
NSA Develops USB Storage Device Detector

Posted by kdawson
from the don't-bogart-that-thumb-drive dept.
Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."
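The summary says only that the tool reads the Windows registry. As an added example (not NSA code and not from the article), this sketch parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s`, the key where Windows records USB mass-storage devices, and flags devices that are not on an approved list. That USBDetect uses this key is an assumption; the sample output, the serials and the names `parse_usbstor` and `unapproved` are constructed for illustration.

```python
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s`
# output; vendors, products and serials are made up for this example.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Acme&Prod_FlashKey&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Acme&Prod_FlashKey&Rev_1.00\00AA11BB22CC&0
    FriendlyName    REG_SZ    Acme FlashKey USB Device
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_MP3_Player&Rev_0.01\6&1f2e3d4c&0
    FriendlyName    REG_SZ    Generic MP3 Player USB Device
"""

# Matches only device *instance* keys: <Type>&Ven_..&Prod_..&Rev_..\<instance id>
KEY_RE = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

def parse_usbstor(text):
    """Return one dict per USB storage device instance found in the dump."""
    devices, current = [], None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            m = KEY_RE.search(line.strip())
            current = None  # class keys and deeper subkeys are skipped
            if m:
                current = m.groupdict()
                inst = current["instance"]
                current["serial"] = inst.rsplit("&", 1)[0]
                # A '&' in position 2 means the device reported no serial and
                # Windows generated the ID, so it cannot identify one stick.
                current["unique_serial"] = len(inst) > 1 and inst[1] != "&"
                current["friendly_name"] = None
                devices.append(current)
        elif current and line.startswith("    "):
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3 and parts[0] == "FriendlyName":
                current["friendly_name"] = parts[2]
    return devices

def unapproved(devices, approved_serials):
    """Devices with no trustworthy serial, or whose serial is not approved."""
    return [d for d in devices
            if not d["unique_serial"] or d["serial"] not in approved_serials]

if __name__ == "__main__":
    for dev in unapproved(parse_usbstor(SAMPLE), {"00AA11BB22CC"}):
        print(dev["vendor"], dev["product"], dev["serial"])
```

These entries are written by the running OS, so a check like this says nothing about a machine that was booted from a USB device or whose registry was edited.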
  • Arms race anyone? (Score:4, Insightful)

    by TheCarp (96830) <sjc AT carpanet DOT net> on Tuesday April 13, 2010 @03:25PM (#31838346) Homepage

    "USB Detect detects the use of removable drives"
    "Shadow Drive evades detection by the following products"
    "Latest USB Detect detects Shadow Drive use!"
    "New ShadowDrive 2.0!"

    Shit, the parent company of both products could make a killing! Hey wait a minute, is this another lame attempt to bring money in off the books for illegal ops?

    -Steve

  • 3.0? (Score:3, Insightful)

    by Itninja (937614) on Tuesday April 13, 2010 @03:25PM (#31838356) Homepage
    "The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool"
    So if this is 3.0, can I assume they have had the tool for some time? Why are they bothering to tell anyone at this point?
  • by dave562 (969951) on Tuesday April 13, 2010 @03:26PM (#31838374) Journal

    It relies on information from the OS. The OS is too easy to circumvent. For example, it doesn't report on whether or not the system has been booted from a USB device. Given that they are the NSA, maybe they have the luxury of making the assumption that USB boot is disabled and the BIOS is password protected?

  • Impervious (Score:3, Insightful)

    by blair1q (305137) on Tuesday April 13, 2010 @03:26PM (#31838376) Journal

    ...because the Windows Registry is a secure source of information...

  • Re:Wow. (Score:5, Insightful)

    by Itninja (937614) on Tuesday April 13, 2010 @03:29PM (#31838424) Homepage
    No kidding. I seem to remember using some open-source utility that did exactly this like 5 years ago.
  • Re:Wow. (Score:5, Insightful)

    by Anonymous Coward on Tuesday April 13, 2010 @03:57PM (#31838874)
    I like how some of our tax dollars fund bloated agencies to come up with solutions that unshaven hackers in their mom's basements figured out years ago.

    Because clearly the NSA started numbering this program at 3.0 just for the hell of it.
  • Re:3.0? (Score:3, Insightful)

    by CorporateSuit (1319461) on Tuesday April 13, 2010 @04:04PM (#31838962)

    So if this is 3.0, can I assume they have had the tool for some time? Why are they bothering to tell anyone at this point?

    Check out the comments on this article. They just need a quick dredger to go through and find out what additional security measures need to be programmed into 4.0. No need to do their own research, since they have a million know-it-alls at slashdot happy to tell them how they'd hack the NSA if they were to do it via thumbdrive.

  • Re:Why only USB? (Score:5, Insightful)

    by PhxBlue (562201) on Tuesday April 13, 2010 @04:08PM (#31839008) Homepage Journal

    Because DOD got pwned back in November 2008 when some schmuck used a thumbdrive to transfer files between the NIPR and SIPR networks, and they still haven't figured out how to fix the vulnerability.

  • Re:Wow. (Score:2, Insightful)

    by Darkinspiration (901976) on Tuesday April 13, 2010 @04:09PM (#31839028)
    Because they want to integrate it with their security suite or their logging solution, because they have over 9000 machines using it. If they want to spend the budget they could buy fancy new chairs instead of wasting programmer and consulting time coding an app. Don't forget that government is big and app deployment, monitoring and security is not free.
  • by History's Coming To (1059484) on Tuesday April 13, 2010 @04:27PM (#31839234) Journal
    Or tinker with a soldering iron and $20 of components so a big flashing light goes off as soon as a USB device is detected? Or monitor the power supply on the motherboard (software independent)? Or do what my workplace does... if you're that worried, don't have USB ports or fill them with epoxy and/or physically cut the connections.
  • by gestalt_n_pepper (991155) on Tuesday April 13, 2010 @04:29PM (#31839258)

    Management eventually figured out that if you couldn't trust the guys you hired, you were screwed from go. More effective to treat your employees fairly in the first place. We stopped installing the service on new machines.

    Fun to write though.

  • -1 Troll (Score:3, Insightful)

    by c++0xFF (1758032) on Tuesday April 13, 2010 @04:47PM (#31839424)

    Oh, please. Like nobody else has ever created duplicate software before.

    Yes, there are probably other utilities that do this. Maybe the NSA was unaware of them. Maybe they were incompatible with their legacy tools or infrastructure. Maybe they didn't do what the NSA needed.

    And even then, sometimes it's worth a rewrite, just to make things better.

  • by pclminion (145572) on Tuesday April 13, 2010 @05:25PM (#31839780)

    The intent here is to make it more difficult for insiders to surreptitiously export data without going through proper security controls. This kind of argument always puzzles me. It's like you're saying that because there is no perfect security, we should therefore do nothing.

    In a locked-down environment, a user with physical access to a machine may still have difficulty exporting large gobs of data. Transfer over the network may be difficult, and certainly is monitored. Data can be printed out, but this requires a printer, and a way to smuggle paper out of the facility without suspicion. A cell phone with a camera could be used to photograph a computer screen, but this is very low-bandwidth, and certainly looks strange to anyone happening to observe. A USB stick is easily hidden, easily plugged and unplugged, and can have a very large capacity. It's an important vector of attack.

    Even without malicious intent, a user might decide for some reason that transferring data via USB stick is more convenient than another method. They may have good intentions, but the data still leaks onto the USB stick and you lose control over it. Just because something could be defeated doesn't make it worthwhile. And software which monitors connected machines for insertion/removal of media is not exactly hard to design. It doesn't cost you a billion dollars.

  • by tomhudson (43916) <barbara.hudson@nOSpaM.barbara-hudson.com> on Tuesday April 13, 2010 @06:38PM (#31840320) Journal

    ...if you're that worried, don't have USB ports or fill them with epoxy and/or physically cut the connections.

    It must suck to be stuck using that old dot-matrix printer hanging off the Centronics parallel port. And that serial mouse - a null-modem cable will let me suck the data out of your box just fine. That old-style keyboard plug? Hate to have to buy a new keyboard ... and not be able to plug it in.
