Military Bans Removable Media After WikiLeaks Disclosures

cgriffin21 writes "The Pentagon is taking matters into its own hands to prevent the occurrence of another WikiLeaks breach with removable media ban, preventing soldiers from using USB sticks, CDs or DVDs on any systems or servers. The directive prohibiting removable media followed the recent publication of more than 250,000 diplomatic cables, which were leaked to whistleblower Web site WikiLeaks at the end of last month by a military insider."

horse

[florescent_beige]

barn

Re:horse

[cytg.net]

Indeed.
I had a conversation with a high ranking officer a few years back who boldy calimed that their systems was 100% secure, nothing i could do.. When i explained my attack vector would be to phone in and pretend to be from support and ask him to stick in the usb-dongle (wich he had in his mail) and plug it into the secure line .. well he (or she) pretty much had a revelation ... omg is it that simple. no it is not. and yes it is. It is that simple to someone as hardcore to the art of data theft as you are to the art of war.

Re:horse

[DeadDecoy]

The problem is that security tends to be more of a human problem than a technical problem. A person can easily hide a usb stick somewhere on their person, and in the event that fails, take screenshots with a camera or write notes down. The first step is not to take away the usb stick, but to give the individual in question the training and incentive not to leak information in the first place. The training might include don't open any wierd attachments, browse to unauthorized sites, or use io devices from an unverified source. The incentives might include monitoring of sensitive material, legal repercussions, and, God-forbid, not implementing stupid policies that are morally questionable. Assenge noted in an interview that the purpose of Wikileaks wasn't to start a revolution but to make it easier for (morally)good companies to do business and to make it harder for (morally) bad companies to do business. The same could be said for government. Hire a trustworthy+competent staff don't be a jackass and you'll be less of a target, or at least implement fewer inane 'security' measures.

Re:horse

[jd]

The problem is not the decision, so much as that allowing insecure mechanisms (in violation of NSA Security Information notices, Common Criteria instructions for the levels required for secret information and Federal Information Processing Standards, I should add) was not only bloody stupid to begin with, it was in violation of US law regarding the handling of classified information.

Instead of prosecuting Manning, who at worst is guilty of far less than the Lockheed-Martin officials who publicly sold the plans for the current stealth fighters, one should ask why his actions were even possible in the first place. FIPS standards for secure platforms and NSA publications expressly prohibit the capability to transfer files to insecure formats. It is illegal, under US law, to install or use non-compliant systems for Government purposes. This means that giving Manning the computer violated US law. Do you see anyone charged with violating such US laws? I don't.

Re:horse

[Maxo-Texas]

And the next step is to not say "We are firmly for position X" in public while saying "We agree, we are against position X" in private.

The bald faced lies tend to make honest humans want to rat them out periodically.

Re:horse

[The+Snowman]

A person can easily hide a usb stick somewhere on their person, and in the event that fails, take screenshots with a camera or write notes down.

Removable media, cameras, or phones with cameras are not and have not been allowed in SCIFs for as long as I remember. Old fashioned paper and pencil is difficult to detect, as are meat memory devices.

The first step is not to take away the usb stick, but to give the individual in question the training and incentive not to leak information in the first place.

No, that does not work. You have to choose who you trust, which is why DSA performs investigations for all military personnel before granting clearances. Security managers interview personnel and ask questions, looking for warning signs. Someone could have a pristine history and list of contacts but still want to do harm: asking the right questions can tip off the people in charge of security. Also, as I saw on Dateline the other night with regards to corruption in the Iraqi police force, paying people a livable wage helps them not to betray you when given a carrot in the form of money, or the satisfaction of fucking with you (e.g. giving documents to Wikileaks).

Security is a tough business. The government needs tens of thousands of people in the intelligence community across all four branches of the military and civilians in various DOD organizations: people from all walks of life, all ages, ethnic groups, geographic locations, etc. No matter how careful they are, there will be leaks. Their goal is to detect internal threats early, and to minimize damage.

For example, when working in a classified environment, everyone is watching not only what they are doing, but keeping an eye on everyone else. Maybe someone left their SIPRNET terminal unlocked and left for the bathroom: probably just careless, but it is important to have coworkers keep an eye out for innocent errors and help correct them. Maybe someone really is trying to steal data: coworkers need to question that person why they are not following approved and document security procedures. Maybe there is a legitimate reason for putting data on removable media: couriers do exist even in the current era of high speed private networks such as SIPRNET.

Finally, by limiting the data each person has, a breach can be localized. For example, if an image analyst steals satellite imagery, odds are that person does not have access to lists of informants, even if it is classified at the same level. That lessens the impact of a leak.

The real failure with that kid that leaked to Wikileaks is the human factor: nobody paid attention, asking him why he was not following procedures. Someone gave him access to far more data than he needed to do his job. Forget the USB drive restrictions, the DOD needs to crack down on basic security training and protocol.

Revival of the floppy disk!

[LiquidCoooled]

Thank god they didn't ban floppy disks.

I knew these bad boys would come in handy one day!

Re:Nothing to see...

[bill_mcgonigle]

Back in the day when Microsoft was advertising Windows NT 3.51 was C2-certified, we looked into the docs and one of the requirements on whatever PS/2 it was that was certified was that the floppy disk drive be removed. And off the network.

