Slashdot Mirror


NSA Develops USB Storage Device Detector

Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."
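The after-the-fact reporting the summary describes (which storage devices have been connected, reconstructed from host records) has a Linux counterpart in the kernel log. The following is an added example, not the NSA tool and not code from the article: it scans kern.log or `journalctl -k` output and prints one record per device that usb-storage claimed, with vendor/product IDs, descriptor strings and serial, while keyboards and other non-storage devices that also announce themselves are left out. The sample log lines embedded at the bottom are constructed.

```shell
#!/bin/sh
# Added example: retrospective USB mass-storage history from kernel log text.
# Input on stdin; output per storage device:
#   timestamp|port|idVendor:idProduct|manufacturer|product|serial
usb_storage_history() {
    awk '
    # Value that follows key on this line, cut at the next comma, or "-".
    function grab(s, key,   i, r) {
        i = index(s, key)
        if (!i) return "-"
        r = substr(s, i + length(key))
        sub(/,.*$/, "", r)
        sub(/[ \t]+$/, "", r)
        return r == "" ? "-" : r
    }
    # Port path ("1-1", "1-1.3") from "usb 1-1:" or "usb-storage 1-1:1.0:".
    function port(s,   r) {
        if (!match(s, /usb[-a-z]* [0-9][0-9.-]*:/)) return ""
        r = substr(s, RSTART, RLENGTH)
        sub(/^[^ ]* /, "", r)
        sub(/:.*/, "", r)
        return r
    }
    # Syslog timestamp ("Apr 13 21:25:40"), or "-" for bare dmesg output.
    function stamp(s) {
        if (!index(s, " kernel:")) return "-"
        sub(/ [^ ]* kernel:.*/, "", s)
        return s
    }
    # Every device, storage or not, starts with this line: open a record per port.
    /New USB device found/ {
        p = port($0); if (p == "") next
        ts[p] = stamp($0)
        vid[p] = grab($0, "idVendor="); pid[p] = grab($0, "idProduct=")
        mfr[p] = prod[p] = ser[p] = "-"
        next
    }
    /Manufacturer: / { p = port($0); if (p in vid) mfr[p]  = grab($0, "Manufacturer: "); next }
    /Product: /      { p = port($0); if (p in vid) prod[p] = grab($0, "Product: "); next }
    /SerialNumber: / { p = port($0); if (p in vid) ser[p]  = grab($0, "SerialNumber: "); next }
    # Only devices claimed by usb-storage are reported; a keyboard never gets here.
    /USB Mass Storage device detected/ {
        p = port($0); if (!(p in vid)) next
        printf "%s|%s|%s:%s|%s|%s|%s\n", ts[p], p, vid[p], pid[p], mfr[p], prod[p], ser[p]
        delete vid[p]
    }'
}

# Constructed sample: a keyboard on port 1-1.2 (never reported) and a flash
# drive on 1-1.3 (reported once usb-storage claims it).
SAMPLE_KERN_LOG='Apr 13 21:23:01 ws01 kernel: usb 1-1.2: New USB device found, idVendor=1111, idProduct=2222
Apr 13 21:23:01 ws01 kernel: usb 1-1.2: Product: Example Keyboard
Apr 13 21:25:40 ws01 kernel: usb 1-1.3: New USB device found, idVendor=3333, idProduct=4444
Apr 13 21:25:40 ws01 kernel: usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Apr 13 21:25:40 ws01 kernel: usb 1-1.3: Product: Example Flash Drive
Apr 13 21:25:40 ws01 kernel: usb 1-1.3: Manufacturer: ExampleCorp
Apr 13 21:25:40 ws01 kernel: usb 1-1.3: SerialNumber: SN0000TEST
Apr 13 21:25:40 ws01 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected'

usb_storage_history_demo() {
    printf '%s\n' "$SAMPLE_KERN_LOG" | usb_storage_history
}

case "${1:-}" in
    --demo) usb_storage_history_demo ;;       # run the constructed sample
    -)      usb_storage_history ;;            # journalctl -k | sh usb-history.sh -
    "")     ;;                                # no argument: only define the functions
    *)      usb_storage_history < "$1" ;;     # sh usb-history.sh /var/log/kern.log
esac
```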

43 of 233 comments

  1. Wow. by jgreco · · Score: 4, Funny

    Wow. Clever. Nobody ever thought of that before.

    1. Re:Wow. by Itninja · · Score: 4, Insightful

      No kidding. I seem to remember using some open-source utility that did exactly this like 5 years ago.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Wow. by BJ_Covert_Action · · Score: 2

      Seriously, I just dropped Puppy Linux on an old laptop of mine and one of the first packages I installed, that was freely available in the repositories, did exactly this. Hell, I could pipe the output from that utility into a perl script that popped up a big red box on the network admin's display if the state changes.

      For that matter, you could probably homebrew a shell script that monitors the /dev files on your systems and reports usb usage. I like how some of our tax dollars fund bloated agencies to come up with solutions that unshaven hackers in their mom's basements figured out years ago.

    3. Re:Wow. by Anonymous Coward · · Score: 5, Insightful

      I like how some of our tax dollars fund bloated agencies to come up with solutions that unshaven hackers in their mom's basements figured out years ago.

      Because clearly the NSA started numbering this program at 3.0 just for the hell of it.

    4. Re:Wow. by Darkinspiration · · Score: 2, Insightful

      Because they want to integrate it with their security suite or their logging solution, because they have over 9000 machines using it. If they want to spend the budget they could buy fancy new chairs instead of wasting programmer and consulting time coding an app. Don't forget that government is big and app deployment, monitoring and security is not free.

    5. Re:Wow. by somenickname · · Score: 2, Interesting

      $ ls -l /etc/udev/rules.d/99-mail-on-usb.rules
      -rwxr-xr-x 1 root root 159 2010-04-13 21:23 /etc/udev/rules.d/99-mail-on-usb.rules
      $ cat /etc/udev/rules.d/99-mail-on-usb.rules
      ACTION=="add",SUBSYSTEMS=="usb",RUN+="/bin/sh -c 'who | mail root -s Insert'"
      ACTION=="remove",SUBSYSTEMS=="usb",RUN+="/bin/sh -c 'who | mail root -s Remove'"

      That's my version 1.0 and took almost 30 seconds to create. I don't live in my mom's basement though. :(

  2. Arms race anyone? by TheCarp · · Score: 3, Insightful

    "USB Detect detects the use of removable drives"
    "Shadow Drive evades detection by the following products"
    "Latest USB Detect detects Shadow Drive use!"
    "New ShadowDrive 2.0!"

    Shit, the parent company of both products could make a killing! Hey wait a minute, is this another lame
    attempt to bring money in off the books for illegal ops?

    -Steve

    --
    "I opened my eyes, and everything went dark again"
    1. Re:Arms race anyone? by swanzilla · · Score: 5, Funny

      "USB Detect detects the use of removable drives" "Shadow Drive evades detection by the following products" "Latest USB Detect detects Shadow Drive use!" "New ShadowDrive 2.0!"

      A strange game. The only winning move is not to boot Windows.

    2. Re:Arms race anyone? by fuzzyfuzzyfungus · · Score: 5, Interesting

      It'll be a pretty short race, for all but a fairly dedicated hard-core.

      In order for the USB device to do anything, the host OS has to load the appropriate driver. Until it does so, you aren't getting anything other than 100mA at 5V (higher amperages quite possible, depending on the situation).

      Getting the OS to load a driver without noticing that it has loaded a driver (and without the benefit of exploit code, since you don't get to access that until the drive is mounted) would be quite a trick. Assuming this monitoring software isn't completely braindead, the fact that a USB mass storage device has been inserted, along with any interesting ID strings, will already have been sent to a monitoring server before your filesystem is even mounted. Any tampering you do at that point will just introduce suspicious discrepancies.

      Now, there is (for instance, I'm sure the suitably creative can think of others) nothing stopping a truly dedicated exfiltrator from obtaining the USB device and vendor IDs and so forth for the brand of keyboard used at that particular establishment, then building a USB device (using one of the common and inexpensive USB-capable microcontrollers) that presents exactly those IDs, and is thus detected as a USB-HID keyboard, rather than a USB-MSC device. They could then use the fact that the keyboard LEDs are under software control as a method of getting data off the system. At least on a Unix-like, anybody with some basic script-fu could probably be piping arbitrary files off the system with xset led in about 10 minutes. Your custom USB device would have a slab of flash, which it would fill according to the LED commands it received. I don't know if there is anything equivalent on Windows.

      Using tricks like that, you could probably get something of an arms race going (though, still, anything that involves doing suspicious program/script execution is going to get your ass busted in any reasonably paranoid environment); but for USB MSC stuff, it is only the pure apathy of the administration, or the fact that they recognize that mass storage devices are extremely convenient and beloved by users, that lets you get away with it.

    3. Re:Arms race anyone? by tomhudson · · Score: 2, Informative

      A strange game. The only winning move is not to boot Windows.

      Or plug it in before booting ... since it detects drives as they are plugged in and unplugged.

      Or boot linux off it, and load Windows in a vm if you really really need windows.

    4. Re:Arms race anyone? by History's+Coming+To · · Score: 4, Insightful

      Or tinker with a soldering iron and $20 of components so a big flashing light goes off as soon as a USB device is detected? Or monitor the power supply on the motherboard (software independent)? Or do what my workplace does... if you're that worried, don't have USB ports or fill them with epoxy and/or physically cut the connections.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    5. Re:Arms race anyone? by ArsonSmith · · Score: 2, Interesting

      Boot from USB drive with hypervisor that then boots the standard OS. Hypervisor presents the USB as a real hard drive or some other read/write non-removable device.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    6. Re:Arms race anyone? by Rantastic · · Score: 2, Interesting

      Why not just do what we did? Create some udev rules so that anytime someone inserts a USB, instead of mounting it, the system silently logs the event and sends an alert. As far as the user can tell, the USB key just won't mount. And no, the users do not have root access to change this.

      With some clever udev rules and a shell script, you can even record the make, model, and serial number of the USB key that was inserted.

      --
      Ask Slashdot: Where bad ideas meet poor googling skills.
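The udev approach in this reply, and somenickname's mail-on-insert rules earlier in the thread, carried one step further as an added example (not code from either poster): the rule keeps udisks from automounting the device, and the handler records vendor, model and serial from the properties udev exports, checks the serial against an allowlist, and alerts on anything unknown. The rule file path, the script path and the allowlist path are assumptions.

```shell
#!/bin/sh
# Added example: a udev RUN handler for USB block devices.  Assumed paths:
#   /etc/udev/rules.d/99-usb-audit.rules  (rule file, hypothetical)
#   /usr/local/sbin/usb-audit.sh          (this script, hypothetical)
#   /etc/usb-audit/allowed-serials        (allowlist, one serial per line, hypothetical)
#
# Rule (a single line in the rule file):
#   ACTION=="add|remove", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="usb", \
#     ENV{UDISKS_IGNORE}="1", RUN+="/usr/local/sbin/usb-audit.sh"
#
# ENV{UDISKS_IGNORE}="1" makes udisks2 leave the disk alone, so nothing
# automounts it; udev still runs this script with ACTION, DEVNAME and the
# ID_* properties (vendor, model, serial) in its environment.

ALLOWLIST=${USB_AUDIT_ALLOWLIST:-/etc/usb-audit/allowed-serials}

# One fixed-column log line built from the udev environment.  Properties udev
# did not supply become "-" so downstream parsers always see the same columns.
usb_audit_record() {
    printf 'usb-audit action=%s dev=%s vendor=%s model=%s serial=%s\n' \
        "${ACTION:--}" "${DEVNAME:--}" "${ID_VENDOR:--}" \
        "${ID_MODEL:--}" "${ID_SERIAL_SHORT:--}"
}

# usb_serial_allowed SERIAL FILE: succeed only if SERIAL appears verbatim in
# FILE (blank lines and # comments ignored).  A missing serial never matches:
# a device that presents no serial is exactly the kind to alert on.
usb_serial_allowed() {
    serial=$1
    file=$2
    [ -n "$serial" ] && [ "$serial" != "-" ] || return 1
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | grep -qxF -- "$serial"
}

# Print the record with a verdict appended; return 0 for an allowlisted
# device and 1 for anything else, so the caller decides how loudly to alert.
usb_audit_verdict() {
    rec=$(usb_audit_record)
    if usb_serial_allowed "${ID_SERIAL_SHORT:-}" "$ALLOWLIST"; then
        printf '%s verdict=allowed\n' "$rec"
        return 0
    fi
    printf '%s verdict=ALERT\n' "$rec"
    return 1
}

# Entry point when udev invokes the script (ACTION is set).  Allowed devices
# are merely logged; unknown ones also go to auth.warning and to root's mail,
# in the spirit of the mail-on-insert rules above.
if [ -n "${ACTION:-}" ]; then
    if line=$(usb_audit_verdict); then
        logger -t usb-audit -- "$line"
    else
        logger -p auth.warning -t usb-audit -- "$line"
        printf '%s\n' "$line" | mail -s "USB storage event on $(hostname)" root
    fi
fi
```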
    7. Re:Arms race anyone? by tomhudson · · Score: 3, Insightful

      ...if you're that worried, don't have USB ports or fill them with epoxy and/or physically cut the connections.

      It must suck to be stuck using that old dot-matrix printer hanging off the Centronics parallel port. And that serial mouse - a null-modem cable will let me suck the data out of your box just fine. That old-style keyboard plug? Hate to have to buy a new keyboard ... and not be able to plug it in.

    8. Re:Arms race anyone? by networkBoy · · Score: 2, Informative

      Or you can actually get data off the PS/2 keyboard port if you really need to. You can send two bits with parity per transaction just by usage of the caps/num/scroll lock LEDs.

      Might be a bit slow, but certainly is an interesting sideband attack...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:Arms race anyone? by fuzzyfuzzyfungus · · Score: 2, Interesting

      I would sincerely hope (though, if "thumb drives connected to a network" is anything other than clueless journalist distortion, that hope may be unjustified) that the network in any NSA building would refuse to talk to an unknown device, and probably ping somebody angry to come and take a look. 802.1X is kind of a pain, so I can understand why lots of low security wired LANs aren't doing it; but I'd hope that the NSA would suck it up and do it right.

      If they aren't, in fact, doing it right (and quite possibly even if they are), I'd take a look at the printers. Your modern workgroup printer is generally a powerful beast, running some embedded OS on a fairly serious little board (half dozen services listening on various ports, if nobody shut them off, sometimes with multiple authentication mechanisms, one of which somebody always forgets to set. If it's a multifunction printer/scanner unit, you might even find a hard drive full of the last few hundred scans...) If you are dealing with the competent-but-fatally-Windows-centric, a printer makes an excellent target. It is supposed to be there, so the network guys won't catch you trivially; but it doesn't respond to Group Policy, so the Microsofties won't even think about it.

      (That said, the NSLU2 is a great toy. Arguably obsolete now that you can get a SheevaPlug with a hell of a lot more RAM and some extra peripherals for the same money; but if you can do it in debian ARM and 32MB of RAM, the NSLU2 is great.)

    10. Re:Arms race anyone? by Minwee · · Score: 2, Informative

      It must suck to be stuck using that old dot-matrix printer hanging off the Centronics parallel port.

      Actually the printers are plugged in to _ethernet_ ports. On network switches, where their MAC addresses have been registered to prevent gangs of street kids from sneaking in their own bulky laser printers and connecting them to the office network because that's the kind of thing that they do now.

      a null-modem cable will let me suck the data out of your box just fine

      Not when the serial port has been disabled in the BIOS, and the BIOS locked with an unremovable admin password. You can suck on your null-modem cable all you want, but you're not going to get anything but chapped lips.

      And that serial mouse [...] That old-style keyboard plug? Hate to have to buy a new keyboard ... and not be able to plug it in.

      The keyboard and mouse are connected to the USB ports on the back of the case, inside the wire cage where users can't get at them. If it's a notebook computer then they're built in and don't need to plug in anywhere. People have thought of this kind of thing before, you know. It's not a new concept that just popped up today on Slashdot.

    11. Re:Arms race anyone? by tomhudson · · Score: 3, Interesting

      It's trivial to re-enable a serial port that has been disabled in the BIOS. You can use debug to write to the BIOS data area under Windows, or you can write a small program to do it for you. I used to reassign serial ports on the fly that way - 4 ports and 2 interrupts is not a good situation, but 4 ports and 1 shared interrupt IS good.

      Your "BIOS blocked with an unremovable admin password" is also bs - while you sometimes have to open the cover and short out a couple of pins for a few seconds, sometimes it's possible to do it entirely in software as well - but you miss the point - the BIOS is read at startup, but I can monkey with it as much as I want afterwards.

      Also, serial cards are cheap. So are ethernet cards. So plug all the ports you want with epoxy, and people will still get the data out. Or they can just take a picture with their cell phone.

      The keyboard and mouse are connected to the USB ports on the back of the case, inside the wire cage where users can't get at them. If it's a notebook computer then they're built in and don't need to plug in anywhere. People have thought of this kind of thing before, you know. It's not a new concept that just popped up today on Slashdot.

      ... and a pair of wire cutters fixes that. snip, splice, done. Or just take the keyboard apart and the wires are nicely exposed (if you've ever tried to wash a keyboard, you've taken it apart to see how munged up you ended up making it, so you know the wiring is dead simple where it connects).

      A notebook - even if you plug all the usb AND the card reader, my mini philips screwdriver will have the hd out in seconds - it's a LOT easier to remove and replace than a desktop. I'll also reconnect the wireless (it's just one wire, after all, and nowadays even if you rip it out it's field-serviceable and replacements are cheap). Pop the hd into the second drive bay on my laptop, make an image of it with dd, and I'm good :-)

      If someone has physical access, you cannot stop them from getting the data if they really want it.

  3. 3.0? by Itninja · · Score: 2, Insightful

    "The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool"
    So if this is 3.0, can I assume they have had the tool for some time? Why are they bothering to tell anyone at this point?

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:3.0? by Hognoxious · · Score: 3, Funny

      They're actually running version 4.0, but don't tell anyo!7*0 ,.;
      lno carrier

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:3.0? by CorporateSuit · · Score: 2, Insightful

      So if this is 3.0, can I assume they have had the tool for some time? Why are they bothering to tell anyone at this point?

      Check out the comments on this article. They just need a quick dredger to go through and find out what additional security measures need to be programmed into 4.0. No need to do their own research, since they have a million know-it-alls at slashdot happy to tell them how they'd hack the NSA if they were to do it via thumbdrive.

      --
      I am the richest astronaut ever to win the superbowl.
  4. Too easy to circumvent by dave562 · · Score: 3, Insightful

    It relies on information from the OS. The OS is too easy to circumvent. For example, it doesn't report on whether or not the system has been booted from a USB device. Given that they are the NSA, maybe they have the luxury of making the assumption that USB boot is disabled and the BIOS is password protected?

    1. Re:Too easy to circumvent by fatalwall · · Score: 2, Interesting

      I looked into making a viable product like this a while back. You run into too many issues.

      First you have to set up the BIOS on all machines to prevent booting off any device other than the hard disk.

      Then you have to password the BIOS.

      Then you need to put a physical lock on the computer to prevent someone from opening the case and resetting the BIOS.

      If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you need USB drives?

      Your best bet is controlling the hardware. Making sure the machines do not have USB ports or CD-ROMs. If you can't get them without the USB port then you could insert locks into them of some sort that to remove requires specialized equipment and a code.

    2. Re:Too easy to circumvent by Bakkster · · Score: 3, Interesting

      If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you need USB drives?

      This is almost certainly aimed at preventing classified information leaks. Machines with classified information are not connected to any network containing unclassified machines, and definitely not the internet. Even if it were connected, sending that e-mail leaves a record of the transmission, meaning the spy can be easily identified.

      USB drives are the most likely way to get info off a classified machine, which is precisely why they're forbidden. There is no legitimate occasion where a USB drive is needed in this case.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
  5. Impervious by blair1q · · Score: 2, Insightful

    ...because the Windows Registry is a secure source of information...

  6. Useless Tool... by Manip · · Score: 4, Informative

    Since you can set the security policy on a domain to ban USB and External devices, and since you can also unplug a machine from the network this tool seems to serve little to no real world purpose. It might inform you after the fact if a device has been plugged in or heck even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.

    Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.

    1. Re:Useless Tool... by ironicsky · · Score: 5, Informative

      Agreed. You can either change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and/or deny anyone who is not an admin access to the following files in the NTFS %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf and they won't be able to mount a USB drive... Password protect the BIOS and disable the USB storage there too.

      Of course this only works for Windows; Linux users and Mac users can simply be denied access to the device chain in /dev/

    2. Re:Useless Tool... by captaindomon · · Score: 3, Interesting

      That's not the point. The reason for this software is to add one more layer of security to an already extremely secure network, and mostly to detect friendly accidental use by tech-clueless intelligence analysts (yes, most intelligence analysts are experts on geopolitics or military tactics and not Windows). This is not designed to prevent true espionage attacks by insiders who are technology experts, there are a lot of other layers of security for that.

      --
      Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    3. Re:Useless Tool... by fatalwall · · Score: 2, Informative

      Password protecting the BIOS does nothing unless you put a lock on the computer case. Password resets are really easy to do on a BIOS.

    4. Re:Useless Tool... by IndustrialComplex · · Score: 3, Interesting

      Well, since they are in the espionage business, maybe they want to trap whomever does it by making it possible to mount the drive but triggering a silent alarm.

      Not quite, the NSA can really be seen as two groups. The Data Processing NSA and the Anti-Network-Intrusion/Espionage & Policy NSA. But you are correct that they probably want the ability to determine and track before simply blocking all access.

      I'm quite sure on the computer I'm at right now I could go hog-wild and do all sorts of things. Things that would be logged and flag my account/use as one to watch.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    5. Re:Useless Tool... by Bacon+Bits · · Score: 3, Informative

      I tested this extensively on WinXP SP2 for a hospital worried about HIPAA. These methods only work if the UsbStor key hasn't already been created. Once it's there you can keep plugging devices in and they will all install normally (new or old).

      Under Vista and 7 there's supposed to be a new Group Policy that will prevent USB drives, but I'm not sure how it works.

      --
      The road to tyranny has always been paved with claims of necessity.
  7. Meeeeliionnns by codepunk · · Score: 4, Funny

    5 or so meeeliionnns of well spent money....our brilliant govt at work.

    --
    Got Code?
  8. This post... by danwesnor · · Score: 3, Informative

    ... is bait meant to lure out Slashdotters who can't be bothered to RTFA. The article does not mention anything about how the device works. The mention of the registry comes from a footnote in a DHS report (you know, the guys who can't find bombs if they're in your underwear). It is not sourced, and most likely an assumption since the NSA isn't in the habit of telling anybody how their $#!+ works.

  9. Re:Why only USB? by fuzzyfuzzyfungus · · Score: 3, Interesting

    If anything, USB is less dangerous because it is less capable. Firewire can do DMA. Which, unless you are on modern, high-end hardware (where the IOMMU will stop you) or on a 64 bit system (where the fact that Firewire DMA is only 32 bit will limit you some), means a malicious firewire device can snarf or modify your memory space at its pleasure.

    USB just makes it easy to copy files off the system (assuming your environment hasn't already disabled that). Most modern corporate-issue computers let you shut off USB ports at the BIOS level, if you want, and you can block the loading of Mass Storage drivers or the mounting of unauthorized filesystems in any modern OS.

  10. Everyone is missing the point here... by vrmlguy · · Score: 2, Interesting

    If you work for the government and you want to get a co-worker in trouble, go buy an iPod and plug it into his computer whenever he's away from his desk. The next time there's a security audit, he'll be taken to some windowless office, denying everything and not being believed.

    --
    Nothing for 6-digit uids?
  11. Re:Why only USB? by PhxBlue · · Score: 4, Insightful

    Because DOD got pwned back in November 2008 when some schmuck used a thumbdrive to transfer files between the NIPR and SIPR networks, and they still haven't figured out how to fix the vulnerability.

    --
    !#@%*)anks for hanging up the phone, dear.
  12. Yeah, I wrote one of those once. by gestalt_n_pepper · · Score: 3, Insightful

    Management eventually figured out that if you couldn't trust the guys you hired, you were screwed from go. More effective to treat your employees fairly in the first place. We stopped installing the service on new machines.

    Fun to write though.

    --
    Please do not read this sig. Thank you.
  13. -1 Troll by c++0xFF · · Score: 2, Insightful

    Oh, please. Like nobody else has ever created duplicate software before.

    Yes, there are probably other utilities that do this. Maybe the NSA was unaware of them. Maybe they were incompatible with their legacy tools or infrastructure. Maybe they didn't do what the NSA needed.

    And even then, sometimes it's worth a rewrite, just to make things better.

  14. +1 Insightful by Itninja · · Score: 2, Informative

    Indeed. It's even more irritating when you see it in action. I used to work a half-block away from the County seat building in a decent sized city in WA State. Every year we would see a lot of County employees milling around our building after they would normally have gone home. Once I asked one of them about it and he said they had to 'meet their annual overtime budget' or they would lose it the next year. So they just 'made' overtime once a year. Tax dollars at work.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  15. Re:If you have physical access to a machine... by pclminion · · Score: 3, Insightful

    The intent here is to make it more difficult for insiders to surreptitiously export data without going through proper security controls. This kind of argument always puzzles me. It's like you're saying that because there is no perfect security, we should therefore do nothing.

    In a locked-down environment, a user with physical access to a machine may still have difficulty exporting large gobs of data. Transfer over the network may be difficult, and certainly is monitored. Data can be printed out, but this requires a printer, and a way to smuggle paper out of the facility without suspicion. A cell phone with a camera could be used to photograph a computer screen, but this is very low-bandwidth, and certainly looks strange to anyone happening to observe. A USB stick is easily hidden, easily plugged and unplugged, and can have a very large capacity. It's an important vector of attack.

    Even without malicious intent, a user might decide for some reason that transferring data via USB stick is more convenient than another method. They may have good intentions, but the data still leaks onto the USB stick and you lose control over it. Just because something could be defeated doesn't make it worthwhile. And software which monitors connected machines for insertion/removal of media is not exactly hard to design. It doesn't cost you a billion dollars.

  16. Re:Why only USB? by PhxBlue · · Score: 2, Interesting

    Yeah? Where's the OPSEC problem here? I didn't disclose specific details about how the network was compromised. Moreover, the incident took place 30 months ago, and it was strictly against regulations even then to use thumbdrives on the SIPRNet.

    I'm all for OPSEC, but it shouldn't be used as a cover for someone's moronic behavior.

    --
    !#@%*)anks for hanging up the phone, dear.
  17. Re:Flaw? by tomhudson · · Score: 2, Informative

    "I sense the force has a strong hold on this one, master!"

    When will you slashtards realize that OS X is way less locked down than windows?

    I see the Steve Jobs Reality Distortion Field claims another victim. Call me when I can buy a copy and install it on the hardware of my choice without Apple claiming I'm violating their license, even though I bought a full retail copy off the shelf.

    Apple OSX is even more locked in than Microsoft Windows. Get over it, or I'll throw another chair at you!

  18. USB != 100% of Removable Media by davecason · · Score: 2, Informative

    The government forgot iSCSI, Firewire, and eSATA? Really? And, unless they have locked down new hardware discovery, you could add these in with a PC Card or Express Card slot on any laptop. iSCSI only requires a source system and rights to set up the drive. Even easier: map a network share on an unmanaged asset that you brought along to take advantage of DHCP.

    And you don't need any magic or special software to trap a drive connection event, just use WMI. It works for any drive type: just listen for a drive connection event... like ten lines of code, max. You could set up an agent or script to watch for these on any Windows computer with almost zero effort... you could even do it remotely with the proper rights.

    Plenty of vendors have software to help, too. Off the top of my head, McAfee, Symantec, and Cisco all have something. The catalog of features they offer attempts to manage the DLP idea a little more completely than any one USB drive solution... although I admit none of the vendors have it absolutely right yet.

    I will ask a question I always ask about something like this: What's the goal? If it is Data Loss Prevention (DLP) then I believe they have failed. If it is to prevent virus installations then they could start with disabling autorun.inf and supplementing that effort with a little drive connection detection using WMI.