Beware the iPod 'slurping' Employee
Zoner12 writes "CNet is reporting that Abe Usher has created an application that allows an iPod to scan corporate networks for files likely to contain sensitive
business data and download them, potentially stealing 100 megabytes in a few minutes. An insider threat would only need to plug the iPod into a computer's USB port."
The REAL story here is that... (Score:3, Interesting)
Maybe he went into Apple and "slurped" the SDKs using his application.... oh wait.
Physical access (Score:5, Interesting)
Then a friend went to his local bank branch to get a personal loan. His salary records were all on his USB memory device (he works for an ISP who really try to avoid paper if they can) and he was allowed to plug his memory card in to the loan officer's PC and run Acrobat to show her the documents.
Yep, on a bank PC, inside the firewall, with a USB stick of completely unknown provenance.
I bet their IT security guys would've had a fit, if they'd known!
Re:So what's the difference... (Score:5, Interesting)
One video game company that I worked for banned all portable storage devices since they didn't want any files appearing on the internet. The smallest file was 4MB for Gameboy Advance titles and the largest was 4.5GB PS2/XBox titles. I had to get special permission for my 32MB flash card since I was using that to store homework files for the programming classes I was taking at the time. Since half of the projects that I did were for the Gameboy Advance, I was always under suspicion that I might steal a file.
Re:Physical access (Score:5, Interesting)
Fact 1: for the system to work, people have to have access to the core financial applications.
Fact 2: people are stupid.
Fact 3: much (most?) hacking involves social hacking as opposed to trying to "break in" to a financial institution.
Connect the dots.
'Course, there is no way you could get anywhere trying to break into our organization through the front door, but sadly, a low-tech backdoor approach like this would probably work great.
Re:The REAL story here is that... (Score:2, Interesting)
Even if you were able to create a program that actually ran on the iPod's operating system, which by all indications, you can't, that program certainly wouldn't have access to the files of a computer it was connected to. The iPod OS can't even read or write NTFS, for Christ's sake. It's HFS+ or FAT32, period. Either way, this guy did not write a program "for the iPod". He wrote a program (probably in VisualBasic or something like that) that any first-year computer science program could write and then used a not-too-clever trick to get it to launch automatically. That method won't even work on Mac OS X, since there is no auto-run "feature" for removable media.
The only reason no one ever did it before was because it's not a scenario people would take seriously. Simple security measures like disabling auto-run and limiting executable permissions to a specific set of programs would nip this "vulnerability" in the bud.
Re:Why not block the USB port? (Score:4, Interesting)
Re:So what's the difference... (Score:2, Interesting)
That's what your IT guys are paid to monitor. If someone is sucking down 60 GB of files at a time, that should ring some sort of alarm bell. Most sites I've worked at would raise eyebrows at a 500MB download.
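The alarm bell this comment describes can be automated with a simple volume-per-window check. The following is an added example, not code from the article or any commenter; the log format and the sample lines are constructed, and the 500 MB threshold is the figure quoted above.

```python
"""Flag users whose file-share READ volume inside a short sliding window
exceeds a threshold (bulk 'slurping' detection over constructed logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format is hypothetical): time user action path bytes.
# alice reads a couple of small files; bob pulls ~550 MB in under a minute.
SAMPLE_LOG = r"""2005-02-15T22:01:05 alice READ \\fs1\finance\budget.xls 1200000
2005-02-15T22:02:11 bob READ \\fs1\finance\q4_forecast.xls 210000000
2005-02-15T22:02:40 bob READ \\fs1\hr\salaries.xls 180000000
2005-02-15T22:03:02 bob READ \\fs1\legal\contracts.doc 160000000
2005-02-15T22:15:00 alice READ \\fs1\finance\memo.doc 30000
"""

WINDOW_SECONDS = 5 * 60            # look at any 5-minute stretch of activity
THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MB, the "raise eyebrows" figure

def parse(log_text):
    """Turn the constructed log into (timestamp, user, path, bytes) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, path, size = line.split()
        if action == "READ":
            events.append((datetime.fromisoformat(ts), user, path, int(size)))
    return events

def bulk_readers(events, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD_BYTES):
    """Return {user: (bytes, window_start, window_end)} for every user whose
    READ bytes within some window of `window_seconds` exceed `threshold`."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for ts, user, _path, size in sorted(events, key=lambda e: e[0]):
        by_user[user].append((ts, size))
    hits = {}
    for user, evs in by_user.items():
        start, total = 0, 0
        for end, (ts, size) in enumerate(evs):
            total += size
            # slide the window start forward until it fits within window_seconds
            while ts - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if total > threshold:
                hits[user] = (total, evs[start][0], ts)
    return hits

if __name__ == "__main__":
    for user, (total, first, last) in bulk_readers(parse(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {total / 2**20:.0f} MiB read between {first} and {last}")
```

Real deployments would feed this from object-access auditing on the file server; the threshold and window are tuning knobs, as the 60 GB versus 500 MB figures in the comment suggest.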
Depends on how their system works (Score:3, Interesting)
I don't know how banks work, I'd bet they are all different, but just because a computer is on their network doesn't necessarily mean it has any special kind of access. All the important data may be stored on another system to which they have to log in. If they then lack admin access on their desktop, there's no real way to put a keylogger or anything on there. I would be more worried about someone getting a password via social engineering than getting anything useful off the computers themselves.
not news (Score:1, Interesting)
Smart employers have policies in place controlling access to sensitive documents, keep logs of all attempted access to such documents, and have binding agreements defining the civil and criminal ramifications of purposely violating those policies.
Not-so-smart employers serve as reminders to the rest of us when they demonstrate that Darwinian principles apply to many facets of life besides goldfish and DIY backyard balloon enthusiasts.
Thanks
What a dumbass. (Score:4, Interesting)
I'm all for the freedom to write software like this but shit, you have to be smart about it.
Re:I don't get it. (Score:3, Interesting)
Ok so what if I work for the cleaning service and watch one of your late-night employees get up and go to the bathroom. I simply get to his/her machine before the screensaver timeout and plug in. Boom in 2 minutes I have 60Gig of goodies that my employer hired me to gather from the competition.
It certainly looks like you do not think like a security specialist as that was the first thought on my mind. Hell a good corporate harvester could easily talk the target into letting them plug in by asking in broken English... "Can I get a charge?"
Permissions and policies (Score:2, Interesting)
How many times have you admins been told to use a non-administrator account for your day to day operations and to give users the least privileges possible? Don't make users local administrators to their machines. Don't give all of your users domain admin access on a windows network. Don't give sensitive network shares full access to everyone. So many people focus on boundary security and leave their internal network absolutely open. Like others have said, it doesn't take software to do this. It also doesn't take an idiot with some clue of permissions to stop this sort of thing from happening in the first place.
Re:Business data? (Score:2, Interesting)
I believe the idea would be to use someone else's workstation. Have the autorun drop the files without making any visible signs of doing anything. Hell, you could probably do this while talking to the person, just ask if you can charge the ipod while you talk (try it, people are agreeable most of the time). Alternatively you could find an unlocked workstation, but what's the fun in that?
See how easy that was? And note how the large role ipods now play in our lives contributed to the success of this trick.
Re:Store analogy was terribly naive ... (Score:3, Interesting)
Along the same lines, if you don't trust an employee having access to certain data, that employee should never have read access to that data. If you can't read it, you can't copy it to an iPod. If you can read it, you can steal it... via iPod, floppy disk, e-mail, or even by printing it. This software is just a tool, and the biggest lesson here is that corporate networks are often not secured properly.