NSA Develops USB Storage Device Detector

Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."

Why only USB?

[Anonymous Coward]

Is there some weakness associated with USB that I'm not aware of? Shouldn't this instead be for all removable storage devices? What about Firewire flash/HD drives & et cetera?

Re:Flaw?

[HarrySquatter]

The problem is that now if you want to get into NSA's network (being an employee, I mean), you will HAVE to run Windows.

Says who?

Linux and OSX will be seen as security flaws because their program doesn't run in them.

By whom? And with what evidence do you say so?

Now you have the NSA forcing all its employees that want access to the network to run Windows.

Really? Care to cite the exact policy where they have done so? And by "the network" what network are you referring to? If you say the Internet then you are really highlighting that you know jack and shit what you are talking about.

Re:Arms race anyone?

[fuzzyfuzzyfungus]

It'll be a pretty short race, for all but a fairly dedicated hard-core.

In order for the USB device to do anything, the host OS has to load the appropriate driver. Until it does so, you aren't getting anything other than 100ma at 5V(higher amperages quite possible, depending on the situation).

Getting the OS to load a driver without noticing that it has loaded a driver(and without the benefit of exploit code, since you don't get to access that until the drive is mounted) would be quite a trick. Assuming this monitoring software isn't completely braindead, the fact that a USB mass storage device has been inserted, along with any interesting ID strings, will have already be sent to a monitoring server before your filesystem is even mounted. Any tampering you do at that point will just introduce suspicious discrepancies.

Now, there is(for instance, I'm sure the suitably creative can think of others) nothing stopping a truly dedicated exfiltrator from obtaining the USB device and vendor IDs and so forth for the brand of keyboard used at that particular establishment, then building a USB device(using one of the common and inexpensive USB-capable microcontrollers) that presents exactly those IDs, and is thus detected as a USB-HID keyboard, rather than a USB-MSC device. They could then use the fact that the keyboard LEDs are under software control as a method of getting data off the system. At least on a unixlike, anybody with some basic script-fu could probably be piping arbitrary files off the system with xset led [computerhope.com] in about 10 minutes. Your custom USB device would have a slab of flash, which it would fill according to the LED commands it received. I don't know if there is anything equivalent on Windows.

Using tricks like that, you could probably get something of an arms race going(though, still, anything that involves doing suspicious program/script execution is going to get your ass busted in any reasonably paranoid environment); but for USB MSC stuff, it is only the pure apathy of the administration, or the fact that they recognize that mass storage devices are extremely convenient and beloved by users, that lets you get away with it.

Re:Useless Tool...

[captaindomon]

That's not the point. The reason for this software is to add one more layer of security to an already extremely secure network, and mostly to detect friendly accidental use by tech-clueless intelligence analysts (yes, most intelligence analysts are experts on geopolitics or military tactics and not Windows). This is not designed to prevent true espionage attacks by insiders who are technology experts, there are a lot of other layers of security for that.

Re:Why only USB?

[fuzzyfuzzyfungus]

If anything, USB is less dangerous because it is less capable. Firewire can do DMA. Which, unless you are on modern, high-end hardware(where the I/OMMU will stop you) or on a 64 bit system(where the fact that Firewire DMA is only 32 bit will limit you some) a malicious firewire device can snarf or modify your memory space at its pleasure.

USB just makes it easy to copy files off the system(assuming your environment hasn't already disabled that). Most modern corporate-issue computers let you shut off USB ports at the BIOS level, if you want, and you can block the loading of Mass Storage drivers or the mounting of unauthorized filesystems in any modern OS.

Everyone is missing the point here...

[vrmlguy]

If you work for the government and you want to get a co-worker in trouble, go buy an iPod and plug it into his computer whenever he's away from his desk. The next time there's a security audit, he be taken to some windowless office, denying everything and not being believed.

Re:Too easy to circumvent

[fatalwall]

I looked into making a viable product like this a while back. You run into too many issues.

First you have to set up the bios on all machines to prevent booting off any device other then the hard disk.

Then you have to password the bios

Then you need to put a physical lock on the computer to prevent some one from opening the case and resetting the bios.

If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you need usb drives.

Your best bet is controlling the hardware. Making sure the machines do not have USB ports or cdroms. if you cant get them without the usb port then you could insert locks into them of some sort that to remove requires specialized equipment and a code.

Re:Useless Tool...

[IndustrialComplex]

Well, since they are in the espionage business, maybe they want to trap whomever does it by making it possible to mount the drive but triggering a silent alarm.

Not quite, the NSA can really be seen as two groups. The Data Processing NSA and the Anti-Network-Intrusion/Espionage & Policy NSA. But you are correct that they probably want the ability to determine and track before simply blocking all access.

I'm quite sure on the computer I'm at right now I could go hog-wild and do all sorts of things. Things that would be logged and flag my account/use as one to watch.

Re:Too easy to circumvent

[Bakkster]

If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you need usb drives.

This is almost certainly aimed at preventing classified information leaks. Machines with classified information are not connected to any network containing unclassified machines, and definitely not the internet. Even if it were connected, sending that e-mail leaves a record of the transmission, meaning the spy can be easily identified.

USB drives are the most likely way to get info off a classified machine, which is precisely why they're forbidden. There is no legitimate occasion where a USB drive is needed in this case.

Re:Arms race anyone?

[ArsonSmith]

boot from USB drive with hypervisor that then boots the standard OS. Hypervisor presents the USB as a real hard drive or some other read/write non-removable device.

Re:Arms race anyone?

[Rantastic]

Why not just do what we did? Create some udev rules so that anytime someone inserts a USB, instead of mounting it, the system silently logs the event and sends an alert. As far as the user can tell, the USB key just won't mount. And no, the users do not have root access to change this.

