Security

Sensitive Data Stolen Via Digital Cameras 318

Jack writes "ITO is running an interesting story on a new security threat connecting digital cameras and hackers." From the article: "Following a spate of reports about Bluetooth and iPods devices being used to steal sensitive data from organizations, businesses are now urging to be vigilant as hackers use digital cameras to sidestep security measures. 'Camsnuffling', the latest IT managers headache being used to computer attackers to extract and store data with the help of digital camera." We've previously discussed this problem.
This discussion has been archived. No new comments can be posted.

  • by Ironsides ( 739422 ) on Tuesday December 06, 2005 @02:27PM (#14195177) Homepage Journal
    Since the article seems to be more concerned about using cameras to store information, rather than taking pictures of sensitive documents, how long until USB Memory sticks are targeted? Floppies? Geez, if they're that worried about security they need to be concerned about anything that stores info, not just what appears to be everyday items.
  • by greyfeld ( 521548 ) on Tuesday December 06, 2005 @02:27PM (#14195179) Journal
    when you can just buy a thumb drive and plug it in to any machine and get almost whatever you want.
  • by psyon1 ( 572136 ) on Tuesday December 06, 2005 @02:27PM (#14195181) Homepage
    Like the computers in a cabinet, and only allow bonded techs to get in to install peripherals :)

    I know it's not realistic, but a lot of security problems can be fixed if we give up convenience.
  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Tuesday December 06, 2005 @02:30PM (#14195206) Homepage Journal
    If you, or your company, is truly serious, then the steps to limit these sorts of things are pretty straightforward (no iPods/cameras in the workplace, locking the BIOS to prevent new USB, no admin rights on your machine, etc...).

    The problem starts when the company talks the talk, but doesn't back it up with action, leaving IT staff with a mixed message.

    A clear, well-written security policy that has been bought off by and supported by exec mgmt is the only way to go. Sarbox is a great tool for scaring mgmt into line here. :)
  • by c0dedude ( 587568 ) on Tuesday December 06, 2005 @02:30PM (#14195210)
    Sensitive data should not be in plain view. Camera phones, then, are not a problem.
  • by ScentCone ( 795499 ) on Tuesday December 06, 2005 @02:31PM (#14195223)
    Why not just repeat this article on a regular basis, updating a list of things with some sort of commonly used comm port/interface and simple file-system storage? Right now it's phones, PDAs, pens, music widgets, cameras, fobs... but next it will be eyeglasses, shoes, student ID cards, car keys, fake fingernails, or someday your pre-frontal cortex. This article is mostly about how you can't trust people you can't trust. Cameras don't have much to do with it, per se. If cameras provided a way around an established lack of trust, then we'd have an article to read.
  • cannot be helped (Score:4, Insightful)

    by middlemen ( 765373 ) on Tuesday December 06, 2005 @02:32PM (#14195229)
    Most of us must have read the story about a crow wanting to drink from a jug of water, but the water being too low, the crow could not drink it. So it dropped some pebbles/stones in it and then the water rose so that the crow could drink it. If a crow can be resourceful like this applying its brain (however small), so can humans. And "hackers" (why lord why! it is crackers) are resourceful and how much ever technology progresses, there will be people who will defeat the technology by sheer brainpower and kludges. So, such things are inevitable and in fact extremely necessary to spinoff the growth of new better technology.
  • by ergo98 ( 9391 ) on Tuesday December 06, 2005 @02:33PM (#14195243) Homepage Journal
    Since the article seems to be more concerned about using cameras to store information, rather than taking pictures of sensitive documents, how long until USB Memory sticks are targeted? Floppies? Geez, if they're that worried about security they need to be concerned about anything that stores info, not just what appears to be everyday items.

    Removable storage devices are the problem, and the invention of "camstuffing" seems like a lame gimmick to try to spin more news out of it. The article ridiculously claims that "many employees use digital cameras in their day to day work" - Maybe at a photojournalism shop, but in most real businesses you'd look pretty odd connecting your camera to the PC. It's vastly lower on the threat scale than PDAs, cell phones, burnable media, or flash cards/keys.

