Dripping Data: Understanding and Reducing Insider Threat (Part VIII) - Phone Home + The Power of the PMP!

"Hey IT Guy, check out my cool phone! I can use it as a modem for my laptop! " Ever heard that from one of those end users? I'm sure you have. Sounds much better than "Check out my cool wireless bridge I've been using to exfil sensitive data out of our company! " No matter if you've got the latest sexy new phone or not....they should be considered dangerous. Let's look at some of the risks that cell phones present.

[Image: Nice Phone?]

  • Camera Ready: Most phones today have a built in camera. James Bond didn't even have that. He had to carry that ridiculous little camera with him. Not only will these new phones take some pretty decent pictures, they can also shoot video. We can certainly recall a certain blonde socialite's "party photos" being released to the public...but what about photos of your confidential docs? Or video of you at the Christmas Party.
  • Network Bridge: Some phones double as a cell modem, thus allowing you to bridge from your LAN to the Internet, all via a cell tower. There are some great solutions out there to prevent Rogue Wireless Access Points within a business, but what about Rogue Cell Networks? How the heck do you (legally) block cell traffic in your area? Now before I get 100 replies about using cellular network jammers.....which cost less than $200 and are available if you Google.....I mean Live Search....for them on the Internet, remember that deploying them within the U.S. is absolutely illegal according to the FCC. (Too bad....I see a need for them in movie theaters.)
  • Social Engineering tool: If someone approaches your building, talking on a cell phone, how many people in your company will interrupt them to ask for a badge? No one wants to interrupt the "VIP" on his cell. You need to!!! Remember, most people don't want to create any waves in the workplace. That shouldn't apply to you. If we didn't want you to create a stink for your workers, we never would have invented Group Policy Objects and Software Restriction Policies.
  • Blended Device: Is it a phone or a Portable Media Player (PMP)? Or a storage device? Or a small laptop? Today we can carry pictures, docs, music, and even applications on our phones. Phones are increasing their capacity to store data. Look at the storage capacity that exists in an SD Card!! Those things are really tiny and can easily be used to steal data.
  • Detonator: Sadly, many of the IEDs being seen in combat are being set off by cellular devices. This really is beyond the scope of addressing corporate espionage, but just remember that not everybody out there loves you or what it is you do.

Of course, as security folks, we need to think about these things. You could just mandate a "no cell phone on premises" policy....which would go over really well with your Sales team. However, that's exactly what a lot of government facilities do. Takes us back to one of the earliest questions: Does Risk = Reward? If the answer is No, then ban cell phones on site. You do still have landlines for dialing out, correct? If you think there is some value in having them (mobile workers, no phones in the server room, etc.) then modify the cell phone policy. Maybe only certain areas are to be dubbed as "No Cell Phone" areas. Think about your R&D Dept. Probably a good place to limit what and who goes in. Just a word to the wise: YOU CAN'T BAN CAMERAS AND STILL ALLOW CAMERA PHONES!! Makes sense, right? Remember also that many of the newer laptops are building cellular modems directly into the hardware. I know my Dell D820 has one. Might want to look at restricting those devices as well.

The Case of Mr. Bond and Acme Inc.

I read a great story the other day about someone using a cell phone in a very confidential business negotiation. Mr. Bond (not his real name) was in the market to purchase and take over a failing Acme Inc. Acme's Board of Directors realized that this was probably a good solution to their declining revenues. They decided to sell. They brought Mr. Bond into the Acme conference room to discuss the details of the merger. Things like what percentage would be sold, price per share, etc. After several long hours, they couldn't come up with a price. Mr. Bond asked if he could call his wife to cancel his dinner plans, since it appeared the discussion was going to take a while: "Hi honey...talks are good, but running long. I'll be home late again. Love you....goodbye." He hangs up and sets his phone down on the conference table. He then asks that the Acme Board of Directors decide on an acceptable sale price, while he excuses himself to use the restroom. He gets up and leaves.

The directors argue amongst themselves and decide that the absolute LEAST price they can accept is $3.5 million, but they'll be asking for about $8.4 million. They agree and Mr. Bond comes back in and he immediately offers $3.58 million. HOW IN THE HECK DID HE KNOW?!? Did he have Acme bugged?! The short answer is: Yes. He did.

You see, Mr. Bond is a shrewd man. While he pretended to call his wife, he actually called his co-worker and he never shut off his phone, leaving the connection open instead. (Of course, he first ensured that call waiting and sounds were disabled! You learn these things at Secret Squirrel School). He left his cell phone, with the open connection to his co-worker, Mr. Q, sitting quietly on the table transmitting every word. But how does Mr. Bond get the info? Simple, he carries a second cell phone...and he calls his co-worker on Mr. Q's office phone, and Mr. Q simply relays the entire conversation to him over the second cell phone!!! (Do not try this at home!)

That Slurping Sound You Don't Hear is Your Career Going Down the Toilet

"Pod Slurping". You've heard the term and can probably guess what it means. Portable Media Players (PMP). Zune. iPod. We all have one (or sadly......multiple ones). The iPod launched in 2001. By 2006, over 60 million units had been sold. IDC forecasts that by 2009, over 124 million portable players will be sold. They are great for keeping every CD I've ever owned available to listen to. With the advent of podcasts, like on TechNet Radio, we can also get audio tracks that specifically interest us. But is there a threat with these devices? Inherently, all PMPs are nothing more than a storage device.....and I'm talking a BIG storage device. The newest Zunes and iPods have a capacity of 80GB. Some of you don't even have that much room on the PC in your home. 80GB is a lot of data, as you can guess, but how much data is that in real terms?

The Filing Cabinet Analogy

Do you remember the old, gray 4-drawer filing cabinets? I came from the U.S. Army and they had them everywhere. File after file, drawer after drawer. (Contrary to what Napoleon said, the Army runs on its filing system....). A single gigabyte is equal to ten 4-drawer filing cabinets. That’s 40 drawers!! Time for some math....

Assume: A filing cabinet has four drawers, each 2 ½ feet long. A single file drawer holds 70 lbs, or about 7,000 docs/drawer. That’s 1,000 feet of filing drawers per Gigabyte (GB).......or 280,000 documents.

  • A 4GB USB thumbdrive = 4,000 feet of drawers….or 1.1 Million documents
  • The new iPod can hold 160GB…which is 160,000 feet of storage… or 44 Million documents! (That’s 30.3 miles of file drawers!)

Let's look at transfer rates...how long will it take to move that data in a perfect world? More and more data moving in shorter and shorter times.

  • 5.25” Floppy - 1.2 MB, Transfer Rate – 30 Kb /sec
  • 3.5” Floppy - 1.4 MB, Transfer Rate – 62.5 Kb /sec
  • Zip Disk - 100MB, Transfer Rate – 1 MB /sec
  • CD-ROM - 750MB, Transfer Rate – 7.62 MB /sec
  • USB 2.0 - 1 GB+, Transfer Rate – 60 MB /sec
  • Firewire 800 - 250GB+, Transfer Rate – 100 MB /sec

So if my math is correct (and it might not be....), then, assuming perfect network conditions, a LAN operating with minimal traffic, high spindle speeds on my hard disks, etc., let's see how long it will take to fill my 160GB USB 2.0 iPod with your classified data:

  • 160 GB PMP = 163,840 MB
  • ….transferring data over USB 2.0 @ 60 MB /sec
  • ….it might potentially take just over 45 minutes to walk out with 44 Million company documents!!! Nice!
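To make the filing-cabinet and transfer-rate arithmetic above reusable for your own device inventory, here is an added PowerShell estimator (not code from the original post). It assumes the post's own figures: 280,000 documents and 1,000 feet of drawers per GB, 1 GB = 1,024 MB, an ideal uncontended transfer at the rated speed, and that the floppy rates listed above are kilobytes per second.

```powershell
# Added example: per-medium "how fast can it walk out the door" estimate,
# built on the post's assumptions (not part of the original post).
$DocsPerGB = 280000   # post's figure: 40 drawers x 7,000 docs per GB
$FeetPerGB = 1000     # post's figure: feet of filing drawers per GB

function Get-ExfilEstimate {
    param(
        [Parameter(Mandatory)][string]$Medium,
        [Parameter(Mandatory)][double]$CapacityGB,
        [Parameter(Mandatory)][double]$RateMBps   # megabytes per second
    )
    $capacityMB = $CapacityGB * 1024            # 160 GB -> 163,840 MB, as in the post
    $seconds    = $capacityMB / $RateMBps
    [pscustomobject]@{
        Medium        = $Medium
        CapacityGB    = $CapacityGB
        RateMBps      = $RateMBps
        Documents     = [math]::Round($CapacityGB * $DocsPerGB)
        DrawerMiles   = [math]::Round($CapacityGB * $FeetPerGB / 5280, 1)
        MinutesToFill = [math]::Round($seconds / 60, 1)
    }
}

# Media from the post's tables (constructed input; floppy figures converted
# from MB / KB-per-second to GB / MB-per-second).
$media = @(
    @{ Medium = '3.5" Floppy';               CapacityGB = 1.4 / 1024; RateMBps = 62.5 / 1024 },
    @{ Medium = 'Zip Disk';                  CapacityGB = 100 / 1024; RateMBps = 1 },
    @{ Medium = 'CD-ROM';                    CapacityGB = 750 / 1024; RateMBps = 7.62 },
    @{ Medium = '4 GB thumbdrive (USB 2.0)'; CapacityGB = 4;          RateMBps = 60 },
    @{ Medium = '160 GB iPod (USB 2.0)';     CapacityGB = 160;        RateMBps = 60 },
    @{ Medium = '250 GB FireWire 800 drive'; CapacityGB = 250;        RateMBps = 100 }
)

$media |
    ForEach-Object { $p = $_; Get-ExfilEstimate @p } |
    Sort-Object MinutesToFill -Descending |
    Format-Table -AutoSize
```

For the 160 GB iPod row this reproduces the post's numbers: about 44.8 million documents, 30.3 miles of drawers, and roughly 45.5 minutes to fill over USB 2.0.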

Mitigating the Risk of Windows Portable Devices (WPD)

So how do we shut this nuisance down? We use the aforementioned GPOs that exist today. Have you seen the new GPO in Windows Vista which allows you to shut down the connection of various devices, including the WPD devices? Now the GPO explanation doesn't really tell you that WPD stands for Windows Portable Devices....but I'm telling you now. PMP = WPD. Simply turn it on and shut them down. Nice! Unfortunately, I've not heard of or seen any easy mechanism to shut down a cellular network card that lives on a machine, short of disabling the hardware or using an illegal cell jammer. I'd love to hear some suggestions if anyone has any experience in this area.
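Here is an added PowerShell example (not from the original post) that applies the Vista "Removable Storage Access" policy for WPD devices on a single machine and then audits it. It writes the same registry values the GPO sets (Computer Configuration > Administrative Templates > System > Removable Storage Access > "WPD Devices: Deny read access" / "Deny write access"); the two device-class GUIDs are the ones the policy template uses for WPD devices. It assumes an elevated session on a standalone box; in a domain, set the same policy in GPMC rather than writing the registry by hand.

```powershell
# Added example: block and audit Windows Portable Devices (phones, Zune, iPod)
# via the Removable Storage Access policy values. Not part of the original post.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs the policy template (RemovableStorage.admx) uses for WPD devices.
$WpdClasses = @(
    '{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'
)

function Set-WpdDenyPolicy {
    param([switch]$DenyRead, [switch]$DenyWrite)
    foreach ($class in $WpdClasses) {
        $key = Join-Path $PolicyRoot $class
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 1 = deny, 0 = allow; identical to what the GPO writes.
        Set-ItemProperty -Path $key -Name 'Deny_Read'  -Value ([int]$DenyRead.IsPresent)  -Type DWord
        Set-ItemProperty -Path $key -Name 'Deny_Write' -Value ([int]$DenyWrite.IsPresent) -Type DWord
    }
}

function Test-WpdDenyPolicy {
    # One row per WPD class: easy to eyeball, export, or compare across machines.
    foreach ($class in $WpdClasses) {
        $key   = Join-Path $PolicyRoot $class
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Class     = $class
            DenyRead  = [bool]($props.Deny_Read  -eq 1)
            DenyWrite = [bool]($props.Deny_Write -eq 1)
        }
    }
}

# Deny both directions: no copying company data onto a phone or PMP,
# and no pulling files off one either. Then verify the result.
Set-WpdDenyPolicy -DenyRead -DenyWrite
Test-WpdDenyPolicy | Format-Table -AutoSize
```

Running Test-WpdDenyPolicy on its own is a handy audit step: any class row showing False for either column means the PMP door is still open on that machine.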


NEXT TIME: Insider Threat continues with: "Oldies but Goodies... "