Beware the 'pod slurping' employee

Thread: Beware the 'pod slurping' employee

  1. #1
    Senior Member
    Join Date
    Mar 2005
    Posts
    175

    Beware the 'pod slurping' employee

    A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.
    Read more here
    "And life is what we make it. Always has been, always will be."

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    That's a breach of policy in this organization.

    You are not allowed to connect any device to any part of the network without the prior permission of the IT department.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Good point Tiger~

    That is a reasonably common policy over here, and in more sensitive locations you are not even allowed to bring the devices on site (mobile phones, cameras as well!)

    But I do sense a bit of FUD here? OK so I bring said device on site. Don't we have a policy which only allows access on a needs to basis? So, I should not even be able to see sensitive data, unless it is my job.

    All this ties in with HR and your recruitment policy as well?

    This has actually been a risk since CD/DVD burners and USB drives became common. Also, someone listening to an i-Pod isn't concentrating on their work... that would actually attract attention in a professional environment, and where it does not they probably haven't anything worth stealing anyway? What is OK for goods inwards isn't the same in finance.

  4. #4
    Senior Member ShippMA
    Join Date
    Oct 2002
    Posts
    165
    Well, it's good that your organisation actually has a policy, however does that include USB sticks? I would be willing to bet even if it does you will still have employees connecting their USB sticks.

    However let's be honest here, if an employee is out to steal business critical files from a company I don't think they'll be concerned whether or not the company policy allows them to connect an external device or not.

    Plus even if they were caught, what is the punishment for a breach of policy? For example to install anything on my work PC I need IT to do it because of restrictions, not an uncommon policy and actually quite sensible, however for some reason Firefox installed fine for me, so I never bothered telling IT. Yesterday an IT technician came down and said he noticed Firefox while doing an 'update' the other day. I said that yes I had installed it myself and he said 'that's cool, just thought I'd remind you the policy prohibits this, but don't worry'.

    I wonder, how would a company prove they had stuff stolen by user X. Surely to prove that they would need to log which user performed the search AND copied the files to an external drive, is that something that is generally logged?

    EDIT: He he posting at the same time nihil.

    Actually you make a good point that I forgot, the company that I currently work for does only give users access to folders that their manager identified they need access to, however I know that my last company just gave you full access!!!

    Plus although that helps, it doesn't stop the user copying sensitive work that they are working on...
    www.simpleits.co.uk
    www.tazforum.**********.com
    Google is god ....... of the Internet

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If I walk around any of my facilities and find a device, any device - thumb drives included, I will know whether the user is authorized because my staff are directed to forward all requests to me. If they aren't authorised I will look on the device to see what is there - I have the right to, per policy since they attached it to the work computer - and the policy states that breaches of policy may result in disciplinary action up to and including termination.

    Can they sneak it by me... Maybe, but most users don't have the rights to allow the thumb drive to be installed so it's not a huge issue.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    IIRC there's a GPO on Windows that can be used to prevent access to USB mass storage devices...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    We had this discussion at work (more than once) and we considered specifically implementing policies to stop thumb drives etc. We came to the conclusion that they posed no more of a risk for malware entry than floppy disks and no greater a risk to loss of data than existing CDRW drives or pen and paper even. Anyone who is going to steal data will almost certainly have legitimate business access to it anyway and they could print it and walk out with it under their arm.
    Removal of personal or protectively marked materials is covered under all circumstances by other policies.

    We considered this to be a people problem rather than a technological problem.

    A lot of these reports seem to be FUD released by companies selling solutions to that particular 'problem'.

    ShippMA - I wonder, how would a company prove they had stuff stolen by user X. Surely to prove that they would need to log which user performed the search AND copied the files to an external drive, is that something that is generally logged?
    No. I asked the same question when this first came up.

  8. #8
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hey Aspman, I just love the Official Secrets Acts... legislation with teeth not like this namby pamby "Homeland Insecurity" or "Data Protection" crap?


  9. #9
    Senior Member Raion
    Join Date
    Dec 2003
    Location
    New York, New York
    Posts
    1,299
    Well, I've never worked at an IT company before but why not just glue the USB ports shut and make someone who needs to use the USB port go to an administrator computer and send whatever data they need to their computer.

    But really, this seems like a one step forward two steps back kinda thing. The more advanced technology gets, the easier it becomes for people to do malicious things with them...
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Raion
    Well, I've never worked at an IT company before but why not just glue the USB ports shut and make someone who needs to use the USB port go to an administrator computer and send whatever data they need to their computer.
    This is going to be difficult... Please note that a lot of the newer keyboards/mice are USB only. It's kind of hard to connect a keyboard when the ports are glued shut. Gluing the keyboard isn't an option either. We all know that users, keyboards and coffee don't mix.
