By Will Sturgeon, 15 February 2006 16:25
NEWS
A US security expert who devised an application which can fill an iPod with business critical data in a matter of minutes is urging companies to address the very real threat of data theft.
Abe Usher, a 10-year veteran of the security industry, created an application which runs on an iPod and can search corporate networks for files likely to contain business critical data. At a rate of around 100MB every two minutes, it can scan and download the files onto the portable storage units in a process dubbed 'pod-slurping'.
To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. Alternatively the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine.
Usher denies his creation is an irresponsible 'call to arms' for malicious employees and would-be data thieves and instead insists his scare tactics are intended to stir companies into action to protect themselves against the threat.
He said: "This is a growing area of concern and there's not a lot of awareness about it. And yet in two minutes it's possible to extract about 100MB of Word, Excel, PDF files - basically anything which might contain business data - and with a 60GB iPod you could probably have every business document in a medium sized firm."
Andy Burton, founder of device management firm Centennial, said Usher walks a fine line but believes he is acting with the best intentions and agrees that companies who still haven't recognised the threat need to be given a wake-up call.
Burton said: "Nobody wakes up in the morning worrying about antivirus or their firewall because we all know we need those things and we all have them in place. Now the greatest threat is very much inside the organisation but I'm not sure there are that many businesses who have realised it's possible to plug in an iPod and just walk away with the whole business in a matter of minutes."
Usher said companies shouldn't expect any help from their operating system, the most popular of which lack the granularity to manage this threat effectively without impairing other functions.
He said: "Vista looks like it's going to include some capability for better managing USB devices but with the time it's going to take to test it and roll it out we're probably two years away from seeing a Microsoft operating system with the functionality built in.
"So companies have to ask themselves 'can we really wait two years?'"
Citing FBI figures which put the average cost of data theft at $350,000, Usher argues they can't.
He said: "The cost of being proactive is less than the cost of reacting to an incident."
Comments
There are 6 comments. Join the discussion
1. anonymous
How is an iPod any different than a USB flash drive, or a cellphone/PDA with SD cards and Bluetooth? If anything, a tiny USB drive would be less obtrusive, and a PDA with SD card storage would be less noticed in a business environment.
This article smacks of a personal bias on the part of the author in singling out a specific product or company, which significantly undercuts the argument.
2. anonymous
Same old security company scare tactics to drum up business.
This is nothing new. People could copy 'business data' since the days of floppy discs. CD writers and flash drives could do the same thing. An employee could even pinch a backup tape in a matter of seconds if they knew where they were.
There is no new threat from iPods that wasn't there already through other data storage media.
3. anonymous
Slurp-audit simply gives us an overview of the issue at hand - that sizeable portable has never been so cheap, and therefore accessible to the masses. That this article chooses to focus primarily on USB drives does not lessen its relevency.
It simply doesn't make sense that companies invest millions in firewalls, anti-virus and email content filtering solutions only to then leave the back door open on PCs.
Just look at the stories coming out of Marriot, Ford, the Dutch military and Cardystems. These types of thefts are both real and on the increase.
4. Ian Savell
If you want to do this - don't use an Ipod. Most other players are MUCH easier to use as mobile data storage.
You can see this from the fact that the source needed to write SOFTWARE for the Ipod, when all you should need is XP's built in support for USB storage.
5. anonymous
The only thing missing from this article was a plug for his anti-slurping software - surely a 'must have' for every PC in the enterprise...
Same old same old. Anti-virus companies invented the threat, then keep selling us the prevention.
Just how much longer are computer users going to be held to ransom by these companies?
6. anonymous
Surely the point being made is that the 'opportunity' for theft is greater as your average employee now has an ipod-type device, rather than a USB hard disc, in their pocket!
I agree with the previous comments - but think that employers need to be made aware of the danger that ipods mean to corporate security, let alone the hearing of their employees!