    While I think the whole hacker vs cracker thing is a lame debate, in this case they're talking about people simply stealing or misappropriating data that they rightfully have access to. There is nothing (h|cr)ackeresque about that.
  • Re:You know... (Score:3, Insightful)

    by winkydink ( 650484 ) * <sv.dude@gmail.com> on Tuesday December 06, 2005 @02:35PM (#14195264) Homepage Journal
    Forget it. That ship sailed long ago. People were complaining about the misnomer since the Morris Worm (and probably before that too). The media has coopted the word hacker whether you want them to or not. While you can continue to use it "correctly" in certain small circles, the general public equates hacker with malice.
  • Oh no (Score:3, Insightful)

    by varmittang ( 849469 ) on Tuesday December 06, 2005 @02:37PM (#14195294)
    The Camera Phone, they must all be disallowed in the work place. That is going to be difficult, since most phones have a camera, and people are going to want them in case the kids get sick.
  • by Kelson ( 129150 ) * on Tuesday December 06, 2005 @02:38PM (#14195304) Homepage Journal
    Not only that, but I imagine many of them are playing music they bought legally -- on their own time -- either in round plastic form or from iTMS, on their home computer.
  • by ergo98 ( 9391 ) on Tuesday December 06, 2005 @02:41PM (#14195330) Homepage Journal
    But if you work for a company like mine, where the data is the company's life-blood I can completely understand why they'd want to keep your USB and other storage devices (like iPods) out of their space.

    Employees don't need to be treated like criminals, but they shouldn't have more access than they need. For instance USB storage devices should be disallowed as a matter of security policy (not as a lame "leave what you tell us about at the door", but as an actual OS enforced system policy [microsoft.com]). I care about this from a user and customer perspective, where random employees of banks, insurance companies, and other businesses have access to an enormous amount of my data: I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.
  • by manifoldronin ( 827401 ) on Tuesday December 06, 2005 @02:42PM (#14195346)
    Anyone here run a business with a display visible from a window, even one half a city block from the next window?
    Yeah, especially considering the more senior an exec becomes the bigger/more windows his office gets to have...
  • by ewg ( 158266 ) on Tuesday December 06, 2005 @02:47PM (#14195404)
    The human larynx is the biggest security risk. It's a ubiquitous device that can broadcast via sound waves any proprietary information a knowledge-worker has been exposed to.

    Of course this description is (intended to be) humorous, but the serious point is one we've heard often enough: you can't solve a human problem with a technological solution.
  • by Pantero Blanco ( 792776 ) on Tuesday December 06, 2005 @03:00PM (#14195535)
    You missed the point. They only listed a single device capable of causing the problems they listed, when there are many more that would be more likely to. He wasn't saying that the employees were the only factor.

    To use your analogy, it would be like someone writing an article on why a pocket knife could be dangerous in a criminal's hands.
  • by Shakrai ( 717556 ) on Tuesday December 06, 2005 @03:02PM (#14195558) Journal

    I've worked at a large bank and a large insurance company, and the controls aren't anything like most people imagine.

    No they are not. The stuff that I saw go on in the insurance industry would scare the living daylights out of people.

    The biggest one I can think of would be the offsite tape backups at the agency I worked for. These were run every business day. How do you think they were offsite? Safe deposit box? Fire proof safe at the owner's house? Nope! They gave the chief CSR the tapes and made her responsible for them. She took them home in her purse. More than once she lost a tape or forgot to bring it back in.

    Despite that glaring amount of stupidity they refused to give me (the in-house IT) administrative access to the network or servers. I was supposed to talk to my boss if I needed him to log in for me. They trusted nobody but they let this woman take the company's entire database and image archive home with her every night. They justified this because "Tape drives are expensive and nobody else is likely to have one or know what's on the tape if she loses it."

    I wonder how many of those tapes are floating around out there.

  • by ergo98 ( 9391 ) on Tuesday December 06, 2005 @03:06PM (#14195594) Homepage Journal
    Worrying about IPods and usb-drives just seems like this decade's nod to a B-movie scenario that was just as tired last decade.

    iPod 60GB - $460
    USB cable - $8
    Misappropriating the financial database because you're the DBA - Priceless

    Well, maybe not priceless. Billions of dollars in actual and capitalization damage, destroyed market image, thousands or tens of thousands who'll have issues for years.

    It isn't tired - it's a very, very real risk. Too much data is being treated sloppily, and while this is only one of many steps that need to be taken to secure data, it is a concern.
  • by Ferment ( 168584 ) on Tuesday December 06, 2005 @03:09PM (#14195632)
    Classification of information and treating that information accordingly is at the heart of the issue. It is impractical to have to protect all information. Organisations need to decide what needs to be protected and to what extent and then implement policies based on those decisions. If you have highly sensitive information, clearly classify it so, limit who accesses it and how they access it.

