NSA Develops USB Storage Device Detector
Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."
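The registry walk the summary describes, written out as an added example in PowerShell. This is my code, not the NSA tool or anything from the article: it reads the USBSTOR and USB Plug and Play enumerator keys on a Windows host, reports every USB mass-storage device the machine has ever installed a driver for (model, serial, USB vendor/product ID) and, where the device property store has them, install, last-arrival and last-removal timestamps. It assumes an elevated prompt and Windows 8 / Server 2012 or later for `Get-PnpDeviceProperty`; the function name is mine.

```powershell
# Added example (not the NSA tool): list USB mass-storage devices this Windows
# host has ever seen, from the Plug and Play enumerator keys in the SYSTEM hive.
# Assumes an elevated session; timestamps need Windows 8 / Server 2012 or later.

function Get-UsbStorageHistory {
    [CmdletBinding()]
    param()

    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $usb     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
    if (-not (Test-Path $usbstor)) { return }
    $haveProps = [bool](Get-Command Get-PnpDeviceProperty -ErrorAction SilentlyContinue)

    # serial -> "VID_xxxx&PID_yyyy" from the USB enumerator. Under each VID/PID
    # key the instance key is the device serial (or a Windows-generated
    # "&"-containing pseudo-serial when the device reports none).
    $ids = @{}
    Get-ChildItem $usb -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^VID_[0-9A-F]{4}&PID_[0-9A-F]{4}' } |
        ForEach-Object {
            $vidpid = $_.PSChildName
            Get-ChildItem $_.PSPath -ErrorAction SilentlyContinue |
                ForEach-Object { $ids[$_.PSChildName] = $vidpid }
        }

    foreach ($model in Get-ChildItem $usbstor) {
        # Key name looks like: Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP
        foreach ($inst in Get-ChildItem $model.PSPath) {
            $props      = Get-ItemProperty $inst.PSPath
            $serial     = $inst.PSChildName -replace '&0$', ''
            $instanceId = "USBSTOR\$($model.PSChildName)\$($inst.PSChildName)"

            # Property-store timestamps; null on Windows 7 or for devices that
            # never finished installing.
            $t = @{}
            foreach ($k in 'DEVPKEY_Device_InstallDate',
                           'DEVPKEY_Device_LastArrivalDate',
                           'DEVPKEY_Device_LastRemovalDate') {
                $t[$k] = $null
                if ($haveProps) {
                    $p = Get-PnpDeviceProperty -InstanceId $instanceId -KeyName $k -ErrorAction SilentlyContinue
                    if ($p) { $t[$k] = $p.Data }
                }
            }

            [pscustomobject]@{
                Model        = $model.PSChildName
                Serial       = $serial
                VidPid       = $ids[$serial]
                FriendlyName = $props.FriendlyName
                InstallDate  = $t['DEVPKEY_Device_InstallDate']
                LastArrival  = $t['DEVPKEY_Device_LastArrivalDate']
                LastRemoval  = $t['DEVPKEY_Device_LastRemovalDate']
            }
        }
    }
}

Get-UsbStorageHistory | Sort-Object LastArrival -Descending | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. A USBSTOR key is written when the disk class driver installs, so a device that was plugged in and then blocked by policy can still leave one; conversely, anyone with local admin rights, or who boots the box from other media, can delete these keys, so the output is a lead for an investigation, not proof on its own. To sweep other hosts the way the thread's `ssh root@foo 'fdisk -l'` quip suggests, run it with `Invoke-Command -ComputerName <host> -ScriptBlock ${function:Get-UsbStorageHistory}` over WinRM.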
Wow. Clever. Nobody ever thought of that before.
"USB Detect detects the use of removable drives"
"Shadow Drive evades detection by the following products"
"Latest USB Detect detects Shadow Drive use!"
"New ShadowDrive 2.0!"
Shit, the parent company of both products could make a killing! Hey wait a minute, is this another lame attempt to bring money in off the books for illegal ops?
-Steve
"The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool"
So if this is 3.0, can I assume they have had the tool for some time? Why are they bothering to tell anyone at this point?
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
It relies on information from the OS. The OS is too easy to circumvent. For example, it doesn't report on whether or not the system has been booted from a USB device. Given that they are the NSA, maybe they have the luxury of making the assumption that USB boot is disabled and the BIOS is password protected?
...because the Windows Registry is a secure source of information...
Hi. I seem to have that installed on my computer already. I just typed lsusb (and then I pressed the return key) and up popped:
Bus 008 Device 003: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
Bus 008 Device 002: ID 1307:0165 Transcend Information, Inc. 2GB/4GB Flash Drive
Those CIA/NSA guys are tricky, aren't they?
Won't it work with Linux or OSX? Or does the NSA run completely on -gulp- windows?
It detects WINDOWS-connected USB storage. If I plug my USB storage key into my Cisco router or HP ProCurve switch's USB port, it won't detect it.
If I plug my USB key into my Linux box... it won't detect it. If I plug my USB key into my OS X box, it won't detect it.
What's the point?
Since you can set the security policy on a domain to ban USB and external devices, and since you can also unplug a machine from the network, this tool seems to serve little to no real-world purpose. It might inform you after the fact if a device has been plugged in, or heck, even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.
Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.
Is there some weakness associated with USB that I'm not aware of? Shouldn't this instead be for all removable storage devices? What about Firewire flash/HD drives & et cetera?
Hopefully the tool checks the vendor and product IDs of the device and doesn't just rely on what windows thinks the device is. It's not that hard to make windows think that a flash drive is something else, but it's harder to mess around with the vendor and product ID that are detected from the device.
Don't get me wrong, but this allows you to detect after the device has been and gone. Is this not a little late in finding this out? So exactly what security hole has it plugged? Though I guess it could prove possibly useful in a court, where you can then link the USB hardware ID and unique ID to a pen drive with sensitive information to prove what / when / where it plugged into.
5 or so meeeliionnns of well spent money....our brilliant govt at work.
Got Code?
Does this software only detect USB mass storage device (MSD) modules? A simple workaround would be to implement a USB-connected character device. You could simply dump a binary file via "cat" or some similar tool to the device, presto - data acquired. I would know this because I've built similar ones in the past while playing around with PICs.
At some of the more "security oriented" offices I've visited, the easiest way to prevent data from leaving the office was:
-implementing proper network security (blocked sites, restricted sent-to abilities for e-mail)
-customizing the Linux kernel for slim-boxes so there was next to no driver support for anything not already connected to the box
-disabling MSDs in the kernel altogether
The only other way (ie: in the case of my little USB data logger) is to completely disable unused USB ports, etc. If you have the computing resources for it, you could just have most slim boxes log in to VMs that are pretty much locked down and oblivious to external H/W anyway. This approach seems to be useful for detecting attempts to make unauthorized copies of data, etc, but it seems far from a fool-proof way to prevent it.
The "geniuses" at the NSA couldn't even come up with a filter driver to detect the connection in real time (and block access)? I worked at a company years ago that had such a tool commercially available. Sweeping the registry is sort of "after the fact".
On Linux, you could control users' (not "root", but if they've got local "root" access ...) ability to mount USB/Firewire/... removable storage with a simple change to the udev rules.
Who are these network admins that are worried about USB usage on only Windows machines, but will not deny USB usage (which Microsoft actually makes fairly easy to do), but want to stealthily detect USB usage?
And there are hundreds of ways to monitor/report on Windows activities as they happen.
a bit of epoxy in the usb ports of all the computers that are connected to the network would be 10x as secure. (And it would run on Linux!)
considered to be a USB Storage Device?
Yours In Novosibirsk,
Kilgore Trout.
Shouldn't OSs provide an option to disable auto-mounting of USB devices? It makes more sense than requiring admin access to "safely remove" usb storage devices.
I suppose it's a coincidence that you posted that around lunch-time.
"I like to lick butts!"
... is bait meant to lure out Slashdotters who can't be bothered to RTFA. The article does not mention anything about how the device works. The mention of the registry comes from a footnote in a DHS report (you know, the guys who can't find bombs if they're in your underwear). It is not sourced, and most likely an assumption since the NSA isn't in the habit of telling anybody how their $#!+ works.
If you work for the government and you want to get a co-worker in trouble, go buy an iPod and plug it into his computer whenever he's away from his desk. The next time there's a security audit, he'll be taken to some windowless office, denying everything and not being believed.
Nothing for 6-digit uids?
Is that what the government is wasting our tax dollars on these days? Detecting thumbdrives on networks? Come on, it shouldn't take the NSA to come up with something like this. I'll bet money that somebody has already written a piece of software to do just this. Even if they haven't there are loads of ways within Windows to watch and report stuff like this. I guess if they could upgrade it to work remotely on computers outside a network it might be useful (and if and only if, it gives specific details on the media and extends to other types beyond USB), but I don't really see the point on a network.
Congrats NSA! Novell has been performing this miraculous feat of software wizardry for a few years now... http://www.novell.com/products/zenworks/endpointsecuritymanagement/
Halfway to completing the suite, and offering a tool to detect and READ USB storage devices on networks.
NSA is nothing if not ambitious. Good job, guys!
http://www.sophos.com/sophos/docs/eng/supps/devctrl_10_aeng.pdf
Works like a charm :)
In a certain secure environment I worked in there was a complete ban on use of the USB ports. We could have paid a bazillion dollars to have machines delivered without USB ports, spent many hours investigating bullet-proof ways to stop the USB ports from functioning in the OS, or simply fill the connectors with two-part epoxy. In the end the KISS principle ruled - epoxy and simple software tweaks on the off chance someone managed to free a port. :)
The security game has already been lost.
Um. esata? Firewire?
Management eventually figured out that if you couldn't trust the guys you hired, you were screwed from go. More effective to treat your employees fairly in the first place. We stopped installing the service on new machines.
Fun to write though.
Some places fill the USB connectors with hot glue.
I prefer 3 inch drywall screws.
They're system agnostic...
Using Windows machines to hold Top Secret documents.
Oh, please. Like nobody else has ever created duplicate software before.
Yes, there are probably other utilities that do this. Maybe the NSA was unaware of them. Maybe they were incompatible with their legacy tools or infrastructure. Maybe they didn't do what the NSA needed.
And even then, sometimes it's worth a rewrite, just to make things better.
Use the VGA output and an A to D converter. If the system is running at 1280x1024, 24-bit color and 72 Hz, you can capture a bit over 2 GiBits/sec. Sure, you lose some speed using bits for error detection/correction, but you can turn the screen resolution up a little and it doesn't matter if the monitor can sync it. The hard part is installing a client program on the system to turn data into pixels. I'd use a keyboard simulator to input the binary into debug.exe, if it's still included with Windows. If not, there's notepad.
How is that different from group policy now?
(kick off usb storage drivers towards the stairwells, disable usb hubs)
I formatted it with a bootable Ubuntu installation image!
Indeed. It's even more irritating when you see it in action. I used to work half a block away from the county seat building in a decent-sized city in WA State. Every year we would see a lot of county employees milling around our building after they would normally have gone home. Once I asked one of them about it and he said they had to 'meet their annual overtime budget' or they would lose it the next year. So they just 'made' overtime once a year. Tax dollars at work.
Obligatory xkcd reference
http://xkcd.com/463/
Why the heck is this filed under "hardware?"
The company I work for makes two different pieces of security/monitoring software that can both detect this.
It's not exactly a new thing...
I'm going to guess this is a windows equivalent of ssh root@foo 'fdisk -l'
Method 1
0) Put on some gloves
1) Copy sensitive info from the network onto the C: (maybe need to take screenshots)
2) Shut down the computer, unplug the network cable
3) Open the computer case
4) Reset the BIOS password (move the jumper on the motherboard)
5) Boot up the computer
6) Go into the BIOS
7) Configure the PC to boot off external device
8) Connect the external device then boot off it
9) Copy all the stuff from the C: to your removable microSD card.
10) Hide the microSD card inside your hollowed-out nickel, put it up your butt, conceal it in your hair, badge, keychain, etc.
11) Reboot PC, clear the BIOS logs (if applicable), and reconnect network cable.
12) Change boot sequence back to how it used to be. Leave work.
13) Find some random open wireless network.
14) Upload data to Wikileaks
15) If anyone ever asks you why the BIOS password was reset, just say "BIOS? What's that?"
Method 2:
0) Bring the data up on the screen
1) Exploit the "analog hole" by taking screenshots with your 2M pixel spy pen you bought off ebay for $5 + $25 shipping.
2) Copy screenshots onto your laptop
3) Modify screenshots to remove any identifying information.
4) Find some random wireless network.
5) Upload data to Wikileaks.
The thing is, the software is useless to the NSA if they don't have full access to all of the source and no one else does. They have to make sure that there are no holes or security issues with the software, and they have to make sure no one else has access to the software source to find potential security holes.
The fact that this software exists isn't any big news....big whoop, it's not really any amazing feat that hasn't been done already. The fact that the NSA has software for this that is approved is big news. Security officers will let out a collective sigh of relief now as they don't have to worry about idiots trying to charge their cell phones/mp3 players via the USB port.
I could secure their entire network from USB thumb drives in a couple of hours with a flat-head screwdriver. This reminds me of the old story about NASA and the million dollar investment into pens that could write in a weightless environment while the soviets just used pencils.
Interesting. For years my computers have been telling me whenever I plug in a USB device. This little balloon in the lower right corner of the screen always pops up saying something like "Device detected." I guess the NSA has taken over my computer!
Not quite, but I've been able to use the registry in XP well enough to control USB devices by vendor ID, device class, and permissions etc, among a few more not to mention. All it would take is a well-written rootkit, by oh say, Sony? and bingo, no detection. Further, I've done the proof of concept in setting the device as a keyboard LED, or some type of robotic device. And I'm not even a Sys Admin! I just read a book.
The company I currently work for implements a software solution akin to the one mentioned in the article (for security purposes). Another company that I am aware of simply used crazy glue in all the usb ports and headers.
Jaso
Version 3.0 in the name is probably not so new...
I guess they will have to have lobotomies each day before leaving work...
The government forgot iSCSI, Firewire, and eSATA? Really? And, unless they have locked down new hardware discovery, you could add these in with a PC Card or Express Card slot on any laptop. iSCSI only requires a source system and rights to set up the drive. Even easier: map a network share on an unmanaged asset that you brought along to take advantage of DHCP.
And you don't need any magic or special software to trap a drive connection event, just use WMI. It works for any drive type: just listen for a drive connection event... like ten lines of code, max. You could set up an agent or script to watch for these on any Windows computer with almost zero effort... you could even do it remotely with the proper rights.
Plenty of vendors have software to help, too. Off the top of my head, McAfee, Symantec, and Cisco all have something. The catalog of features they offer attempts to manage the DLP idea a little more completely than any one USB drive solution... although I admit none of the vendors have it absolutely right yet.
I will ask a question I always ask about something like this: What's the goal? If it is Data Loss Prevention (DLP) then I believe they have failed. If it is to prevent virus installations then they could start with disabling autorun.inf and supplementing that effort with a little drive connection detection using WMI.
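The "ten lines of WMI" this post describes, together with the two policy switches other posts in the thread keep pointing at (deny removable storage through the Group Policy registry values, turn off autorun), as an added PowerShell example. It is my code, not any vendor's product and not the NSA tool. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (CIM cmdlets); the log path and the `VolumeWatch` event-log source are names chosen for this example.

```powershell
# Added example (not vendor or NSA code): block removable storage via the same
# registry values the Group Policy settings write, then watch volume
# arrival/removal with WMI. Assumes an elevated session on Windows 8+.
# $LogPath and the 'VolumeWatch' event source are names picked for this example.

$LogPath = Join-Path $env:ProgramData 'volume-watch.log'

function Set-RemovableStoragePolicy {
    # Deny_All = 1 is what the GPO "All Removable Storage classes: Deny all
    # access" writes; NoDriveTypeAutoRun = 0xFF turns autorun off for every drive
    # type. On a domain, push these through GPO; this is the standalone equivalent.
    param([bool]$DenyAll = $true)
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($k in $rsd, $exp) { if (-not (Test-Path $k)) { New-Item $k -Force | Out-Null } }
    Set-ItemProperty -Path $rsd -Name Deny_All          -Type DWord -Value ([int]$DenyAll)
    Set-ItemProperty -Path $exp -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
}

function Start-VolumeWatch {
    # Win32_VolumeChangeEvent: EventType 2 = arrival, 3 = removal. It fires for a
    # volume on any bus (USB, FireWire, eSATA, card readers), which is the point
    # the post makes about not needing USB-specific magic. Mapped network shares
    # do not raise it, so that exfil path still needs a separate control.
    if (-not [System.Diagnostics.EventLog]::SourceExists('VolumeWatch')) {
        New-EventLog -LogName Application -Source 'VolumeWatch'
    }
    $query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3'
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'VolumeWatch' `
        -MessageData $LogPath -Action {
        $e    = $Event.SourceEventArgs.NewEvent
        $kind = if ($e.EventType -eq 2) { 'ARRIVAL' } else { 'REMOVAL' }
        # On arrival the logical disk still exists: DriveType 2 = removable.
        $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($e.DriveName)'" -ErrorAction SilentlyContinue
        # Which physical disks are currently attached over USB or FireWire (1394).
        $buses = (Get-CimInstance Win32_DiskDrive | Where-Object { $_.InterfaceType -in 'USB', '1394' }).InterfaceType -join ','
        $fields = @((Get-Date -Format o), $kind, $e.DriveName, $disk.DriveType,
                    $env:USERNAME, $env:COMPUTERNAME, $buses)
        $msg = '{0} VOLUME {1} {2} drivetype={3} user={4} host={5} removable-buses={6}' -f $fields
        Add-Content -Path $Event.MessageData -Value $msg
        Write-EventLog -LogName Application -Source 'VolumeWatch' -EventId 1001 -EntryType Warning -Message $msg
    } | Out-Null
}

# Usage: deny access, start watching, and keep the session (and its event
# subscription) alive. Run it as a scheduled task or service for a real deployment.
Set-RemovableStoragePolicy -DenyAll $true
Start-VolumeWatch
while ($true) { Start-Sleep -Seconds 60 }
```

The event lands in the Application log as well as the flat file so an existing collector (forwarded events, a SIEM agent) can pick it up without anything bespoke. Note that the watcher reports volumes, not devices: a USB device that presents itself as a keyboard, a serial port or some other non-storage class, the trick two posts above describe, never creates a volume and is invisible here; that is a job for device-class allow-listing, not volume monitoring.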
You people don't get it do you. This was designed so that it would trigger a "This system will self destruct in 5 seconds... 4... 3... 2... 1..." booom (insert Mission Impossible soundtrack here)
I'm a CSA in one of the AF units and I found this program in our software directory sometime last year. Around the time that the flash drive ban was initiated. It's funny that this is just making 'news' now.
I am seriously interested to see an open source equivalent. Basic requirements:
* It has to be mass deployable as MSI package (SMS etc)
* It has to contact centralized registry to report unauthorized USB mass storage devices
* There must be some sort of reporting functions that NON-technical security managers can use
* There should also be integration modules for emitting alerts to other systems (ticketing systems etc) about the incidents
* It has to support Windows Vista / 7, both 32 and 64 -bit
* There has to be a whitelist system for authorized devices, i.e. those that are using full disk encryption with an approved application and keys, or those used by authorized technical personnel
-- The centrally managed full disc encryption suite and its compliance management itself are out of scope
* It probably has to be able to capture the activity performed with the unauthorized devices. User/time/filename/filesize at least are mandatory information.
If someone really did this like 5 years ago I am really stunned that the project isn't widely known. I searched sf.net and came out with nothing actually useful.
From the summary:
flash drives, jump drives, or thumb drives
To quote the borg queen: You imply disparity where none exists.
It's keeping some of the users who shouldn't be on a computer in the first place from mucking it up with stuff they copied from their home systems. The biggest problem of a large installation is the users who think it's a great idea to try to install hacked software they downloaded from TPB, or that it's OK to try to load NES roms that they found somewhere. These are the kind of people who don't even scan the stuff they download on their own systems, and then they install it on a government system without a second thought.
Is our government's most important and highly funded intelligence agency using Microsoft operating systems and Windows networking? Really? After DARPA came up with a secure networking system now recognized as THE INTERNET... and the obvious security benefits of ANY *NIX system over Wintendo... REALLY? Meanwhile the Chinese are working on their own *NIX system to remove the need for Wintendo and Microsoft licensing fees from their entire way of life, and we are letting a company run by Steve "BumbleFuck" Ballmer support the operating system for the NSA's computers? Have none of them ever run Windows at home? Wow... All I gotta say is learn your Mandarin.