
NSA Develops USB Storage Device Detector

kdawson posted more than 4 years ago | from the don't-bogart-that-thumb-drive dept.

Security 233

Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."


233 comments


In other news... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31838316)

The NSA also developed a detector strong enough to detect CmdrTaco's micropenis. Even the strongest of electron microscopes had been previously unable to resolve it.

Re:In other news... (1)

MobileTatsu-NJG (946591) | more than 4 years ago | (#31838788)

I suppose it's a coincidence that you posted that around lunch-time.

Re:In other news... (1)

PsyciatricHelp (951182) | more than 4 years ago | (#31839210)

Um. esata? Firewire?

Wow. (4, Funny)

jgreco (1542031) | more than 4 years ago | (#31838332)

Wow. Clever. Nobody ever thought of that before.

Re:Wow. (4, Insightful)

Itninja (937614) | more than 4 years ago | (#31838424)

No kidding. I seem to remember using some open-source utility that did exactly this like 5 years ago.

Re:Wow. (0)

Crudely_Indecent (739699) | more than 4 years ago | (#31838930)

Why would the government spend a few of their citizens' dollars for an existing tool when they can take and spend millions of their citizens' dollars? They're not playing with their own money.

Remember, if they don't use all of their budget, it'll be reduced next year. They need to show budget shortfalls in order to justify a request for budget increase.

Re:Wow. (2, Insightful)

Darkinspiration (901976) | more than 4 years ago | (#31839028)

Because they want to integrate it with their security suite or their logging solution, because they have over 9000 machines using it. If they want to spend the budget they could buy fancy new chairs instead of wasting programmer and consulting time coding an app. Don't forget that government is big and app deployment, monitoring and security is not free.

-1 Troll (2, Insightful)

c++0xFF (1758032) | more than 4 years ago | (#31839424)

Oh, please. Like nobody else has ever created duplicate software before.

Yes, there are probably other utilities that do this. Maybe the NSA was unaware of them. Maybe they were incompatible with their legacy tools or infrastructure. Maybe they didn't do what the NSA needed.

And even then, sometimes it's worth a rewrite, just to make things better.

Re:Wow. (2)

BJ_Covert_Action (1499847) | more than 4 years ago | (#31838798)

Seriously, I just dropped Puppy Linux on an old laptop of mine and one of the first packages I installed, that was freely available in the repositories, did exactly this. Hell, I could pipe the output from that utility into a perl script that popped up a big red box on the network admin's display if the state changes.

For that matter, you could probably homebrew a shell script that monitors the /dev files on your systems and reports usb usage. I like how some of our tax dollars fund bloated agencies to come up with solutions that unshaven hackers in their mom's basements figured out years ago.

Re:Wow. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31838874)

I like how some of our tax dollars fund bloated agencies to come up with solutions that unshaven hackers in their mom's basements figured out years ago.

Because clearly the NSA started numbering this program at 3.0 just for the hell of it.

Re:Wow. (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31839230)

Wow.

You're a goddamn faggot.

That's a storm of fucking insight you've got right there.

Arms race anyone? (3, Insightful)

TheCarp (96830) | more than 4 years ago | (#31838346)

"USB Detect detects the use of removable drives"
"Shadow Drive evades detection by the following products"
"Latest USB Detect detects Shadow Drive use!"
"New ShadowDrive 2.0!"

Shit, the parent company of both products could make a killing! Hey wait a minute, is this another lame attempt to bring money in off the books for illegal ops?

-Steve

Re:Arms race anyone? (5, Funny)

swanzilla (1458281) | more than 4 years ago | (#31838522)

"USB Detect detects the use of removable drives"
"Shadow Drive evades detection by the following products"
"Latest USB Detect detects Shadow Drive use!"
"New ShadowDrive 2.0!"

A strange game. The only winning move is not to boot Windows.

Re:Arms race anyone? (2, Informative)

tomhudson (43916) | more than 4 years ago | (#31838854)

A strange game. The only winning move is not to boot Windows.

Or plug it in before booting ... since it detects drives as they are plugged in and unplugged.

Or boot linux off it, and load Windows in a vm if you really really need windows.

Re:Arms race anyone? (4, Insightful)

History's Coming To (1059484) | more than 4 years ago | (#31839234)

Or tinker with a soldering iron and $20 of components so a big flashing light goes off as soon as a USB device is detected? Or monitor the power supply on the motherboard (software independent)? Or do what my workplace does....if you're that worried, don't have USB ports or fill them with epoxy and/or physically cut the connections.

Re:Arms race anyone? (0)

Anonymous Coward | more than 4 years ago | (#31838950)

More like: Hey EVERYONE! We discovered the command: dmesg | less !!!

Re:Arms race anyone? (1)

jaavaaguru (261551) | more than 4 years ago | (#31839034)

We did that. Now where's my Linux version of USB Detect please?

Re:Arms race anyone? (1)

neonv (803374) | more than 4 years ago | (#31838626)

"NSA Slashdotter Develops USB Storage Device Detector Trigger"

Runs as a service to drive you local network admin nuts!

Re:Arms race anyone? (1)

poena.dare (306891) | more than 4 years ago | (#31839316)

I've seen a number of PCs with a universal flash card/stick reader that is itself a USB device similar to a flash drive. I'll bet those things are gonna set off all the alarms.

You can send a ton of data to a device mimicking a Logitech G15 Keyboard, I would think.

Kinda silly I think, but I'm sure this will get very serious treatment in all sorts of pseudo-IT-security mags and blogs. Once again, I'm in the wrong goddammed business!

Re:Arms race anyone? (5, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31838730)

It'll be a pretty short race, for all but a fairly dedicated hard-core.

In order for the USB device to do anything, the host OS has to load the appropriate driver. Until it does so, you aren't getting anything other than 100 mA at 5 V (higher amperages quite possible, depending on the situation).

Getting the OS to load a driver without noticing that it has loaded a driver (and without the benefit of exploit code, since you don't get to access that until the drive is mounted) would be quite a trick. Assuming this monitoring software isn't completely braindead, the fact that a USB mass storage device has been inserted, along with any interesting ID strings, will already have been sent to a monitoring server before your filesystem is even mounted. Any tampering you do at that point will just introduce suspicious discrepancies.

Now, there is (for instance, I'm sure the suitably creative can think of others) nothing stopping a truly dedicated exfiltrator from obtaining the USB device and vendor IDs and so forth for the brand of keyboard used at that particular establishment, then building a USB device (using one of the common and inexpensive USB-capable microcontrollers) that presents exactly those IDs, and is thus detected as a USB-HID keyboard, rather than a USB-MSC device. They could then use the fact that the keyboard LEDs are under software control as a method of getting data off the system. At least on a Unix-like, anybody with some basic script-fu could probably be piping arbitrary files off the system with xset led in about 10 minutes. Your custom USB device would have a slab of flash, which it would fill according to the LED commands it received. I don't know if there is anything equivalent on Windows.

Using tricks like that, you could probably get something of an arms race going (though, still, anything that involves doing suspicious program/script execution is going to get your ass busted in any reasonably paranoid environment); but for USB MSC stuff, it is only the pure apathy of the administration, or the fact that they recognize that mass storage devices are extremely convenient and beloved by users, that lets you get away with it.
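The LED channel sketched in the comment above, as an added example that is not the commenter's code and not anything from the NSA tool: the host side turns bytes into keyboard LED states (what `xset led N` / `xset -led N` would set), and the device side, the fake keyboard, reconstructs the bytes from the LED output reports it receives. Scroll Lock is used as a clock so the receiver knows when a new 2-bit symbol is valid; the xset LED numbering (Num=2, Caps=1, Scroll=3) is an assumption that depends on the X keymap and is only used to print the commands, nothing here touches a real display.

```python
"""Simulated keyboard-LED covert channel: host encoder, HID-device decoder.
Hypothetical example, not code from the original page or from the NSA tool."""

# Bit positions in the HID keyboard LED output report (Num Lock, Caps Lock,
# Scroll Lock). Scroll Lock is the clock; Num and Caps carry the data.
NUM, CAPS, SCROLL = 0, 1, 2


def encode(data: bytes) -> list[int]:
    """Host side. Each clock transition delivers 2 data bits, so one byte
    costs four LED updates (most significant bit pair first)."""
    states = []
    clock = 0
    for byte in data:
        for shift in (6, 4, 2, 0):
            pair = (byte >> shift) & 0b11
            clock ^= 1  # flip the clock for every new symbol
            states.append((pair & 1) << NUM | (pair >> 1) << CAPS | clock << SCROLL)
    return states


def decode(reports: list[int]) -> bytes:
    """Device side. Sample the data LEDs only when the clock LED flips, so a
    repeated report or an unchanged state between edges is not a new symbol."""
    bits = []
    last_clock = 0
    for report in reports:
        clock = (report >> SCROLL) & 1
        if clock == last_clock:
            continue
        last_clock = clock
        bits.append(((report >> CAPS) & 1) << 1 | (report >> NUM) & 1)
    out = bytearray()
    # Drop a trailing incomplete byte (fewer than four symbols).
    for i in range(0, len(bits) - len(bits) % 4, 4):
        out.append(bits[i] << 6 | bits[i + 1] << 4 | bits[i + 2] << 2 | bits[i + 3])
    return bytes(out)


def xset_commands(states: list[int], led_numbers=(2, 1, 3)) -> list[str]:
    """Render the xset invocations the host would run, emitting only the LEDs
    that change between consecutive states. led_numbers maps (Num, Caps,
    Scroll) to xset LED indices; this mapping is an assumption."""
    cmds = []
    prev = 0
    for report in states:
        for bit, led in zip((NUM, CAPS, SCROLL), led_numbers):
            if ((report ^ prev) >> bit) & 1:
                on = (report >> bit) & 1
                cmds.append(f"xset {'' if on else '-'}led {led}")
        prev = report
    return cmds


if __name__ == "__main__":
    payload = b"secret"  # constructed sample input
    led_states = encode(payload)
    print(f"{len(led_states)} LED updates for {len(payload)} bytes")
    print("\n".join(xset_commands(led_states)[:8]))
    assert decode(led_states) == payload
```

The clock is what makes the channel reliable rather than fast: at two data bits per LED update, whatever rate the host can push LED reports at is the bit rate divided by two, and the receiver never has to guess whether a repeated report is a new symbol or the old one. That is also the detection angle: the channel produces a stream of LED output reports on a "keyboard" with no key presses, which a USB-level monitor could flag even though no mass-storage driver ever loads.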

3.0? (2, Insightful)

Itninja (937614) | more than 4 years ago | (#31838356)

"The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool"
So if this is 3.0 can I assume they have had the tool for some time? Why are they bothering to tell anyone at this point?

Re:3.0? (1)

batquux (323697) | more than 4 years ago | (#31838390)

They aren't. Someone leaked it.

Re:3.0? (3, Funny)

Hognoxious (631665) | more than 4 years ago | (#31838470)

They're actully running version 4.0, but don't tell anyo!7*0 ,.;
lno carrier

Re:3.0? (2, Insightful)

CorporateSuit (1319461) | more than 4 years ago | (#31838962)

So if this is 3.0 can I assume they have had the tool for some time. Why are bothering to tell anyone at this point?

Check out the comments on this article. They just need a quick dredger to go through and find out what additional security measures need to be programmed into 4.0. No need to do their own research, since they have a million know-it-alls at slashdot happy to tell them how they'd hack the NSA if they were to do it via thumbdrive.

Too easy to circumvent (3, Insightful)

dave562 (969951) | more than 4 years ago | (#31838374)

It relies on information from the OS. The OS is too easy to circumvent. For example, it doesn't report on whether or not the system has been booted from a USB device. Given that they are the NSA, maybe they have the luxury of making the assumption that USB boot is disabled and the BIOS is password protected?

Re:Too easy to circumvent (2, Interesting)

fatalwall (873645) | more than 4 years ago | (#31838824)

I looked into making a viable product like this a while back. You run into too many issues.

First you have to set up the BIOS on all machines to prevent booting off any device other than the hard disk.

Then you have to password the BIOS.

Then you need to put a physical lock on the computer to prevent someone from opening the case and resetting the BIOS.

If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you need USB drives?

Your best bet is controlling the hardware. Making sure the machines do not have USB ports or CD-ROMs. If you can't get them without the USB port then you could insert locks into them of some sort that to remove requires specialized equipment and a code.

Re:Too easy to circumvent (1)

armanox (826486) | more than 4 years ago | (#31839078)

Or just bend the pins on the USB ports...

Re:Too easy to circumvent (1)

daremonai (859175) | more than 4 years ago | (#31839456)

Or just shoot all the users and get it over with.

Re:Too easy to circumvent (3, Interesting)

Bakkster (1529253) | more than 4 years ago | (#31839360)

If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you need usb drives.

This is almost certainly aimed at preventing classified information leaks. Machines with classified information are not connected to any network containing unclassified machines, and definitely not the internet. Even if it were connected, sending that e-mail leaves a record of the transmission, meaning the spy can be easily identified.

USB drives are the most likely way to get info off a classified machine, which is precisely why they're forbidden. There is no legitimate occasion where a USB drive is needed in this case.

Impervious (2, Insightful)

blair1q (305137) | more than 4 years ago | (#31838376)

...because the Windows Registry is a secure source of information...

Re:Impervious (1)

HarrySquatter (1698416) | more than 4 years ago | (#31838608)

Because it's not trivially easy to prevent people from modifying the registry? Oh wait it is.

Re:Impervious (1)

nurb432 (527695) | more than 4 years ago | (#31838680)

But if you monitor in real time, then by the time you can edit the registry you have already been busted.

Re:Impervious (1)

MobyDisk (75490) | more than 4 years ago | (#31839290)

A non-administrative user could not delete those registry keys.

lsusb (0)

Anonymous Coward | more than 4 years ago | (#31838378)

Hi. I seem to have that installed on my computer already. I just typed lsusb (and then I pressed the return key) and up popped:
Bus 008 Device 003: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
Bus 008 Device 002: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
....Those CIA/NSA guys are tricky, aren't they?

Re:lsusb (1)

jdunn14 (455930) | more than 4 years ago | (#31838518)

So you're one of those "network is the computer" guys or you misread/didn't read either of the first two sentences of the summary... I'm gonna go with "didn't read" on this one.

Flaw? (1)

Superdarion (1286310) | more than 4 years ago | (#31838380)

Won't it work with Linux or OSX? Or does the NSA run completely on -gulp- windows?

Re:Flaw? (1)

Mojo66 (1131579) | more than 4 years ago | (#31838458)

The title should read "NSA Develops USB Storage Device Detector for Windows"

Or even better:

"NSA Develops USB Storage Device Detector for declining Operating System"

Re:Flaw? (0, Troll)

HarrySquatter (1698416) | more than 4 years ago | (#31838492)

"NSA Develops USB Storage Device Detector for declining Operating System"

I thought the story was about Windows not Linux.

Re:Flaw? (1)

Superdarion (1286310) | more than 4 years ago | (#31838594)

I thought the story was about Windows not Linux.

The problem is that now if you want to get into NSA's network (being an employee, I mean), you will HAVE to run Windows. Linux and OSX will be seen as security flaws because their program doesn't run in them. Now you have the NSA forcing all its employees that want access to the network to run Windows.

Re:Flaw? (1, Interesting)

HarrySquatter (1698416) | more than 4 years ago | (#31838726)

The problem is that now if you want to get into NSA's network (being an employee, I mean), you will HAVE to run Windows.

Says who?

Linux and OSX will be seen as security flaws because their program doesn't run in them.

By whom? And with what evidence do you say so?

Now you have the NSA forcing all its employees that want access to the network to run Windows.

Really? Care to cite the exact policy where they have done so? And by "the network" what network are you referring to? If you say the Internet then you are really highlighting that you know jack and shit what you are talking about.

Re:Flaw? (1)

grub (11606) | more than 4 years ago | (#31838750)


I thought the story was about Windows not Linux.

Didn't you hear? This is the year of Linux on the desktop with thumb drives!

Re:Flaw? (1)

HarrySquatter (1698416) | more than 4 years ago | (#31838806)

My bad. The many announcements that 20xx is the Year of the Linux Desktop just sort of run together anymore.

Re:Flaw? (1)

tomhudson (43916) | more than 4 years ago | (#31839004)

My bad. The many announcements that 20xx is the Year of the Linux Desktop just sort of run together anymore.

Ignore them. Unfortunately, it will never happen, for the simple reason that the average user is lazy, brain-dead, and thinks Windows is the computer.

And her boss is even worse.

It's not even a question of there being "too much choice". The vast majority don't care. They're used to crap. Take it away from them and they're lost. They'd rather click through 10 screens to hit-or-miss change some setting rather than type a command. That's "too complicated."

And don't believe that devs are any different. The majority of users on slashdot run windows.

People looking for an alternative already have one - another proprietary system, even MORE locked-in.

The only thing that will happen is that linux will continue to make inroads where the consumer doesn't see it as an operating system, or just doesn't see it - smart phones, servers, data appliances, controllers, etc. The desktop - the desktop is lost. People aren't going to switch from the "free" copy of windows that came with their computer.

Re:Flaw? (0)

Anonymous Coward | more than 4 years ago | (#31839466)

People looking for an alternative already have one - another proprietary system, even MORE locked-in.

Presumably this is supposed to be a swipe at OS X. When will you slashtards realize that OS X is way less locked down than windows? Yes, iPhone and iPad are locked down -- but Macs running OS X are much more free than anything Microsoft offers. And no, it won't change anytime soon. I understand that some of you people find knee-jerk bashing to be "witty" and "satisfying", but believe me -- you just make yourselves look like the uninformed lusers you really are.

/rant

Re:Flaw? (0)

Anonymous Coward | more than 4 years ago | (#31839394)

"NSA Develops USB Storage Device Detector for declining Operating System"

I thought the story was about Windows not Linux.

You apparently didn't get the memo that 2010 is the Year of Desktop Linux

Re:Flaw? (0)

Anonymous Coward | more than 4 years ago | (#31838526)

Why does it matter? Most of their computers aren't even connected to the internet.

Re:Flaw? (0)

Anonymous Coward | more than 4 years ago | (#31838634)

^This.

Re:Flaw? (0)

Anonymous Coward | more than 4 years ago | (#31838642)

You'd think if the entire NSA ran on Windows that /.'ers could withhold their pride for once. But nope, they would only think themselves smarter than NSA employees.

Re:Flaw? (1)

Superdarion (1286310) | more than 4 years ago | (#31838686)

Fool! You thought you could insult /.'ers and not be modded down?

You can't fight the system, man.

Re:Flaw? (0)

Anonymous Coward | more than 4 years ago | (#31838974)

That's what you think. If you mod me down, I shall become more powerful than you could possibly imagine. -AC

Re:Flaw? (1, Troll)

WindowlessView (703773) | more than 4 years ago | (#31838860)

does the NSA run completely on -gulp- windows?

You can rest assured that of all of the organizations on the planet this is one that will never be using Windows for its core mission. The tool is for the defense department dweebs, contractors, secretaries, suits, etc., where you expect to find Windows.

It doesn't detect network-connected USB (0)

Anonymous Coward | more than 4 years ago | (#31838386)

it detects WINDOWS-connected USB storage. If I plug my USB storage key into my Cisco router or HP Procurve switch's USB plug, it won't detect it.
If I plug my USB key into my Linux box... it won't detect it. If I plug my USB key into my OS X box, it won't detect it.
what's the point?

Re:It doesn't detect network-connected USB (0)

Anonymous Coward | more than 4 years ago | (#31838710)

since when have procurve switches had usb ports?

Re:It doesn't detect network-connected USB (1)

EnigmaticSource (649695) | more than 4 years ago | (#31838912)

My jumpdrive happily fits into that internet hole on the HP swatch thing... never could get it to read though.
(No... I really don't miss late 90's tech support)

Re:It doesn't detect network-connected USB (1)

NotBornYesterday (1093817) | more than 4 years ago | (#31838952)

Well, I'm no expert, but at least since 2007 [google.com] or so. Although if you were right, I'd have to admit that it's hard to detect a USB key without a USB port.

Re:It doesn't detect network-connected USB (0)

Anonymous Coward | more than 4 years ago | (#31839090)

Well, no f'ing shit. As it's Windows only it kind of makes sense. But do you work for the NSA and have the ability to use a Linux or OSX client? Otherwise it's kind of pointless to comment like that. And "network-connected USB", as far as I know that isn't even a thing so I'm guessing that's Samba, HTTP, FTP or some other protocol, and I'd think anyone'd see the clear security flaw having one of those easily accessible...

Useless Tool... (4, Informative)

Manip (656104) | more than 4 years ago | (#31838430)

Since you can set the security policy on a domain to ban USB and External devices, and since you can also unplug a machine from the network this tool seems to serve little to no real world purpose. It might inform you after the fact if a device has been plugged in or heck even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.

Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.

Re:Useless Tool... (5, Informative)

ironicsky (569792) | more than 4 years ago | (#31838524)

Agreed. You can either change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and/or deny anyone who is not an admin access to the following files in the NTFS %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf and they won't be able to mount a USB drive... Password protect the BIOS and disable the USB storage there too.

Of course this only works for Windows; Linux users and Mac users can simply be denied access to the device chain in /dev/
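The summary says the NSA tool "gathers data from the registry on Microsoft Windows machines" to report which USB storage devices have been connected, and the comment above names the UsbStor service key that is flipped to block the driver. Below is an added example, written for this page and not the NSA's or the commenter's code, that does both against a registry export: it parses the `Enum\USBSTOR` instance keys Windows leaves behind for every mass-storage device ever attached (vendor, product, revision and instance ID, with the FriendlyName value) and reads the `Services\UsbStor` Start value to say whether the driver is disabled. The export text is constructed sample data, not taken from any real machine; on a live host the same text comes from `reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg` (reg.exe writes UTF-16, so open it with `encoding="utf-16"`).

```python
"""Report USB mass-storage history and UsbStor driver state from a
`reg export` text dump. Hypothetical example, not code from the NSA tool."""
import re
from dataclasses import dataclass

# Constructed sample export (not real data). The first device carries a real
# hardware serial; the second has no serial, so Windows generated its instance
# ID, which is recognisable by the '&' in the second character position.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]
"Start"=dword:00000003
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230612117091&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
"Class"="DiskDrive"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
USBSTOR_RE = re.compile(r"\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)
USBSTOR_SERVICE_RE = re.compile(r"\\Services\\UsbStor$", re.IGNORECASE)


def _decode_value(raw: str):
    """Decode the common .reg value encodings; binary blobs are kept as text."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg_export(text: str) -> dict[str, dict]:
    """Map each [key] to its name -> value dict."""
    reg: dict[str, dict] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            reg.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            reg[current][m.group(1)] = _decode_value(m.group(2))
    return reg


@dataclass
class UsbStorDevice:
    vendor: str
    product: str
    revision: str
    instance_id: str
    friendly_name: str
    serial_from_hardware: bool  # False when Windows made up the instance ID


def usbstor_devices(reg: dict[str, dict]) -> list[UsbStorDevice]:
    """One record per Enum\\USBSTOR\\<device-class>\\<instance> key."""
    devices = []
    for key, values in reg.items():
        m = USBSTOR_RE.search(key)
        if not m:
            continue
        # Device class looks like Disk&Ven_X&Prod_Y&Rev_Z; spaces became '_'.
        fields = dict(p.split("_", 1) for p in m.group(1).split("&") if "_" in p)
        inst = m.group(2)
        devices.append(UsbStorDevice(
            vendor=fields.get("Ven", ""),
            product=fields.get("Prod", ""),
            revision=fields.get("Rev", ""),
            instance_id=inst,
            friendly_name=values.get("FriendlyName", ""),
            serial_from_hardware=len(inst) > 1 and inst[1] != "&",
        ))
    return devices


def usbstor_driver_start(reg: dict[str, dict]):
    """Start value of the UsbStor service: 3 = load on demand, 4 = disabled."""
    for key, values in reg.items():
        if USBSTOR_SERVICE_RE.search(key) and "Start" in values:
            return values["Start"]
    return None


def report(text: str) -> list[str]:
    reg = parse_reg_export(text)
    start = usbstor_driver_start(reg)
    state = "unknown" if start is None else ("disabled" if start == 4 else "enabled")
    lines = [f"UsbStor driver Start={start} ({state})"]
    for d in usbstor_devices(reg):
        origin = "hardware serial" if d.serial_from_hardware else "Windows-generated ID, no serial"
        lines.append(f"{d.vendor} {d.product} rev {d.revision} [{d.instance_id}] "
                     f"{d.friendly_name!r}: {origin}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REG_EXPORT)))
```

Two caveats a practitioner would want. The USBSTOR keys are history, not a live alarm: they are written when the device is first installed and stay after removal, so a sweep tells you something was attached at some point, not that it is attached now. And the serial flag matters for attribution: an instance ID that Windows generated (second character `&`) cannot be tied to one specific physical stick, while a hardware serial can be matched against a seized device.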

Re:Useless Tool... (1)

Luke has no name (1423139) | more than 4 years ago | (#31838618)

I think the point of this is to be used on computers where the users are not administrators, e.g. most corporate environments, in such case you couldn't edit the registry or install "USB Detection Blocker" software, etc.

I don't think there is anything wrong with this. Very useful for companies keeping data secure.

Re:Useless Tool... (0)

Anonymous Coward | more than 4 years ago | (#31838682)

...then why would you need the tool, as your users can't activate or mount a usb drive in the first place?

Re:Useless Tool... (1)

Khue (625846) | more than 4 years ago | (#31838704)

You can also do this through premade GPOs which already hit that same registry key plus others. If you google write_protect_removable_drives.adm or write_protect_removable_media.adm you may be able to find the same thing I have implemented across the board. The only difference is I did this back in 2002/2003 for PCI DSS compliance.

Re:Useless Tool... (3, Interesting)

captaindomon (870655) | more than 4 years ago | (#31838760)

That's not the point. The reason for this software is to add one more layer of security to an already extremely secure network, and mostly to detect friendly accidental use by tech-clueless intelligence analysts (yes, most intelligence analysts are experts on geopolitics or military tactics and not Windows). This is not designed to prevent true espionage attacks by insiders who are technology experts, there are a lot of other layers of security for that.

Re:Useless Tool... (0)

Anonymous Coward | more than 4 years ago | (#31838804)

I think this tool still has uses, though not what one would initially think. For example, you could detect when a device is plugged in, then throw a tiny little virus on there that can infect the next host the usb drive is plugged into, and now all of a sudden you have easy access to a formerly "Secure" network. This could be very useful in cyber-warfare and spy games in general. Run something like this in every foreign embassy, and then you can detect leaks etc.

Re:Useless Tool... (2, Informative)

fatalwall (873645) | more than 4 years ago | (#31838888)

Password protecting the BIOS does nothing unless you put a lock on the computer case. Password resets are really easy to do on a BIOS.

Re:Useless Tool... (3, Informative)

Bacon Bits (926911) | more than 4 years ago | (#31839136)

I tested this extensively on WinXP SP2 for a hospital worried about HIPAA. These methods only work if the UsbStor key hasn't already been created. Once it's there you can keep plugging devices in and they will all install normally (new or old).

Under Vista and 7 there's supposed to be a new Group Policy that will prevent USB drives, but I'm not sure how it works.

Preventing USB use-- (1)

sillivalley (411349) | more than 4 years ago | (#31839270)

Some places fill the USB connectors with hot glue.

I prefer 3 inch drywall screws.

They're system agnostic...

Re:Useless Tool... (1)

Zironic (1112127) | more than 4 years ago | (#31838574)

Well, since they are in the espionage business, maybe they want to trap whoever does it by making it possible to mount the drive but triggering a silent alarm.

Re:Useless Tool... (3, Interesting)

IndustrialComplex (975015) | more than 4 years ago | (#31838900)

Well, since they are in the espionage business, maybe they want to trap whomever does it by making it possible to mount the drive but triggering a silent alarm.

Not quite, the NSA can really be seen as two groups. The Data Processing NSA and the Anti-Network-Intrusion/Espionage & Policy NSA. But you are correct that they probably want the ability to determine and track before simply blocking all access.

I'm quite sure on the computer I'm at right now I could go hog-wild and do all sorts of things. Things that would be logged and flag my account/use as one to watch.

Re:Useless Tool... (0)

Anonymous Coward | more than 4 years ago | (#31838658)

Since you can set the security policy on a domain to ban USB and External devices, and since you can also unplug a machine from the network this tool seems to serve little to no real world purpose. It might inform you after the fact if a device has been plugged in or heck even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.

Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.

Nevermind that you can configure systems to ban USB devices. Nevermind that systems can be unplugged (and if you did this to a networked NSA system without prior approval I imagine you'd immediately raise all sorts of red flags.)

It is most likely intended to make sure no one plugs in a USB storage device after having been explicitly and repeatedly told that USB devices ARE! FUCKING! NOT! EVER! FUCKING! ALLOWED! ON! THE! FUCKING! NETWORK!

Re:Useless Tool... (1)

smbarbour (893880) | more than 4 years ago | (#31838976)

This is software being used by the NSA. It is much better in their opinion to detect espionage than prevent it.

If it is being done by a government employee, they can "execute" a "termination" of employment.

Re:Useless Tool... (0)

Anonymous Coward | more than 4 years ago | (#31839112)

What if you want to allow it but log it? Notice it says detects not prevents.

What if you want even the people who are logged in as admin to be logged?

Why only USB? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31838434)

Is there some weakness associated with USB that I'm not aware of? Shouldn't this instead be for all removable storage devices? What about Firewire flash/HD drives, et cetera?

Re:Why only USB? (3, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31838812)

If anything, USB is less dangerous because it is less capable. Firewire can do DMA. Which means that, unless you are on modern, high-end hardware (where the IOMMU will stop you) or on a 64 bit system (where the fact that Firewire DMA is only 32 bit will limit you some), a malicious firewire device can snarf or modify your memory space at its pleasure.

USB just makes it easy to copy files off the system (assuming your environment hasn't already disabled that). Most modern corporate-issue computers let you shut off USB ports at the BIOS level, if you want, and you can block the loading of Mass Storage drivers or the mounting of unauthorized filesystems in any modern OS.

Re:Why only USB? (0)

Anonymous Coward | more than 4 years ago | (#31838828)

The weakness is the storage device itself since you can copy/steal/bring data onto host machines.
USB itself isn't the issue.

Re:Why only USB? (4, Insightful)

PhxBlue (562201) | more than 4 years ago | (#31839008)

Because DOD got pwned back in November 2008 when some schmuck used a thumbdrive to transfer files between the NIPR and SIPR networks, and they still haven't figured out how to fix the vulnerability.

Re:Why only USB? (0)

Anonymous Coward | more than 4 years ago | (#31839428)

something something something opsec

Re:Why only USB? (1)

sheph (955019) | more than 4 years ago | (#31839084)

Other than users that download malware from the Internet and drop it on your private/critical LAN? No, not really. I'm assuming that it would detect any external storage that is USB based. Firewire usually isn't there unless it's required, and if it's not desirable to have, it can easily be disabled in the device manager. With USB you might have a mouse and a keyboard that you'd like to use, but you want to make sure no one plugs in a storage device. This can be accomplished with a GPO though. The tool is really not necessary. Even if you wanted to trap people, tripwire is far more functional, and can provide the same detection. It's a useless tool really.

Re:Why only USB? (0)

Anonymous Coward | more than 4 years ago | (#31839400)

Regarding firewire, I assume the designers didn't want to waste their time with a port used by a whopping 2 or 3 people on earth.

Hmmm.... (0)

Anonymous Coward | more than 4 years ago | (#31838498)

Hopefully the tool checks the vendor and product IDs of the device and doesn't just rely on what windows thinks the device is. It's not that hard to make windows think that a flash drive is something else, but it's harder to mess around with the vendor and product ID that are detected from the device.

Bit Late? (1)

mistralol (987952) | more than 4 years ago | (#31838554)

Don't get me wrong but this allows you to detect after the device has been and gone. Is this not a little late in finding this out? So exactly what security hole has it plugged? Though I guess it could prove possibly useful in a court where you can then link the USB hardware ID and unique ID to a pen drive with sensitive information to prove what / when / where it plugged into.

Meeeeliionnns (4, Funny)

codepunk (167897) | more than 4 years ago | (#31838556)

5 or so meeeliionnns of well spent money....our brilliant govt at work.

Does it only detect USB MSDs? (1)

Dogbertius (1333565) | more than 4 years ago | (#31838558)

Does this software only detect USB mass storage device (MSD) modules? A simple workaround would be to implement a USB-connected character device. You could simply dump a binary file via "cat" or some similar tool to the device, presto - data acquired. I would know this because I've built similar ones in the past while playing around with PICs.

At some of the more "security oriented" offices I've visited, the easiest way to prevent data from leaving the office was:
-implementing proper network security (blocked sites, restricted sent-to abilities for e-mail)
-customizing the Linux kernel for slim-boxes so there was next to no driver support for anything not already connected to the box
-disabling MSDs in the kernel altogether

The only other way (ie: in the case of my little USB data logger) is to completely disable unused USB ports, etc. If you have the computing resources for it, you could just have most slim boxes log in to VMs that are pretty much locked down and oblivious to external H/W anyway. This approach seems to be useful for detecting attempts to make unauthorized copies of data, etc, but it seems far from a fool-proof way to prevent it.

No USB, no problem. (1)

iwaybandit (1632765) | more than 4 years ago | (#31839464)

Use the VGA output and an A to D converter. If the system is running at 1280x1024, 24-bit color and 72 Hz, you can capture a bit over 2 GiBits/sec. Sure, you lose some speed using bits for error detection/correction, but you can turn the screen resolution up a little and it doesn't matter if the monitor can sync it. The hard part is installing a client program on the system to turn data into pixels. I'd use a keyboard simulator to input the binary into debug.exe, if it's still included with Windows. If not, there's notepad.

filter driver??? (1)

dltaylor (7510) | more than 4 years ago | (#31838590)

The "geniuses" at the NSA couldn't even come up with a filter driver to detect the connection in real time (and block access)? I worked at a company years ago that had such a tool commercially available. Sweeping the registry is sort of "after the fact".

On Linux, you could control users' (not "root", but if they've got local "root" access ...) ability to mount USB/Firewire/... removable storage with a simple change to the udev rules.

I don't see the point of this (0)

Anonymous Coward | more than 4 years ago | (#31838614)

Who are these network admins that are worried about USB usage on only Windows machines, but will not deny USB usage (which Microsoft actually makes fairly easy to do), but want to stealthily detect USB usage?

Windows already does this (1)

nurb432 (527695) | more than 4 years ago | (#31838622)

And there are hundreds of ways to monitor/report on Windows activities as they happen.

High tech solution to a low tech problem (0)

Anonymous Coward | more than 4 years ago | (#31838638)

A bit of epoxy in the USB ports of all the computers that are connected to the network would be 10x as secure. (And it would run on Linux!)

Is A BotNet (0)

Anonymous Coward | more than 4 years ago | (#31838644)

considered to be a USB Storage Device?

Yours In Novosibirsk,
Kilgore Trout.

Necessary? (0)

Anonymous Coward | more than 4 years ago | (#31838758)

Shouldn't OSs provide an option to disable auto-mounting of USB devices? It makes more sense than requiring admin access to "safely remove" USB storage devices.

This post... (3, Informative)

danwesnor (896499) | more than 4 years ago | (#31838800)

... is bait meant to lure out Slashdotters who can't be bothered to RTFA. The article does not mention anything about how the device works. The mention of the registry comes from a footnote in a DHS report (you know, the guys who can't find bombs if they're in your underwear). It is not sourced, and most likely an assumption since the NSA isn't in the habit of telling anybody how their $#!+ works.

Everyone is missing the point here... (2, Interesting)

vrmlguy (120854) | more than 4 years ago | (#31838822)

If you work for the government and you want to get a co-worker in trouble, go buy an iPod and plug it into his computer whenever he's away from his desk. The next time there's a security audit, he'll be taken to some windowless office, denying everything and not being believed.

Lame (1)

KriticKill (1502071) | more than 4 years ago | (#31838850)

Is that what the government is wasting our tax dollars on these days? Detecting thumb drives on networks? Come on, it shouldn't take the NSA to come up with something like this. I'll bet money that somebody has already written a piece of software to do just this. Even if they haven't, there are loads of ways within Windows to watch and report stuff like this. I guess if they could upgrade it to work remotely on computers outside a network it might be useful (and if and only if it gives specific details on the media and extends to other types beyond USB), but I don't really see the point on a network.

Good plan (1)

rickb928 (945187) | more than 4 years ago | (#31839006)

Halfway to completing the suite, and offering a tool to detect and READ USB storage devices on networks.

NSA is nothing if not ambitious. Good job, guys!

Already in use... (0)

Anonymous Coward | more than 4 years ago | (#31839074)

http://www.sophos.com/sophos/docs/eng/supps/devctrl_10_aeng.pdf

Works like a charm :)

Two-part Epoxy (0, Redundant)

GumphMaster (772693) | more than 4 years ago | (#31839110)

In a certain secure environment I worked in there was a complete ban on use of the USB ports. We could have paid a bazillion dollars to have machines delivered without USB ports, spent many hours investigating bullet-proof ways to stop the USB ports from functioning in the OS, or simply filled the connectors with two-part epoxy. In the end the KISS principle ruled - epoxy and simple software tweaks on the off chance someone managed to free a port. :)

If you have physical access to a machine... (1)

TheSpoom (715771) | more than 4 years ago | (#31839134)

The security game has already been lost.

Re:If you have physical access to a machine... (1)

quiet_guy (681438) | more than 4 years ago | (#31839314)

At the moment, this is being used as a defense-against-the-user, not against intruders. Problem came up when malware got loaded onto a clean network via a USB drive, unknown to the user. Many of the military networks are set up to protect against intrusion from the outside, with decent firewalls/etc between the internet and the 'inside' network. The USB used by a stupid user obviously jumps the firewall....now the worm/trojan/whatever is loose on the inside. Network policies already say "don't use the same drive at home and at work"...but if everyone followed the rules, we wouldn't have malware....can't easily kill the USB ports since most of the keyboards/mice/etc are USB-only. Essentially, all this thing does is provide a way to sweep the networks and check for compliance. File transfers between classified and unclassified systems are a completely different problem.

Yeah, I wrote one of those once. (3, Insightful)

gestalt_n_pepper (991155) | more than 4 years ago | (#31839258)

Management eventually figured out that if you couldn't trust the guys you hired, you were screwed from go. More effective to treat your employees fairly in the first place. We stopped installing the service on new machines.

Fun to write though.

a definite FAIL story in the pursuit of the... (1)

exabrial (818005) | more than 4 years ago | (#31839312)

Using Windows machines to hold Top Secret documents.