DOD, in 2015, after Next Big Leak: No More Removable Media

In 2008, DOD’s computers in Iraq were infected with malware introduced via a thumb drive.

The order went out: no more removable media.

In 2009-10, Bradley Manning downloaded entire databased onto a Lady Gaga CD.

The order went out: no more removable media.

And now this:

Former National Security Agency contract employee Edward Snowden used a computer thumb drive to smuggle highly classified documents out of an NSA facility in Hawaii, using a portable digital device supposedly barred inside the cyber spying agency, U.S. officials said.

Investigators “know how many documents he downloaded and what server he took them from,” said one official who would not be named while speaking about the ongoing investigation.

Snowden worked as a system administrator, a technical job that gave him wide access to NSA computer networks and presumably a keen understanding of how those networks are monitored for unauthorized downloads.

“Of course, there are always exceptions” to the thumb drive ban, a former NSA official said, particularly for network administrators. “There are people who need to use a thumb drive and they have special permission. But when you use one, people always look at you funny.”

There are always exceptions to the removable media ban, it seems.

21 replies
  1. Rayne says:

    The exceptions are the ones they have in their possession today — smartphones and tablets, both of which have removable storage media yet allow access to networks as if they were PCs.

    Wonder how long it will take for the DOD to figure out these devices are problematic?

  2. lefty665 says:

    @Rayne: Real issue is ports. Remove USB, bluetooth, firewire, cd/dvd, etc, and media doesn’t matter.

    Like EW says, “there’s always an exception”. One exception is always going to be the wizards who keep it all running for everybody else.

    Bet they all have gotten a thorough going over and more ongoing scrutiny. There’s no joy in Mudville after they figured out what happened. Big Brother does not take kindly to being had the same way the service dorks have. It’s professionally embarrassing. They are going to get needled for a long time.

    NSA might reasonably decide to bring net admin back in house. Several people have to be big time ripped that a dropout kid (any bets where his dad works?) they’d hired as a security guard cycled through CIA and came back via a contractor in a very sensitive position with wide access.

  3. Garrett says:

    “Of course, there are always exceptions” to the thumb drive ban, a former NSA official said, particularly for network administrators. “There are people who need to use a thumb drive and they have special permission.”

    Properly, no removable drives on any machine. Meaning, no hardware slot for them. And no operating system support.

    But that’s a pain for administration.

    There’s banning removable media for real, despite the hassle it causes administrators. Or there’s looking at people funny.

  4. P J Evans says:

    Usually it’s the guys who have to fix the computers who get the thumb-drives. It’s so they can copy the drive (make an image of it) before they do things to the machine.

  5. scribe says:

    @lefty665: His dad lives in a Pennsylvania suburb near … not much of interest NSA-wise. He appears to be a retired Coast Guard officer.

    And, just because he lived in Maryland near the NSA (mentioned in the paper) doesn’t necessarily mean anything – the Coast Guard also does regular Coast Guardy things saving boaters and such in the Chesapeake and Potomac.

  6. lefty665 says:

    Thanks, all I’d seen was that they’d moved to Laurel. Didn’t seem likely it was to watch the trotters run, but convenient to a job at Meade or a contractor. The Bay is a place the CG likes to practice boarding small craft.

  7. greengiant says:

    Snowden’s two broken legs in SF training may have won him a disability lottery ticket. Rare perhaps, but it does happen.

  8. P J Evans says:

    A lot of people seem to assume that dropout means stupid or incompetent. He could have been an underachiever, bored stiff in HS.

  9. lefty665 says:

    @P J Evans: Expect you are right. Clearly he’s a very bright bulb. My dropout comment was only that NSA took someone with no credentials in a low level position. His path from there through CIA and back to a very sensitive position at NSA via a contractor has to give NSA fits. OTOH, he was very damn good at what he did.

  10. eh says:

    I should hope they know how much he took and from what servers!

    If the NSA and/or their contractors don’t have the kind of auditing facilities that tells them every single file someone has accessed, I would question their committment to high security. If they couldn’t say this, more heads than Clapper and Johnson’s would be rolling and by this token, I doubt we are the audience for this announcement and it’s pointed more at their potential executioners at DoD & FBI.

  11. BeccaM says:

    Having worked on the IT side of the wall, I can say with near certainty: It is not possible to have a totally isolated system anymore.

