Find White Papers
Home About Contact Help
Free Membership Member Login
Aug 20, 2008
View Popular Research Browse Topics Find Business Solutions RSS Feeds List Your Research
Search the Library                  Advanced Search

Pod Slurping: An Easy Technique for Stealing Data

GFI
By : GFI
INFORMATION
Published : Jan 02, 2007
Length : 7
Type : White Paper
 
Download Now
Save for Later
  Email This Page
Overview :

A common misconception is that perimeter security measures such as firewalls and anti-virus software are enough to secure corporate data residing on the corporate network.

In this white paper, we explore how the uncontrolled use of portable storage devices such as iPods, USB sticks, flash drives and PDAs, coupled with data theft techniques such as ‘pod slurping’, can lead to major security breaches.
View All Items By This Company
Browse Related Categories :

Access Control

,

Authentication

,

Identity Management

,

Security Policies

,

Storage Management
 
Developments in portable device and data storage technology are escalating. The latest versions of MP3 players and flash memory devices have huge storage capabilities; yet these gadgets are small enough to easily conceal and sneak in behind the corporate line of defence. Further to this, easy connectivity and high speed data transfer has become increasingly more widespread - a user may simply plug the device into a USB or FireWire port and they are up and running - no drivers or configuration required! In practice, this means that a data thief can get away with even more precious data, and a negligent employee can dump more viruses onto the corporate network even when connecting for only a short time.

iPod is just one example of such portable contraptions. At a glance it is an innocent-looking portable audio device. However under the hood it boasts up to 60 GB of portable storage space; practically large enough to store all the data found in a typical workstation. This means that a malicious insider can use an iPod to covertly take out (i.e. 'steal') proprietary data and millions of financial, consumer or otherwise sensitive corporate records at one go!

2006 Identity Fraud Survey

"In 2005, the costs and damages caused by identity theft reached $56.6 billion."

Gartner analysts Contu and Girard (2004) warned of the security risks associated with the uncontrolled use of portable storage devices within corporations. Today, information theft has become a plague on modern society; data leakage, data ciphering, and data disclosure incidents are all but some of the terms used by security experts to refer to information theft. However, the most original term so far is probably the term 'pod slurping' that was coined by US security expert Abe Usher (2005).

Pod slurping: An easy technique for stealing data

Usher uses the term 'pod slurping' to describe how MP3 players such as iPods and other USB mass storage devices can be easily used to steal sensitive corporate data. "There are dishonest people in the world", says Usher, "many of them work at many companies - and these USB devices make it rather trivial to steal huge amounts of data" (Schick, 2006).

To demonstrate the vulnerability of corporate security, Usher developed a "proof of concept" software application that can automatically search corporate networks and copy (or "slurp") business critical data on to an iPod. This software application runs directly from an iPod and when connected to a computer it can slurp (copy) large volumes of corporate data on to an iPod within minutes. What's more is that slurping is not limited to iPods and MP3 players alone. All portable storage devices can be used to slurp information; digital cameras, PDAs, thumb drives, mobile phones and any other plug-and-play devices which have storage capabilities!

Data slurping is a very simple automated process and does not require any technical expertise; a user may plug in the portable storage device to a corporate workstation and by the time it takes to listen to an MP3, all the sensitive corporate data on that workstation is copied to the portable storage device.

Pod Slurping Blog

"...in 2 minutes, it's possible to extract about 100 MB of Word, Excel, PDF files -basically anything which might contain business data..."

Insider information theft is a real problem

Information theft has now become a major concern for every organization and thus data leakage prevention is slowly taking up a bigger portion of the IT budget. This drive is attributed to two factors: The wave of malevolent threats that is hitting every industry and the increase in regulatory requirements which demand more protection and tighter controls over client records and other confidential information. More stringent controls and severe penalties are forcing organizations to address regulatory compliance more seriously. In January 2006, the Federal Trade Commission charged commercial data broker ChoicePoint Inc. a settlement fee of 15 million dollars for leaking consumer data and violating consumer privacy rights (Federal Trade Commission, 2006).

A misconception shared by many organizations is that security threats mostly originate from outside the corporation. In fact, countless dollars are being spent every year on firewalls and other solutions that secure the corporate perimeter from external threats.
Search the Library                  Advanced Search
Today's Popular Reports This Weeks Most Popular Reports Most Popular Topics Vendor Directory Home
About Us Contact Us List Your Papers Partner With Us Site Map