State Agency to Destroy Unauthorized USB Drives

Lucas123 writes "The State of Washington's Division of Child support has forced hundreds of workers to turn in personal USB flash drives and has instead begun issuing corporate-style USB drives. The goal is to centrally monitor, configure and prevent unauthorized access to storage devices. So far about 150 common drives have been issued. The agency eventually plans to destroy all existing thumb drives collected as part of the security policy change."

Misleading summary

[jlowery (47102)]

The article states that the previous drives were "independently purchased" by employees, which likely means they got permission to buy a drive, went to Staples to get it, and then were reimbursed by the state. That would mean that they are not "personal" USB drives.

I know... I apologize for reading the article.

Re:

[jlowery (47102)]

Also... no mention of these drives being "unauthorized". Maybe the submitter needs to read the article as well.

Re:Misleading summary

[aurispector (530273)]

It really isn't clear at all exactly who purchased the drives and under what authority. Early in TFA they refer to "privately owned drives" which clearly indicates personal property, but in the same breath refer to state owned drives - and the difficulties in distinguishing between the two. The agency may well have a policy allowing them to confiscate personal items containing confidential information. Props to the agency for recognizing the problem.

The whole point of the exercise appears to be about safeguarding the data. The /. submission focusses on the confiscated drives being destroyed, which in TFA is a minor note at the end of the article. It appears that the state has to choose between paying someone to wipe all those drives or "destroying" them by some as yet undefined but presumably secure method and of the two, destruction would presumably be the most reliable.

A better title would have been "Washington's Division of Child Support takes important steps needed to safeguard confidental data" or "State agency moves to plug USB flash drive security gap". Oops, never mind, the second one was already used by *TFA*.

Re:Misleading summary

[damsa (840364)]

They are "personal" drives as opposed to "enterprise" drives in the sense that the state issued drive has additional features not available to the regular Staples consumer.

Re:

[warprin (794839)]

I agree, they probably got a supervisor's (at least one) ok on buying their own usb drive, it caught on, and then everyone started using them. Who knows if it was management that first decided to use non-approved drives. All we know is that the drives were not "coorrectly/officially" approved by the right department with the mandatory 100-page approval document.

Re:

[notaspunkymonkey (984275)]

"the mandatory 100-page approval document."

How the hell did you get access to my document - I store it on my personal USB drive, its the only copy... when they took it off me and gave me that new one I thought they destroyed my personal one..

Does that mean you have those pictures of my wife too???

Re:Misleading summary

[martin-boundary (547041)]

I know... I apologize for reading the article.

Weeelll. Looks like we got ourselves a reader! [youtube.com]

Misleading Summary leads to Misleading Tags

[keirre23hu (638913)]

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

But then again what does the content of the article have to do with analysis on Slashdot... yeah I know.. flamebait..

Re:

[Firethorn (177587)]

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.

Re:Misleading Summary leads to Misleading Tags

[keirre23hu (638913)]

Oh, I don't know, maybe erasing the drives makes sense because they contain case files and such?

The replacement drives might support encryption, which is a normal 'corporate' feature.

Your sarcasm is duly noted and definitely misdirected - my point is that the state has the right to do what they please with their hardware. If they decide to erase the drives because they have purchased better equipment, that is their prerogative. Unfortunately the summary leads one to believe that the state gov't is saying, "you used your personal thumbdrive for work, so bring it in and we'll erase it" when actually, what appears to have happened is that they (stupidly/cheaply) purchased non-enterprise drives for enterprise purposes, then figured it out sometime later and decided to "fix" the problem - not really a big story... but like I said.. this is slashdot, where too many people believe in the process of "ready, fire, aim"

when it comes to commenting or responding... comprehension is not necessary.

The use of the word "personal" was obviously targetted at getting a rise out of the non-RTFA crowd, as the article itself never terms the drives - "personal drives". They called them "nonapproved thumb drives". We recently discussed "secure" thumb drives [slashdot.org] and I hope they arent wasting their (taxpayers') money on the version of the Cruzer reviewed in the article.

