iPods frighten Abe Usher.
It's not that he has anything against Apple's portable media player, exactly -- he even owns one, and is quick to extol its virtues. But where most of us see an iPod as a repository for hours of musical entertainment, Mr. Usher sees a hiding place for thousands of company files, with which a smart thief can walk out of a building completely undetected.
Security consultants like Mr. Usher use the term "PodSlurping" to describe the way in which devices such as MP3 players, USB Flash drives or Sony Memory Sticks pose a risk to businesses and government agencies. Data theft tends to conjure up images of rogue programmers hacking into databases through the Internet, but PodSlurping suggests it can be much simpler and scarier than that.
With little technical expertise, almost anyone can plug one of these portable storage systems into a PC in an office, find what they're looking for on the network and download it while nobody's looking.
PodSlurping is the modus operandi for the inside job.
"Over the past 10 years, the majority of the people working in information security have had backgrounds in networking. As everyone got plugged into the Internet, when people thought of security, they thought of firewalls and access controls," says Mr. Usher, who is based in Arlington, Va. "Not all of these threats to companies exist outside of the corporate network."
Smaller businesses, which may not devote as many resources to IT security as their larger counterparts, could be particularly vulnerable to PodSlurping. It's not easy to keep track of who walks into an office building with an MP3 player, and most USB Flash drives are pretty small (they don't call them "thumb drives" or "keychain drives" for nothing).
Last year, Mr. Usher created a proof-of-concept software application called Slurp.exe that shows how easy it is to put PC files on an iPod. He recently followed it up with Slurp Audit, a tool that runs on portable storage devices and shows, once it has been plugged into a desktop, what kind of files could have been downloaded had a theft occurred.
Part of the problem, according to Mr. Usher, is that these devices plug into computers in a standard way. This makes them highly useful for connecting with each other (most laptops and PCs, for example, have a USB port), but it also makes the risk of PodSlurping that much higher.
"There are dishonest people in the world -- many of them work at many companies -- and these USB devices make it rather trivial to steal huge amounts of data," Mr. Usher says.
The threat of PodSlurping has opened up a new market for vendors around what's called "endpoint security." The products are usually software that makes sure users adhere to their company IT security policies. One such product, DeviceWall from Centennial Software of Portland, Ore., is designed to prevent the connection of unauthorized removable media devices to corporate PCs and laptops. It can block read/write access, for example, for anyone who does not have predefined authorization to download data. Securewave, of Luxembourg, offers a similar product called Sanctuary Device Control, designed to manage portable device access to desktops, tablets and laptops.
Although it's taking some time for awareness of the problem to spread to corporate decision makers, Centennial's vice-president of marketing, Brian McCarthy, says businesses are starting to earmark money for endpoint security in their annual budget cycles. "They're realizing they've pretty much covered the perimeter," he says. "I think 2005 was an educational year. It was the year they realized this is an issue."
