Yottabytes: Storage and Disaster Recovery

Jun 13 2013   2:18PM GMT

Snowden NSA Case Points Up Security Flaws in Thumb Drives

Sharon Fisher

Whether you believe Edward Snowden is a traitor or a hero, one thing is clear: the federal government is still apparently clueless when it comes to thumb drive security.

Word is that Snowden — as well as Bradley Manning before him, three years ago — downloaded information onto a thumb drive that he’d smuggled in. “Apparently he’s got a thumb drive,” Sen. Saxby Chambliss (R-Ga.) said Tuesday in the New York Daily News. “He’s already exposed part of it and I guess he’s going to expose the rest of it.”

The thing is, what Snowden allegedly did could have been done just as easily by many other people. “You can walk out of a building with a Zip drive or a USB stick on the end of your keychain with all of the information that’s in that building and walk right out without sweating a bit or anybody noticing what you’re doing,” says Joel Brenner, former inspector for the National Security Agency, on NPR.

This is nothing new. As far back as Stuxnet, thumb drives have been implicated in all sorts of security issues, both bringing malware in and taking legitimate data out. A 2011 Ponemon study found all sorts of security issues around thumb drives.

Thumb drives have been banned from the Pentagon, including the NSA, since October, 2008, according to the LA Times. Oh goody. That should have solved the problem, because of course everyone obeys regulations, especially people who are about to blow the whistle on the country’s security agency, right?

Aside from the fact that there were always “exceptions” to the bans, especially for network administrators, look at it this way: there is no way that the NSA, or any other organization (including yours), is going to be able to keep people from smuggling in thumb drives. Even if thumb drives set off metal detectors (and I’m not sure they do), someone dedicated enough is going to find a way. (Let’s just say it’s a new meaning for “dark fiber” and leave it at that, shall we?)

Investigators are now saying they know how many documents Snowden allegedly downloaded and what server they came from, according to an official who would not be named while speaking about the ongoing investigation. Well, that’s very nice, but why didn’t they know that before he left the building?

“The federal government uses a variety of tools that could identify the activities of employees,” writes Eric Chabrow in BankInfoSecurity. “Those include keylogging software and computer logs that pinpoint staff members’ whereabouts and actions within federal IT systems and networks, sources familiar with the federal government’s security clearance systems say. But having the tools in place — and not all tools are used by all agencies at all times — doesn’t mean that the proper authorities are alerted in a timely manner to activities that could jeopardize the nation’s security.”

Chabrow went on to quote Robert Bigman, who retired last year after 15 years as the CIA’s CISO, who said the Defense Department and the intelligence community continually rejected the idea of using digital rights management tools to restrict access to specified content in order to secure intelligence reporting. “They need to re-evaluate that decision,” he says in the article. You think?

So the question is, what can you do to keep someone from using these smuggled-in thumb drives?

  • Do your computers have functioning USB slots?
  • Can someone plug something into one of these USB slots without being detected?
  • To what sort of data do people have access?
  • Can someone download that data onto a thumb drive without being detected?
  • Is that downloaded data unencrypted?

If any of these things are true in your organization, you, too, are vulnerable. And whistleblower, traitor, or run-of-the-mill thief, it won’t make a difference.

2  Comments on this Post

  • TomLiotta
    Any time a "download" is required, there must be a path between external storage and the PC/workstation device. A USB device wouldn't be required. By unplugging the Ethernet cable and plugging a network monitor 'in the middle', the result of a request could be recorded on one or more micro-SD cards. The traffic could be replayed later to determine what content came from a remote server. Even encrypted, there'd be a lot of potential time to decrypt, especially if the content was seen by the "user". Conceptual descriptions of content could give heuristic guidance to a decryption effort. In short, USB control isn't sufficient when other hardware can also be made to be very small and unobtrusive. (But USB clearly needs attention!) -- Tom
  • Michelle Greenlee
    It's amazing how this ultra-portable consumer convenience can mean the undoing of an entire organization.
