[ISN] Beware the 'pod slurping' employee

InfoSec News isn at c4i.org
Tue Feb 21 01:15:45 EST 2006


[InfoSec News covered iPod industrial espionage back in 2002, 
http://seclists.org/lists/isn/2002/Mar/0002.html  - WK]

By Will Sturgeon 
Special to CNET News.com
February 15, 2006

A U.S. security expert who devised an application that can fill an
iPod with business-critical data in a matter of minutes is urging
companies to address the very real threat of data theft.

Abe Usher, a 10-year veteran of the security industry, created an
application that runs on an iPod [1] and can search corporate networks
for files likely to contain business-critical data. At a rate of about
100MB every couple minutes, it can scan and download the files onto
the portable storage units in a process dubbed "pod slurping. [2]"

To the naked eye, somebody doing this would look like any other
employee listening to their iPod at their desk. Alternatively, the
person stealing data need not even have access to a keyboard but can
simply plug into a USB port on any active machine.

Usher denies that his creation is an irresponsible call to arms for
malicious employees and would-be data thieves, and instead insists
that his scare tactics are intended to stir companies into action to
protect themselves against the threat.

"This is a growing area of concern, and there's not a lot of awareness
about it," he said. "And yet in 2 minutes, it's possible to extract
about 100MB of Word, Excel, PDF files--basically anything which might
contain business data--and with a 60GB iPod, you could probably have
every business document in a medium-size firm."

Andy Burton, CEO of device management firm Centennial Software [3],
said Usher walks a fine line but believes that he is acting with the
best intentions and agrees that companies that still haven't
recognized the threat need to be given a wake-up call.

"Nobody wakes up in the morning worrying about antivirus or their
firewall because we all know we need those things, and we all have
them in place," Burton said. "Now the greatest threat is very much
inside the organization, but I'm not sure there are that many
businesses (that) have realized it's possible to plug in an iPod and
just walk away with the whole business in a matter of minutes."

Usher said companies shouldn't expect any help from their operating
system, the most popular of which lacks the granularity to manage this
threat effectively without impairing other functions.

"(Microsoft Windows) Vista looks like it's going to include some
capability for better managing USB devices [4], but with the time it's
going to take to test it and roll it out, we're probably two years
away from seeing a Microsoft operating system with the functionality
built in," Usher said. "So companies have to ask themselves, 'Can we
really wait two years?'"

Citing FBI figures that put the average cost of data theft at
$350,000, Usher argues that they can't.

"The cost of being proactive is less than the cost of reacting to an
incident," Usher said.

Will Sturgeon of Silicon.com reported from London.

[1] http://www.sharp-ideas.net/downloads.php
[2] http://www.sharp-ideas.net/pod_slurping.php
[3] http://www.centennial-software.com/
[4] http://news.com.com/Microsoft+launches+updated+Vista+preview/2100-1016_3-6001531.html

More information about the ISN mailing list