The iPod is the top-selling portable media player on the market today. The largest iPod model can currently store more than 80 gigabytes of data, and as technology advances its storage capacity will only increase. While this may benefit practitioners who use such devices to transfer and store corporate data, enterprises can't ignore the risks iPods pose to the network, especially now that malicious users have started "pod slurping" to gain access to confidential corporate information.
How does pod slurping work? Pod slurping is a method that illegally uploads gigabytes of confidential information from an organization's computer systems to an iPod or any other removable storage device. Those engaging in the practice often utilize programs like slurp.exe, which make it easier to search relevant directories on a computer system for typical business documents in Word and Excel format. The Slurp.exe program is capable of copying 100 MB worth of data from the Windows "Documents and Settings" directory in a matter of minutes. Once the information is slurped it can be downloaded, analyzed and even sold.
Pod slurping is the latest weapon in the hacker's arsenal. And it's not only a method that sophisticated hackers can use.
For example, an employee who's unhappy with his annual performance review and his lack of a pay increase can decide to "strike back" by testing his access to the human resources server, which stores an Excel spreadsheet of all
While some may believe this could never happen, it did. A few years ago I audited the network of an international marketing company where an employee did what's described above, but used a USB key, not an iPod. In this case, the employee quit before anyone noticed the breach and emailed the Excel spreadsheet to every individual in the company. As you can imagine, the consequences were devastating.
Pod Slurping: Preventative measures
So, what can be done to prevent pod slurping?
- Restrict access to the USB port(s) on a computer system.
- Implement and enforce policies. No USB devices in the office means, no USB devices in the office for ANYONE (including technical staff, managers, etc.).
- Implement the principle of least privilege. Doing so will ensure a user can't access files which they do not need to access.
Again, before allowing employees to listen to their portable music players at the office, consider the risks. Most organizations have spent thousands of dollars on mitigating risks to their information by implementing firewalls, antivirus and intrusion prevention systems (IPSes), only to have it come crashing down by a disgruntled employee armed with an iPod.
About the Author:
Peter Giannoulis, GSEC, GCIH, GCIA, CISSP, is an information security consultant in Toronto, Ontario, Canada, as well as a Technical Director for the GIAC family of certifications.
|Sound off opportunity: Do you think is it reasonable to ban iPods from the office? We'd like to hear from you. Email us and let us know why or why not.|
This was first published in February 2009