    Someone will always need to have physical access to the data infrastructure. If there’s no Internet or network connection, then the usual means of performing installations and updates is via removable drive, flash card, or thumb drive.

    As for further down the line, if a system has a USB port for a keyboard or mouse, that same port can usually be used for a mountable file system.

    I’m not saying it’s impossible to mostly-secure a system and an internal network. Just that it’s usually both difficult and expensive. Off-the-shelf computer hardware these days is designed for maximum connectivity, not security.

  12. scribe says:

    @eh: Maybe he just imaged the whole operation, save some or most of the downloads.

    That would give the NSA serious fits….

  13. P J Evans says:

    That’s how he got that job. Most businesses are more interested in whether you can do the work than whether you have diplomas. If you’re really good, you can get promoted up to your level of incompetence.
    (One of the sharpest people I’ve worked with was a history major who took to the job like he was intended for it. He was so good that we were telling our boss to hire him within two months of him starting as a contractor.)

  14. lefty665 says:

    @P J Evans: Hey, even if we’re not really good, we can get promoted to our levels of incompetence, they are just lower levels. The Peter Principle lives, as my postings on this blog prove.

    I am a little surprised that NSA appears to have given pretty much full faith and credit to Booz Allen and CIA clearances.

  15. Rayne says:

    @lefty665: the issue *has been* USB ports. DOD could have developed and dispatched a script that disabled ports unless a passkey typed into system, which in turn launched monitoring of system activity. Further, they could limit external devices to those that are DOD-issued with a two-step authentication on use. It would be best to ask why DOD has not done this in the absence of budget adequate to physically eliminate ports.

    The *current* and ongoing problem with DOD is that it fails to use OODA on cyber risk matrix, let alone think proactively toward future threats.

    The smartphones and tablets are a current threat; intelligence and military personnel have been clamoring for years to be allowed to use the same technology in work place that they use in personal lives, with little push back from upper echelons. These devices pose the same risk to US gov’t as they post to the terrorists NSA claims it is monitoring. They already contain ports more than a generation newer than USB and are designed to connect to the network with ease.

    It’s just a matter of time before that shoe drops. Tick-tock.

  16. P J Evans says:

    That’s certainly what I did. HS diploma, AA, 300 quarter-units of college credit (but no degree besides that AA – in Engineering, mind you), and there were times when I was the one person who was doing certain kinds of QC, in a company of 11000. As a contractor. (I was probably more familiar with some of the stuff than any of the regular employees. About 20 years of experience with it.)

  17. posaune says:

    @P J Evans: Not having a degree makes for an interesting psychology. There’s a certain amount of psychic baggage that one doesn’t carry for not having a degree — i.e. student loans, of course, sense of indebtedness to parents who pay for it, investment of time, investment in “the system,” and finally an aspect of being “foot-loose” and unencumbered, a reliance on innate talents. Independence, more for a bright bulb. And, remember, this is the generation that owes an employer absolutely nothing.

  18. lefty665 says:

    @RayneI hear you. Scripts and policies are software, they’re essentially free, so why the hell not clean up the act? But, it’s a good bet NSA’s been brighter than DoD in general. Snowden was in the right place to have too much access, technical support rather than job based. Sounds like they did have good audit trails once they figured out what to look for, or at least that’s what everybody’s swearing.

    Phones and tablets scare me. The list of accesses we sign off on with each app is appalling. Many do not seem all that related to the function. I take your comments there too. Tick, tick, tick…

    @pj Evans – There’s no substitute for brains and experience. Sounds like you did well. Old J. Paul Getty used to preach that if you knew what you wanted to do, in most cases you’d get further by getting a job in your chosen field than spending four or more years in college. Obviously not always the case, but Snowden’s a good example. He went from broken legs to security guard to $200k+ a year in pretty short order. Not too shabby.

  19. P J Evans says:

    I’d describe them as giving employers as much loyalty as they’re given. A good company can keep people around. (Decent pay helps, but interesting work that makes you feel like you’re doing something important is best.)

  20. Duncan Hare says:

    I had a contract with a large medical provider. All USB ports were filled with superglue.

    That was in 2001.

  21. Rayne says:

    @Duncan Hare: Well, that’s far too simple for DOD, apparently. Shocked that the mega-sized IT consultant with massive DOD contract for whom I worked for at the time didn’t think of selling this as a service.

    The hell with that…I could have sold it and won a huge award for upselling IT security services. ~kicking my own ass now~

Comments are closed.