Re:Misleading Summary leads to Misleading Tags

[CTachyon (412849)]

Now some geniuses have tagged it privacy - what does the state erasing a thumb drive it owns have to do with privacy?

RTFA. The reason the state is issuing these new fancy-schmancy thumb drives is that the new ones (claim to) have 256-bit AES encryption and (claim to) self-destruct after 10 consecutive wrong passwords. They're doing this whole switch because of privacy, because the thumb drives contain the private, personal case files of hundreds/thousands of citizens.

If you had read my response to the other post...

[keirre23hu (638913)]

you would see that I did RTFA. If the state had purchased the correct type of thumb drives in the beginning this would not have been an issue. The headline says "State Agency to Destroy Unauthorized USB Drives", someone noted that the misguided headline and summary do not accurately reflect the content of the article. I followed that up by nothing the tagging was questionable. The gist of the summary is that the privacy issue is in the erasing of the thumb drives, whereas the article's point is that persona

Good

[BadAnalogyGuy (945258)]

I don't want government employees listening to MP3s while at work. They are slow enough as it is.

Re:

[Skater (41976)]

I'm a government employee. My options are either (1) listening to MP3s and being slower or (2) being completely ineffective because I have to listen to my hyper coworker who has no inside voice screaming all day. She loudly, and randomly, says things like, "I'm not getting any work done guys!" to no one.

Accuracy of Story?

[sepluv (641107)]

It doesn't say in TFA that they have confiscated and destroyed existing drives (and, if they have, it may only be state-owned drives).

Although, it does say in the quote from the manager that they will "manage and back up the new drives using SanDisk's Central Management & Control server software...which relies on a Web connection to directly communicate with agents on the tiny flash drives [and can] remotely monitor and flush any lost drives" so they could read and delete files on the disks remotely.

It also says that they chose the disks for their MSW Vista compatibility which suggests that the "agents" really are (as previously quoted) on the disk rather than the PCs (one assumes so they can track what their employees do with the disks while not using their PCs, which really doesn't seem necessary to me). Hopefully they do have software on the PCs too to ensure that non-authorised disks are not used and to monitor activity if the "agents" are removed from the disk by intrepid employees.

Although, I suppose, in principal, the right to privacy of their clients (which could be breached by data being transferred out of the building) overrides the right to privacy the government employees have while in the office.

Re:Accuracy of Story?

[sepluv (641107)]

My bad. It says "after recalling the thumb drives used by workers. Most of those had been purchased independently by the employees, causing myriad problems for security personnel, Main said. The new policy requires workers to use the drives supplied by the agency. Main said he eventually plans to destroy all existing thumb drives collected as part of the security policy change." Although, I think from this and following comments like "The general perception is no one will report a lost USB memory stick because they're so cheap" there is an implication (although it isn't explicit at all) that the drives were bought with public money and used for public work.

Once again, I don't think there is too much to complain about here. It shocks me how many employers (even in sensitive areas like government departments and law firms) have PCs that will even, by default, run software or an operating system from a USB drive. According to TFA, in this case "sensitive data transported by off-site workers include[d client's] tax documents, employer records, criminal histories and federal passport data" and commonly "the names, dates of birth and Social Security numbers of children".

Of course, in opposition to what the article says, I think education about data protection legislation and issues is more important than attempting to physically constrain employees (which is ultimately impossible), although both may have their place.

Sensible policy

[MosesJones (55544)]

Before people moan about "personal" these aren't things that people have paid for with their own cash (they got the cash paid back). The other point is that banning removable storage is a difficult, but sensible, policy when there is confidential or valuable information about. Hopefully these USB sticks will be encrypted and tied to only the departmental machines (i.e. no working at home on confidential information) in order to prevent misuse or sale.

This isn't a personal privacy issue for the users (after all its just a USB key) its a personal privacy issue for the people on whom the department stores information.

