http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html [InfoSec News covered iPod industrial espionage back in 2002, http://seclists.org/lists/isn/2002/Mar/0002.html - WK] By Will Sturgeon Special to CNET News.com February 15, 2006 A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft. Abe Usher, a 10-year veteran of the security industry, created an application that runs on an iPod [1] and can search corporate networks for files likely to contain business-critical data. At a rate of about 100MB every couple minutes, it can scan and download the files onto the portable storage units in a process dubbed "pod slurping. [2]" To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. Alternatively, the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine. Usher denies that his creation is an irresponsible call to arms for malicious employees and would-be data thieves, and instead insists that his scare tactics are intended to stir companies into action to protect themselves against the threat. "This is a growing area of concern, and there's not a lot of awareness about it," he said. "And yet in 2 minutes, it's possible to extract about 100MB of Word, Excel, PDF files--basically anything which might contain business data--and with a 60GB iPod, you could probably have every business document in a medium-size firm." Andy Burton, CEO of device management firm Centennial Software [3], said Usher walks a fine line but believes that he is acting with the best intentions and agrees that companies that still haven't recognized the threat need to be given a wake-up call. "Nobody wakes up in the morning worrying about antivirus or their firewall because we all know we need those things, and we all have them in place," Burton said. "Now the greatest threat is very much inside the organization, but I'm not sure there are that many businesses (that) have realized it's possible to plug in an iPod and just walk away with the whole business in a matter of minutes." Usher said companies shouldn't expect any help from their operating system, the most popular of which lacks the granularity to manage this threat effectively without impairing other functions. "(Microsoft Windows) Vista looks like it's going to include some capability for better managing USB devices [4], but with the time it's going to take to test it and roll it out, we're probably two years away from seeing a Microsoft operating system with the functionality built in," Usher said. "So companies have to ask themselves, 'Can we really wait two years?'" Citing FBI figures that put the average cost of data theft at $350,000, Usher argues that they can't. "The cost of being proactive is less than the cost of reacting to an incident," Usher said. Will Sturgeon of Silicon.com reported from London. [1] http://www.sharp-ideas.net/downloads.php [2] http://www.sharp-ideas.net/pod_slurping.php [3] http://www.centennial-software.com/ [4] http://news.com.com/Microsoft+launches+updated+Vista+preview/2100-1016_3-6001531.html _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Mon Feb 20 2006 - 22:58:34 PST