iPods -- A New Threat to Office Security?


The Apple iPod has been one of the biggest product success stories of the past few years. It stores up to 5000 music tracks in its small case (it weighs only 5.6 ounces) and can play up to twelve hours of music on a single charge.

As the apple.com/ipod website tells us: “Imagine: you could fly from New York to Paris and still have hours of listening time left over as you stroll the Champs Elysées.” That’s all very well if it’s only music stored on the iPod’s 20GB hard drive, but what if it’s data stolen from your company that’s just made a transatlantic hop to your biggest competitor? The handy little iPod can team up with James Bond and become a weapon of corporate espionage.

The UK’s NewScientist.com website has called the Apple iPod music player “…the next headache for computer managers trying to protect confidential data”, saying that it can easily be programmed to access and download computer files in a process called “pod slurping”.

It looks innocent enough: just a small case hung around a teenager’s neck, with a couple of earplugs to complete the user interface. But the iPod also interfaces with PCs through the USB (universal serial bus) port found on just about every desktop and notebook these days, and it can quickly download files from an unattended computer.

"Once an iPod is plugged into a computer, (it) takes just 65 seconds to rifle through its hard drive, home in on all Excel, pdf and Word files and copy them to the iPod hard disk," New Scientist says.

The alarm was first raised in 2004 by the Gartner Group, which noted that the Apple iPod and several similar portable storage devices, including portable FireWire hard drives, USB hard drives or keychain drives, and disk-based MP3 players, could be a security risk. Even digital cameras with smart media cards, memory sticks and compact flash can be used to copy files.

In a hypothetical situation an unauthorized visitor enters your business premises after hours disguised as a janitor. He’s wearing an iPod as he goes from computer to computer and copies all Microsoft Office files from each PC. Within an hour he has ‘slurped’ 20,000 files from over a dozen workstations. He later transfers the stolen files from his iPod to his PC, burns them onto a CD and sells your information to the highest bidder.

The risk remained more theoretical than actual until a US security consultancy, SharpIdeas, in Centreville, Virginia, recently created a proof-of-concept program it calls ‘slurp.exe’.

SharpIdeas’ Abe Usher, a security consultant who’s also a member of Mensa, describes how he came up with ‘slurp’.

“I conducted an experiment to quantify approximately how long it takes to copy files from a PC to a removable storage device (iPod, thumbdrive, et cetera) if you have physical access. The quick answer: not very long.”

Usher wrote a Python application (slurp.exe) to help automate the file copying process. The program searches for the "C:\Documents and Settings\" directory on local hard drives, recurses through all of the subdirectories, and copies all document files.

“Using slurp.exe on my iPod,” relates Usher, “it took me 65 seconds to copy all document files off of my computer as a logged in user. Without a username and password I was able to use a boot CD-ROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.”

The Gartner Group advises companies to forbid employees and external contractors with direct access to corporate networks from using privately owned storage devices with corporate PCs. This is not an easy thing to police and there are often legitimate uses for portable storage devices.

Gartner also says that companies should consider a "desktop lockdown policy," disabling universal plug and play functions after installing desired drivers, to permit the use of only authorized devices. Another defense against unauthorized copying of files from office PCs is to use personal firewalls to limit what can be done on USB ports.
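Alongside lockdown, the copy pattern described above (many document files leaving "C:\Documents and Settings\" for a removable drive within about a minute) can be watched for in file-audit data. The following is an added example, not code from the original article or from SharpIdeas; the pipe-delimited event format, the host names, the drive letter and the alert threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

DOC_EXTS = {".xls", ".xlsx", ".pdf", ".doc", ".docx"}  # types named in the article
PROFILE_ROOT = PureWindowsPath(r"C:\Documents and Settings")
WINDOW = timedelta(seconds=65)  # copy time quoted in the article
THRESHOLD = 5                   # assumed alert level: documents per window
# Constructed sample audit events (hypothetical format): timestamp|host|source|destination
SAMPLE_LOG = r"""
2005-06-01T19:02:01|WS-014|C:\Documents and Settings\amy\My Documents\budget.xls|E:\d\budget.xls
2005-06-01T19:02:04|WS-014|C:\Documents and Settings\amy\My Documents\plan.doc|E:\d\plan.doc
2005-06-01T19:02:09|WS-014|C:\Documents and Settings\amy\Desktop\offer.pdf|E:\d\offer.pdf
2005-06-01T19:02:15|WS-014|C:\Documents and Settings\bob\My Documents\q3.xls|E:\d\q3.xls
2005-06-01T19:02:30|WS-014|C:\Documents and Settings\bob\My Documents\memo.doc|E:\d\memo.doc
2005-06-01T19:02:41|WS-014|C:\Documents and Settings\bob\My Music\song.mp3|E:\d\song.mp3
2005-06-01T09:10:00|WS-020|C:\Documents and Settings\cy\My Documents\notes.doc|E:\notes.doc
2005-06-01T09:45:00|WS-020|C:\Documents and Settings\cy\My Documents\slides.pdf|E:\slides.pdf
"""

def parse_events(text):
    """Yield (timestamp, host, source, destination) from pipe-delimited lines."""
    for line in text.strip().splitlines():
        ts, host, src, dst = line.split("|")
        yield datetime.fromisoformat(ts), host, PureWindowsPath(src), PureWindowsPath(dst)

def is_document_copy(src, dst, removable):
    """True when a document under the profile root lands on a removable drive."""
    return (src.suffix.lower() in DOC_EXTS and PROFILE_ROOT in src.parents
            and dst.drive.upper() in removable)

def detect_bursts(text, removable=frozenset({"E:"})):
    """Return {host: peak copies within WINDOW} for hosts reaching THRESHOLD."""
    times = defaultdict(list)
    for ts, host, src, dst in parse_events(text):
        if is_document_copy(src, dst, removable):
            times[host].append(ts)
    alerts = {}
    for host, stamps in times.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= THRESHOLD:
            alerts[host] = peak
    return alerts
```

On the constructed sample, WS-014 is flagged for five document copies in 29 seconds, while WS-020, which copies two documents 35 minutes apart, is not.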


There are as yet no reported incidents of files being ‘pod-slurped’ for the purpose of theft of intellectual property or for industrial espionage, but just because we haven’t heard about it doesn’t mean it hasn’t already happened. Take another look at your IT security policy and amend it as required to remove this new risk from your list of concerns.
 

 

 

   

Copyright 2005, RAN ONE Inc. All rights reserved. Reprinted with permission from http://www.ranone.com