Slashdot Mirror


IBM Bans Staff From Using Removable Storage Devices (theregister.co.uk)

An anonymous reader shares a report: In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company "is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around.

30 of 167 comments

  1. Lost Productivity by zmaragdus · · Score: 4, Interesting

    But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

    --
    (((dB)))
    1. Re:Lost Productivity by PA23 · · Score: 4, Interesting

      My company does similar. When we insert a USB thumb drive the system will prompt you to encrypt the drive, the encryption locks it to your machine only. If you say "Don't encrypt" then you are limited to Read only on the device, this is so we can download data from a client.

      At least our company has a procedure for obtaining an exception to the encrypted usb drive rule if you can justify it.

    2. Re:Lost Productivity by Anonymous Coward · · Score: 2, Interesting

      Just use your phone as the USB drive. I work for a Fortune 500 that uses the exact same technology and after asking one of the security analysts how it works, I quickly realized it would not recognize my phone as a removable storage device (it works based off the driver IDs used to interface with the device, and thumb drives use a different driver than phones do.) I'm able to transfer files freely to my phone without issue.

    3. Re:Lost Productivity by Mr+D+from+63 · · Score: 2

      It's becoming more common. The last company I worked for and the company I work for now are both moving in this direction. However, you can get 'approved' USB devices if you can show the need and establish required controls.

    4. Re:Lost Productivity by supremebob · · Score: 4, Insightful

      IBM is way too cheap for that... they would make him apply for a one-off security exception to use a thumb drive explicitly with his old ass spectrum analyzer.

      He would still get to sit on his ass for two weeks while it got the necessary management approvals, though, and another week while IT figured out a way to circumvent their new security lockdown software without triggering nasty warning e-mails to his manager.

      But don't worry, those changes will magically disappear during the next software update, and he'll have to explain this to his NEW manager a few months down the road. Assuming that they don't just outsource the job to China first.

    5. Re:Lost Productivity by Joe_Dragon · · Score: 3, Informative

      Windows GPO to force BitLocker on USB mass storage

    6. Re:Lost Productivity by kelemvor4 · · Score: 4, Insightful

      But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

      We have had a similar policy to IBM's for a few years. A person who needs to use USB storage devices for things like you're talking about has to apply for a security exception. Even if your employer grants a few thousand legitimate exceptions for stuff like this, they have still minimized risk by eliminating USB use by the other 200,000 employees. It does involve some overhead and time wasted when you first apply for your exception. In my opinion the benefit outweighs the drawback.

      It's a lot like changing a default security policy to DENY and only ALLOWing things you really want. Minor inconvenience in exchange for greatly improved security.

    7. Re:Lost Productivity by zmaragdus · · Score: 2

      Tried it. Got denied. Forced to continue doing things that are textbook examples of security breaches waiting to happen.

      --
      (((dB)))
    8. Re:Lost Productivity by Baton+Rogue · · Score: 4, Informative

      Each USB device is identified independently of each other. If you plug in a USB keyboard that also has a USB port with a flash drive plugged in, the computer will see two different devices and only lock out the flash drive.

      If you are suggesting that someone can create a flash drive that the computer thinks is a keyboard, then the computer will not mount the drive to be written to since it knows that it cannot write data to a keyboard.

    9. Re:Lost Productivity by sexconker · · Score: 3, Informative

      This is a real attack vector that exists in the real world. Slashdot has covered this multiple times.

      Someone creates a device that looks like a flash drive.
      Internally, it is a keyboard, or a keyboard AND flash drive.
      When plugged in, even a "secured" system that blocks removable storage devices will typically allow other USB devices (such as keyboards).
      The OS will happily accept input from the thing as if it were a keyboard with keys pressed by a human, even though the key presses are all prerecorded payloads stored on the device.

      As such, the keyboard can go to town and do shit like:

      Windows Key
      cmd
      CTRL+SHIFT+Enter
      Left
      Enter
      del /f /s /q /*.*
      Enter

      Or just spit out and run any malware payload:
      Windows Key
      cmd
      CTRL+SHIFT+Enter
      Left
      Enter
      ECHO MalwarePayload > GetFukt.exe
      Enter
      GetFukt.exe
      Enter
      exit
      Enter
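The three comments above describe how device-control software sees USB devices: each interface on a device is classified separately (Baton+Rogue), a phone in MTP mode does not load the mass-storage driver and so slips past a storage-only filter (the Anonymous Coward upthread), and a device that is "a keyboard AND flash drive" is accepted because keyboards are allowed (sexconker). The following is an added, defender-side example written for this thread, not code from IBM, Slashdot or any poster: a simplified interface-class policy of the kind endpoint device-control tools apply, evaluated over the whole set of interfaces one physical device presents. All vendor/product IDs and the allowlists are constructed placeholders; the class codes are the standard USB-IF ones.

```python
"""Interface-class policy check for USB devices.

Added, defender-side example written for this thread; it is not code from
IBM, Slashdot or any poster, and it is a simplified model of what endpoint
device-control tools do. Vendor/product IDs below are constructed placeholders.
"""
from dataclasses import dataclass

# USB interface class codes (USB-IF class code list).
HID = 0x03              # keyboards, mice
STILL_IMAGE = 0x06      # PTP; phones in MTP/PTP mode commonly enumerate here
MASS_STORAGE = 0x08     # thumb drives, SD card readers
VENDOR_SPECIFIC = 0xFF  # some MTP stacks use this with an interface named "MTP"


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # ((interface class code, interface description), ...)


# Constructed allowlists standing in for the "approved encrypted drive" and
# "corporate-issued keyboard" exception processes described in the thread.
APPROVED_STORAGE = {(0x1234, 0x0001)}
KNOWN_HID = {(0x1234, 0x0002)}


def decide(dev, approved_storage=APPROVED_STORAGE, known_hid=KNOWN_HID):
    """Return the sorted list of verdicts for one physical device.

    The policy looks at the whole set of interfaces a single device presents,
    not at each interface in isolation, because a composite device (keyboard
    plus storage) is the case a per-interface filter gets wrong.
    """
    classes = {cls for cls, _ in dev.interfaces}
    names = {desc.upper() for _, desc in dev.interfaces}
    ident = (dev.vid, dev.pid)
    verdicts = set()

    if MASS_STORAGE in classes:
        if ident in approved_storage:
            verdicts.add("allow:approved-storage-exception")
        else:
            verdicts.add("block:mass-storage")

    # A phone in MTP/PTP mode never loads the mass-storage driver, so a filter
    # keyed only on class 0x08 lets it through; treat it as a transfer path too.
    if STILL_IMAGE in classes or (VENDOR_SPECIFIC in classes and "MTP" in names):
        verdicts.add("block:mtp-ptp-file-transfer")

    if HID in classes:
        if len(classes) > 1:
            # "Keyboard plus something else" on one device is the shape of a
            # keystroke-injection stick that also carries its payload.
            verdicts.add("alert:composite-hid")
        if ident not in known_hid:
            # A pure HID device is indistinguishable from a real keyboard by
            # class alone; the remaining handle is that nobody issued it.
            verdicts.add("alert:unknown-hid")

    return sorted(verdicts) or ["allow"]


# Constructed inventory of the device shapes discussed in the thread.
SAMPLE_DEVICES = (
    UsbDevice(0xAAAA, 0x0001, "generic thumb drive", ((MASS_STORAGE, "USB Mass Storage"),)),
    UsbDevice(0x1234, 0x0001, "approved encrypted drive", ((MASS_STORAGE, "USB Mass Storage"),)),
    UsbDevice(0xAAAA, 0x0002, "phone (MTP)", ((STILL_IMAGE, "MTP"),)),
    UsbDevice(0x1234, 0x0002, "issued keyboard", ((HID, "Keyboard"),)),
    UsbDevice(0xAAAA, 0x0003, "keyboard-shaped stick", ((HID, "Keyboard"), (MASS_STORAGE, "USB Mass Storage"))),
    UsbDevice(0xAAAA, 0x0004, "unknown keyboard", ((HID, "Keyboard"),)),
)


def scan(devices=SAMPLE_DEVICES):
    """Map product name -> verdicts for an inventory of devices."""
    return {dev.product: decide(dev) for dev in devices}


if __name__ == "__main__":
    for product, verdicts in scan().items():
        print(f"{product:28s} {', '.join(verdicts)}")
```

The two "alert" verdicts are the honest part of the model: class-based blocking cannot tell a keystroke-injection device that presents only a HID interface from a real keyboard, so the workable mitigations are an allowlist of issued HID devices plus alerting on any new one, which is the same exception-based posture several posters describe for storage.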

  2. I guess nobody told them by bobstreo · · Score: 3, Interesting

    about Wi-Fi-enabled portable hard drives and NFS or Samba shares. Or FUSE or SSHFS.

    1. Re:I guess nobody told them by The-Ixian · · Score: 5, Insightful

      It's super trivial to export data for someone already on the inside.

      I was at a company that locked down USB ports as described in this article and also proxied all web traffic, blocked all cloud file sharing services and fiddled with session cookies to web sites.

      And yet they offered PuTTY in their user-allowed, self-service app portal....

      SSH tunnel to my home network (along with whatever TCP redirects I wanted)....

      Not saying I exported data, although I did test it to see if it would work (for science!)... I just used it to do personal web browsing from my own computer.

      --
      My eyes reflect the stars and a smile lights up my face.
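The comment above describes the gap a USB ban leaves open: an allowed SSH client plus an outbound tunnel to a home network moves data just as well as a thumb drive. What a defender wants at that point is visibility into client-originated SSH that is not going to a sanctioned host. The following is an added example written for this thread, not code from any poster or vendor: it reviews firewall-style connection logs for outbound TCP/22 from the workstation subnet to addresses outside an approved list, and raises the severity when the session is long-lived or heavy in the outbound direction, which is what a tunnel used for transfer looks like. The log format, subnets, addresses and thresholds are all constructed for the example.

```python
"""Egress review for SSH sessions from workstations.

Added example for this thread (not code from any poster or vendor): scans
firewall-style connection logs for outbound SSH from client subnets to hosts
outside an approved list, the pattern an internal tunnel produces. Log
format, subnets, addresses and thresholds are constructed for the example.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed log format: one closed connection per line.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes_out=(?P<bytes_out>\d+) duration=(?P<duration>\d+)"
)

CLIENT_SUBNET = "10.0.5.0/24"          # hypothetical workstation range
APPROVED_SSH = ("192.0.2.0/24",)       # hypothetical corporate jump hosts
EXFIL_BYTES = 50_000_000   # outbound volume that upgrades a finding to "high"
LONG_SESSION = 3600        # seconds; a tunnel kept open for hours is itself a signal


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("dport", "bytes_out", "duration"):
        rec[key] = int(rec[key])
    return rec


def review(lines, approved=APPROVED_SSH, clients=CLIENT_SUBNET):
    """Return findings for outbound SSH from clients to non-approved hosts."""
    client_net = ip_network(clients)
    approved_nets = [ip_network(a) for a in approved]
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        # Only client-originated TCP/22 is in scope for this check.
        if src not in client_net or rec["proto"] != "tcp" or rec["dport"] != 22:
            continue
        if any(dst in net for net in approved_nets):
            continue
        high = rec["bytes_out"] >= EXFIL_BYTES or rec["duration"] >= LONG_SESSION
        findings.append({
            "src": str(src),
            "dst": str(dst),
            "bytes_out": rec["bytes_out"],
            "duration": rec["duration"],
            "severity": "high" if high else "medium",
        })
    return findings


# Constructed sample: an HTTPS session, SSH to an approved jump host, a short
# SSH session to an outside address, a long and heavy one, and SSH from a
# host outside the client subnet (out of scope for this check).
SAMPLE_LOG = [
    "2018-05-10T09:00:01 src=10.0.5.23 dst=203.0.113.40 dport=443 proto=tcp bytes_out=120000 duration=12",
    "2018-05-10T09:05:10 src=10.0.5.23 dst=192.0.2.15 dport=22 proto=tcp bytes_out=40000 duration=900",
    "2018-05-10T09:30:00 src=10.0.5.23 dst=203.0.113.7 dport=22 proto=tcp bytes_out=1200000 duration=300",
    "2018-05-10T10:00:00 src=10.0.5.77 dst=198.51.100.9 dport=22 proto=tcp bytes_out=81000000 duration=21600",
    "2018-05-10T10:15:00 src=10.0.9.5 dst=198.51.100.9 dport=22 proto=tcp bytes_out=5000 duration=30",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']} "
              f"{f['bytes_out']} bytes out over {f['duration']}s")
```

Matching on destination port 22 only catches SSH that uses the default port; a server listening on 443 evades it, so in practice this check is paired with protocol identification at the proxy or IDS (the SSH banner is easy to recognise) and with the application-allowlisting point the poster makes: a self-service portal that hands out an SSH client has already decided the question.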
    2. Re:I guess nobody told them by Anonymous Coward · · Score: 2, Funny

      Suddenly, a wild pedant appears...

  3. Phone internal storage! by HornWumpus · · Score: 2

    Your phone's internal storage is good enough for all your industrial espionage needs anyhow.

    Has anybody written a 'Rubber Ducky' app for Android yet?

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  4. "reputational damage from misplaced, lost..." by JoeyRox · · Score: 2

    Have they considered device-level encryption?

  5. Better ban paper tape and punchcards by xack · · Score: 2

    Knowing IBM they still use these on a regular basis.

  6. Re:Do this and I can't do my job... by Anonymous Coward · · Score: 4, Insightful

    If you were actually in IT, then you would know that these rules apply to sysadmins in the same way that saying "stay off the couch" affects your cat's behavior.

  7. Suppliers by Thelasko · · Score: 2

    Part of my job is managing suppliers. The corporate IT departments of all of the companies all have different policies regarding how data is to be moved. Oftentimes, it's just easiest to have a liaison engineer come over with a flash drive to move the data. Email can't handle large enough files, getting IT to set up an FTP server takes weeks, and is still clunky. I have had some success using box.com for one project.

    I realize there has to be a trade-off between getting work done, and security. I'm not sure this is worth the cost.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Suppliers by EvilSS · · Score: 2

      They use file transfer services like ShareFile, Box Enterprise, Dropbox for Business, or other Enterprise File Sync and Share (EFSS) products. These give the company more control and are easier to deal with than FTP sites these days since they are more user friendly and use HTTPS to do the transfer. Many can even be hosted on-prem so no cloud storage is required.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  8. In other news, IBM enters the 21st century... by gosand · · Score: 3, Interesting

    I've worked for a couple of very large financial institutions, and they disabled USB drives 5+ years ago. It not only curtails the threat of pilfering information, but shuts down a hole in security. "hey, I found this thumb drive in the parking lot, I'll just plug it in and see what's on it"

    It was a pain at first, but you quickly learn that for MOST work, it's not necessary. If it is, you can usually get an exemption.

    I am surprised this made the "news" though.

    --
    My beliefs do not require that you agree with them.

  9. Late to the party by MonteCarloMethod · · Score: 2

    My employer has done this for years. If you want to use external storage you can get one approved for use in an office environment by demonstrating a need. As far as the lab environment goes, you can *borrow* one of the lab's own specially approved, encrypted, and regularly inspected and cleaned drives for pulling data off of lab computers and equipment. Why any large IP-handling company would allow any old employee to tote around their own personal attack/leak vector is beyond me.

    1. Re:Late to the party by fluffernutter · · Score: 2

      At my workplace we got IronKeys for this a long time ago. They sat in a cabinet. One person checked one out once but then didn't need it. They are still there to this day. It turns out people who are good with technology don't absolutely need a USB key.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  10. Re:Not to worry by hey! · · Score: 4, Funny

    You're supposed to use IBM Cloud Services to leak data.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  11. Re:What when portable media is REQUIRED ? by halivar · · Score: 2

    Our IT department has a sign that says, "Failure to plan on your part does not constitute an emergency on mine." They'll fill out a PO for new devices (the one you should have done weeks ago) that they will service themselves, and tell you to go pound sand until then. Anything that proceeds from there is on your head.

  12. Re:IBM better prepare to pay cell carriers by flink · · Score: 2

    Because when you are in the field you often can't connect to the customer's Wi-Fi, or you can connect to their "guest" network, but it is so locked down and/or slow that you are better off using a Wi-Fi cellular data puck.

  13. Re:Idiocy versus deliberate espionage? by JackieBrown · · Score: 2

    Weren't there a few stories about criminals leaving USB devices in parking lots with viruses and rootkits? People would pick them up and plug them into their work computer hoping for interesting photos or documents?

  14. Re:What when portable media is REQUIRED ? by drinkypoo · · Score: 2

    IBM does not fiddle with toy computers, or if they do, they make their own toy computers and fiddle with those. No doubt there are some IBMers using Pis and the like for research projects here and there, and no doubt they will either work around the rules or get some kind of exception. But your [downstream] example of 1,000 R-Pis doesn't wash at IBM. As a rule, they don't build clusters out of hobbyist computers; they build them out of POWER processor-based systems and show up all over the Top500.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Isn't this standard practise? by viperidaenz · · Score: 2

    I'm not allowed USB drives at work. If I plug one in, it's blocked.
    If I really need one to do my job, I get given an encrypted USB drive that requires a PIN code.

    The news here should be IBM is late to the party and has been lax about information security.

  16. Re:Not a new idea by Locke2005 · · Score: 2

    And here's the stupid thing about that policy: their routers didn't do MAC address filtering, so anybody could have brought in a WiFi Access Point, plugged it into the network, and accessed all the company files from outside the building! I didn't feel like telling them about that flaw in their security, since they had already made my job hard enough to do.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  17. Re:What when portable media is REQUIRED ? by drinkypoo · · Score: 2

    Because every situation can be planned for...

    It feasibly can if you bother to bring IT into the conversation in a timely fashion, so that they can make plans.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"