No one would dispute how convenient thumb drives are, or how theyve made the transfer of files form one machine to another so easy. These drives offer numerous advantages over other portable storage devices. They are more compact, and operate much faster. The new thumb drives using USB 2.0 operate faster than an optical disc drive, while storing a larger amount of data in a much smaller space.
They also have no moving parts, making them more robust than mechanical hard drives. These types of drives use the USB mass storage standard, supported by modern operating systems such as Windows, Mac OS X, Linux, and other Unix-like systems. However, that convenience comes with risk.
FACT: The flash-memory market was until recently one of the fastest-growing segments of the global semiconductor industry. The total worldwide revenue of the market in 2008 is estimated to be about $12 billion.
The recent news of this significant cyber incident at the Pentagon has called into question the use of thumb drives. According to one report, senior military leaders said the malware infection incident affected the U.S. Central Command networks. This incident included systems both in the headquarters and in the combat zones. Thumb drives are reportedly banned within the U.S. Department of Defense. The ban comes after they were identified as the most likely point of compromise that transferred what has been termed a global virus according to Pentagon spokesman Bryan Whitman. Inside sources leaked a message distributed to employees saying that all flash drives, whether purchased or provided by the Department of Defense, would be confiscated.
This is a problem not just for DoD, but for all computer users, so tell us about your use of thumb drives.
...
As a defense contractor, at my office USB drives, in addition to all recordable media and camera phones are banned on the premises. Every workstation has read/write ability through the USB ports and CDRW drives disabled. I’m thoroughly shocked to learn that similar security provisions were not in place at the Pentagon of all places.
If I am not mistaken, a network compromise via a USB drive “snuck” into Langley was used in the movie “The Recruit”.
They also used a memory card, similar to what you use in your digital cameras and phones in Transformers for a little “good natured” espionage at the crypto department.
The point should not be “banning” a certain technology. Thumb drives, just like floppy drives, can be rendered safe using the proper procautions. For instance, for high sensitivity environments, either have no USB ports on your terminals, or have them locked out except for maintinence work by authorized personnell. I have NEVER gotten a virus through one of my own thumb drives because I always sweep the drives, as well as my own computer. For an environment such as the Pentagon, they should be using firewalled ports even if they DO use thumb drives, not to mention physical security logging of drives inserted and removed from the system.
They got sloppy, and now they are banning a very useful data storage and transfer device over a knee jerk reation to their incompetance. Blame the tool, not the Tard using it…just like they do with firearms laws…instead of focusing on the idiots and criminals, they focus on the tool they used.
An AF sysop basically blew me off back on ’02 when I pointed out that a USB port was a gun aimed at the network waiting for a thumb drive bullet…
We recommend that the USB ports be epoxied shut. Can’t ignore that one!
This type of problem dates back to floppy disks and has pretty much the same answer.
Our security software is set to scan any portable media on access. Firewalls are configured to prevent outgoing messaging without permission from the user.
This doesn’t seem like that hard a problem to contain. Why can’t Dod get a grip on it without something as draconian as banning jump drives?
Other important context for this story is that in DoD right now nobody, I mean nobody, is going to get their budget increased or their profile raised by saying “look, calm down, the sky is not falling, this is an education and policy issue. This is too big and dumb to solve technically.” Everybody is after as big a piece of the cyber-defense pie as they can grab.
Not surprised thumb drives are banned. They should’ve been banned years ago. Thumbdrives are an IAM’s worst nightmare. How many incidents involving personal thumb drive accidentally stuck into the siprnet have gone unreported? How many thumb drives get lost? and end up in Baghdad pawn shops. Granted, there is technology available to protect our networks fm thumbdrives and the data they contain, until this technology is implements, it was a smart descision to ban them.
Reminds me of this story… tis funny.
“USB Thumbdrive from China“
http://www.gadget9.com/2007/06/17/usb-thumdrive-from-china/
There is no such thing as 100% security.If someone wants something bad enough they will find a way to get it.they can steal it,buy it,or what ever and there is always someone there with less than perfect ethical morals to take them up on it.The smarter we think get the dumber we really are.
Solid state data storage is the future. The pace and momentum for this shift in preferences in the the commercial marketplace is inexorable. There is no way the DoD or any other organization can bury its head in the sand on this one. Banning USB drive use can, at best, be a temporary solution.
The more permanent solution is to disable all data drive access through normal USB ports in DoD and other secure computing systems, and have single, highly secure point of access for portable storage media whether that be USB, firewire, etc. This should not be hard and the costs are shared by the wide commercial market needing secure computing.
And I can remember the day when 4 function / square-square root calculators were banned from classroom test taking.
The answer is NOT to ban them, but allow the use of them only on specific machines in the network. Thumbdrives can be configured to utilize public / private key functions that will only allow a thumbdrive to work in a machine that has the matching keyset. The real concern within DoD and industry is about industrial espionage, which is why they frown upon them. They are small easily hidden and can contain a lot of data.
So we have banned thumb drives in computers. Great, but now external hard drives are authorized again. Here is a tip for the DOD. If someone is dumb enough to bring a virus in on a 2gb thumb drive, they sure as heck will do the same, if not more on their 120gb external hd.
