State Agency to Destroy Unauthorized USB Drives
Lucas123 writes "The State of Washington's Division of Child Support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."
I know... I apologize for reading the article.
If you post it, they will read.
Although, it does say in the quote from the manager that they will "manage and back up the new drives using SanDisk's Central Management & Control server software...which relies on a Web connection to directly communicate with agents on the tiny flash drives [and can] remotely monitor and flush any lost drives" so they could read and delete files on the disks remotely.
It also says that they chose the disks for their MSW Vista compatibility which suggests that the "agents" really are (as previously quoted) on the disk rather than the PCs (one assumes so they can track what their employees do with the disks while not using their PCs, which really doesn't seem necessary to me). Hopefully they do have software on the PCs too to ensure that non-authorised disks are not used and to monitor activity if the "agents" are removed from the disk by intrepid employees.
Although, I suppose, in principle, the right to privacy of their clients (which could be breached by data being transferred out of the building) overrides the right to privacy the government employees have while in the office.
Joe Llywelyn Griffith Blakesley
[This post is in the public domain (copyright-free) unless otherwise stated]
Before people moan about "personal" these aren't things that people have paid for with their own cash (they got the cash paid back). The other point is that banning removable storage is a difficult, but sensible, policy when there is confidential or valuable information about. Hopefully these USB sticks will be encrypted and tied to only the departmental machines (i.e. no working at home on confidential information) in order to prevent misuse or sale.
This isn't a personal privacy issue for the users (after all it's just a USB key), it's a personal privacy issue for the people on whom the department stores information.
An Eye for an Eye will make the whole world blind - Gandhi
I think that they are actually being fairly reasonable about the whole issue. USB keys are a severe security risk as far as controlling access to data leaving a business. People leave with Excel sheets full of database information, confidential email, and sometimes text pads containing passwords to various systems. We've already begun the process of completely disabling all computers company wide from their ability to write to removable drives which essentially takes away the threat a USB key poses. Here we see that the state spent a reasonable amount of money (cost of the usb key itself + enterprise management software which probably has some sort of CAL) just so employees could still use USB keys. In my environment, employees just straight up would never have access to USB resources to begin with... Can you imagine the consequences of a disgruntled employee walking out of the office with a spreadsheet of 65k+ credit card records or other customer records? Hello Fidelity Insurance scandal...
dd if=/dev/zero of=/dev/sda1 will write zeros to /dev/sda1 until interrupted (which will happen of its own accord as soon as /dev/sda1 is full).
/dev/sda1 is a device that represents the first partition of the first SCSI, SATA or USB disk drive, treated as one huge file (which happens to contain all the files and pointers to them) rather than a file system.
/dev/zero is a virtual device that whenever you read a character from it, comes out with a stream of zeros; it is always ready to read and never shows end-of-file.
Simpler version: I know, because that's just the way computers work. (And I've read the Source Code.)
Je fume. Tu fumes. Nous fûmes!
especially that due to wear protection flash drives are pretty hard to zero. Overwriting files is not guaranteed to delete the data because the 'overwrite' may (and likely will) happen elsewhere than original data was. You can still fill the whole drive with zeros (or better - random noise) but the science concerning recovery of overwritten data from flash memory is nonexistent - nobody knows whether it can or can't be done.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
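Added example (not part of any comment in this thread): the zero-fill described above, followed by a read-back check that counts bytes still non-zero. It assumes a constructed 1 MiB image file standing in for /dev/sda1 so it runs without root; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: zero-fill a target, then verify the overwrite by reading it back.
# The target is a constructed 1 MiB image file standing in for /dev/sda1,
# so the script touches no real device.

# Size of the target in bytes (regular file; a real block device would be
# sized with a tool such as `blockdev --getsize64` instead).
target_size() {
    echo $(( $(wc -c < "$1") ))
}

# Overwrite the target in place with zeros from /dev/zero.
# conv=notrunc keeps the length fixed, the way a partition's size is fixed.
zero_fill() {
    size=$(target_size "$1")
    head -c "$size" /dev/zero | dd of="$1" bs=65536 conv=notrunc 2>/dev/null
}

# Count the bytes that are still non-zero when the target is read back.
nonzero_bytes() {
    echo $(( $(tr -d '\000' < "$1" | wc -c) ))
}

# Build a constructed image full of random data, wipe it, and report
# "<size> <non-zero bytes before> <non-zero bytes after>".
demo() {
    img=$(mktemp)
    head -c 1048576 /dev/urandom > "$img"
    before=$(nonzero_bytes "$img")
    zero_fill "$img"
    after=$(nonzero_bytes "$img")
    size=$(target_size "$img")
    rm -f "$img"
    echo "$size $before $after"
}

demo
```

A zero count here covers only the blocks the host can address; on a wear-levelled flash drive the old data may sit in cells that a read-back never reaches, which is the limit the comment above describes.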
RTFA. The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords. They're doing this whole switch because of privacy, because the thumb drives contain the private, personal case files of hundreds/thousands of citizens.
Range Voting: preference intensity matters
I remember reading an article from a security consultant a while back. One of his clients, a bank, had hired him to try to break into their systems, and were quite cocky about how they'd sealed off external access.
So he took a bunch of thumb drives, put a Windows autorun backdoor installer on them, and scattered them around the entrances and outdoor smoking areas.
Hey, presto, instant access.
All government agencies have information that needs to be protected. Like Washington, we (my nick will give you a clue who we are) are safeguarding portable information. Our facility has moved to encrypted usb drives to reduce inadvertent disclosure of information. There is a huge list of information managers may need and use that could violate confidentiality, provide the competition with strategic data, and damage all kinds of legal processes. With the potential costs, an agency would be stupid to not just gather up unsecure drives and destroy them. The real cost is tiny and the potential cost of not doing so is enormous.
Profanity - The sign of a small mind trying to express itself.