As far as "sensitive data" goes, it's rarely related to its size. Anything capable of holding even a megabyte of data could easily be considered a major risk for sensitive information loss.

The iPod is just one of the many ways for data to walk out the door. PDAs are just as bad, and are probably the most commonly accepted data storage device let in the building short of cell phones.

All the technology does is make theft easier. It's just like the argument of guns.. it isn't the object that's dangerous, the object is only the enabler. It's the person using the object that makes it dangerous. ("guns don't kill people, people kill peope" -- "ipods don't steal company secrets, people steal company secrets")

In other words, if you are paranoid about your employees taking an iPod into work, why on earth did you hire them for a sensitive position? Them bringing that iPod in is, for the most part, completely beyond your control. (and the iPod is just one of many dozens of vectors to worry about) Whether or not you hire them (and let them, with or without their iPod, in the door) is totally within your control. Pick your battles wisely.

Re:Business data?

[pla]

transparently offloading illegal .avi, .mpg and .mp3 from the iPod to a specific computer. An anonymous phone call to the local authorities to take a look at the computer would finish the job.

Assuming you work in the US Windows-oriented world...

1) Where do you work that your IT guys gave you write access to administrative shares on the domain?
2) Do you realize that files have a concept of "owner", as well as a creation date, and that when you authenticate against the domain, a DC logs that?

Meaning that even if you could do it, which if you can your network admins need to "spend more time with their family", you'd leave tracks even an amateur could follow straight back to you.


Of course, similar ideas apply to the idea of an iPod sniffing around the network... Do most companies not limit "important" file access to people who actually have a reason to access those files?

Perhaps even more relevant - Would most people know what to do with something juicy? Unlike Hollywood's vision, you won't stumble across files named "fake_duplicate_set_of_books.xls" or "super_secret_corporate_takeover_plans.doc". "Real" juicy material takes a frickin' degree in accounting to make any use of... Just columns of account numbers, dates, and dollar amounts.

Re:Business data?

[hugzz]

An application that does the opposite would probably be better: transparently offloading illegal .avi, .mpg and .mp3 from the iPod to a specific computer. An anonymous phone call to the local authorities to take a look at the computer would finish the job. Wouldn't be the first time that some high-ranking company official got caught with kiddie porn on their computer.

And you've got kiddie porn on your ipod, why exactly?

Re:Business data?

[nolife]

All it takes to have access to an administrative share on a PC (like c$) is be in the local administrator group or be a member of a group that is in the administrator group on that PC. Considering probably 95% of the users that use Windows desktops run as administrator, that idea is not such a major difference from normal and probably overlooked. In the corporate world, companies lock down desktops or at least put users in the power users or users group. In that situation, having the IT department support people as desktop machine administrators is very common. Different classes of machines are in different OUs and you can fine tune what people (including IT), are in what groups for what computers. You obviously do not put lower tech support in a group that has administrator access to your servers and you can remove your network engineers from admin access on the PCs that are not in the IT department.

Having joe blow in a security group that has administrator access is a little crazy but can be manageable if it is only a specific subset of PCs. It is not surprising that companies do not tune or even think about permissions to that level and may provide all or nothing. I blame that on a weak or small struggling IT department or a weak and/or clueless IT manager but there are many of them out there.

Re:Send it out as a ternary attachment

[Minwee]

Your kids could actually go outside and see for themselves what Nature really looks like instead of watching Cartoon Channel. The horror!

In my neighbourhood, "Nature" is standing on the corner having a private chat with some guy who just pulled up in a Lexus. There is a broken beer bottle on the sidewalk, something which could be a needle lying next to it, and two of the local dealers are having a shouting match right across the street.

If you _really_ think it is a good idea for your three year old to wander out into "Nature" unsupervised, just by walking out the open front door when your back is turned, then by all means, please get "outta here".

Depends on the environment

[DaChesserCat]

Where I work, most of the IT guys (myself included) run around with USB sticks attached to themselves (hanging around the neck, attached to a belt loop, etc.). Our main support guy has a Linux distro on one of them, and can boot desktop machines off the silly thing; comes in real handy when someone has REALLY hosed up their WinXP machine and he has to try to rebuild it without completely wiping their drive and losing their data. Each of us have a "personal" one which has .mp3's, etc. on them. In my case it's an old 128 MB Sandisk Cruzer. I got it free when we ordered a bunch of hardware from someplace. It's getting harder to buy something that small, these days. Even that little thing can easily haul 100 MB of files around.

Quite a few employees have iPods or other small, personal media players, with capacities that dwarf my Cruzer.

If we wanted to, I'm sure we could slurp a large amount of data and walk off with it. More than a few people have pointed out, though, that it would be unethical. For most people, that's enough of a reason not to do it. Probability of getting burned for doing so isn't really the motivating factor. Most people are ethical enough, without needing any kind of threats hanging over their heads.

On the other hand, my wife applied, at one point, for a position with a defense contractor. She wasn't allowed to bring any kind of personal media player, CD's, etc. into the premises. If she had a camera cellphone, she wouldn't be allowed to bring it in, either. A regular cellphone was allowed, but she couldn't turn it on or take/make calls inside the building; she'd have to be outside on break. She couldn't even bring a personal CD player into the place (no recording capability, at all). She had to go through a metal detector any time she entered the building; good luck sneaking an electronic device past that thing.

It all depends on the environment. Obviously, some places are "locked down" more than others.

This *should* be a non-issue....

[King_TJ]

There are always going to be stealthy removeable drive type devices out there that someone can sneak in and out of a company easily and copy files onto. The iPod is just a popular target because millions have been sold and most people are aware of them.

The *real* question is, why would employees have access to file shares on servers containing important documents they weren't supposed to have? If your business throws everything on shares that all users have read (or read/write) access to, they deserve what they get for not implementing some sort of security policy for the shares.

If you're an I.T. person who has full access anyway due to the nature of your job, again - so what? You're already able to burn the stuff off to DVDs at night and sneak them home or download them remotely over your corporate VPN or ??? The point is, companies have to place trust in their people to various extents. If they hired you as a sysadmin, they should have already done the background checking and everything else before hiring you - and believe you can be trusted. If you violate that trust - you screwed them, plain and simple. Implementing some sort of "no Ipod allowed!" policy won't prevent that.

Custom App?

[Anonymous Coward]

This is a custom app?

Can someone tell me how you write code for the iPod?
It thought it was a closed system...