August 15, 2006
As if 60GB of pocket-sized storage wasn’t enough of a threat to the sensitive data on your network, Seagate has announced that it plans to ship a 120GB hard drive, suitable for use in iPod-style devices, by the end of the year.
Seagate’s CEO, William Watkins, reckons they have the market for 1.8in drives sewn up - and sees the iPod as only one of a range of new handheld devices that will benefit from the additional storage capacity.
News to bring tears to an IT security manager’s eyes.
More on Macworld
June 15, 2006
“Hey can I charge my iPod on your laptop for a few minutes? Hey thanks man, have a free USB stick, a friend gave it to me and I already have a ton of these things, oh check out the photo he put on there it’s hilarious!”
iPod Sneakiness
Bruce Schneier discusses an article recently published in the Spring issue of 2600 titled “iPod Sneakiness”, in which the author combines social engineering with an iPod running a podslurping application. Imagine if you (or your employees) were at a Starbucks with your laptop and someone came up to you and innocently asked if they could plug their iPod into your computer to power it up. If that iPod has a podslurping application installed, they would be sucking more than power from your laptop; they would also be sucking down files and passwords from your system.
I used to work for a large public technology company that actually has a Starbucks on campus. Since the Starbucks is not company owned, anyone can sit in the coffee shop without security badges. The amount of potential information that could be compromised from an attack such as this is beyond comprehension, as engineers, IT staff and top level executives all visit this “hub” with their laptops.
Making a Trojan Clickalicious
In a further discussion of the Dark Reading article on a recent penetration test of a credit union using USB sticks and a Trojan, it appears that Autorun was not used to run the application. Instead, the application was disguised as a JPEG image, using Windows’ ability to hide file extensions and an icon embedded in the executable, so the credit union employees thought they were opening an image, not executing an application.
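A defender can check removable media for this disguise before anyone double-clicks. The sketch below is an added example, not code from this post or from the Dark Reading article; the function names and both extension lists are assumptions chosen for illustration. It flags names whose final extension is executable but which read as an image or document once Explorer hides that extension, and it goes one step beyond the case described above by also flagging decoy-named files whose content starts with an executable header.

```python
import os
import tempfile

# Assumed list: extensions Windows runs directly. Explorer's "Hide extensions
# for known file types" option drops this final extension from the shown name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}
# Assumed list: harmless-looking extensions a lure can leave visible.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".txt"}

def displayed_name(filename):
    """Name the user sees in Explorer when known extensions are hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS else filename

def findings_for(path):
    """Return the reasons a file looks like a disguised executable."""
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name.lower())
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == b"MZ"  # DOS/PE executables start with "MZ"
    reasons = []
    if ext in EXECUTABLE_EXTS and os.path.splitext(stem)[1] in DECOY_EXTS:
        reasons.append("double extension, shown as " + displayed_name(name))
    if is_pe and ext in DECOY_EXTS:
        reasons.append("executable header under a " + ext + " extension")
    return reasons

def scan(root):
    """Walk a mounted drive or folder; map relative path -> reasons."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            reasons = findings_for(path)
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def demo():
    # Constructed sample files: two-to-four byte stubs, not real programs.
    samples = {"holiday.jpg.exe": b"MZ\x90\x00", "beach.jpg": b"\xff\xd8\xff\xe0",
               "setup.exe": b"MZ\x90\x00", "notes.txt": b"MZ\x90\x00"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)
```

Pointing `scan()` at the mount point of a found drive lists the files worth a closer look; an embedded icon does not affect either check, since neither relies on how the file is rendered.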
June 11, 2006
A “hacker” is responsible for another data theft affecting a federal agency. The data theft, at a National Nuclear Security Administration center in Albuquerque, involved names, Social Security numbers, birth dates and information on where 1,500 people worked and their security clearances.
The theft actually occurred in September, and only recently have the individuals affected, or high-level officials, been told of the data breach.
Very little information has been made public regarding the actual “hack,” however from the description it appears that the individual had physical access to the system and had to circumvent a few security measures on the system before gaining access to the file.
Although the data stolen did not contain any sort of nuclear secrets, there is concern that when personal data such as this is stolen along with details on security clearances, someone may use the information for a social engineering attack to try and get people to do things they shouldn’t through threats or blackmail. The state of endpoint security in federal agencies is obviously a serious problem that should be investigated, as we know this is not an isolated incident.
This also leads me to wonder how many data thefts such as this have gone unreported.
June 9, 2006
In a recent article on darkreading.com, Steve Stasiukonis, VP and founder of Secure Network Technologies Inc., discusses a recent client:
We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.
The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
Slowly, data started appearing in their inbox, collected from the systems where the thumb drives were inserted. Human fallibility will always be your greatest endpoint security threat.
May 1, 2006
According to this article on CNET and reports from the SOCA (Serious Organised Crime Agency), the mafia has been infiltrating companies using “plants” to attack internal systems and steal pertinent data. The biggest threat, they claim, is from trusted “insiders” who cause damage or steal data from internal systems.
Organized crime has changed its tactics quite a bit by learning to compromise employees and contractors. We have heard this quite a bit: sometimes your greatest security threat may not be the genius hacker living in his parents’ basement trying to find ways into your network from the outside, but instead the pub across the street from your company, where all of the company’s dirty laundry is aired. It is not difficult to find a disgruntled employee who is unhappy with the company he/she works for and would be willing to earn a few extra bucks simply downloading data. Simply plug in a USB flash drive and upload malicious code, or download important company data. In most cases even low-level employees and contractors have access to information that would prove valuable to competitors, even if the data is as simple as a list of engineers who work in product development, or a marketing email list.