
IAP in VSJ
Archive
July 2005

Sounding Board

Robin Jones frets about security threats from apparently innocent sources.

Apple’s iPod has been causing a stir in numerous forums lately. There are the obvious concerns regarding P2P and DRM issues of course. But a more interesting question (to me, anyway) concerns its potential use in business espionage. iPods – and most other USB devices – are just, at root, more forms of external storage, so any quantity of unsecured data can be drained from organisations’ databases unless there are explicit mechanisms in place to stop it.

A recent report from Centennial Software suggests that almost 9 in 10 companies in the UK do not prevent such devices being connected to the corporate network. About a third do not think it’s a problem. Well, let’s consider an example drawn, so far as I know, from my imagination, not from real life.

Joe Flake works for Solid Homes Estate Agents. Fly-by-Night Estates has offered him a job at an inflated salary so long as he provides them with Solid Homes’ client list. Solid Homes uses digital cameras to snap houses for sale, so no one thinks it strange when Joe puts his employer-provided camera into the USB cradle. What they do not notice is that he is not uploading photos but downloading client data. He slips the memory card into his pocket and replaces it with a new one. Unfortunately, there is a hole in his pocket. As luck would have it, when it falls out, a client of Solid Homes picks it up. On discovering its contents, he is outraged to find his personal details available to all and sundry. He complains to the Information Commissioner. So what started as a piece of industrial espionage that probably would not have harmed Solid Homes much, given that its clients sign contracts that limit their future actions, has become, at the very least, a public relations disaster.

Yes, I know, the data could have been encrypted and, in an ideal world, would have been. But even then it only makes things a bit more difficult for Joe. He would have access to the data, if only record by record. So a few nights of ‘working late’ and feverish cutting and pasting would probably do the job for him. Ah, you say, plus ça change, 20 years ago he would have ‘worked late’ photocopying what he needed. True, but 20 years ago Solid Homes would not have had the Information Commissioner to deal with.

So… is it a problem? And if so what do we do about it? Answers on a postcard, please…
