06/14/2013 11:58 AM

Thumb Drive Security: Snowden 1, NSA 0

Thumb drives helped NSA whistle-blower Edward Snowden transport top-secret data from the agency. If the NSA can't keep a lid on thumb drives, can you?
Pity the poor USB thumb drive.

The humble storage device is again under fire after the Los Angeles Times reported that National Security Agency (NSA) whistle-blower Edward Snowden, 29, used a removable USB storage device to exfiltrate top-secret information from the agency.

NSA investigators now "know how many documents he downloaded and what server he took them from," a government official -- speaking on condition of anonymity -- told the paper.

In general, the use of removable USB storage devices is prohibited inside the agency. "Of course, there are always exceptions" to that rule, said the official. "There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny."

One job role that does require removable storage, however, is that of the IT or systems administrator, which was Snowden's role at the NSA, where he worked as a contractor employed by Booz Allen Hamilton.


The Department of Defense's restrictions on removable storage devices aren't unique. "At Huawei, my understanding is, plugging in a drive [equals] get fired," tweeted the Bangkok-based vulnerability buyer and seller known as the Grugq.

But as Snowden's leak shows, at a certain level, even the most advanced security measures or defensive systems rely on trust -- whether or not thumb drives, iPods, smartphones with cameras, photocopiers, or telephones with outside access are available to employees inside the corporate perimeter.

"As we've seen with WikiLeaks and Snowden, if one person sets their mind to it, they will grab information and find a way to disseminate it," James C. Foster, founder and CEO of Riskive, and a past Booz Allen employee, told Dark Reading.

Thumb drives aren't the only removable media that have been used to smuggle secret data out of secure environments. In 2009, Britain's MI6 intelligence agency caught Daniel Houghton, one of its computer programmers, trying to sell advanced email interception technology -- as well as lists of MI6 and domestic intelligence agency MI5 staff members, including full contact details -- to another country, after having downloaded the information onto a Secure Digital (SD) memory card. (Memo to European spooks: Don't attempt to tempt the Dutch.)

Removable media has long posed an information security risk to government networks. In 2008, the Department of Defense banned all flash drives and other removable media, although that ban was subsequently relaxed. It wasn't until 2010, however, that William J. Lynn, then the U.S. deputy secretary of defense, disclosed that the ban had been prompted by a malware-infected USB drive that breached government systems.

"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command," Lynn wrote in Foreign Affairs. "That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."

In February 2010, however, the Defense Department "decided to make this [thumb drive] technology available again on a strictly controlled basis," then Vice Adm. Carl Mauney, deputy commander of the U.S. Strategic Command, told GCN. "Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met." But those requirements were likely designed to prevent a repeat of the devices being used to distribute malware, rather than to combat insider attacks.

Calls for removable media to be more tightly monitored or restricted in U.S. government facilities soon resurged in the wake of WikiLeaks publishing -- largely between April and November 2010 -- redacted and then full versions of 251,000 State Department cables.

Pfc. Bradley Manning, who was arrested in June 2010, is currently standing trial at Fort Meade, Md., on charges of leaking the cables, U.S. helicopter gunship footage and other sensitive material. He allegedly copied information from the Department of Defense's classified SIPRNet network onto rewritable CDs that he hid inside a Lady Gaga CD case.

Since then, the Defense Department has been evaluating monitoring tools to help military and defense agencies spot insider attacks more quickly. Evidently, that technology either wasn't in place inside the Hawaii NSA satellite facility where Snowden worked, or it failed to flag his behavior before he flew to Hong Kong.


re: Thumb Drive Security: Snowden 1, NSA 0

Is there a way to keep thumb drives out of corporate systems? Sure - there are plenty of safeguards out there that can be put in place, from security models enforced at the desktop to notifications sent from machines that detect a non-corporate thumb drive to the Network Security group. Things as simple as shutting down the USB ports and optical drives on a client system could effectively stop the majority of corporate data leaks. That isn't a new technology or idea - I've even seen organizations that put physical locks on the USB ports on systems to prevent their use.

It all comes down to how much effort an organization wants to put into policing this sort of issue and how much they trust their users. I've seen organizations that restrict users from carrying any form of data storage into secure locations for fear of data loss. Having to lock up your tablet, thumb drive... even your smart phone, in a locker before entering the facility can put a pretty serious dent in the idea of data loss via physical media.

In environments that I manage, I try to put as many of those pieces as possible in place, since they're relatively simple to do and have a major ROI when compared to the cost of a data breach. That said, I also take into consideration that if something is digital, it's as good as public (i.e. stolen) anyway - it's just a matter of time before your security envelope gets breached.

Andrew Hornback
InformationWeek Contributor
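The desktop-side detection described in the comment above, as an added example that is not code from the article or from any commenter: a small Python audit that reads flattened Windows Security event 6416 lines ("A new external device was recognized by the system"), picks out USB mass-storage devices by their USBSTOR instance path, and reports any whose serial number is not on an approved list. The log lines, host names, user names, serials and the allowlist are all constructed for the example.

```python
"""Flag USB mass-storage devices that are not on a corporate allowlist.

Added example, not code from the article or its commenters.  Each input
line is a flattened rendering of Windows Security event 6416 ("A new
external device was recognized by the system"), whose Device ID field
carries the Plug and Play instance path, e.g.
USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B1234&0.
Host names, user names, serials and the allowlist below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Instance path of a USB mass-storage disk as the USBSTOR driver names it.
# The trailing serial is the only component worth keying an allowlist on;
# vendor and product strings are shared by every stick of the same model.
USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<serial>[^&\s]+)",
    re.IGNORECASE,
)
# key=value pairs in the flattened event line (values contain no spaces).
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumed allowlist: serial -> asset note.  Serials compare case-insensitively.
APPROVED_SERIALS: Dict[str, str] = {
    "0019E06B1234": "IT-issued encrypted drive, asset tag 4471 (assumed)",
}


@dataclass(frozen=True)
class UsbEvent:
    timestamp: str
    host: str
    user: str
    vendor: str
    product: str
    serial: str


def parse_event(line: str) -> Optional[UsbEvent]:
    """Return a UsbEvent for a 6416 line that names a USBSTOR disk, else None.

    Non-storage USB devices (mice, keyboards) also raise 6416 but do not
    match the USBSTOR path, so they are ignored here.
    """
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "6416":
        return None
    match = USBSTOR_RE.search(fields.get("DeviceID", ""))
    if match is None:
        return None
    return UsbEvent(
        timestamp=line.split(" ", 1)[0],
        host=fields.get("HOST", "?"),
        user=fields.get("User", "?"),
        vendor=match.group("vendor"),
        product=match.group("product"),
        serial=match.group("serial").upper(),
    )


def audit(lines: Iterable[str],
          approved: Dict[str, str] = APPROVED_SERIALS) -> List[UsbEvent]:
    """Return every USB disk insertion whose serial is not on the allowlist."""
    approved_upper = {s.upper() for s in approved}
    return [ev for ev in map(parse_event, lines)
            if ev is not None and ev.serial not in approved_upper]


def format_alert(ev: UsbEvent) -> str:
    """One-line message for the Network Security group's ticket queue."""
    return (f"{ev.timestamp} {ev.host}: unapproved USB disk "
            f"{ev.vendor} {ev.product} serial={ev.serial} inserted by {ev.user}")


# Constructed sample log: one approved stick, one keyboard, one unknown stick,
# plus an unrelated logon event that the parser must skip.
SAMPLE_LOG = [
    "2013-06-14T09:12:03Z HOST=WS-0412 EventID=6416 "
    "DeviceID=USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B1234&0 "
    "ClassName=DiskDrive User=CORP\\jdoe",
    "2013-06-14T09:15:41Z HOST=WS-0412 EventID=6416 "
    "DeviceID=HID\\VID_046D&PID_C077\\7&2A1B3C4D&0&0000 ClassName=HIDClass User=CORP\\jdoe",
    "2013-06-14T10:02:17Z HOST=WS-0907 EventID=6416 "
    "DeviceID=USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\\4C530001230510117281&0 "
    "ClassName=DiskDrive User=CORP\\rsmith",
    "2013-06-14T10:02:18Z HOST=WS-0907 EventID=4624 LogonType=2 User=CORP\\rsmith",
]

if __name__ == "__main__":
    for event in audit(SAMPLE_LOG):
        print(format_alert(event))
```

Two design points worth keeping in mind when turning this into a real monitor. First, key the allowlist on the serial, not on vendor or product: every stick of a given model reports the same vendor and product strings, so an allowlist built on those would wave through any stick of an approved brand. Second, a log-based check only sees what the running operating system reports; a device used on a host booted from other media, or on a host whose audit policy is off, leaves no 6416 event, so this complements port controls and physical controls rather than replacing them.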

re: Thumb Drive Security: Snowden 1, NSA 0

While it is unsurprising that it was so easy for Snowden to use a thumb drive because of his title, I think, as Foster notes, people who are determined to leak information will find a way -- even if bans on thumb drives are implemented.

re: Thumb Drive Security: Snowden 1, NSA 0

USB monitoring tools work only with "normal" to "average" tech users. Most of the tools have weaknesses. Let us say that you have a third-party solution like Symantec Endpoint Security, or do it through Windows GP; all these work at the application layer. Let us say for argument's sake that the hard drive is encrypted by BitLocker / TrueCrypt or some third-party software; still you could simply change your BIOS settings, boot using a USB thumb drive, load the appropriate software, decrypt the HDD (since you already know the password), and copy the required stuff to the thumb drive. One third-party solution ran as a service; all we had to do was kill that service, and it would enable USB drives! This guy being an "above average" tech guy, he would have figured out a way to copy even if USB access had been blocked. For places like this, the best solution would be to implement physical security. Even though it might be humiliating for the people who work there, a simple physical pat-down would've caught this leak, in my opinion.

@ubm_techweb_disqus_sso_-4fc2f376be2e1ff30a713c6d7462e08d:disqus - I agree with your physical security suggestions, but as I had mentioned, these third-party solutions don't work. Some of the places where I have worked as a consultant had disabled USB drives using one of these products. Me being a consultant, I needed to copy data back and forth for work, so I had to use one of the above-mentioned techniques to circumvent the protection in order to work from home. So far I have been able to circumvent all the third-party solutions that I have encountered.