Re:

[CastrTroy (595695)]

Do they even need to be taking information off premises? If the drives aren't encrypted they aren't secure. What computers are they hooking them up to? Are those computers secure? If you're only going to use the data on departmental machines, a network storage solution would work a lot better, and be a lot more secure.

Re:

[AlecC (512609)]

The whole point of the article is that they are replacing dives of unknown source and capabilities with encryptes drives which self-wipe on to many access failures. They are, correctly, replacing insecure devices with secure ones and destroying insecure ones with confidential data.

Re:

[CastrTroy (595695)]

The point is, where are they taking these drives? If it's just for between computers within the organization, a network storage solution would work better. It would be more secure, and the files would never leave the premises (ideally). The only need for USB drives is to transfer data between computers not on the network. If the information they are transporting is really all that important and confidential, it's probably best that they never give access to it from unknown computers. Once you enter the

Re:

[AlecC (512609)]

Very true. I was assuming that the need thus to transport the data is proven. For example, a case worker might need to look up notes at a client residence while interviewing the client, or to update notes immediately after a client visit because they will be stale by the time s/he returns to the office after several, possibly ewearing, client visits. These are legitimate reasons to take the data off site. Obviously, they are reasons with a security cost, and the cost/benefit must be positively evaluated rat

Re:

[CastrTroy (595695)]

If they need to type up notes about cases, without being at the office, then get them a laptop and secure that. Sure they could still hook that up to another home computer, or to a USB drive, and data could get in the open, but there will be a lot less reason for them to do so. Giving them a USB drive gives them the ability, and actually encourages them to put the data on insecure systems. For the extra cost of these fancy USB drives, you could probably provide them with a laptop (over the cost of a deskt

Re:Sensible policy

[Moraelin (679338)]

Call me a cynic, but based on the experience of some places I worked for, it might just end up something like this:

1. What maybe started along the lines that you described, then has to go through controlling or purchasing or such, which in a lot of places have their job judged and measured by how much they saved. If they saved 10,000$ at the cost of making everyone else spend 1,000,000$ in workarounds and lost productivity, they're doing their job right. So someone will go "auugh, why should we pay a few bucks more on very secure drives, when we could get ordinary ones at a bulk discount? Look, there are these drives with fingerprint scanner for half the price. That's secure, right?" (See the vulnerability linked even on Slashdot recently.)

2. Someone else (or in some organizations the same) will have to make sure it's one of the approved suppliers. Ideally this would mean those who have a good track record of reliability, quality, etc. In practice, it'll mean one of (A) whoever pays more bribe, or (B) the boss's wife's or cousin's supplies company, created just to siphon some money off such purchases. If it's a state agency, stuff like pork barrel, political favours and lobbies have something to do with it too.

Since this _should_ be in conflict with #1 and is exactly the kind of thing that #1 is supposed to catch, sometimes they split the bribe, sometimes they trade favours, and sometimes inventive discounts are used. Like we'll price the USB sticks at $1000 each, give you a 50% discount, and let you show that you've done your job right by negotiating a whole $500 discount per drive.

3. Some IT department has been given thoroughly counter-productive goals, like only keeping the computers or the network running, but no mention of actually providing a service to the rest of the organization. So suddenly the users are their sworn enemies, the filthy pests that keep using and screwing their preciouss computers and network. They'll do their best to contain, thwart and plain old inconvenience those users at every step. So the "secure" setup for those drives will be just an exercise in making it as inconvenient to use as possible, to teach those pesky lusers a lesson.

And indeed the users do learn a lesson: that if you want to get your job done at all, you have to do your own unauthorized workarounds. There goes most of security out the window right there.

Alternately, the IT department has also been on the shit end of #1, and is underfunded and staffed with the cheapest monkeys who can sorta bang on a keyboard, and don't fling too much feces at the screen. So they'll configure something which they think is right, but is not.