I was a DOD IT contractor back in the early 1990’s. Back then, server system upgrades were often done by tape (very slow). One evening, an Air Force officer, tossed me the key to the office in which I was working, and said “Lock it when you leave, and put the key under the door.” Apparently her car-pool was ready to leave, but our tape restore was still in-progress. At the time, I had NO clearance whatsoever, and even needed an escort to get into the Pentagon.
If you needed a password for a system, just look on the underside of a colonel’s keyboard, and it was usually written on a Post-It note.
You can’t fix stupid (or unwilling).
JP
Where there is a will there is a way. There can be all gripes and complaints in the world but the guys at the top make the big decisions. They are just assuming the rest of us are to stupid to care. What is even more ridicelous is turning off the USB ports. Hope these guys calling the shots get a clue and are not working for the big 3!
Putting a ban on all types of removable media would grind any kind of contracting to a halt, and it is not a realistic solution.
Most of the DoD contractors I work with have been under this ban for some time now, and as far as I can tell it has just equated to a lot more use of CDRs. In terms of security, I’m not sure if there’s any difference between the two, aside from the reduced convenience of the CDR and, ultimately, the inability of a CDR to take on advanced security features. In contrast, there are already thumb drives with built-in FIPS-140-compliant crypto technology, which the DoD deems is good enough for all other types of data exchange. The blanket ban on thumb drives is a typical, bureaucratic maneuver made in place of a real solution, and it’s a mistake. Instead, why not stock up on FIPS-140 thumb drives and implement a security protocol? Even the biggest, slowest, most bureaucratic players in the private sector have been able to implement crypto technologies in their IT without too much trouble.
To all out there with nothing to do but write your negative opinions about something as unchangable as the speed in which technology advances, shame on you. Get with the program. Some of you are actually writing ridiculous comments like the one by Mr.Dale Swanson. RIDICULOUS !!
We all know this is how agents will attack the Defense network when the real fighting starts. Or, just before.
Our directive (USAF/Edwards AFB) is no removable media. Period. No iPods, no thumbdrives, no CDRs, no nothing.
Unless it was government issued and scanned by IT. Essentially this means no thumbdrives for the peons.
Kalroy
Just get rid of all the computers. Problem solved.
Thumb drives are a no go yet external HDs are OK. This makes no sense and is just plain counterproductive for our DoD workforce. The Navy is crippled with NMCI which is in itself crippled by the most insecure operating system available: Windows. I’ve sat in meetings with IT “professionals” who don’t have any certifications, let alone a degree, who don’t have the faintest clue as to the vulnerabilities that really ail our networks.
Like many government organizations and policies, security is rooted in significantly inconveniencing those involved. See TSA. This is no different.
Thumbdrives, by themeselves, should not be the point of focus here. It is the USB Port not being protected in having scan capability prior to the reading of the data device. Hardware data intake for all computer puposes in Government should have protection built into them.
My recommendations are these:
–Fix the USB Ports or add/hard connect another piece of hardware to these ports to plug the Thumb or other data storage into. This interface allows for scanning and encryption recognition of the Thumb or other pre-authorized date storage device. This interface iteself has a crptyic code only working for government computers by IM security and can be recoded as needed, so if lost or stolen it is not easily used with another computer system.
–Thumb drives now come with some encryption capability. Government used thumbdrives should have a code identifier that can be tied to a password of the user. This same identifier would be ID’d into the government computer system for that employees function/area. So, if the government employee tries to use it on a non-government computer it will not work, and if the employee looses it it cannot be opened on any other computer. The ID code is loaded into the interface mentioned above and the interface can also lock out the thumb drive should the employee be terminated or removed from authorization from that access area.
–If necessary the USB/Thumb interface device can also be programmed to recognized unauthorized downlads from non-government sources to reduce piracy of copywrited materials.
Overall, Government Computers should not be off-the-shelf models, but cusomized for security. We keep trying to use off-the-shelf and continue to have off-the-shelf problems. Establish a system of closed-house computers and have closed-house problems which enable security to identify faster the breaches and weaknesses of the system, allowing it to work faster and more secure.
Kevin MW Hughes
Why can’t we all just get along?
How about banning pencils and pens, so we can only compromise security to the point that we can remember anything? This is the same organization that had bunches of us making paper airplanes in order to show us how an assembly line worked (no kidding-Lean Sigma 6-right?) and has an Acquisitions Course that starts out teaching arithametic (“what does the “+” sign mean?-no kiddding) The only solution is for the DoD to get a little bit smart or just go back to technology they are comfortable with-like the flintlock musket. And why, to begin with, are all teh DoD systems hooked into one system? Why can’t we have local cell networks that handle low security traffic without al the BS? If that gets breched, so what? By the time we find out about it, the Russians will find out about it, too-“Who cares about this?’ sort of thing. Let teh Top Secret boys have their own network and ban anything they want from it.
So, Russian or Chinese hackers manage to breach the Pentagon and so they ban thumbdrives for all DoD? Ever occur tothem, that their firewalls just ain’t that good?
Problem is that folks use thumb drives to transfer files from unclassified computers to classified computers (against the rules but folks do it anyway) and they carry virus upstream with the files. Until scanners can be modifed to scan USB devices before allowing a connection they will be a hazard.