[New breed of security risks? There's stories dating back to 2002 on
InfoSec News of this threat: http://www.infosecnews.org/hypermail/0203/5524.html
but nevertheless there's good information here. - WK]
By Neil Sheppard
Nov 3, 2006
Podslurpers and Camsnufflers sound like products of JJ Tolkiens
imagination in Lord of the Rings but if they were, then they would
almost certainly inhabit Mordor rather than The Shire with the Hobbits.
In fact these are all names given to a new breed of security risks that
have derived from the existence of USB and Firewire ports.
USB ports in particular have transformed the connectivity of external
hardware and PCs with a key part of their design being the ease of use
and universal operation across many types of hardware. However these
strengths also contribute to the vulnerability regarding data security.
So what is podslurping and camsnuffling?
Basically podslurping and camsnuffling are two variations on the same
theme using highly memory intensive mobile devices to connect into a USB
or firewire port and remove large amounts of data from the machine or
In the case of podslurping it is the use of iPod type devices normally
through USB ports which could also include mobile phones, PDAs or even
flash drives which are commonly 2GB now with 32GB drives on the horizon.
Camsnuffling refers to the use of digital cameras or camcorders through
either firewire ports or USB ports. Use of these devices is on the safe
side of normal security systems and so it is a very real threat for many
businesses. The threat can be in a number of forms;
* Employees who decide to download information to either take home to
work on or for more sinister purposes. Taking work home could mean
that the data is then transferred to an insecure device and therefore,
at increased risk - whereas the removal of data for more sinister
purposes represents a real threat to the wellbeing of the
organisation. For publicly quoted organisations the requirements of
Turnbull for reporting risk include data security and so any possible
routes that could leak information need to be reported. In a recent
survey 29% of company directors admitted downloading company
information into insecure environments for various reasons so it is
not just disgruntled employees that are of concern!
* Non-employees who gain access to the workplace and download
information either to blackmail the organisation of simply to do
commercial damage to it. People leaving workstations logged on at
night pose a particular risk here but the speed that data can now be
transferred means that any unlocked workstation left unattended could
be a risk a firewire connected media player can download 6 GB of
information in less than 2 minutes!
* Non-employees who use information mobility to access information on
laptops while remote from the office. Downloading or holding large
amounts of sensitive data on laptops is normally one of the reasons
for having such a device but it does represent a potential security
breach. Apart from the obvious physical risk of having it stolen there
is now the risk of podslurping for the trusting imagine the scenario:
You are in a hotel foyer quietly working on your laptop when someone
approaches you and says that their iPod is low on power and could they
just plug it into one of your USB ports for 10 minutes for a quick
recharge whilst they get you a cup of coffee. Being a trusting person
in need of a free cup of coffee you agree, but while you are sitting
there chatting over coffee a self activating worm on the iPod is
scooping up GBs of data off your laptop with iPods now having 60GB
hard drive capacity a lot of data could be harvested without leaving
any trace industrial espionage just became a lot easier!
* There is one further threat from these devices and that is their
potential to carry some sort of damaging programme such as a worm or
virus that is then introduced into the system. Whilst proper intrusion
detection systems should give some protection against this, the virus
may have done its work before it is detected. In one test a security
company left old flash drives scattered around the company car park
early one morning. Each of these drives had a lot of innocuous data
and pictures so as not to arouse suspicion - but they also had a
self-activating Trojan that harvested sensitive information and then
used the e-mail client to send the information to the security
company. They watched as employees found the devices as they arrived
in the morning within an hour or so the first emails started arriving
as the employees plugged the flash drives into their unguarded USB
ports! No matter how good your security is the weakest link is
normally human fallibility!
So what can be done to stop the unrelenting march of Podslurpers and
Camsnufflers? Some companies have taken the extreme step of filling all
USB and firewire ports with superglue! However this is not the favoured
solution as Andy Beesley of Wired IT Services explains: The problem here
is that the security issues are being caused by the very reason that USB
ports have developed their ease of use and user friendliness. Sealing
them up with Superglue might fix the problem but it will also inhibit
the productive use of these devices which is not in the best interests
of the organisation.
We need to find a sensible combination of measures that educate and
prevent without unduly inhibiting peoples everyday lives. A typical
process would be as follows:
* Education employees need to understand the risks and implications of
security breaches to the wellbeing of the organisation. This
particularly the case for laptop users who use them away from secure
areas such as the workplace or the home.
* Understand the current security risks how many employees use USB
sticks, iPods, PDAs, digital cameras etc and how often are they
connected to the network.
* Review the business requirements what is really required by employees
as a part of their daily work patterns which may lead to some
interesting discussions and indeed revelations!
* Create a clear AUP (acceptable use policy) that governs what is and
what is not permitted regarding removable devices including
restrictions on them being brought into the workplace. This policy
needs a clear and comprehensive communication procedure with employees
signing off that they accept its governance.
* Policy enforcement through intelligent lockdown this can be physical
(such as Superglue!) but can also be technology based:
* Inhibit autorun although normally only associated with CD drives,
other removable devices can be made to look like a CD drive and
inhibiting autorun will prevent programmes from running without the
* Disable USB connections in system BIOS for machines where there is no
requirement for external devices
* Use software that allows policy to be defined so that only agreed
users can use devices that are authorised on ports that are authorised
all other usage is blocked.
* Use software to create document policies that restrict the way that
files can be copied or used.
* Use encryption on all sensitive data
* Keep all data on secure central network servers and restrict the
amount that can be held on desktops or laptops.
* Iterate more education, review the operation of the policy and repeat
There can never be 100% security but hardware lockdown is an
increasingly important issue because of the advances in removable device
technology. With this technology advancing at an ever increasing pace
the time to act is now.
Visit the InfoSec News store!