Yet another alternative is that a lax PHB can't be bothered to actually organize IT, and some BOFH personality types feel free to override everything and do what _they_ please. I've seen it happen. Stuff like production servers configured without XA support for _years_, just because the relevant BOFH thought that's a buzzword and it runs just as well without it anyway, plus it saves him the bother of installing the relevant libraries on all servers. So he _lied_ to the team for years that they have a feature that they didn't actually have.

And not only I can see all three happening with security too, I've _seen_ it happen with security features too.

4. Some PHB will figure out that it's not really an "enterprise" drive unless it has the organization's logo on it. In fact, that that's what makes anything properly enterprise.

Some frustrated users that have been on the shit end of #3 too often, will begin just printing and gluing makeshift logos to their own USB sticks, rather than put up with Mordac The Preventer Of IT Services again. Noone will be any wiser.

Etc.

Waste

[ajs318 (655362)]

At the very least, they could /dev/zero them and give them away.

Re:

[AlecC (512609)]

And how sure are you that /dev/zero actually destroys the data rather than just removing pointers to it? A study of disk drives bought on ebay showed that 1/3 had not been wiped at all and 1/3 had been re-initialised in a way that made it trivially easy to recover the "deleted" data.

Re:

[ajs318 (655362)]

dd if=/dev/zero of=/dev/sda1 will write zeros to /dev/sda1 until interrupted (which will happen of its own accord as soon as /dev/sda1 is full).

/dev/zero is a virtual device that whenever you read a character from it, comes out with a stream of zeros; it is always ready to read and never shows end-of-file. /dev/sda1 is a device that represents the first partition of the first SCSI, SATA or USB disk drive, treated as one huge file (which happens to contain all the files and pointers to them) rather than

Re:

[Culture20 (968837)]

And you can
dd if=/dev/sda1
before and after to be sure.

If you're really paranoid, there's also shred:
shred -n 300 -z -v /dev/sda1
(writes random data to /dev/sda1 300 times, then writes 0's. Spends a couple cycles with I/O to screen to let you know it still cares, [-n 0 -z -v] for a verbose version of dd if=/dev/zero)

Won't work, even with all the good faith...

[dpbsmith (263124)]

It's like trying to stop people from bringing in cell phones or iPods or PDAs... or creating personal Yahoo mail accounts from company machines... or playing solitaire at work. They are just too ubiquitous and there are just too many of them. Unless you get draconian (make it cause for immediate termination, and frisk every employee at the door... and I mean every employee, including all the vice presidents and directors and department heads).

Even employees that mean to comply will forget, will be at work and need one, reach in their pocket, and find they've got one of their own instead of the corporate-issued one.

I don't know what the answer is, but banning ubiquitous technology is like Canute holding back the waves.

The most dramatic case of the utter failure of this sort of thing I've seen occurred at a company in the 1990s which didn't quite understand that personal computers were personal. This was in the days before antivirus software was standard on any business machine. The company became seriously infected with a boot-sector virus. They had the entire IT department, SQA department, and tech support departments literally stop all their work for about a week while they went throughout the company collecting diskettes and disinfecting them, then pronounced the company clean. Apparently it never occurred to anyone that there were diskettes that weren't in the building.

Even then there were laptops, and, without pointing fingers--OK, pointing fingers--laptops were expensive at the time, and it was mostly the high-income and high-ranking employees, and, of course, people with good reason to have them--salespeople typically--that had them.

The company was reinfected by the same boot virus within less than a month.

Re:

[sepluv (641107)]

I don't see what is so draconian about terminating government employees who take personal data (that might be used for, say, ID theft) on citizens out of the building, no doubt committing a crime under data protection legislation in the process. After a few terminations, I'm sure they'd stop doing it. Governments tend to be way to lax with our data allowing their employees to repeatedly "mislay" it.

