Beware the Podslurpers...

[InfoSec News <alerts () infosecnews org>]

http://www.contractoruk.com/news/002936.html

[New breed of security risks? There's stories dating back to 2002 on 
InfoSec News of this threat: http://www.infosecnews.org/hypermail/0203/5524.html
but nevertheless there's good information here.  - WK]


By Neil Sheppard 
Nov 3, 2006

Podslurpers and Camsnufflers sound like products of JJ Tolkiens 
imagination in Lord of the Rings but if they were, then they would 
almost certainly inhabit Mordor rather than The Shire with the Hobbits.

In fact these are all names given to a new breed of security risks that 
have derived from the existence of USB and Firewire ports.

USB ports in particular have transformed the connectivity of external 
hardware and PCs with a key part of their design being the ease of use 
and universal operation across many types of hardware. However these 
strengths also contribute to the vulnerability regarding data security. 
So what is podslurping and camsnuffling?

Basically podslurping and camsnuffling are two variations on the same 
theme using highly memory intensive mobile devices to connect into a USB 
or firewire port and remove large amounts of data from the machine or 
system.

In the case of podslurping it is the use of iPod type devices normally 
through USB ports which could also include mobile phones, PDAs or even 
flash drives which are commonly 2GB now with 32GB drives on the horizon.

Camsnuffling refers to the use of digital cameras or camcorders through 
either firewire ports or USB ports. Use of these devices is on the safe 
side of normal security systems and so it is a very real threat for many 
businesses. The threat can be in a number of forms;

* Employees who decide to download information to either take home to 
  work on or for more sinister purposes. Taking work home could mean 
  that the data is then transferred to an insecure device and therefore, 
  at increased risk - whereas the removal of data for more sinister 
  purposes represents a real threat to the wellbeing of the 
  organisation. For publicly quoted organisations the requirements of 
  Turnbull for reporting risk include data security and so any possible 
  routes that could leak information need to be reported. In a recent 
  survey 29% of company directors admitted downloading company 
  information into insecure environments for various reasons so it is 
  not just disgruntled employees that are of concern!

* Non-employees who gain access to the workplace and download 
  information either to blackmail the organisation of simply to do 
  commercial damage to it. People leaving workstations logged on at 
  night pose a particular risk here but the speed that data can now be 
  transferred means that any unlocked workstation left unattended could 
  be a risk a firewire connected media player can download 6 GB of 
  information in less than 2 minutes!

* Non-employees who use information mobility to access information on 
  laptops while remote from the office. Downloading or holding large 
  amounts of sensitive data on laptops is normally one of the reasons 
  for having such a device but it does represent a potential security 
  breach. Apart from the obvious physical risk of having it stolen there 
  is now the risk of podslurping for the trusting imagine the scenario: 
  You are in a hotel foyer quietly working on your laptop when someone 
  approaches you and says that their iPod is low on power and could they 
  just plug it into one of your USB ports for 10 minutes for a quick 
  recharge whilst they get you a cup of coffee. Being a trusting person 
  in need of a free cup of coffee you agree, but while you are sitting 
  there chatting over coffee a self activating worm on the iPod is 
  scooping up GBs of data off your laptop with iPods now having 60GB 
  hard drive capacity a lot of data could be harvested without leaving 
  any trace industrial espionage just became a lot easier!

* There is one further threat from these devices and that is their 
  potential to carry some sort of damaging programme such as a worm or 
  virus that is then introduced into the system. Whilst proper intrusion 
  detection systems should give some protection against this, the virus 
  may have done its work before it is detected. In one test a security 
  company left old flash drives scattered around the company car park 
  early one morning. Each of these drives had a lot of innocuous data 
  and pictures so as not to arouse suspicion - but they also had a 
  self-activating Trojan that harvested sensitive information and then 
  used the e-mail client to send the information to the security 
  company. They watched as employees found the devices as they arrived 
  in the morning within an hour or so the first emails started arriving 
  as the employees plugged the flash drives into their unguarded USB 
  ports! No matter how good your security is the weakest link is 
  normally human fallibility!

So what can be done to stop the unrelenting march of Podslurpers and 
Camsnufflers? Some companies have taken the extreme step of filling all 
USB and firewire ports with superglue! However this is not the favoured 
solution as Andy Beesley of Wired IT Services explains: The problem here 
is that the security issues are being caused by the very reason that USB 
ports have developed their ease of use and user friendliness. Sealing 
them up with Superglue might fix the problem but it will also inhibit 
the productive use of these devices which is not in the best interests 
of the organisation.

We need to find a sensible combination of measures that educate and 
prevent without unduly inhibiting peoples everyday lives. A typical 
process would be as follows:

* Education employees need to understand the risks and implications of 
  security breaches to the wellbeing of the organisation. This 
  particularly the case for laptop users who use them away from secure 
  areas such as the workplace or the home.

* Understand the current security risks how many employees use USB 
  sticks, iPods, PDAs, digital cameras etc and how often are they 
  connected to the network.

* Review the business requirements what is really required by employees 
  as a part of their daily work patterns which may lead to some 
  interesting discussions and indeed revelations!

* Create a clear AUP (acceptable use policy) that governs what is and 
  what is not permitted regarding removable devices including 
  restrictions on them being brought into the workplace. This policy 
  needs a clear and comprehensive communication procedure with employees 
  signing off that they accept its governance.

* Policy enforcement through intelligent lockdown this can be physical 
  (such as Superglue!) but can also be technology based:

* Inhibit autorun although normally only associated with CD drives, 
  other removable devices can be made to look like a CD drive and 
  inhibiting autorun will prevent programmes from running without the 
  users knowledge

* Disable USB connections in system BIOS for machines where there is no 
  requirement for external devices

* Use software that allows policy to be defined so that only agreed 
  users can use devices that are authorised on ports that are authorised 
  all other usage is blocked.

* Use software to create document policies that restrict the way that 
  files can be copied or used.

* Use encryption on all sensitive data

* Keep all data on secure central network servers and restrict the 
  amount that can be held on desktops or laptops.

* Iterate more education, review the operation of the policy and repeat 
  the process

There can never be 100% security but hardware lockdown is an 
increasingly important issue because of the advances in removable device 
technology. With this technology advancing at an ever increasing pace 
the time to act is now.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org