http://www.contractoruk.com/news/002936.html

[New breed of security risks? There are stories dating back to 2002 on InfoSec News of this threat: http://www.infosecnews.org/hypermail/0203/5524.html but nevertheless there's good information here. - WK]

By Neil Sheppard
Nov 3, 2006

Podslurpers and Camsnufflers sound like products of J.R.R. Tolkien's imagination in Lord of the Rings, but if they were, they would almost certainly inhabit Mordor rather than the Shire with the Hobbits. In fact these are names given to a new breed of security risks that derive from the existence of USB and Firewire ports. USB ports in particular have transformed the connectivity of external hardware and PCs, with a key part of their design being ease of use and universal operation across many types of hardware. However, these strengths also contribute to their vulnerability regarding data security.

So what is podslurping and camsnuffling?

Basically podslurping and camsnuffling are two variations on the same theme: using high-capacity mobile devices connected to a USB or Firewire port to remove large amounts of data from the machine or system. In the case of podslurping it is the use of iPod-type devices, normally through USB ports, which could also include mobile phones, PDAs or even flash drives, which are commonly 2GB now with 32GB drives on the horizon. Camsnuffling refers to the use of digital cameras or camcorders through either Firewire or USB ports. Use of these devices passes unnoticed by normal security systems, so it is a very real threat for many businesses.

The threat can take a number of forms:

* Employees who decide to download information either to take home to work on or for more sinister purposes. Taking work home could mean that the data is then transferred to an insecure device and is therefore at increased risk, whereas the removal of data for more sinister purposes represents a real threat to the wellbeing of the organisation.
For publicly quoted organisations the Turnbull requirements for reporting risk include data security, so any possible routes by which information could leak need to be reported. In a recent survey 29% of company directors admitted downloading company information into insecure environments for various reasons, so it is not just disgruntled employees that are of concern!

* Non-employees who gain access to the workplace and download information, either to blackmail the organisation or simply to do commercial damage to it. People leaving workstations logged on at night pose a particular risk here, but the speed at which data can now be transferred means that any unlocked workstation left unattended could be a risk: a Firewire-connected media player can download 6 GB of information in less than 2 minutes!

* Non-employees who use information mobility to access information on laptops while remote from the office. Downloading or holding large amounts of sensitive data on laptops is normally one of the reasons for having such a device, but it does represent a potential security breach. Apart from the obvious physical risk of having it stolen, there is now the risk of podslurping for the trusting. Imagine the scenario: you are in a hotel foyer quietly working on your laptop when someone approaches you, says that their iPod is low on power and asks whether they could plug it into one of your USB ports for 10 minutes for a quick recharge whilst they get you a cup of coffee. Being a trusting person in need of a free cup of coffee you agree, but while you are sitting there chatting over coffee a self-activating worm on the iPod is scooping up GBs of data off your laptop. With iPods now having 60GB hard drive capacity, a lot of data could be harvested without leaving any trace. Industrial espionage just became a lot easier!
* There is one further threat from these devices and that is their potential to carry some sort of damaging programme, such as a worm or virus, that is then introduced into the system. Whilst proper intrusion detection systems should give some protection against this, the virus may have done its work before it is detected. In one test a security company left old flash drives scattered around the company car park early one morning. Each of these drives held a lot of innocuous data and pictures so as not to arouse suspicion, but they also carried a self-activating Trojan that harvested sensitive information and then used the e-mail client to send it to the security company. They watched as employees found the devices as they arrived in the morning; within an hour or so the first emails started arriving as the employees plugged the flash drives into their unguarded USB ports! No matter how good your security is, the weakest link is normally human fallibility!

So what can be done to stop the unrelenting march of Podslurpers and Camsnufflers?

Some companies have taken the extreme step of filling all USB and Firewire ports with superglue! However, this is not the favoured solution, as Andy Beesley of Wired IT Services explains:

The problem here is that the security issues are being caused by the very reason that USB ports have developed, their ease of use and user friendliness. Sealing them up with Superglue might fix the problem, but it will also inhibit the productive use of these devices, which is not in the best interests of the organisation. We need to find a sensible combination of measures that educate and prevent without unduly inhibiting people's everyday lives.

A typical process would be as follows:

* Education: employees need to understand the risks and implications of security breaches to the wellbeing of the organisation. This is particularly the case for laptop users who use them away from secure areas such as the workplace or the home.
* Understand the current security risks: how many employees use USB sticks, iPods, PDAs, digital cameras etc, and how often are they connected to the network?

* Review the business requirements: what is really required by employees as a part of their daily work patterns? This may lead to some interesting discussions and indeed revelations!

* Create a clear AUP (acceptable use policy) that governs what is and what is not permitted regarding removable devices, including restrictions on them being brought into the workplace. This policy needs a clear and comprehensive communication procedure, with employees signing off that they accept its governance.

* Policy enforcement through intelligent lockdown: this can be physical (such as Superglue!) but can also be technology based:

  * Inhibit autorun: although normally only associated with CD drives, other removable devices can be made to look like a CD drive, and inhibiting autorun will prevent programmes from running without the user's knowledge.
  * Disable USB connections in the system BIOS for machines where there is no requirement for external devices.
  * Use software that allows policy to be defined so that only agreed users can use authorised devices on authorised ports; all other usage is blocked.
  * Use software to create document policies that restrict the way that files can be copied or used.
  * Use encryption on all sensitive data.
  * Keep all data on secure central network servers and restrict the amount that can be held on desktops or laptops.

* Iterate: more education, review the operation of the policy and repeat the process.

There can never be 100% security, but hardware lockdown is an increasingly important issue because of the advances in removable device technology. With this technology advancing at an ever increasing pace, the time to act is now.
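As an added example (not from the article, nor from Wired IT Services), the "authorised devices on authorised ports, everything else blocked" rule from the lockdown list above, expressed as default-deny detection logic over constructed Linux kernel log lines: the allowlist, host name, IDs and serial numbers are all assumptions made up for this illustration.

```python
import re

# Constructed sample syslog lines in the style of Linux kernel USB messages; the host,
# IDs and serial numbers are made up for this example.
SAMPLE_LOG = """\
Nov  3 09:12:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Nov  3 09:12:01 ws-17 kernel: usb 1-1: SerialNumber: 4C530001230419113271
Nov  3 09:12:02 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Nov  3 09:40:15 ws-17 kernel: usb 2-3: New USB device found, idVendor=05ac, idProduct=1209
Nov  3 09:40:15 ws-17 kernel: usb 2-3: SerialNumber: 000A27001C5A3B9C
Nov  3 09:40:16 ws-17 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
Nov  3 10:02:44 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b
"""

# Hypothetical allowlist: (idVendor, idProduct, serial) -> ports the device may use.
# Anything not listed, or listed but plugged into another port, is blocked (default deny).
ALLOWED_DEVICES = {("0781", "5567", "4C530001230419113271"): {"1-1"}}

DEVICE_RE = re.compile(r"usb (?P<port>\d+-[\d.]+): New USB device found, "
                       r"idVendor=(?P<vendor>[0-9a-f]{4}), idProduct=(?P<product>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"usb (?P<port>\d+-[\d.]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")

def evaluate_log(log_text, allowed=ALLOWED_DEVICES):
    """Return one (port, vendor, product, serial, verdict) tuple per mass-storage attach."""
    pending = {}     # port -> identity lines seen before the storage driver claims the device
    decisions = []
    for line in log_text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            pending[m["port"]] = {"vendor": m["vendor"], "product": m["product"], "serial": None}
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in pending:
            pending[m["port"]]["serial"] = m["serial"]
            continue
        m = STORAGE_RE.search(line)
        if m:
            port = m["port"]
            # A device that never announced itself still gets a verdict: unknown identity is blocked.
            dev = pending.pop(port, {"vendor": None, "product": None, "serial": None})
            key = (dev["vendor"], dev["product"], dev["serial"])
            verdict = "allow" if port in allowed.get(key, set()) else "block"
            decisions.append((port, dev["vendor"], dev["product"], dev["serial"], verdict))
    return decisions

def blocked_alerts(log_text, allowed=ALLOWED_DEVICES):
    """Alert lines for every attach the policy blocks, ready for a SIEM or mail hook."""
    return [f"BLOCK port {p}: device {v}:{pr} serial {s} is not authorised on this port"
            for p, v, pr, s, verdict in evaluate_log(log_text, allowed) if verdict == "block"]
```

Non-storage devices (the third sample line) produce no verdict, so keyboards and mice keep working while every mass-storage attach is checked against the allowlist.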
This archive was generated by hypermail 2.1.3 : Thu Nov 02 2006 - 22:46:10 PST