With some clever udev rules and a shell script, you can even record the make, model, and serial number of the USB key that was inserted.

Re:Why only USB?

[PhxBlue]

Yeah? Where's the OPSEC problem here? I didn't disclose specific details about how the network was compromised. Moreover, the incident took place 30 months ago, and it was strictly against regulations even then to use thumbdrives on the SIPRNet.

I'm all for OPSEC, but it shouldn't be used as a cover for someone's moronic behavior.

How to sneak data out of the NSA

[Anonymous Coward]

Method 1
0) Put on some gloves
1) Copy sensative info from network onto the C: (maybe need to take screenshots)
2) Shut down the computer, unplug the network cable
3) Open the computer case
4) Reset the BIOS password (move the jumper on the motherboard)
5) Boot up the computer
6) Go into the BIOS
7) Configure the PC to boot off external device
8) Connect the external device then boot off it
9) Copy all the stuff from the C: to your removable microSD card.
10) Hide the microSD card inside your hollowed out nickle, put it up your butt, conceal it in your hair, badge, keychain, etc.
11) Reboot PC, clear the BIOS logs (if applicable), and reconnect network cable.
12) Change boot sequence back to how it used to be. Leave work.
13) Find some random open wireless network.
14) Upload data to Wikileaks
15) If anyone ever asks you why the BIOS password was reset, just say "BIOS?" whats that.

Method 2:
0) Bring the data up on the screen
1) Exploit the "analog hole" by taking screenshots with your 2M pixel spy pen you bought off ebay for $5 + $25 shipping.
2) Copy screenshots onto your laptop
3) Modify screenshots to remove any identifying information.
4) Find some random wireless network.
5) Upload data to Wikileaks.

Re:Arms race anyone?

[fuzzyfuzzyfungus]

I would sincerely hope(though, if "thumb drives connected to a network" is anything other than clueless journalist distortion, that hope may be unjustified) that the network in any NSA building would refuse to talk to an unknown device, and probably ping somebody angry to come and take a look. 802.1X is kind of a pain, so I can understand why lots of low security wired LANs aren't doing it; but I'd hope that the NSA would suck it up and do it right.

If they aren't, in fact, doing it right(and quite possibly even if they are), I'd take a look at the printers. Your modern workgroup printer is generally a powerful beast, running some embedded OS on a fairly serious little board(half dozen services listening on various ports, if nobody shut them off, sometimes with multiple authentication mechanisms, one of which somebody always forgets to set. If it's a multifunction printer/scanner unit, you might even find a hard drive full of the last few hundred scans...) If you are dealing with the competent-but-fatally-Windows-centric, a printer makes an excellent target. It is supposed to be there, so the network guys won't catch you trivially; but it doesn't respond to Group Policy, so the Microsofties won't even think about it.

(That said, the NSLU2 is a great toy. Arguably obsolete now that you can get a SheevaPlug with a hell of a lot more RAM and some extra peripherals for the same money; but if you can do it in debian ARM and 32MB of RAM, the NSLU2 is great.)

Re:Wow.

[somenickname]

$ ls -l /etc/udev/rules.d/99-mail-on-usb.rules
-rwxr-xr-x 1 root root 159 2010-04-13 21:23 /etc/udev/rules.d/99-mail-on-usb.rules
$ cat /etc/udev/rules.d/99-mail-on-usb.rules
ACTION=="add",SUBSYSTEMS=="usb",RUN+="/bin/sh -c 'who | mail root -s Insert'"
ACTION=="remove",SUBSYSTEMS=="usb",RUN+="/bin/sh -c 'who | mail root -s Remove'"

That's my version 1.0 and took almost 30 seconds to create. I don't live in my moms basement though. :(

Re:Arms race anyone?

[tomhudson]

It's trivial to re-enable a serial port that has been disabled in the bios. You can use debug to write to the bios data area under windows, or you can write a small program to do it for you. I used to reassign serial ports on the fly that way - 4 ports and 2 interrupts is not a good situation, but 4 ports and 1 shared interrupt IS good.

Your "bios blocked with an unremovable admin password" is also bs - while you sometimes have to open the cover and short out a couple of pins for a few seconds, sometimes it's possible to do it entirely in software as well - but you miss the point - the bios is read at startup, but I can monkey with it as much as I want afterwards.

also, serial cards are cheap. So are ethernet cards. So plug all the ports you want with epoxy, and people will still get the data out. Or they can just take a picture with their cell phone.

The keyboard and mouse are connected to the USB ports on the back of the case, inside the wire cage where users can't get at them. If it's a notebook computer then they're built in and don't need to plug in anywhere. People have thought of this kind of thing before, you know. It's not a new concept that just popped up today on Slashdot.

... and a pair of wire cutters fixes that. snip, splice, done. Or just take the keyboard apart and the wires are nicely exposed (if you've ever tried to wash a keyboard, you've taken it apart to see how munged up you ended up making it, so you know the wiring is dead simple where it connects).

A notebook - even if you plug all the usb AND the card reader, my mini philips screwdriver will have the hd out in seconds - it's a LOT easier to remove and replace than a desktop. I'll also reconnect the wireless (it's just one wire, after all, and nowadays even if you rip it out it's field-serviceable and replacements are cheap). Pop the hd into the second drive bay on my laptop, make an image of it with dd, and I'm good :-)

If someone has physical access, you cannot stop them from getting the data if they really want it.

Re:Arms race anyone?

[Anonymous Coward]

It doesn't matter if you didn't tell users the root password.
With physical access, they OWN the system, and no silly runtime config stops anything, it's as far away as booting a rescue image or single user and changing whatever files they want on the system disk.

At which point, even the root user itself is just a few keyboard strokes away from being changed to whatever the hell they want.