Pulling the plug
The handy USB port is a gaping security hole. Can new software fill it?
- By William Jackson
- Jun 16, 2005
The Universal Serial Bus is a great technology. It replaces a confusion of legacy PC ports (remember parallel, serial, PS/2?) with a single, high-speed, compact port that accepts a growing number of peripheral devices.
But, with great technology come new challenges, said Fred Turner, information systems security officer for the Joint POW/MIA Accounting Command.
JPAC, based in Oahu, Hawaii, works to account for the more than 88,000 service men and women missing in action or held captive since World War II. It is made up of 425 soldiers, sailors, airmen and Marines and runs the world's largest forensic anthropology lab.
'Currently, USB will allow anything to connect,' Turner said. That is both the beauty and the problem. As USB becomes faster and the memory capacity in USB devices grows, Turner said, 'USB poses several challenges, such as thumb drives. We have to deal with unclassified and classified systems. You don't want the drives to be used in a classified/nonclassified environment.'
Users plugging such a thumb drive, also known as a key drive, into an agency computer could, for example, inadvertently introduce viruses. They could also make off with documents that shouldn't be living unsecured on a portable device.
And USB is not the only emerging security threat. IEEE 1394 FireWire ports, less widely adopted but faster and better suited for time-dependent traffic such as video, also offer a big pipe into and out of systems. And read/write CD drives present a simple way to move data in and out of a PC'and by extension, in and out of the network.
'And we are just starting to deal with PDAs,' Turner said. 'We need to be able to control PDAs in the same manner we control USB devices.'
It's enough to give network administrators fits. But technology to help ease the management burden is coming.A perfect storm
The most pressing input/output challenge, the port control problem, is a perfect storm of technological advances. First, today's USB Version 2 provides nominal speeds of 480Mbps. Second, devices with multigigabyte memory are available for a few hundred dollars (roomy 128M devices are often distributed like the floppy disks of old). Finally, Microsoft Windows XP automatically recognizes and loads drivers for USB devices, providing simple plug-and-play functionality with few restrictions.
This potent combination makes downloading huge amounts of data a trivial task for anybody with access to a networked PC.
'Windows plug-and-play is the bane of any director of security now,' said Bill Aubin, vice president of North American sales for SecureWave S.A., a Luxembourg-based security company.
And then there is the enormously popular iPod, which Trux Dole, American marketing manager for Centennial Software Ltd. of England, described as essentially 'a 40G hard drive.' Although XP is not particularly friendly to the iPod, the music player is capable of downloading 6G in two minutes over a FireWire port.
The threat from these devices is bidirectional. Not only can sensitive data be downloaded and removed from an agency facility, but malicious, illegal or otherwise inappropriate software also can be uploaded to a system.Good guys are the problem
'The problem is not just the bad guys trying to steal, but also the good guys doing stupid things,' said Vladimir Chernavsky, CEO of AdvancedForce Infosecurity Technologies Inc. of San Ramon, Calif. Stories of laptops with sensitive data being lost or stolen are widespread. 'The problem with USB devices will be a lot worse.'
That's what worries Jeff Flax, national technology and litigation support administrator for the Federal Defenders Program, which is run by the U.S. Courts. He oversees a system supporting 2,700 users, mostly attorneys and investigators.
'We represent people who are charged with federal crimes who can't afford lawyers,' Flax said. His network users handle sensitive attorney-client data, but Flax is not particularly worried about someone stealing it. 'My much bigger worry is somebody losing it.'
Prohibiting the use of portable devices is not practical, he said. Many of the lawyers and investigators work outside of the office much of the time, and the small drives and PDAs are convenient for keeping and ac- cessing the data they need.
'People who have access, have access,' Flax said. Information security within the Federal Defenders Program relies primarily on professional codes of conduct and ethics. 'Overriding everything we do is the attorney-client privilege.'
Although users have to be trusted, the possibility of losing control of data grows as the size of the device it is carried on shrinks. Files were easier to control when they were on legal-sized paper.
'There was a guard at the door who inspected your box on the way out,' Flax said. 'Now, it's in your pocket.'
Encryption is one way of protecting sensitive data against loss of a device, but it is not uniformly reliable, Flax said. Some encrypted devices use keys as small as 12 bits, and most keys are password protected, which often provides a low level of security.
'I use thumb drives myself,' he said. 'But I'm careful of what I put on them. What is really confidential is really encrypted.'
Still, Flax said he's on the lookout for a better solution.What to do?
The search for ways to control portable and removable media is just getting under way. Experts agree banning the devices is neither practical nor desirable, so vendors are responding with increasingly sophisticated products for applying policy to them.
'I don't think blocking the ports is an option,' Aubin said. 'USB is a really valuable tool. The next step is to control the devices.' That's what a host of companies, many of them in Europe, are now doing.
Aubin said SecureWave was moved to get into the business of device control by a 'three-letter agency' in the United States that was worried about USB key drives. The agency found that most drives on the market could slip undetected through metal detectors. Since the devices could not be excluded, the agency resorted to physically blocking the ports with glue.
Software is now available to take the place of glue, but it's still in a formative stage.
'We are mapping specifically to government requirements,' Aubin said. 'The government vertical is by far our number one market.'
SecureWave recently announced Device Control, a companion product to its earlier Application Control, both of which are designed to do exactly what their names suggest.
AdvancedForce is selling DeviceLock, which controls permissions of users of removable and portable devices. And Centennial Software recently announced DeviceWall, which manages connections to portable media.
But are government agencies ready for another new security solution? And do available solutions meet their needs?
When Centennial Software approached potential government customers about its DeviceWall product, Dole said, the initial reaction was, 'it's not needed.' Still, he said, 'we see a significant opportunity in the federal space.'Shopping for USB security
At JPAC in Oahu, Turner said small, portable storage devices have emerged as a security issue only in the past year, but have not yet reached the level of a problem.
'As thumb drive and PDA prices come down and more people have them, it's going to be a problem,' he said.
Turner's preference for heading off the problem is to use an off-the-shelf product. He is researching products now but does not expect to find what he needs on the market for at least another six months. His shopping list of features includes:
- Passive central management rather than client agents on every user's computer
- An easy-to-use central management system
- The ability to control devices based on a hardware ID
- A vendor-maintained, up-to-date list of supported devices.
Based on the technology currently available, JPAC may have to wait a while. Current products offer central management, but also rely on client agents to enforce policies. And most products control devices and applications by type rather than by hardware ID.
'I don't know if there are any third-party vendors who offer everything we are looking for,' he said.