User: Password:
Subscribe / Log in / New account


Attack of the killer iPods

June 22, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

Apparently, the latest security threat to the enterprise is Pod slurping. Gartner recommended banning portable storage devices, including iPods, last year, but Abe Usher has taken it a step farther by providing a proof-of-concept application called slurp that could run off of an iPod or other portable storage device. Usher paints a scary scenario to put the fear of iPods in all of us:

An unauthorized visitor shows up after work hours disguised as a janitor and carrying an iPod (or similar portable storage device). He walks from computer to computer and "slurps" up all of the Microsoft Office files from each system. Within an hour he has acquired 20,000 files from over a dozen workstations. He returns home and uploads the files from his iPod to his PC. Using his handy desktop search program, he quickly finds the proprietary information that he was looking for.

A scary scenario indeed. We put slurp to the test, to see if it is indeed that quick and easy. Usher's slurp.exe runs off of the portable storage device and copies documents (including *.doc, *.xml, *.xls, *.txt and others) from the "C:\Documents and Settings\" directory onto the portable storage device. Since we didn't have a Windows-compatible iPod handy, we used a 512MB USB flash drive instead.

Indeed, slurp.exe works as advertised, searching the target computer (a Windows XP machine) and copying all Office documents from the target directory to the USB drive in less than a minute. (Admittedly, there were only a dozen or so, so target computers with hundreds of documents may take more time.) While testing, it also occurred to us that slurp could also provide a valuable legitimate use by allowing users to back up their Office documents to work on them at home. Note that Usher's slurp.exe is "crippled" to only allow a user that's logged in to copy documents, and maxes out at 200 files.

Usher calls for organizations to put several technology- and policy-based countermeasures in place to reduce the risk of data theft with portable devices. We agree with Usher that organizations with sensitive data should have strong physical security to prevent intruders from gaining access to systems. Usher's scenario - an unauthorized visitor snooping through the office unsupervised - shouldn't be allowed in any workplace that needs to enforce data security.

Restricting removable storage devices, however, may be much more difficult -- and ultimately futile, since they're easy to conceal and users with physical access to machines also probably have access to other means for sending sensitive information off-site: e-mail or uploading files to web-based storage, for example. Keeping unauthorized users away from systems is one thing, preventing a disgruntled employee from removing documents is another.

Usher's technical suggestions are also interesting. He suggests disabling USB connections in the system's BIOS, using encryption, keeping corporate data on protected network shares and using third-party applications like DeviceLock to lock down access to USB and other removable devices.

Administrators who wish to disable USB connections in the system bios will also need to password-protect the BIOS to prevent a user from simply re-enabling it. Use of encryption for sensitive data is certainly recommended, though training average PC users to actually utilize encryption may be more easier said than done.

Keeping data on network shares only works if there's a way to prevent the user from copying the data to the local PC or sending it off-site via the network. Third party apps like DeviceLock are only useful while a PC is running -- so a user who reboots the PC and uses a live CD of some kind is going to be able to bypass DeviceLock rather easily.

The possible abuses of portable storage devices like the iPod should be taken seriously. The ability to copy tens of gigabytes of data onto a pocket-sized device is certainly a threat to organizations with sensitive data to protect. However, it wouldn't pay to focus on portable storage devices alone. There are many, many ways that someone with physical access would be able to compromise an organization's security. Banning iPods and other storage devices, without a comprehensive security policy that covers other possible attacks, is likely to do nothing more than annoy employees.

Comments (21 posted)

New vulnerabilities

cacti: SQL injection and PHP file inclusion

Package(s):cacti CVE #(s):
Created:June 22, 2005 Updated:July 21, 2005
Description: Cacti (prior to version 0.8.6e) suffers from vulnerabilities which can lead to SQL injection and (on some systems) execution of arbitrary PHP files.
Debian DSA-764-1 cacti 2005-07-21
Gentoo GLSA 200506-20:02 cacti 2005-06-22
Gentoo GLSA 200506-20:02 cacti 2005-06-22
Gentoo 200506-20:02 cacti 2005-06-22
Gentoo 200506-20 cacti 2005-06-22

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute.
Mandriva MDKSA-2005:237 cpio 2005-12-23
Red Hat RHSA-2005:806-01 cpio 2005-11-10
Debian DSA-846-1 cpio 2005-10-07
Ubuntu USN-189-1 cpio 2005-09-29
Red Hat RHSA-2005:378-01 cpio 2005-07-21
Mandriva MDKSA-2005:116-1 cpio 2005-07-19
Mandriva MDKSA-2005:116 cpio 2005-07-11
Trustix TSLSA-2005-0030 cpio, 2005-06-24
Gentoo 200506-16 cpio 2005-06-20

Comments (1 posted)

Java: applet privilege escalation

Package(s):sun-jdk sun-jre blackdown-jdk blackdown-jre CVE #(s):
Created:June 20, 2005 Updated:June 22, 2005
Description: Both Sun's (v < and Blackdown's (v < JDK and JRE may allow untrusted applets to elevate privileges. A remote attacker could embed a malicious Java applet in a web page and entice a victim to view it. This applet can then bypass security restrictions and execute any command or access any file with the rights of the user running the web browser.
SuSE SUSE-SA:2005:032 java2 2005-06-22
Slackware SSA:2005-170-01 sun-jre 2005-06-19
Gentoo 200506-14 sun-jdk 2005-06-19

Comments (none posted)