The thing here is Manning brought a RW cd inside his CD player, and only then snuck it into his PC. Then, he snuck it out in his CD player. I suppose if he was smart he burned track 1 with music so he could 'prove' it was a music CD.

The problem here is that a random private in Iraq had access to State Department cables from (e.g.) Honduras. Need-to-know-basis isn't a new idea, this was a major FU by the governing security body.

Re:Nothing to see...

[fluffy99]

This applies to SIPRNET machines, and specifically personal CDs, DVD, etc. The thing is, this has always been the rule. At least everywhere I've worked with SIPRNET access (Air Force).

Close. It applies to SIPRNET and ALL removable media. If you have a legitimate requirement to use removable media it now must be authorized by your commanding officer in writing and you must have a procedure in place that uses two-person integrity.

Don't worry, it's never the "small guy's" machine

[Opportunist]

Here's a little story from back when I was the "IT security guy" (they didn't want to shell out the wage for a CISO, I guess) of a large, very security conscious company.

Of course, no machine had USB ports or CD drives (not that CD drives could have allowed any software to leave the machine, but hey), nothing you could plug on parallel ports or serial ones, no floppy drives, no nothing. No way to plug anything into those machines that could remotely be used to transfer any data out of them.

But of course, some people are more important than others, and some people have privileges. Needed or not. One department head needed to be able to use USB drives. It was actually a fairly level headed person and he was quite security conscious, was aware of the risks and able to handle it, and given enough pressure on the CEO he was finally allowed to use USB drives. This was actually still a fairly acceptable move. It was necessary for him and did increase his ability to work well and efficiently, and he could handle the additional responsibility and the risk was manageable and low enough to be acceptable.

But then the invariable laws of the office privilege and status bullshittery set in. Because it is impossible that Department Head A gets something and Dufus B doesn't. I guess it's not hard to guess what happened next. Of course, all managers on this level had to be allowed to use USB drives, need them or not. And this was NOT acceptable anymore. Some of them were too dumb to actually plug an USB drive into their machine without causing a repair incident. But they had to get it, need it or not, but it's simply impossible that one of them gets a privilege and the others don't.

So do not fear, people. Sooner or later this rule will be softened up and erode away because some people will have to have "privileges". Without being able to handle them.

Which horse?

[jd]

The Pentagon had to ban USB sticks, et al, internally after the biggest single security breach caused by a virus passed around and brought onto the secure SIPRNET within the Pentagon itself. It's unclear to me if the problem was the virus relaying secret information off the secure network, or what, but apparently it was labelled the single biggest security breach by the Pentagon and they're unlikely to be overplaying security holes.

Mind you, NASA has just released secret information into the public domain by selling hard drives known in advance to contain secret information. These are drives that FAILED in-house auditing for such stuff. And prior to that, disk drives containing blueprints for the current generation of super stealth fighters were sold by Lockheed-Martin to Iran. (And people think Wikileaks did bad stuff?!?!?!?! How the hell does a bunch of personal opinions compare with giving a terrorist-funding nation plans for the top US fighters? Internal to Iran, there's the possibility they will find a weakness. Think Death Star plans. Think the Stealth Fighter shot down in Serbia. Yes, the Serbians blew up one of America's best planes, and with a cruddy cheap missile at that. On an international level, the Russians will doubtless use the plans to improve on their own airfoils and may be able to exploit the design to improve on whatever shape-based stealth they've developed so far.)

Add to that that NASA servers have been hacked in the past to turn them into file-sharing sites. Which means that whatever classified files were in those exposed directories have been shared as well. Quite plausibly these files were protected by DES only, not triple DES or AES, as "commercially sensitive" data is classified below secret and certainly only used basic DES up until a couple of years before that breech was discovered.

Then, back in the 90s, there was a breech at the Pentagon due to computers containing classified information being on the public Internet and having .hosts files. (NASA used .hosts files and rsh well into the current millenium and may well still do so.)

That's four Bloody Obvious horses, with gold bridles and gem-encrusted saddles, that have walked out and were only noticed after they kicked the door down at the stablemaster's house. There may be others.

Re:Nothing to see...

[Facegarden]

...The problem here is that a random private in Iraq had access to State Department cables from (e.g.) Honduras. Need-to-know-basis isn't a new idea, this was a major FU by the governing security body.

Apparently the reason they did that was that the 9/11 commission said it was *too much* secrecy that left us unable to prevent 9/11. They said that if more people had seen all the little signs, it would have been more likely that someone spoke up. So then the military responded by allowing more people in the military access to that information.

The real problem is that we keep doing a bunch of secret shit in private, and then tell the public "don't worry, everything is fine, the war is going great, things are totally cool." The public knows they were getting smoke blown up their ass, and they wanted the truth. So, they found it. The military is creating a market for the truth by keeping it from us.

In this day and age, if you deprive people of information, they're only going to want it more. The whole method of "damage control" that the US govt has been doing in the middle east is just flat out ineffective. I really wish they would just tell us the fucking truth. Then there'd be nothing interesting in these cables, and a lot fewer people would get away with fucked up behavior.
-Taylor