Re:

[tubs (143128)]

1) Get senior management support
2) Diasble all USB ports on all computers
3) All users to run as "Users" and not local administrator
4) Use GPO to diasble auto install of USB devices
5) Use GPO to deny all programs unless authorised (Not often used, but in windows you can stop a logged on domain user from running any programs whatsoever, including explorer)
6) Install Proxy that "denies" all webistes except approved one
7) Pissed off users, but more secure network. Senior management support you, so flack direct

Re:

[dpbsmith (263124)]

There are three problems with this. The first is that you're framing the problem too narrowly. It's not "denying use of USB thumb drives," it's "creating a culture for proper handling of data." If they can use USB drives, they'll email attachments to themselves. Or use a WebDAV account. Or use a Bluetooth-enabled portable hard drive. Or whatever. The problem that needs to be addressed is "why are people taking data with them? If it's for a legitimate reason, how do we facilitate their doing it properly? If

Re:

[AlecC (512609)]

There can be justifiable reasons for taking the data off site. Rather than banning it completely, you need to do a (security) cost/benefit analysis and justify the action. And if yu can reduce the security cost, you may well be able to access more benefits.

Re:

[tubs (143128)]

No, they'll understand why these security measures are in place because you've explained it, given them options and shown what the damage can do.

Oi - get real

[onyxruby (118189)]

Government agency does the right thing with trying to protect data and people still complain about it. Get real, not everything is a conspiracy, ok? The flash disks are government property, not personal, so why is anyone complaining.

Government and private sector agencies destroy used disks every single day using methods from as simple as patterning 1's and 0's to smelting the platters. This happens so often that their are dedicated machines available to do it for you right up to dedicated companies that specialize in the destruction.

/me grumbles and wants 5 minutes wasted out of my life back now...

Misleading Comments...

[Khue (625846)]

I think that they are actually being fairly reasonable about the whole issue. USB keys are a severe security risk as far as controlling access to data leaving a business. People leave with Excel sheets full of database information, confidential email, and sometimes text pads containing passwords to various systems. We've already begun the process of completely disabling all computers company wide from their ability to write to removable drives which essentially takes away the threat a USB key poses. Here we see that the state spent a reasonable amount of money (cost of the usb key itself + enterprise management software which probably has some sort of CAL) just so employees could still use USB keys. In my environment, employees just straight up would never have access to USB resources to begin with... Can you imagine the consequences of a disgruntled employee walking out of the office with a spreadsheet of 65k+ credit card records or other customer records? Hello Fidelity Insurance scandal...

Somebody has woken up to to personal privacy

[AlecC (512609)]

Given the casual way in which UK goverement employees, both civil and military, have been treating confidential information, I am glad that a department with seriously confidential information is taking the security of portable storage media seriously. Obviously, if the media were personally ppurchased and used in good faith, the owners of the media must be compensated. But, as previously suggested, these were probably privately purchased and then refunded as expenses, to the belong to the emplyer already.

As to destroying them... Put this in proportion: 150 devices, at perhaps $30 apiece if they wern't bought yesterday: about $4500. On the otyher side, when the UK government lost 2 CDs with large amounts of personal information, the mailshot warning the people whose personal and banking information had been misplaced cost $6,000,000. With cost ratios of this magnitude, the precautionary principle applies. Yes, you could wipe them, and they probably wouldn't leak info. But the cost if they did is so high that the tiny loss involved in destruction is irrelevant.

So I applaud a government department for finally taking privacy seriously. The cost arises becasue they didn't do so before, and is small. The cost for all the other departments who have not yet got it is increasing every day.

Why not disable the USB ports?

[Ahrel (1064770)]

Call me dumb, but I don't understand what they're using these thumb drives for that wouldn't be possible with a good network? Why not disable the ports (or at least access to them by anyone but IT and managers). If they have network shares, that should be sufficient enough to transfer data to a colleague. The article mentions PowerPoint presentations and the like...but if they're giving a presentation within the building, they should be able to access their shares for the power point files. If it's outside of the building, transfer it to the laptop before you go. But if you absolutely need the files on a thumb drive, get a monkey from IT to do it (that's what field tech's are for). I dunno, I guess I'm just too used to how the two places I've worked at in IT did and do things. The million dollar question is why is the state so paranoid that their employees in the Division of Child Support are going to be stealing information? Maybe they should screen better.