PeerCast: format string vulnerability

Package(s):peercast CVE #(s):
Created:June 20, 2005 Updated:June 21, 2005
Description: James Bercegay of the GulfTech Security Research Team discovered that PeerCast (v < 0.1212) insecurely implements formatted printing when receiving a request with a malformed URL. A remote attacker could exploit this vulnerability by sending a request with a specially crafted URL to a PeerCast server to execute arbitrary code.
Gentoo 200506-15 peercast 2005-06-19

Comments (none posted)

ruby: arbitrary command execution

Package(s):ruby CVE #(s):CAN-2005-1992
Created:June 21, 2005 Updated:October 6, 2005
Description: Ruby (versions < 1.8.2) is vulnerable to arbitrary command execution on XMLRPC servers.
Gentoo 200510-05 ruby 2005-10-06
Red Hat RHSA-2005:543-01 ruby 2005-08-05
Mandriva MDKSA-2005:118 ruby 2005-07-12
Gentoo 200507-10 ruby 2005-07-11
Debian DSA-748-1 ruby 2005-07-10
Ubuntu USN-146-1 ruby1.8 2005-06-29
Fedora FEDORA-2005-475 ruby 2005-06-22
Fedora FEDORA-2005-474 ruby 2005-06-22

Comments (none posted)

SpamAssassin: denial of service

Package(s):spamassassin CVE #(s):CAN-2005-1266
Created:June 17, 2005 Updated:July 28, 2005
Description: SpamAssassin 3.0.4 was released to fix a denial of service vulnerability in versions 3.0.1, 3.0.2, and 3.0.3. The vulnerability allows certain mis-formatted long message headers to cause spam checking to take a very long time.
OpenPKG OpenPKG-SA-2005.015 spamassassin 2005-07-28
Debian DSA-736-2 spamassassin 2005-07-07
Gentoo 200506-17:02 spamassassin 2005-06-21
Debian DSA 736-1 spamassassin 2005-07-01
Mandriva MDKSA-2005:106 spamassassin 2005-06-28
Red Hat RHSA-2005:498-01 spamassassin 2005-06-23
SuSE SUSE-SA:2005:033 spamassassin 2005-06-22
Gentoo 200506-17 spamassassin 2005-06-21
Fedora FEDORA-2005-428 spamassassin 2005-06-16
Fedora FEDORA-2005-427 spamassassin 2005-06-16

Comments (none posted)

SquirrelMail: several XSS vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2005-1769
Created:June 21, 2005 Updated:September 16, 2005
Description: Several cross site scripting (XSS) vulnerabilities have been discovered in SquirrelMail versions 1.4.0 - 1.4.4.
Fedora-Legacy FLSA:163047 squirrelmail 2005-09-14
Fedora FEDORA-2005-780 squirrelmail 2005-08-22
Fedora FEDORA-2005-779 squirrelmail 2005-08-22
Red Hat RHSA-2005:595-02 squirrelmail 2005-08-05
Red Hat RHSA-2005:595-01 squirrelmail 2005-08-03
Debian DSA-756-1 squirrelmail 2005-07-13
Mandriva MDKSA-2005:108 squirrelmail 2005-06-30
Gentoo 200506-19 squirrelmail 2005-06-21

Comments (none posted)

sudo: race condition

Package(s):sudo CVE #(s):CAN-2005-1993
Created:June 21, 2005 Updated:February 24, 2006
Description: Charles Morris discovered a race condition in sudo which could lead to privilege escalation. If /etc/sudoers allowed a user the execution of selected programs, and this was followed by another line containing the pseudo-command "ALL", that user could execute arbitrary commands with sudo by creating symbolic links at a certain time.
Fedora-Legacy FLSA:162750 sudo 2006-02-23
Debian DSA-735-2 sudo 2005-07-07
Debian DSA 735-1 sudo 2005-07-01
Red Hat RHSA-2005:535-04 sudo 2005-06-29
SuSE SUSE-SA:2005:036 sudo 2005-06-24
OpenPKG OpenPKG-SA-2005.012 sudo 2005-06-23
Gentoo 200506-22 sudo 2005-06-23
Slackware SSA:2005-172-01 sudo 2005-06-22
Mandriva MDKSA-2005:103 sudo 2005-06-21
Fedora FEDORA-2005-473 sudo 2005-06-21
Fedora FEDORA-2005-472 sudo 2005-06-21
Ubuntu USN-142-1 sudo 2005-06-21

Comments (none posted)

Tor: information disclosure

Package(s):tor CVE #(s):
Created:June 21, 2005 Updated:August 25, 2005
Description: A bug in Tor allows attackers to view arbitrary memory contents from an exit server's process space. A remote attacker could exploit the memory disclosure to gain sensitive information and possibly even private keys.
Gentoo 200508-16 tor 2005-08-25
Gentoo 200506-18 tor 2005-06-21

Comments (none posted)

trac: file upload vulnerability

Package(s):trac CVE #(s):
Created:June 22, 2005 Updated:July 6, 2005
Description: Versions of trac prior to 0.8.4 suffer from an input validation error which can lead to the uploading of files to undesired locations on the host system.
Debian DSA-739-1 trac 2005-07-06
Gentoo 200506-21 trac 2005-06-22

Comments (none posted)

webapp-config: insecure temporary file handling

Package(s):webapp-config CVE #(s):
Created:June 17, 2005 Updated:June 21, 2005
Description: Eric Romang discovered webapp-config < 1.11 uses a predictable temporary filename while processing certain options, resulting in a race condition.
Gentoo 200506-13 webapp-config 2005-06-17

Comments (none posted)

Page editor: Jonathan Corbet
Next page: Kernel development>>

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds