Slashdot Mirror
Military Bans Removable Media After WikiLeaks Disclosures
cgriffin21 writes "The Pentagon is taking matters into its own hands to prevent the occurrence of another WikiLeaks breach with removable media ban, preventing soldiers from using USB sticks, CDs or DVDs on any systems or servers. The directive prohibiting removable media followed the recent publication of more than 250,000 diplomatic cables, which were leaked to whistleblower Web site WikiLeaks at the end of last month by a military insider."
barn
Equine Mammals Are Considerably Smaller
Thank god they didn't ban floppy disks.
I knew these bad boys would come in handy one day!
liqbase
This applies to SIPRNET machines, and specifically personal CDs, DVD, etc. The thing is, this has always been the rule. At least everywhere I've worked with SIPRNET access (Air Force).
If you want news from today, you have to come back tomorrow.
It is really hard to ban removable media given that you can attach a phone and it becomes a USB drive.
Using Windows Terminal Server, or Aqua Connect on the Mac
you can prevent anyone from using a USB device, as the data will be on a server, presumably locked away from users.
Fight Spammers!
It's used to be the case that some companies would squirt epoxy into the USB ports on devices - Doesn't really work any more as many devices no longer have PS2 mouse and keyboard ports.
According to TFA (which I just read) it WAS part of policy (after a bunch of worms) then it got dropped because it was hard to move data around (duh) and now it's back again with the acknowledgment that it's going to be harder to move data around. (duh).
So I still don't get it - somebody finds something on SIPRNET. The copy it to a USB drive and give it to somebody else off the secured network, then plug it back into the 'secured' network again next week when the newest bunch of porn shows up? Sounds most secure.
Maybe they just ought tweet everything. At least the 140 character limit should slow people down a bit.
Faster! Faster! Faster would be better!
I've worked in classified areas in aerospace, and USBs have been disabled since the first USB equipped PCs showed up. In then early days I think they actually removed the USB interface chip. Now it's disabled in software.
Here's a little story from back when I was the "IT security guy" (they didn't want to shell out the wage for a CISO, I guess) of a large, very security conscious company.
Of course, no machine had USB ports or CD drives (not that CD drives could have allowed any software to leave the machine, but hey), nothing you could plug on parallel ports or serial ones, no floppy drives, no nothing. No way to plug anything into those machines that could remotely be used to transfer any data out of them.
But of course, some people are more important than others, and some people have privileges. Needed or not. One department head needed to be able to use USB drives. It was actually a fairly level headed person and he was quite security conscious, was aware of the risks and able to handle it, and given enough pressure on the CEO he was finally allowed to use USB drives. This was actually still a fairly acceptable move. It was necessary for him and did increase his ability to work well and efficiently, and he could handle the additional responsibility and the risk was manageable and low enough to be acceptable.
But then the invariable laws of the office privilege and status bullshittery set in. Because it is impossible that Department Head A gets something and Dufus B doesn't. I guess it's not hard to guess what happened next. Of course, all managers on this level had to be allowed to use USB drives, need them or not. And this was NOT acceptable anymore. Some of them were too dumb to actually plug an USB drive into their machine without causing a repair incident. But they had to get it, need it or not, but it's simply impossible that one of them gets a privilege and the others don't.
So do not fear, people. Sooner or later this rule will be softened up and erode away because some people will have to have "privileges". Without being able to handle them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The port may be universal; but the drivers aren't. Nor is automatically mounting a volume as r/w on insertion. Physical disabling is crude and only for the most absolutely paranoid of situations; but software based disabling of all but the really clever covert channel stuff should be relatively simple...
The Pentagon had to ban USB sticks, et al, internally after the biggest single security breach caused by a virus passed around and brought onto the secure SIPRNET within the Pentagon itself. It's unclear to me if the problem was the virus relaying secret information off the secure network, or what, but apparently it was labelled the single biggest security breach by the Pentagon and they're unlikely to be overplaying security holes.
Mind you, NASA has just released secret information into the public domain by selling hard drives known in advance to contain secret information. These are drives that FAILED in-house auditing for such stuff. And prior to that, disk drives containing blueprints for the current generation of super stealth fighters were sold by Lockheed-Martin to Iran. (And people think Wikileaks did bad stuff?!?!?!?! How the hell does a bunch of personal opinions compare with giving a terrorist-funding nation plans for the top US fighters? Internal to Iran, there's the possibility they will find a weakness. Think Death Star plans. Think the Stealth Fighter shot down in Serbia. Yes, the Serbians blew up one of America's best planes, and with a cruddy cheap missile at that. On an international level, the Russians will doubtless use the plans to improve on their own airfoils and may be able to exploit the design to improve on whatever shape-based stealth they've developed so far.)
Add to that that NASA servers have been hacked in the past to turn them into file-sharing sites. Which means that whatever classified files were in those exposed directories have been shared as well. Quite plausibly these files were protected by DES only, not triple DES or AES, as "commercially sensitive" data is classified below secret and certainly only used basic DES up until a couple of years before that breech was discovered.
Then, back in the 90s, there was a breech at the Pentagon due to computers containing classified information being on the public Internet and having .hosts files. (NASA used .hosts files and rsh well into the current millenium and may well still do so.)
That's four Bloody Obvious horses, with gold bridles and gem-encrusted saddles, that have walked out and were only noticed after they kicked the door down at the stablemaster's house. There may be others.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Has there ever been an explanation of what all the diplomatic traffic was doing going through the pentagon? Wouldn't separate channels, and perhaps distinct cryptology, whose individual security is checked and tested by the NSA be more secure in any-case?
In the aftermath of 9/11, lack of information sharing was cited as a critical flaw that allowed the attacks to happen. So they responded with information oversharing...
Don't tell me to get a life. I had one once. It sucked.
As someone who really was once an Intelligence officer, I'd like to point out that Bradley Manning was ranked Specialist 4, which is neither an NCO or commissioned rank. Until he made at least Sergeant, his need to know on anything besides possibly technical equipment specs was probably somewhere between nothing and Sgt. Schultz's "Nuuthink! Nuuthink!".
Who is John Cabal?
It's great that they finally figured out that letting employees write secret data to a storage device is a security risk, but are they also auditing outbound communication? Will they notice if an employee emails the data to his Gmail account? Or deposits it on some hacked server somewhere? Will they notice it if he uses steganography to hide it in other data?
Or maybe he'll use a program that converts the data to visible data that can be recorded by a camera (sure sure, cameras are against regulations, but stealing data is against regulations too...if he's a determined data thief, cameras can be hidden in all sorts of objects and body cavities). For example, a QR code can hold 4KB of alphanumeric data. If someone writes a program that displays 15 frames/second of QR encoded data and records it with a camera, that's 200MB of data every hour.
If he's patient, he can record it as a 2400 baud data stream and record it on his MP3 player - he can steal around 10MB/hour using this method.
Or maybe he can record it as a bit patter on a laser printer - if he can write at 100dpi reliably, thats around 100KB per piece of paper. If that can be stretched to 500dpi he'll get around 2MB per piece of paper, and will look like a grey piece of paper to the naked eye so security won't pay any attention "Oh that, it's scrap paper I'm taking home to my kids".
How will he get such a data theft program onto the computer? Simple -- if he can't download it off the internet (perhaps a "gif" that just needs the first 128 bytes stripped off to make it an executable), he can plug in a USB keyboard dongle that acts as a keyboard and then let it type in the program for him.
How secure *is* our secret data? Hopefully banning USB drives is just one layer and they are taking greater steps to securing who has access to such data.
The other possibility is that the whole institution will become increasingly paralyzed and unable to accomplish anything. Unlike a company, the armed forces can't actually go bankrupt. The USB ban and similar issues are already a problem for the Air Force.
The military slaughtered innocent people and covered it up. That was the reason for the leak, to shine a light on wrong doing. To prevent a future leak the military should also own up to it's mistakes and not cover up innocent accidental deaths in future. That would do more to prevent future leaks than any amount of security.
This action by the US Government is a clear win for Wikileaks. It is EXACTLY what Wikileaks intends for its targets to do. Wikileaks's clear publicly-stated goal is for secretive corporate and government "conspiracies" to react to leaking by restricting internal communications. http://zunguzungu.wordpress.com/2010/11/29/julian-assange-and-the-computer-conspiracy-%E2%80%9Cto-destroy-this-invisible-government%E2%80%9D/
Just under 1300 cables have been published; all 250,000 have most definitely NOT been published. They're being released in dribs and drabs. Source: http://213.251.145.96/cablegate.html
I worked in a defense contractor in 1989. Even back then we were forbidden to:
- bring a camera to work.
- have floppy drives working on any computer
- have printers connected to any PC - printouts had to be sent to a special room.
- use any kind of portable media (parallel port tape drives, etc).
Of course, all our systems were on a private network - no internet access at all. Part of my job was to introduce software and tools into the network when formally requested - lots of paperwork. That's how compilers and 3rd party libraries were brought inside.
IBM made desktops with locked sliders to prevent access to the floppy drives. I'd be shocked if those weren't still manufactured.
Anyway - this has been solved, just forgotten.
BTW, have you ever wondered why at least 1 Blackberry didn't have a camera? DoD users.
1. Your monitor is at 60 hz, so flash your text or encoded bits on the screen at 30fps, and record it with your iphone HD recorder. High quality mode, or use someother small HD camera that uses little compression.
2. Encode your documents into an audio streamed 6bit/sample with ECC. Hit play and record using your analgoue or no compression digital recorder via the Audio Out jack. This will require some small code in VB you can type in either by memory or from paper/iphone.
If you have a monitor or audio out jack, theres your output jacks.
Liberty freedom are no1, not dicks in suits.
But yeah, banning removable media is also good...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?