NSA Develops USB Storage Device Detector

Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."

Useless Tool...

[Manip]

Since you can set the security policy on a domain to ban USB and External devices, and since you can also unplug a machine from the network this tool seems to serve little to no real world purpose. It might inform you after the fact if a device has been plugged in or heck even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.

Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.

Re:Useless Tool...

[ironicsky]

Agreed. You can either change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and/or deny anyone who is not an admin access to the following files in the NTFS %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf and they wont be able to mount a US drive... Password protect the bios and disable the USB storage there too.

Of course this only works for Windows, linux users and Mac users can simply be denied access to the device chain in /dev/

This post...

[danwesnor]

... is bait meant to lure out Slashdotters who can't be bothered to RTFA. The article does not mention anything about how the device works. The mention of the registry comes from a footnote in a DHS report (you know, the guys who can't find bombs if they're in your underwear). It is not sourced, and most likely an assumption since the NSA isn't in the habit of telling anybody how their $#!+ works.

Re:Arms race anyone?

[tomhudson]

A strange game. The only winning move is not to boot Windows.

Or plug it in before booting ... since it detects drives as they are plugged in and unplugged.

Or boot linux off it, and load Windows in a vm if you really really need windows.

Re:Useless Tool...

[fatalwall]

password protecting the bios does nothing unless you put a lock on the computer case. password resets are really easy to do on a bios

Re:Useless Tool...

[Bacon Bits]

I tested this extensively on WinXP SP2 for a hospital worried about HIPAA. These methods only work if the UsbStor key hasn't already been created. Once it's there you can keep plugging devices in and they will all install normally (new or old).

Under Vista and 7 there's supposed to be a new Group Policy that will prevent USB drives, but I'm not sure how it works.

+1 Insightful

[Itninja]

Indeed. It's even more irritating when you see it in action. I used to work a half-block away from the County seat building in a decent sized city on WA State. Every year we would see a lot of County employees milling around our building after they would normally have gone home. Once I asked one of them about it and he said they had to 'meet their annual overtime budget' or they would lose it the next year. So they just 'made' overtime once a year. Tax dollars at work.

Re:Flaw?

[tomhudson]

"I sense the force has a strong hold on this one, master!"

When will you slashtards realize that OS X is way less locked down than windows?

I see the Steve Jobs Reality Distortion Field claims another victim. Call me when I can buy a copy and install it on the hardware of my choice without Apple claiming I'm violating their license, even though I bought a full retail copy off the shelf.

Apple OSX is even more locked in than Microsoft Windows. Get over it, or I'll throw another chair at you!

Re:Arms race anyone?

[networkBoy]

or you can actually get data off the PS2 keyboard port if you really need to. you can send two bits with parity per transaction just by usage of the caps/num/scroll lock LEDs.

Might be a bit slow, but certainly is an interesting sideband attack...

Re:Arms race anyone?

[Minwee]

It must suck to be stuck using that old dot-matix printer hanging off the Centronix parallel port.

Actually the printers are plugged in to _ethernet_ ports. On network switches, where their MAC addresses have been registered to prevent gangs of street kids from sneaking in their own bulky laser printers and connecting them to the office network because that's the kind of thing that they do now.

a null-modem cable will let me suck the data out of your box just fine

Not when the serial port has been disabled in the BIOS, and the BIOS locked with an unremovable admin password. You can suck on your null-modem cable all you want, but you're not going to get anything but chapped lips.

And that serial mouse [...] That old-style keyboard plug? Hate to have to buy a new keyboard ... and not be able to plug it in.

The keyboard and mouse are connected to the USB ports on the back of the case, inside the wire cage where users can't get at them. If it's a notebook computer then they're built in and don't need to plug in anywhere. People have thought of this kind of thing before, you know. It's not a new concept that just popped up today on Slashdot.

USB != 100% of Removable Media

[davecason]

The government forgot iSCSI, Firewire, and eSATA? Really? And, unless they have locked down new hardware discovery, you could add these in with a PC Card or Express Card slot on any laptop. iSCSI only requires a source system and rights to set up the drive. Even easier: map a network share on an unmanaged asset that you brought along to take advantage of DHCP.

And you don't need any magic or special software to trap a drive connection event, just use WMI. It works for any drive type: just listen for a drive connection event... like ten lines of code, max. You could set up an agent or script to watch for these on any Windows computer with almost zero effort... you could even do it remotely with the proper rights.

Plenty of vendors have software to help, too. Off the top of my head, McAfee, Symantec, and Cisco all have something. The catalog of features they offer attempt to manage the DLP idea a little more completely any one USB drive solution... although I admit none of the vendors have it absolutely right yet.

I will ask a question I always ask about something like this: What's the goal? If it is Data Loss Prevention (DLP) then I believe they have failed. If it is to prevent virus installations then could start with disabling autorun.inf and supplementing that effort with a little drive connection detection using WMI.