iPod Slurping

  • What a cool name, pod slurping. I have to give it to Apple, besides building a cool OS, incredibly cool machines with innovative designs, and one of the neatest companies in Silicon Valley, they also give us a new vocabulary. 5 years ago would a "pod" have meant anything besides a cheap Japanese hotel or a bad science fiction movie? We now have iPods, iLife, iMac, eMac, and more. An "i" something now associates it with a cool new Internet/Apple thing.

    But the article has some good points. One of the cool things about USB and Firewire is that you can unhook devices and rehook new ones up easily. Without rebooting, no covers to take off, etc. But this very ease causes security nightmares.

    New devices with large capacities can quickly drain lots of data from a computer, or a network, and result in breaches of security. Glue the USB ports on the front shut? What about your USB keyboard or monitor? Someone might plug in there. There's everything=>USB and back these days, a few connectors wouldn't matter. And the small size of these devices is insane.

    It still seems that most breaches of security are a result of physical breaches. Bad employees, pay a janitor, etc. So having them able to bring a small iPod-like device in and steal your data is a concern. As much as we try to automate and move things forward, I can see the day that we return to the airport-like corporate security desk where everyone checks in and out and is searched.

    Or maybe we'll all get those clear purses the retail establishments give to their employees to carry our stuff in and out so the security guys can see what we have.

    Steve Jones

  • This has been an issue for years. Portable CD/DVD burners? It just comes down to properly securing data. If you give your janitor a network account and permission to view the financials then you deserve to get taken to the cleaners as well as going to jail. Yes, you can go to jail if you do not attempt to secure data that could lead to insider trading. You are considered just as guilty as if you peered at the data yourself and made a trade based on that information.

    Bryant E. Byrd, BSSE MCDBA MCAD
    Business Intelligence Administrator
    MSBI Administration Blog

  • While it's true that portable burners have been around for a while, their size and expense at least made them somewhat less available and harder to conceal. It's those very 2 things, size and expense, that are troublesome about the new devices. A determined individual with bad intentions could easily conceal a very affordable 2 gig memory stick about their person and it would be next to impossible to detect during a casual search.

    Shoot, I remember years ago doing consulting work for a shop where the owner was so paranoid his employees were going to steal his clients, he had us disable all of the diskette drives. That's only 1 1/2 megs. Now with portable storage running in the 1 to 4 gig range being very affordable, and with most PCs having several USB ports, those concerns seem laughable.

    And Steve?  I'll take a clear backpack like lots of kids are carrying to school now over a clear purse, thank you very much.   

    My hovercraft is full of eels.

  • And as if the devices themselves weren't enough to cause alarm, there's also this to worry about (link courtesy of databasedaily.com):

    http://www.eweek.com/article2/0,1895,1840141,00.asp

    That does it.  If I'm not here, I'll be busy wrapping my PC in aluminum foil after clogging the USB ports with super glue. 

    My hovercraft is full of eels.

  • Yikes! I stand corrected. I also noticed that some people were using USB drives to back up data. What dummies! Those devices are soooo unreliable. Do not trust them for backups!!

    It's also interesting to note that when I browsed to that page on eweek that I got a banner ad for Kingston's DataTraveler Elite USB drive.

    Bryant E. Byrd, BSSE MCDBA MCAD
    Business Intelligence Administrator
    MSBI Administration Blog

  • For what it's worth, IMHO the e-week article should have been more properly titled:

    "USB Devices Can Crack Systems"

    and it was somewhat unfair of them to single out Windows.  This is because (and it's even spelled out in the article) the vulnerability exists with USB, not just Windows.  Therefore any USB compliant system is potentially at risk.  With this being the case it also stands to reason that data theft isn't the only concern here.  What if a device were programmed not to steal data, but to delete or damage it by launching a new virus worm from inside the company firewall?  It doesn't take a lot of imagination to see that the implications are pretty far reaching.  Yet another case of technology growing at a faster pace than our ability to secure it.

    I also concur completely with your comments regarding USB backups.  Why that organization is doing this with their local drives is a complete mystery to me. 

     

    My hovercraft is full of eels.

  • SSwords said: "What if a device were programmed not to steal data, but to delete or damage it by launching a new virus worm from inside the company firewall?"

    Though this is not in universal deployment, companies that are serious about security do not limit their security scanning to the perimeter. They have intrusion detection both inside the network and at the firewall; if something like a worm launches from inside the net, there is theoretical capability to shut off the port from which the attack is taking place.

    A virus, unless it's a zero day exploit, would be stopped by a/v software on the servers and workstations, assuming they are running and updated.

    But targeted malware -- that's a different story. If it is an intentional attack and the company is using signature-based detection, they could be in trouble if the intruder hand-crafted his nasties.

    The capability to resist this exists, it's a question as to whether or not it is deployed.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • This is an old problem; it's enhanced now that people have started programming their iPods, but it's been around since iPod #1 came out.

    Probably within a month of their retail debut, I read an article where the author watched someone walk into a CompUselessA, plug an iPod into a Mac, and make himself a copy of Microsoft Office, which goes for around $500 retail for a new copy IIRC.

    I'm guessing, not being a Mac expert, that most Mac software installs are pretty much self-contained and that you can copy the entire software directory and have it run on another machine, as opposed to the half a million registry entries and DLL proliferation that takes place on a Windoze machine.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • I'll bet that back in the late mainframe days they were bemoaning laser printers because someone could print out client lists and they wouldn't look like output from a system, just ordinary paper.

    I think this kind of thing just reinforces the need for good security. Also, no one should have access to any data that they do not have a work-related NEED to see. Just giving everyone in the office FULL access to a directory is asking for someone to make a copy, on CD, USB, iPod, Paper, Wireless networking, etc.
