Thumb Drive Security: Snowden 1, NSA 0
Thumb drives helped NSA whistle-blower Edward Snowden transport top-secret data from the agency. If the NSA can’t keep a lid on thumb drives, can you?
By Mathew J. Schwartz, InformationWeek
June 14, 2013
URL: http://www.informationweek.com/security/storage/thumb-drive-security-snowden-1-nsa-0/240156720
Pity the poor USB thumb drive.
The humble storage device is again under fire after reports surfaced that National Security Agency (NSA) whistle-blower Edward Snowden, 29, used a removable USB storage device to exfiltrate top-secret information from the agency, reported the Los Angeles Times.
NSA investigators now “know how many documents he downloaded and what server he took them from,” a government official — speaking on condition of anonymity — told the paper.
In general, the use of removable USB storage devices is prohibited inside the agency. “Of course, there are always exceptions” to that rule, said the official. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”
One job role that would require using removable storage, however, would be that of IT or systems administrator, which was Snowden’s job at the NSA, although he was a contractor employed by Booz Allen Hamilton.
The Department of Defense’s restrictions on using removable storage devices aren’t unique. “At Huawei, my understanding is, plugging in a drive [equals] get fired,” tweeted the Bangkok-based vulnerability buyer and seller known as the Grugq.
But as Snowden’s leak shows, at a certain level, even the most advanced security measures or defensive systems rely on trust — whether or not thumb drives, iPods, smartphones with cameras, photocopiers, or telephones with outside access are available to employees inside the corporate perimeter.
“As we’ve seen with WikiLeaks and Snowden, if one person sets their mind to it, they will grab information and find a way to disseminate it,” James C. Foster, founder and CEO of Riskive, and a past Booz Allen employee, told Dark Reading.
Historically speaking, people haven’t only used thumb drives to remove secret data stored in digital format from secure environments. In 2009, Britain’s MI6 intelligence agency caught Daniel Houghton, one of its computer programmers, trying to sell advanced email interception technology — as well as lists of MI6 and domestic intelligence agency MI5 staff members, including full contact details — to another country, after having downloaded the information onto a secure digital memory card. (Memo to European spooks: Don’t attempt to tempt the Dutch.)
Removable media has long posed an information security risk to government networks. In 2008, the Department of Defense banned all flash drives and other removable media, although that ban was subsequently relaxed. But it wasn’t until 2010 that William J. Lynn, then the U.S. deputy secretary of defense, said that a malware-infected USB drive had breached government systems and led to the ban.
“The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command,” Lynn wrote in Foreign Affairs. “That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.”
In Feb. 2010, however, the Defense Department “decided to make this [thumb drive] technology available again on a strictly controlled basis,” then vice admiral Carl Mauney, deputy commander of the U.S. Strategic Command, told GCN. “Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met.” But those requirements were likely designed to prevent a repeat of the devices being used to distribute malware, rather than to combat insider attacks.
Calls for removable media to be more tightly monitored or restricted in U.S. government facilities soon resurged in the wake of WikiLeaks publishing — largely between April and November 2010 — redacted and then full versions of 251,000 State Department cables.
Pfc. Bradley Manning, who was arrested in June 2010, is currently standing trial at Fort Meade, Md., on charges of leaking the cables, U.S. helicopter gunship footage and other sensitive material. He allegedly copied information from the Department of Defense’s classified SIPRNet network onto rewritable CDs that he hid inside a Lady Gaga CD case.
Since then, the Defense Department had been evaluating monitoring tools to help military and defense agencies more quickly spot insider attacks. Obviously, that technology either wasn’t in place inside the Hawaii NSA satellite facility where Snowden worked, or the technology failed to spot his suspicious behavior before he flew to Hong Kong.