Pod slurping threat to company data


A security researcher has warned how easy it is to copy vast numbers of confidential files using an iPod, a small copying program and some social engineering.

An intruder with physical access to an office could connect an iPod to several workstations and acquire 20,000 computer files in under an hour. The researcher dubs the technique "Pod slurping".

"I wrote a quick Python application (called slurp) to help automate the file copy process," said Abe Usher at Centreville, VA-based security consultancy Sharp Ideas. "Slurp searches for the 'C:\Documents and Settings\' directory on local hard drives, recurses through all of the subdirectories, and copies all document files."

He said he conducted experiments to test the viability of the program, and it took 65 seconds to copy all document files from his computer as a logged-in user using Slurp and an iPod. Even without login credentials, it didn't take much longer to copy files.

"Without a username and password I was able to use a boot CD-ROM to bypass the login password and copy the document files from my hard drive to my iPod in about 3 minutes 15 seconds," Usher added.

Once the files have been transferred from the iPod onto the intruder's own computer, the intruder can quickly search through them for confidential data using a desktop search tool.

He urged companies to restrict removable storage devices in the workplace and enforce strong physical security that prevents intruders from gaining access to information systems. He also said it was important to keep corporate data encrypted and on protected network shares rather than individual desktops.

Other experts warned that lax security policies could damage a company's reputation.

"Companies must wake up to the fact that allowing staff to use removable media devices in the workplace without adequate security and management can be a real security threat and this can impact massively on the integrity of the company and their business," said Martin Allen, MD of Pointsec UK.

