Sharp Ideas

Innovation, R&D, Future Technology

Sharp Ideas header image 1
Pod slurping

Buy the full (unrestricted) version of Slurp

Executive Summary This brief article explores an idea that has been known by the security community for decades: physical security is important to information system security. A year ago a report was published by the Gartner Group warning that iPods (and other multi-gigabyte portable storage devices) pose a security risk for enterprises.
I've created an application (slurp.exe) that demonstrates this concept. When the program is run from an iPod, it can very quickly copy data files off of a PC and on to an iPod. If you'd like to try slurp.exe for yourself, there is a reduced functionality version* available in the download section and some instructions on the howto page.

Background: the importance of information
In historical periods of the past the precious commodities used for trade included food, land, oil, and gold. The currency of the information age is the bit.** Of course a single bit of information may have no implicit value by itself. However, a collection of bits combined together forms a byte (8 bits), and bytes are the building block for all digital information that is stored, transmitted, and processed.

Information economies such as the United States gain competitive advantage in the global marketplace through their methods of creating, analyzing, and distributing information. Organizations that fail to protect their information resources do so at great peril. (An organization without a security plan isn't worth two bits!)
Digital music players: portable information storage
iPods and other portable storage devices are gaining popularity within the United States. More than 15 million iPods have been sold since Apple introduced its hip line of portable music players. According to the Apple Web site: "the original iPod remains the archetypical digital music player for Mac and PC. " The iPod and similar devices are essentially small hard-drives that can play music. Why focus on the iPod? (1) It has tons (30 Gigabytes) of storage space and (2) I have one and absolutely love it.

Case study: Pod slurping
The scenario
An unauthorized visitor shows up after work hours disguised as a janitor and carrying an iPod (or similar portable storage device). He walks from computer to computer and "slurps" up all of the Microsoft Office files from each system. Within an hour he has acquired 20,000 files from over a dozen workstations. He returns home and uploads the files from his iPod to his PC. Using his handy desktop search program, he quickly finds the proprietary information that he was looking for.***

Sound far fetched?

An experiment
I conducted an experiment to quantify approximately how long it takes to copy files from a PC to a removable storage device (iPod, thumbdrive, et cetera) if you have physical access. The quick answer: not very long.

I wrote a quick python application (slurp) to help automate the file copy process. Slurp searches for the "C:Documents and Settings" directory on local hard drives, recurses through all of the subdirectories, and copies all document files.

Using slurp.exe on my iPod, it took me 65 seconds to copy all document files (*.doc, *.xls, *.htm, *.url, *.xml, *.txt, etc.) off of my computer as a logged in user. Without a username and password I was able to use a boot CDROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds.

Countermeasures to portable storage devices
Security professionals that want to reduce risk of data theft by physical security breach have two general categories of options: policy based countermeasures and technology based countermeasures.

Policy based:
*Restrict removable storage devices in the workplace.
*Enforce strong physical security that prevents intruders from gaining access to information systems.

Technology based:
*Disable USB connections in system BIOS
* Use third party software to protect against unauthorized data disclosure
* Use encryption (such as Microsoft's encrypted file system) to maintain data confidentiality
* Keep corporate data on protected network shares rather than individual desktops.

Digital music players are great for playing music; however, they can also be used for other purposes. As widespread adoption of portable storage devices (iPods, thumbdrives, pendrives, et cetera) continues, organizations must have specific plans for protecting their digital assets.

* DO NOT use this application for nefarious purposes. Slurp.exe is my attempt to take the abstract notion that physical security is important and demonstrate it in a concrete manner. The version of slurplite.exe that is on this Web site is "crippleware" - it only works when a user is actively logged on to a computer and does not copy files, but rather creates a report of how many files it found and how long it would take to copy them.

** An old joke among computer scientists: there are 10 types of people in the world; those that understand binary math and those that do not.

*** Desktop search
In the past year several companies have produced free and low cost "desktop search" utilities to help users sift through large quantities of files. dtSearch, Google desktop search, copernic search, Yahoo search are just a few of an expanding class of Windows file search utilities.

**** The Register had an interesting story on a similar topic a while ago.