Sensitive Data Stolen Via Digital Cameras 318
Jack writes "ITO is running an interesting story on a new security threat connecting digital cameras and hackers." From the article: "Following a spate of reports about Bluetooth and iPods devices being used to steal sensitive data from organizations, businesses are now urging to be vigilant as hackers use digital cameras to sidestep security measures. 'Camsnuffling', the latest IT managers headache being used to computer attackers to extract and store data with the help of digital camera." We've previously discussed this problem.
Memmory Sticks next? (Score:5, Insightful)
Why go to all that trouble... (Score:5, Insightful)
Easy fix, remove access to the usb ports (Score:5, Insightful)
I know its not realistic, but alot of security problems can be fixed if we give up convenience.
How serious are you about security? (Score:5, Insightful)
The problem starts when the copmpany talks the talke, but doesn't back it up with action, leaving IT staff with a mixed message.
A clear, well-written security policy that has been bought off by and supported by exec mgmt is the only way to go. Sarbox is a great tool for scaring mgmt into line here.
Let's start with the obvious... (Score:3, Insightful)
"Cameras" is a little misleading/shortsighted... (Score:5, Insightful)
cannot be helped (Score:4, Insightful)
Re:Memmory Sticks next? (Score:4, Insightful)
Removable storage devices are the problem, and the invention of "camstuffing" seems like a lame gimmick to try to spin more news out of it. The article ridiculously claims that "many employees use digital cameras in their day to day work" - Maybe at a photojournalism shop, but in most real businesses you'd look pretty odd connecting your camera to the PC. It's vastly lower on the threat scale than PDAs, cell phones, burnable media, or flash cards/keys.
While I think the whole hacker vs cracker thing is a lame debate, in this case they're talking about people simply stealing or misappropriating data that they rightfully have access to. There is nothing (h|cr)ackeresque about that.
Re:You know... (Score:3, Insightful)
Oh no (Score:3, Insightful)
Re:iPods only for illegal use? (Score:3, Insightful)
Re:Top-Secret Information Leaking (Score:4, Insightful)
Employees don't need to be treated like criminals, but they shouldn't have more access than they need. For instance USB storage devices should be disallowed as a matter of security policy (not as a lame "leave what you tell us about at the door", but as an actual OS enforced system policy [microsoft.com]). I care about this from a user and customer perspective, where random employees of banks, insurance companies, and other businesses have access to an enormous amount of my data: I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
Re:Big zoom cameras are something too. (Score:2, Insightful)
Human larynx as security risk (Score:5, Insightful)
Of course this description is (intended to be) humorous, but the serious point is one we've heard often enough: you can't solve a human problem with a technological solution.
Re:"Guns" is a little misleading/shortsighted.. (Score:3, Insightful)
To use your analogy, it would be like someone writing an article on why a pocket knife could be dangerous in a criminal's hands.
Re:Top-Secret Information Leaking (Score:3, Insightful)
I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
No they are not. The stuff I that I saw go on in the insurance industry would scare the living daylights out of people.
The biggest one I can think of would be the offsite tape backups at the agency I worked for. These were run every business day. How do you think they were offsite? Safe deposit box? Fire proof safe at the owners house? Nope! They gave the chief CSR the tapes and made her responsible for them. She took them home in her purse. More then once she lost a tape or forgot to bring it back in.
Despite that glaring amount of stupidity they refused to give me (the in-house IT) administrative access to the network or servers. I was supposed to talk to my boss if I needed him to log in for me. They trusted nobody but they let this woman take the companies entire database and image archive home with her every night. They justified this because "Tape drives are expensive and nobody else is likely to have one or know what's on the tape if she loses it."
I wonder how many of those tapes are floating around out there.
Re:Memmory Sticks next? (Score:2, Insightful)
iPod 60GB - $460
USB cable - $8
Misappropriating the financial database because you're the DBA - Priceless
Well, maybe not priceless. Billions of dollars in actual and capitalization damage, destroyed market image, thousands or tens of thousands who'll have issues for years.
It isn't tired - it's a very, very real risk. Too much data is being treated sloppily, and while this is only one of many steps that need to be taken to secure data, it is a concern.
Information Classification (Score:2, Insightful)
When I did defense work, classisfied systems sat on seperate networks behind locked doors. Only those who knew the combinations to the locks and had electronic key cards with the right pins could access the rooms. There were no connections from the machines to the outside world and in fact many rooms were RF sheilded to prevent EM snooping. Cameras, IPods, Thumb-drives and USB watches were certainly not allowed in these rooms.
I am not suggesting that all organisations need this kind of security but using seperate physical networks, limiting physical access, and disallowing the presence of certain devices around these machines is not beyond the pale.
Bluetooth != storage device (Score:5, Insightful)
From all the grammar mistakes, to the pointless buzzwords ("camsnuffling", "podslurping"), to the mention of how USB devices instantly give anyone access to any data on a computer, to the fact that "hackers" and "computer attackers" are mentioned several times when the data being taken is clearly being taken by employees who have access to it in the first place.
And "Bluetooth" is apparently a USB storage device. Way to go.
But in all seriousness, companies do have security issues regarding sensitive data leaving their computers in the hand of employees. How can these companies be sure that their data is secure while still maintaining access for the people who need it and not treating their employees like criminals?
If I were Dell, or some other prebuilt Windows box company, I would offer a desktop computer with no external ports at all. No USB, no serial port, no floppy disk, no CD writer, no nothing. Just a hard drive and a network connection, and a DVD/CD-ROM drive. That way, companies can make all their data available over the internal network (c'mon, is setting up shared server space really *that* difficult?) and it's much harder to get the data out of the company. If the company is truly paranoid about people taking hard drives out of their desktops to take home with them, set up the computer with an encrypted file system which asks the main server for the passphrase every time the computer boots. If you're worried about people sending themselves things as attachments, then don't allow emails with attachments from your servers. If outside companies need access to sensitive data in order to do business with you, then set up a secure server for data exchange. No sweat.
Precautions can be taken on the server side that make it very difficult for employees to steal sensitive data, but that still allow for efficient data flow within the company. And, of course, none of these ways will prevent anyone who is truly determined to get your data, but it will stop the casual stealers, and your chances of sensitive data getting out are much lower.
Re:collateral damage (Score:2, Insightful)
Back to Dumb Terminals (Score:2, Insightful)
Re:What the USA National Archives do... (Score:2, Insightful)
We understand that the work we do has a potential for security risks that need to be handled. You'd be a fool, in this industry, to have lax security. In the long run it's in the employees interest to have very strict security. My job depends on it.
Re:Let's start with the obvious... (Score:2, Insightful)
PostIt now! (Score:5, Insightful)
"Firstly, regularly change system passwords that employ both letters and numerals."
...resulting in a new security breach know as PostIt snatching
Enough with the Neologisms Already! (Score:3, Insightful)