NSA Develops USB Storage Device Detector 233
Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."
Useless Tool... (Score:5, Informative)
Since you can set the security policy on a domain to ban USB and External devices, and since you can also unplug a machine from the network this tool seems to serve little to no real world purpose. It might inform you after the fact if a device has been plugged in or heck even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.
Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.
Re:Useless Tool... (Score:5, Informative)
Agreed. You can either change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and/or deny anyone who is not an admin access to the following files in the NTFS %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf and they wont be able to mount a US drive... Password protect the bios and disable the USB storage there too.
Of course this only works for Windows, linux users and Mac users can simply be denied access to the device chain in /dev/
This post... (Score:4, Informative)
Re:Arms race anyone? (Score:3, Informative)
Or plug it in before booting ... since it detects drives as they are plugged in and unplugged.
Or boot linux off it, and load Windows in a vm if you really really need windows.
Re:Useless Tool... (Score:2, Informative)
password protecting the bios does nothing unless you put a lock on the computer case. password resets are really easy to do on a bios
Re:Useless Tool... (Score:4, Informative)
I tested this extensively on WinXP SP2 for a hospital worried about HIPAA. These methods only work if the UsbStor key hasn't already been created. Once it's there you can keep plugging devices in and they will all install normally (new or old).
Under Vista and 7 there's supposed to be a new Group Policy that will prevent USB drives, but I'm not sure how it works.
+1 Insightful (Score:3, Informative)
Re:Flaw? (Score:3, Informative)
"I sense the force has a strong hold on this one, master!"
I see the Steve Jobs Reality Distortion Field claims another victim. Call me when I can buy a copy and install it on the hardware of my choice without Apple claiming I'm violating their license, even though I bought a full retail copy off the shelf.
Apple OSX is even more locked in than Microsoft Windows. Get over it, or I'll throw another chair at you!
Re:Arms race anyone? (Score:3, Informative)
or you can actually get data off the PS2 keyboard port if you really need to. you can send two bits with parity per transaction just by usage of the caps/num/scroll lock LEDs.
Might be a bit slow, but certainly is an interesting sideband attack...
Re:Arms race anyone? (Score:3, Informative)
Actually the printers are plugged in to _ethernet_ ports. On network switches, where their MAC addresses have been registered to prevent gangs of street kids from sneaking in their own bulky laser printers and connecting them to the office network because that's the kind of thing that they do now.
Not when the serial port has been disabled in the BIOS, and the BIOS locked with an unremovable admin password. You can suck on your null-modem cable all you want, but you're not going to get anything but chapped lips.
The keyboard and mouse are connected to the USB ports on the back of the case, inside the wire cage where users can't get at them. If it's a notebook computer then they're built in and don't need to plug in anywhere. People have thought of this kind of thing before, you know. It's not a new concept that just popped up today on Slashdot.
USB != 100% of Removable Media (Score:2, Informative)
And you don't need any magic or special software to trap a drive connection event, just use WMI. It works for any drive type: just listen for a drive connection event... like ten lines of code, max. You could set up an agent or script to watch for these on any Windows computer with almost zero effort... you could even do it remotely with the proper rights.
Plenty of vendors have software to help, too. Off the top of my head, McAfee, Symantec, and Cisco all have something. The catalog of features they offer attempt to manage the DLP idea a little more completely any one USB drive solution... although I admit none of the vendors have it absolutely right yet.
I will ask a question I always ask about something like this: What's the goal? If it is Data Loss Prevention (DLP) then I believe they have failed. If it is to prevent virus installations then could start with disabling autorun.inf and supplementing that effort with a little drive connection detection using WMI.