NSA Develops USB Storage Device Detector

Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."

Re:Arms race anyone?

[swanzilla]

"USB Detect detects the use of removable drives" "Shadow Drive evades detection by the following products" "Latest USB Detect detects Shadow Drive use!" "New ShadowDrive 2.0!"

A strange game. The only winning move is not to boot Windows.

Re:Useless Tool...

[ironicsky]

Agreed. You can either change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and/or deny anyone who is not an admin access to the following files in the NTFS %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf and they wont be able to mount a US drive... Password protect the bios and disable the USB storage there too.

Of course this only works for Windows, linux users and Mac users can simply be denied access to the device chain in /dev/

Re:Arms race anyone?

[fuzzyfuzzyfungus]

It'll be a pretty short race, for all but a fairly dedicated hard-core.

In order for the USB device to do anything, the host OS has to load the appropriate driver. Until it does so, you aren't getting anything other than 100ma at 5V(higher amperages quite possible, depending on the situation).

Getting the OS to load a driver without noticing that it has loaded a driver(and without the benefit of exploit code, since you don't get to access that until the drive is mounted) would be quite a trick. Assuming this monitoring software isn't completely braindead, the fact that a USB mass storage device has been inserted, along with any interesting ID strings, will have already be sent to a monitoring server before your filesystem is even mounted. Any tampering you do at that point will just introduce suspicious discrepancies.

Now, there is(for instance, I'm sure the suitably creative can think of others) nothing stopping a truly dedicated exfiltrator from obtaining the USB device and vendor IDs and so forth for the brand of keyboard used at that particular establishment, then building a USB device(using one of the common and inexpensive USB-capable microcontrollers) that presents exactly those IDs, and is thus detected as a USB-HID keyboard, rather than a USB-MSC device. They could then use the fact that the keyboard LEDs are under software control as a method of getting data off the system. At least on a unixlike, anybody with some basic script-fu could probably be piping arbitrary files off the system with xset led in about 10 minutes. Your custom USB device would have a slab of flash, which it would fill according to the LED commands it received. I don't know if there is anything equivalent on Windows.

Using tricks like that, you could probably get something of an arms race going(though, still, anything that involves doing suspicious program/script execution is going to get your ass busted in any reasonably paranoid environment); but for USB MSC stuff, it is only the pure apathy of the administration, or the fact that they recognize that mass storage devices are extremely convenient and beloved by users, that lets you get away with it.

Re:Wow.

I like how some of our tax dollars fund bloated agencies to come up with solutions that unshaven hackers in their mom's basements figured out years ago.

Because clearly the NSA started numbering this program at 3.0 just for the hell of it.