Military Bans Removable Media After WikiLeaks Disclosures 346
cgriffin21 writes "The Pentagon is taking matters into its own hands to prevent the occurrence of another WikiLeaks breach with removable media ban, preventing soldiers from using USB sticks, CDs or DVDs on any systems or servers. The directive prohibiting removable media followed the recent publication of more than 250,000 diplomatic cables, which were leaked to whistleblower Web site WikiLeaks at the end of last month by a military insider."
Nothing to see... (Score:5, Informative)
A sure way to prevent it. (Score:5, Informative)
It is really hard to ban removable media given that you can attach a phone and it becomes a USB drive.
Using Windows Terminal Server, or Aqua Connect [aquaconnect.net] on the Mac
you can prevent anyone from using a USB device, as the data will be on a server, presumably locked away from users.
Re:Nothing to see... (Score:5, Informative)
Back in the day when Microsoft was advertising Windows NT 3.51 was C2-certified, we looked into the docs and one of the requirements on whatever PS/2 it was that was certified was that the floppy disk drive be removed. And off the network.
The thing here is Manning brought a RW cd inside his CD player, and only then snuck it into his PC. Then, he snuck it out in his CD player. I suppose if he was smart he burned track 1 with music so he could 'prove' it was a music CD.
The problem here is that a random private in Iraq had access to State Department cables from (e.g.) Honduras. Need-to-know-basis isn't a new idea, this was a major FU by the governing security body.
Re:Nothing to see... (Score:5, Informative)
This applies to SIPRNET machines, and specifically personal CDs, DVD, etc. The thing is, this has always been the rule. At least everywhere I've worked with SIPRNET access (Air Force).
Close. It applies to SIPRNET and ALL removable media. If you have a legitimate requirement to use removable media it now must be authorized by your commanding officer in writing and you must have a procedure in place that uses two-person integrity.
Re:horse (Score:5, Informative)
Except that long ago there was a directive from the Pentagon not to allow removable media to be used for secure systems.
My guess is that they relaxed that for field units because some deployed systems have no networking attached and sneakernet is all they could use. And somehow that idea ended up meaning you could use removable media on network-attached systems, and eventually nobody even noticed when someone slipped a CD-RW into a machine with access to the entire database of classified information relating to the Iraqi and Afghani theaters of operation.
That someone is currently in jail, because, physical means or no, it was still illegal to take the information from the secure area without authorization, and to give it to uncleared people.
Don't worry, it's never the "small guy's" machine (Score:5, Informative)
Here's a little story from back when I was the "IT security guy" (they didn't want to shell out the wage for a CISO, I guess) of a large, very security conscious company.
Of course, no machine had USB ports or CD drives (not that CD drives could have allowed any software to leave the machine, but hey), nothing you could plug on parallel ports or serial ones, no floppy drives, no nothing. No way to plug anything into those machines that could remotely be used to transfer any data out of them.
But of course, some people are more important than others, and some people have privileges. Needed or not. One department head needed to be able to use USB drives. It was actually a fairly level headed person and he was quite security conscious, was aware of the risks and able to handle it, and given enough pressure on the CEO he was finally allowed to use USB drives. This was actually still a fairly acceptable move. It was necessary for him and did increase his ability to work well and efficiently, and he could handle the additional responsibility and the risk was manageable and low enough to be acceptable.
But then the invariable laws of the office privilege and status bullshittery set in. Because it is impossible that Department Head A gets something and Dufus B doesn't. I guess it's not hard to guess what happened next. Of course, all managers on this level had to be allowed to use USB drives, need them or not. And this was NOT acceptable anymore. Some of them were too dumb to actually plug an USB drive into their machine without causing a repair incident. But they had to get it, need it or not, but it's simply impossible that one of them gets a privilege and the others don't.
So do not fear, people. Sooner or later this rule will be softened up and erode away because some people will have to have "privileges". Without being able to handle them.
Re:Nothing to see... (Score:3, Informative)
SIPRnet is US Federal Agency wide. It isn't limited to any one organization, and they each have their own policies on who gets to use it, how they use it, what systems are allowed access, and what software is allowed on those systems. You will frequently find situations where one agency (say NGIA) has setup, for example, a Google Earth server with classified imagery, but another agency (say the US Army) won't allow the Google Earth client on their machines and forces their personnel to use their own "approved" servers, clients, and data. Coordination of policy on the SIPRnet is about the same as you see elsewhere in the Federal Government... which is to say, nearly non-existant.
Anyway, the vast majority of info on SIPRnet is on normal websites without any particular extra security beyond being on a secure network. In my time on the network, I never went looking for any diplomatic cables or large archives of anything in particular, but I suppose they might be out there, from what I've seen of various agencies setups. There
I think a lot of the problem with private Manning's case is many SIPR site admin's reliance on the network being "secure" and not further protecting their data. As far as need to know... yes, in theory that's the situation everywhere, but in most cases, it isn't practiced on SECRET classified material nearly as often as TOP SECRET.
1989 calling - already solved. (Score:4, Informative)
I worked in a defense contractor in 1989. Even back then we were forbidden to:
- bring a camera to work.
- have floppy drives working on any computer
- have printers connected to any PC - printouts had to be sent to a special room.
- use any kind of portable media (parallel port tape drives, etc).
Of course, all our systems were on a private network - no internet access at all. Part of my job was to introduce software and tools into the network when formally requested - lots of paperwork. That's how compilers and 3rd party libraries were brought inside.
IBM made desktops with locked sliders to prevent access to the floppy drives. I'd be shocked if those weren't still manufactured.
Anyway - this has been solved, just forgotten.
BTW, have you ever wondered why at least 1 Blackberry didn't have a camera? DoD users.
Re:horse (Score:2, Informative)
Security is a tough business. The government needs tens of thousands of people in the intelligence community across all four branches of the military and civilians in various DOD organizations
There's five branches of the military. Coast Guard ships larger than 110' have SIPRNET access just as Navy vessels do.