NSA Develops USB Storage Device Detector
Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."
Wow. Clever. Nobody ever thought of that before.
"USB Detect detects the use of removable drives"
"Shadow Drive evades detection by the following products"
"Latest USB Detect detects Shadow Drive use!"
"New ShadowDrive 2.0!"
Shit, the parent company of both products could make a killing! Hey wait a minute, is this another lame attempt to bring money in off the books for illegal ops?
-Steve
"I opened my eyes, and everything went dark again"
"The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool"
So if this is 3.0, can I assume they have had the tool for some time? Why are they bothering to tell anyone at this point?
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
It relies on information from the OS. The OS is too easy to circumvent. For example, it doesn't report on whether or not the system has been booted from a USB device. Given that they are the NSA, maybe they have the luxury of making the assumption that USB boot is disabled and the BIOS is password protected?
...because the Windows Registry is a secure source of information...
Won't it work with Linux or OSX? Or does the NSA run completely on -gulp- windows?
Since you can set the security policy on a domain to ban USB and External devices, and since you can also unplug a machine from the network this tool seems to serve little to no real world purpose. It might inform you after the fact if a device has been plugged in or heck even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.
Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.
Is there some weakness associated with USB that I'm not aware of? Shouldn't this instead be for all removable storage devices? What about Firewire flash/HD drives & et cetera?
So you're one of those "network is the computer" guys or you misread/didn't read either of the first two sentences of the summary... I'm gonna go with "didn't read" on this one.
Don't get me wrong, but this allows you to detect after the device has been and gone. Is this not a little late in finding this out? So exactly what security hole has it plugged? Though I guess it could prove possibly useful in a court, where you can then link the USB hardware ID and unique ID to a pen drive with sensitive information to prove what / when / where it plugged into.
5 or so meeeliionnns of well spent money....our brilliant govt at work.
Got Code?
Does this software only detect USB mass storage device (MSD) modules? A simple workaround would be to implement a USB-connected character device. You could simply dump a binary file via "cat" or some similar tool to the device, presto - data acquired. I would know this because I've built similar ones in the past while playing around with PICs.
At some of the more "security oriented" offices I've visited, the easiest way to prevent data from leaving the office was:
-implementing proper network security (blocked sites, restricted sent-to abilities for e-mail)
-customizing the Linux kernel for slim-boxes so there was next to no driver support for anything not already connected to the box
-disabling MSDs in the kernel altogether
The only other way (i.e. in the case of my little USB data logger) is to completely disable unused USB ports, etc. If you have the computing resources for it, you could just have most slim boxes log in to VMs that are pretty much locked down and oblivious to external H/W anyway. This approach seems to be useful for detecting attempts to make unauthorized copies of data, etc., but it seems far from a fool-proof way to prevent it.
The "geniuses" at the NSA couldn't even come up with a filter driver to detect the connection in real time (and block access)? I worked at a company years ago that had such a tool commercially available. Sweeping the registry is sort of "after the fact".
On Linux, you could control users' (not "root", but if they've got local "root" access ...) ability to mount USB/Firewire/... removable storage with a simple change to the udev rules.
And there are hundreds of ways to monitor/report on Windows activities as they happen.
---- Booth was a patriot ----
I suppose it's a coincidence that you posted that around lunch-time.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
... is bait meant to lure out Slashdotters who can't be bothered to RTFA. The article does not mention anything about how the device works. The mention of the registry comes from a footnote in a DHS report (you know, the guys who can't find bombs if they're in your underwear). It is not sourced, and most likely an assumption since the NSA isn't in the habit of telling anybody how their $#!+ works.
If you work for the government and you want to get a co-worker in trouble, go buy an iPod and plug it into his computer whenever he's away from his desk. The next time there's a security audit, he'll be taken to some windowless office, denying everything and not being believed.
Nothing for 6-digit uids?
Is that what the government is wasting our tax dollars on these days? Detecting thumbdrives on networks? Come on, it shouldn't take the NSA to come up with something like this. I'll bet money that somebody has already written a piece of software to do just this. Even if they haven't there are loads of ways within Windows to watch and report stuff like this. I guess if they could upgrade it to work remotely on computers outside a network it might be useful (and if and only if, it gives specific details on the media and extends to other types beyond USB), but I don't really see the point on a network.
My jumpdrive happily fits into that internet hole on the HP swatch thing... never could get it to read though.
(No... I really don't miss late 90's tech support)
The Geek in Black
I know my BCD's (when I'm Sober)
Well, I'm no expert, but at least since 2007 or so. Although if you were right, I'd have to admit that it's hard to detect a USB key without a USB port.
I prefer rogues to imbeciles because they sometimes take a rest.
Congrats NSA! Novell has been performing this miraculous feat of software wizardry for a few years now... http://www.novell.com/products/zenworks/endpointsecuritymanagement/
"All those moments, will be lost in time...like tears in rain..."
Halfway to completing the suite, and offering a tool to detect and READ USB storage devices on networks.
NSA is nothing if not ambitious. Good job, guys!
deleting the extra space after periods so i can stay relevant, yeah.
The security game has already been lost.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Um. esata? Firewire?
Management eventually figured out that if you couldn't trust the guys you hired, you were screwed from go. More effective to treat your employees fairly in the first place. We stopped installing the service on new machines.
Fun to write though.
Please do not read this sig. Thank you.
Some places fill the USB connectors with hot glue.
I prefer 3 inch drywall screws.
They're system agnostic...
Using Windows machines to hold Top Secret documents.
Oh, please. Like nobody else has ever created duplicate software before.
Yes, there are probably other utilities that do this. Maybe the NSA was unaware of them. Maybe they were incompatible with their legacy tools or infrastructure. Maybe they didn't do what the NSA needed.
And even then, sometimes it's worth a rewrite, just to make things better.
Use the VGA output and an A to D converter. If the system is running at 1280x1024, 24-bit color and 72 Hz, you can capture a bit over 2 GiBits/sec. Sure, you lose some speed using bits for error detection/correction, but you can turn the screen resolution up a little and it doesn't matter if the monitor can sync it. The hard part is installing a client program on the system to turn data into pixels. I'd use a keyboard simulator to input the binary into debug.exe, if it's still included with Windows. If not, there's notepad.
How is that different from group policy now?
(kick off usb storage drivers towards the stairwells, disable usb hubs)
I formatted it with a bootable Ubuntu installation image!
No sig for you!!
Indeed. It's even more irritating when you see it in action. I used to work a half-block away from the County seat building in a decent sized city in WA State. Every year we would see a lot of County employees milling around our building after they would normally have gone home. Once I asked one of them about it and he said they had to 'meet their annual overtime budget' or they would lose it the next year. So they just 'made' overtime once a year. Tax dollars at work.
Obligatory xkcd reference
http://xkcd.com/463/
But... the future refused to change.
The company I work for makes two different pieces of security/monitoring software that can both detect this.
It's not exactly a new thing...
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Method 1
0) Put on some gloves
1) Copy sensitive info from network onto the C: (maybe need to take screenshots)
2) Shut down the computer, unplug the network cable
3) Open the computer case
4) Reset the BIOS password (move the jumper on the motherboard)
5) Boot up the computer
6) Go into the BIOS
7) Configure the PC to boot off external device
8) Connect the external device then boot off it
9) Copy all the stuff from the C: to your removable microSD card.
10) Hide the microSD card inside your hollowed out nickel, put it up your butt, conceal it in your hair, badge, keychain, etc.
11) Reboot PC, clear the BIOS logs (if applicable), and reconnect network cable.
12) Change boot sequence back to how it used to be. Leave work.
13) Find some random open wireless network.
14) Upload data to Wikileaks
15) If anyone ever asks you why the BIOS password was reset, just say "BIOS? What's that?"
Method 2:
0) Bring the data up on the screen
1) Exploit the "analog hole" by taking screenshots with your 2M pixel spy pen you bought off ebay for $5 + $25 shipping.
2) Copy screenshots onto your laptop
3) Modify screenshots to remove any identifying information.
4) Find some random wireless network.
5) Upload data to Wikileaks.
I'd think anyone'd see the clear security flaw having one of those easily accessible...
The US mil has had many people walk out with their data in hard copy and digital form.
Their "John May Lives" moments.
Some have been low level, some from good trusted families.
Domestic spying is now "Benign Information Gathering"
The thing is, the software is useless to the NSA if they don't have full access to all of the source and no one else does. They have to make sure that there are no holes or security issues with the software, and they have to make sure no one else has access to the software source to find potential security holes.
The fact that this software exists isn't any big news....big whoop, it's not really any amazing feat that hasn't been done already. The fact that the NSA has software for this that is approved is big news. Security officers will let out a collective sigh of relief now as they don't have to worry about idiots trying to charge their cell phones/mp3 players via the USB port.
Wise men say, "Forgiveness is divine, but never pay full price for late pizza."
I could secure their entire network from USB thumb drives in a couple of hours with a flat-head screwdriver. This reminds me of the old story about NASA and the million dollar investment into pens that could write in a weightless environment while the soviets just used pencils.
Interesting. For years my computers have been telling me whenever I plug in a USB device. This little balloon in the lower right corner of the screen always pops up saying something like "Device detected." I guess the NSA has taken over my computer!
Not quite, but I've been able to use the registry in XP well enough to control USB devices by vendor ID, device class, and permissions etc, among a few more not to mentions. All it would take is a well written root kit, by oh say, Sony? and bingo, no detection. Further, I've done the proof of concept in setting the device as keyboard led, or some type of robotic device. And I'm not even a Sys Admin! I just read a book.
The company I currently work for implements a software solution akin to the one mentioned in the article (for security purposes). Another company that I am aware of simply used crazy glue in all the usb ports and headers.
Jaso
Version 3.0 in the name is probably not so new...
I guess they will have to have lobotomies each day before leaving work...
Tsukasa: All I really want, is to be left alone...
The government forgot iSCSI, Firewire, and eSATA? Really? And, unless they have locked down new hardware discovery, you could add these in with a PC Card or Express Card slot on any laptop. iSCSI only requires a source system and rights to set up the drive. Even easier: map a network share on an unmanaged asset that you brought along to take advantage of DHCP.
And you don't need any magic or special software to trap a drive connection event, just use WMI. It works for any drive type: just listen for a drive connection event... like ten lines of code, max. You could set up an agent or script to watch for these on any Windows computer with almost zero effort... you could even do it remotely with the proper rights.
Plenty of vendors have software to help, too. Off the top of my head, McAfee, Symantec, and Cisco all have something. The catalog of features they offer attempt to manage the DLP idea a little more completely any one USB drive solution... although I admit none of the vendors have it absolutely right yet.
I will ask a question I always ask about something like this: What's the goal? If it is Data Loss Prevention (DLP) then I believe they have failed. If it is to prevent virus installations then they could start with disabling autorun.inf and supplementing that effort with a little drive connection detection using WMI.
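The two detection approaches this thread argues about, as an added PowerShell example that is not part of the original thread or of USBDetect: a registry sweep of the USBSTOR enumeration keys (the "after the fact" data source the summary says the NSA tool reads) and the real-time WMI drive-arrival watch this comment describes. It assumes Windows PowerShell 5.1 run with administrative rights; the event-source name is a placeholder.

```powershell
# Added example (not from the article or the thread). Assumes Windows
# PowerShell 5.1 as an administrator. Source name 'UsbDetectExample' is a placeholder.

# 1) After-the-fact audit: every USB mass-storage device Windows has enumerated.
#    USBSTOR is the registry location the summary says the NSA tool mines.
function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $model = $_.PSChildName          # e.g. Disk&Ven_XXXX&Prod_YYYY&Rev_1.00
        Get-ChildItem $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Model        = $model
                InstanceId   = $_.PSChildName   # often the device serial number
                FriendlyName = $p.FriendlyName
            }
        }
    }
}

# 2) Real-time watch: Win32_VolumeChangeEvent, EventType 2 = device arrival.
#    Each arrival is written to the Application log so a central collector
#    (SIEM, WMI remote subscription, etc.) can pick it up.
if (-not [System.Diagnostics.EventLog]::SourceExists('UsbDetectExample')) {
    New-EventLog -LogName Application -Source 'UsbDetectExample'
}

$query = "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2"
Register-WmiEvent -Query $query -SourceIdentifier 'UsbArrival' -Action {
    $drive = $Event.SourceEventArgs.NewEvent.DriveName          # e.g. "E:"
    $when  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    # DriveType 2 = removable; 3 = fixed. Network mounts (the thread's iSCSI /
    # mapped-share point) show up as DriveType 4 and are also caught here.
    $vol = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $msg = "$when volume $drive arrived on $env:COMPUTERNAME " +
           "(DriveType=$($vol.DriveType), Size=$($vol.Size), FS=$($vol.FileSystem))"
    Write-Host $msg
    Write-EventLog -LogName Application -Source 'UsbDetectExample' `
        -EventId 1000 -EntryType Warning -Message $msg
} | Out-Null

# Print the historical list once at startup; the watcher keeps running.
Get-UsbStorageHistory | Format-Table -AutoSize
```

Stop the watcher with `Unregister-Event -SourceIdentifier UsbArrival`. As the thread notes, neither half sees a device the OS never enumerates (a machine booted from the stick, a non-MSD USB gadget), so this is detection, not prevention.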
It's keeping some of the users who shouldn't be on a computer in the first place from mucking it up with stuff they copied from their home systems. The biggest problem of a large installation is the users who think it's a great idea to try to install hacked software they downloaded from TPB, or that it's OK to try to load NES roms that they found somewhere. These are the kind of people who don't even scan the stuff they download on their own systems, and then they install it on a government system without a second thought.
You took a very simple idea (detecting USB) which can easily be cross-compiled for 32 and 64 bit using Microsoft's toolchain, and made it into a gigantic pile of crap, then dared someone to show it to you.
Most of that stuff is already in place, if they wanted it. Most business already have the reporting and alert infrastructure, so you just hook in to that and it takes care of everything you listed except for the 32/64 bit and MSI/SMS installation.
So, now we have a simple tool which has to plug in to an existing reporting and alert system, which explains why they wrote their own. They probably don't want to contact a vendor and give them an API into this thing, nor do they want to expose the API of their reporting thing, so they just write a simple app and the integration points with their configuration management database. Probably faster to do it that way than use whatever was available 5 years ago, and explains why they didn't use a COTS solution. Simple, yes?
And I forgot the most important part - half of your requirements aren't even required, since this queries remotely. It doesn't have to run on the client, doesn't have to be 32 and 64 bit, doesn't have to be deployable. It runs remotely and captures data through remote WMI queries. Most of the "Linux already has this" replies are client-side tools, not server-side like this one.