    When I did defense work, classified systems sat on separate networks behind locked doors. Only those who knew the combinations to the locks and had electronic key cards with the right PINs could access the rooms. There were no connections from the machines to the outside world and in fact many rooms were RF shielded to prevent EM snooping. Cameras, iPods, thumb drives and USB watches were certainly not allowed in these rooms.

    I am not suggesting that all organisations need this kind of security but using separate physical networks, limiting physical access, and disallowing the presence of certain devices around these machines is not beyond the pale.
  • by AeroIllini ( 726211 ) <aeroillini@gm[ ].com ['ail' in gap]> on Tuesday December 06, 2005 @03:52PM (#14196121)
    Wow. This is a terrible article.

    From all the grammar mistakes, to the pointless buzzwords ("camsnuffling", "podslurping"), to the mention of how USB devices instantly give anyone access to any data on a computer, to the fact that "hackers" and "computer attackers" are mentioned several times when the data being taken is clearly being taken by employees who have access to it in the first place.

    And "Bluetooth" is apparently a USB storage device. Way to go.

    But in all seriousness, companies do have security issues regarding sensitive data leaving their computers in the hands of employees. How can these companies be sure that their data is secure while still maintaining access for the people who need it and not treating their employees like criminals?

    If I were Dell, or some other prebuilt Windows box company, I would offer a desktop computer with no external ports at all. No USB, no serial port, no floppy disk, no CD writer, no nothing. Just a hard drive and a network connection, and a DVD/CD-ROM drive. That way, companies can make all their data available over the internal network (c'mon, is setting up shared server space really *that* difficult?) and it's much harder to get the data out of the company. If the company is truly paranoid about people taking hard drives out of their desktops to take home with them, set up the computer with an encrypted file system which asks the main server for the passphrase every time the computer boots. If you're worried about people sending themselves things as attachments, then don't allow emails with attachments from your servers. If outside companies need access to sensitive data in order to do business with you, then set up a secure server for data exchange. No sweat.

    Precautions can be taken on the server side that make it very difficult for employees to steal sensitive data, but that still allow for efficient data flow within the company. And, of course, none of these ways will prevent anyone who is truly determined to get your data, but it will stop the casual stealers, and your chances of sensitive data getting out are much lower.
  • by Ph33r th3 g(O)at ( 592622 ) on Tuesday December 06, 2005 @03:53PM (#14196129)
    Cameras are potentially accountability, and thus potentially liability. They don't like anything taking pictures that could be evidence (except for their own cameras--with those, evidence could be "lost" or "inadvertently destroyed").
  • by xoip ( 920266 ) on Tuesday December 06, 2005 @03:56PM (#14196169) Homepage
    If companies are so concerned about data theft from the desktop access points go back to client/server and give people nothing more than a keyboard and monitor.
  • by databyss ( 586137 ) on Tuesday December 06, 2005 @03:59PM (#14196195) Homepage Journal
    The company I work at has much the same policy, except for the stamping of papers and clothing requirements (I think anyway, they don't bother employees as much as guests). All the employees here wear IDs around our necks, guests have the same thing. We don't feel like we're being treated as criminals. It makes us feel empowered.

    We understand that the work we do has a potential for security risks that need to be handled. You'd be a fool, in this industry, to have lax security. In the long run it's in the employees' interest to have very strict security. My job depends on it.
  • by harbichidian ( 803937 ) on Tuesday December 06, 2005 @04:04PM (#14196245)
    Military working facilities don't have janitors, they have people with less rank. ::withering smile::
  • PostIt now! (Score:5, Insightful)

    by mlush ( 620447 ) on Tuesday December 06, 2005 @05:14PM (#14197103)
    From TFA
    "Firstly, regularly change system passwords that employ both letters and numerals."

    ...resulting in a new security breach known as PostIt snatching

  • by Millard Fillmore ( 197731 ) on Tuesday December 06, 2005 @05:30PM (#14197273) Homepage Journal
    Anybody else agree that they're tired of flavor-of-the-moment words coined to describe this kind of thing? From the article, we get "camsnuffling" and my favorite: "podslurping." The recent "splogs" also comes to mind.
