Whether you believe Edward Snowden is a traitor or a hero, one thing is clear: the federal government is still apparently clueless when it comes to thumb drive security.
Word is that Snowden — as well as Bradley Manning before him, three years ago — downloaded information onto a thumb drive that he’d smuggled in. “Apparently he’s got a thumb drive,” Sen. Saxby Chambliss (R-Ga.) said Tuesday in the New York Daily News. “He’s already exposed part of it and I guess he’s going to expose the rest of it.”
The thing is, what Snowden allegedly did could have been done just as easily by many other people. “You can walk out of a building with a Zip drive or a USB stick on the end of your keychain with all of the information that’s in that building and walk right out without sweating a bit or anybody noticing what you’re doing,” says Joel Brenner, former inspector for the National Security Agency, on NPR.
This is nothing new. As far back as Stuxnet, thumb drives have been implicated in all sorts of security issues, both bringing malware in and taking legitimate data out. A 2011 Ponemon study found all sorts of security issues around thumb drives.
Thumb drives have been banned from the Pentagon, including the NSA, since October, 2008, according to the LA Times. Oh goody. That should have solved the problem, because of course everyone obeys regulations, especially people who are about to blow the whistle on the country’s security agency, right?
Aside from the fact that there were always “exceptions” to the bans, especially for network administrators, look at it this way: there is no way that the NSA, or any other organization (including yours) is going to be able to keep people from smuggling in thumb drives. Even if they set off metal detectors (and I’m not sure they do), for someone dedicated enough, they’re going to find a way. (Let’s just say it’s a new meaning for “dark fiber” and leave it at that, shall we?)
Investigators are now saying they know how many documents Snowden allegedly downloaded and what server they came from,” according to an official who would not be named while speaking about the ongoing investigation. Well, that’s very nice, but why didn’t they know that before he left the building?
“The federal government uses a variety of tools that could identify the activities of employees,” writes Eric Chabrow in BankInfoSecurity. “Those include keylogging software and computer logs that pinpoint staff members’ whereabouts and actions within federal IT systems and networks, sources familiar with the federal government’s security clearance systems say. But having the tools in place — and not all tools are used by all agencies at all times — doesn’t mean that the proper authorities are alerted in a timely manner to activities that could jeopardize the nation’s security.”
Chabrow went on to quote Robert Bigman, who retired last year after 15 years as the CIA’s CISO, who said the Defense Department and the intelligence community continually rejected the idea of using digital rights management tools to restrict access to specified content in order to secure intelligence reporting. “They need to re-evaluate that decision,” he says in the article. You think?
So the question is, what is it you can do to keep someone from using this smuggled-in thumb drives?
- Do your computers have functioning USB slots?
- Can someone plug something into one of these USB slots without being detected?
- To what sort of data do people have access?
- Can someone download that data onto a thumb drive without being detected?
- Is that downloaded data unencrypted?
If any of these things are true in your organization, you, too, are vulnerable. And whistleblower, traitor, or run-of-the-mill thief, it won’t make a difference.