Beware the iPod 'slurping' Employee 390

Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."
  • by GrahamCox ( 741991 ) on Monday February 20, 2006 @01:46AM (#14759034) Homepage
    The REAL story here is that he has created an APPLICATION for the iPod, according to the FA. How did he do that? Apple closely guards the iPod SDKs and as far as I know have never released them to third party developers.

    Maybe he went into Apple and "slurped" the SDKs using his application.... oh wait.
  • Physical access (Score:5, Interesting)

    by ian_mackereth ( 889101 ) on Monday February 20, 2006 @01:48AM (#14759039) Journal
    At one time, I'd've pointed out the difficulty of getting unauthorised physical access to a PC's USB port in any sort of secured environment.

    Then a friend went to his local bank branch to get a personal loan. His salary records were all on his USB memory device (he works for an ISP who really try to avoid paper if they can) and he was allowed to plug his memory card in to the loan officer's PC and run Acrobat to show her the documents.

    Yep, on a bank PC, inside the firewall, with a USB stick of completely unknown provenance.

    I bet their IT security guys would've had a fit, if they'd known!

  • by __aaclcg7560 ( 824291 ) on Monday February 20, 2006 @02:02AM (#14759096)
    Most USB keys max out at 1GB. However, if you want to steal more than 1GB at a time, a 60GB iPod is the way to go.

    One video game company that I worked for banned all portable storage devices since they didn't want any files appearing on the internet. The smallest file was 4MB for Gameboy Advance titles and the largest was 4.5GB PS2/XBox titles. I had to get special permission for my 32MB flash card since I was using that to store homework files for the programming classes I was taking at the time. Since half of the projects that I did were for the Gameboy Advance, I was always under suspicion that I might steal a file.
  • Re:Physical access (Score:5, Interesting)

    by Anonymous Coward on Monday February 20, 2006 @02:12AM (#14759140)
    As an IT guy in a bank, I have to say that if you thought that banks somehow had better security than the grocery store across the street, you were merely fooling yourself.

    Fact 1: for the system to work, people have to have access to the core financial applications.
    Fact 2: people are stupid.
    Fact 3: much (most?) hacking involves social hacking as opposed to trying to "break in" to a financial institution.

    Connect the dots.

    'Course, there is no way you could get anywhere trying to break into our organization through the front door, but sadly, a low-tech backdoor approach like this would probably work great.
  • by Durandal64 ( 658649 ) on Monday February 20, 2006 @02:30AM (#14759202)
    Here's what I'm betting actually happened. This guy wrote a program that does some basic and not-very-remarkable parsing of Word files on C: and copies whatever it finds to the iPod. Then he used Windows Auto-run to automatically execute it when the iPod was plugged in. Ooooh, wow, impressive.

    Even if you were able to create a program that actually ran on the iPod's operating system, which by all indications, you can't, that program certainly wouldn't have access to the files of a computer it was connected to. The iPod OS can't even read or write NTFS, for Christ's sake. It's HFS+ or FAT32, period. Either way, this guy did not write a program "for the iPod". He wrote a program (probably in VisualBasic or something like that) that any first-year computer science program could write and then used a not-too-clever trick to get it to launch automatically. That method won't even work on Mac OS X, since there is no auto-run "feature" for removable media.

    The only reason no one ever did it before was because it's not a scenario people would take seriously. Simple security measures like disabling auto-run and limiting executable permissions to a specific set of programs would nip this "vulnerability" in the bud.
  • by imemyself ( 757318 ) on Monday February 20, 2006 @02:47AM (#14759259)
    Which totally defeats the point of banning USB keys/external HDDs/iPods. I mean it is brain-dead easy to copy files on to a Palm or PocketPC, and with a CF or SD card (I believe they are up to the 2 or 4 GB range nowadays) you could get a ton of stuff out of work. Hell, you could even hide the card in your shoe or something afterwards if you weren't allowed to take your PDA home or something. And even without their USB ports, there's Bluetooth (for some phones/PDAs and a few computers). There is no way that a company can absolutely prevent someone from taking home files that they have access to, unless they're like the CIA/NSA or something (and haven't there been a few cases of people getting computer files out of those places?). There are too many ways to get the data out, and too many ways to get around security.
  • by BrokenHalo ( 565198 ) on Monday February 20, 2006 @02:49AM (#14759264)
    Most USB keys max out at 1GB. However, if you want to steal more than 1GB at a time, a 60GB iPod is the way to go.

    That's what your IT guys are paid to monitor. If someone is sucking down 60 GB of files at a time, that should ring some sort of alarm bell. Most sites I've worked at would raise eyebrows at a 500MB download.
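The kind of alarm bell described above, as an added example that is not part of the thread: a small sliding-window detector that flags any (user, host) pair reading more than 500MB of files within five minutes. The log format and the sample lines are constructed for this example, not any real product's audit format.

```python
# Added example (not from the Slashdot thread): flag a (user, host) pair whose
# file reads in a sliding window exceed a byte threshold. Log format is constructed.
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <user> <host> <path> <bytes read>"
SAMPLE_LOG = """\
2006-02-20T01:40:02 alice ws-fin-03 \\\\fileserver\\finance\\q4.xls 1048576
2006-02-20T01:40:05 alice ws-fin-03 \\\\fileserver\\finance\\budget.doc 524288
2006-02-20T01:41:10 bob ws-eng-11 \\\\fileserver\\eng\\spec.doc 262144
2006-02-20T01:41:11 bob ws-eng-11 \\\\fileserver\\eng\\design.doc 314572800
2006-02-20T01:41:40 bob ws-eng-11 \\\\fileserver\\eng\\archive.zip 262144000
2006-02-20T01:55:00 alice ws-fin-03 \\\\fileserver\\finance\\notes.doc 65536
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 500 * 1024 * 1024  # 500 MB, the figure the comment above mentions


def parse(line):
    ts, user, host, path, nbytes = line.split()
    return datetime.fromisoformat(ts), user, host, path, int(nbytes)


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return [(user, host, window_start, bytes_in_window)], one entry per
    (user, host) pair, for the first sliding window that crosses threshold."""
    recent, totals, alerted, alerts = {}, {}, set(), []
    for line in filter(None, map(str.strip, lines)):
        ts, user, host, _path, nbytes = parse(line)
        key = (user, host)
        q = recent.setdefault(key, deque())
        q.append((ts, nbytes))
        totals[key] = totals.get(key, 0) + nbytes
        # Evict events that fell out of the window (log is time-ordered).
        while ts - q[0][0] > window:
            totals[key] -= q.popleft()[1]
        if totals[key] > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((user, host, q[0][0], totals[key]))
    return alerts


if __name__ == "__main__":
    for user, host, start, total in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {user}@{host}: {total / 2**20:.0f} MB read since {start}")
```

On the sample, only bob's three reads in thirty seconds (about 550MB) trip the threshold; alice's reads are spread out and stay under it.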

  • by Sycraft-fu ( 314770 ) on Monday February 20, 2006 @03:16AM (#14759345)
    It may be that their computers don't have any special access in particular. I work for a university and, of course, we have detailed financial and personal information on employees and students. Most people don't have access to it (including me) but of course people like our finance people need it. So you get at their computer, you get the info right? No, it's all stored on a mainframe over in the computer centre. They access it via a very archaic text interface over an encrypted link. Their computers aren't special for this access, you just need the right software, username, and password.

    I don't know how banks work, I'd bet they are all different, but just because a computer is on their network doesn't necessarily mean it has any special kind of access. All the important data may be stored on another system to which they have to log in. If they then lack admin access on their desktop, there's no real way to put a keylogger or anything on there. I would be more worried about someone getting a password via social engineering than getting anything useful off the computers themselves.
  • not news (Score:1, Interesting)

    by Anonymous Coward on Monday February 20, 2006 @04:43AM (#14759636)
    Sorry to point to Hollywood as the rightful owner of the 'warning shot' but this type of access and data theft was pretty much central to the plot of 'The Recruit' starring Al Pacino, Colin Farrell, and Bridget Moynahan. Moynahan's character uses a USB flash drive to steal the source code for some dreamy virus from within the CIA headquarters at Langley... and the moral of the story is... the best hacks are always personnel hacks, get someone from inside the organization to transport the sensitive info off campus.

    Smart employers have policies in place controlling access to sensitive documents, keep logs of all attempted access to such documents, and have binding agreements defining the civil and criminal ramifications of purposely violating those policies.

    Not-so-smart employers serve as reminders to the rest of us when they demonstrate that Darwinian principles apply to many facets of life besides goldfish and DIY backyard balloon enthusiasts.

    Thanks
  • What a dumbass. (Score:4, Interesting)

    by kin_korn_karn ( 466864 ) on Monday February 20, 2006 @09:52AM (#14760563) Homepage
    Why in the hell do people do shit like this and PUBLICIZE it? All it does is give geeks a bad name and make a 'threat' out of anyone who carries an iPod or other digital music player.

    I'm all for the freedom to write software like this but shit, you have to be smart about it.
  • Re:I don't get it. (Score:3, Interesting)

    by Lumpy ( 12016 ) on Monday February 20, 2006 @12:50PM (#14761664) Homepage
    ???

    Ok so what if I work for the cleaning service and watch one of your late-night employees get up and go to the bathroom. I simply get to his/her machine before the screensaver timeout and plug in. Boom in 2 minutes I have 60Gig of goodies that my employer hired me to gather from the competition.

    It certainly looks like you do not think like a security specialist as that was the first thought on my mind. Hell a good corporate harvester could easily talk the target into letting them plug in by asking in broken English... "Can I get a charge?"

  • by jascat ( 602034 ) on Monday February 20, 2006 @02:16PM (#14762320)
    This is why it's important to have good policies and proper separation of permissions on your resources. Where I work, no personal storage devices, to include thumb drives, music players and external hard drives, are allowed to enter the building. Personal laptops must be signed in and they are forbidden from going on the network. If they do and we find out about it, the laptop is seized, thoroughly searched and then wiped. Too bad, so sad. They knew the policy when they walked through the door.

    How many times have you admins been told to use a non-administrator account for your day to day operations and to give users the least privileges possible? Don't make users local administrators to their machines. Don't give all of your users domain admin access on a Windows network. Don't give sensitive network shares full access to everyone. So many people focus on boundary security and leave their internal network absolutely open. Like others have said, it doesn't take software to do this. It also doesn't take an idiot with some clue of permissions to stop this sort of thing from happening in the first place.

  • Re:Business data? (Score:2, Interesting)

    by Talennor ( 612270 ) on Monday February 20, 2006 @02:41PM (#14762476) Journal
    Do you realize that files have a concept of "owner", as well as a creation date, and that when you authenticate against the domain, a DC logs that?

    I believe the idea would be to use someone else's workstation. Have the autorun drop the files without making any visible signs of doing anything. Hell, you could probably do this while talking to the person, just ask if you can charge the iPod while you talk (try it, people are agreeable most of the time). Alternatively you could find an unlocked workstation, but what's the fun in that?

    See how easy that was? And note how the large role iPods now play in our lives contributed to the success of this trick.
  • by LordBodak ( 561365 ) * <msmoulton.iname@com> on Monday February 20, 2006 @06:23PM (#14763724) Homepage Journal
    The point is, if you don't trust your employees with cash, you won't have them working the cash register.

    Along the same lines, if you don't trust an employee having access to certain data, that employee should never have read access to that data. If you can't read it, you can't copy it to an iPod. If you can read it, you can steal it... via iPod, floppy disk, e-mail, or even by printing it. This software is just a tool, and the biggest lesson here is that corporate networks are often not secured properly.