Re:

[JoeD (12073)]

Because USB ports are used for other things besides thumb drives. Notably, mice, keyboards, and printers.

Re:

[AlecC (512609)]

This is a child care agency. They need to visit the child and/or parents in their home, and have access to the child's records, both to read them (e.g. to find if any allegations are repeat cases) and to update them to record new allegations. You cannot get parents and childern to come into a secure environment for interview. The case worker, who may have to do three or four emotionally draining interviews in one day, cannot be expected to remember all the facts accurately enough for (for example) legal pro

There are security concerns

[JoeD (12073)]

I remember reading an article from a security consultant awhile back. One of his clients, a bank, had hired him to try to break into their systems, and were quite cocky about how they'd sealed off external access.

So he took a bunch of thumb drives, put a Windows autorun backdoor installer on them, and scattered them around the entrances and outdoor smoking areas.

Hey, presto, instant access.

Now if only all the other agencies would....

[LynnwoodRooster (966895)]

consider privacy, too. Two years ago, I had the "pleasure" of a WA State DOR audit. The auditor wanted me to copy our company's QuickBooks file to his USB so he could work on it at his office. Knowing the law, I said I'd run reports and print out anything he wanted, but would not give him the file because it contained delicate information (like SSNs, health information, credit card numbers, etc).

The auditor was furious, and demanded we give him the file, rather than just printouts. I said no, and he left, only to return the next day with his supervisor, who also demanded the same and said they'd get the file "legally" if needed.

I told them to give me the USB key, and we'll see. I plugged the key in and turned the monitor around so they could see 9 QuickBooks files from other companies. I asked them if they intended to share my data with the next 9 companies, like they just shared those files with me?

After much haranguing, and threat of legal action, we finally agreed on a full Excel file database dump, but with the critical fields (customer names, CC numbers, etc) wiped.

Is it just me,

[IdeaMan (216340)]

or did anyone else immediately think "They're not doing that because the fobs are insecure, they're looking for child porn."

RTFA

[jlowery (47102)]

They're likely neither unauthorized or personal.

Re:

[IBBoard (1128019)]

Chances are they've been using their 'personal' USB sticks to transfer work documents. If that's the case and the agency have some form of classification level or protection for their information then more fool them for putting the information on a personal device.

It's the same in any military situation - hook a device up to a Restricted or higher machine and the only way to 'declassify' it is with a hammer.

Or, as some people have pointed out from TFA, it could be that these were purchases that they've been

Re:You can have my USB key

[Tyndmyr (811713)]

Having spent quite a few years working for the US government, I assure you, they were either reimbursed for them if they were officially permitted, or warned against using them. It's not uncommon to sign a waiver giving them permission to confiscate storage media if you store sensitive stuff on it, and personally, Im rather glad to see them being responsible with information that could pose a major privacy threat.

Re:

[Comboman (895500)]

Too bad the person who wrote the summary didn't RTFA, because the summary says they were personal USB keys.

Re:What a waste

[jlarocco (851450)]

I'm also annoyed (as I always am with things like this) that they are going to destroy the drives as opposed to Zeroing them out and selling them second hand.

Two things to consider:

• By the time most government hardware gets destroyed, it's already obsolete. My guess is most of the drives they're destroying are well under a gig. Who would buy a used 256 MB flash drive?
• Destroying the drives is harder to fuck up. I don't know what information they're storing about people, but I'd rather it not be accidently released. It's pretty easy to see which drive hasn't been smashed to bits with a hammer, not so much which drive has been properly zeroed and formatted.

Re:What a waste

[SharpFang (651121)]

especially that due to wear protection flashdrives are pretty hard to zero. Overwriting files is not guaranteed to delete the data because the 'overwrite' may (and likely will) happen elsewhere than original data was. You can still fill the whole drive with zeros (or better - random noise) but the science concerning recovery of overwritten data from flash memory is nonexistent - nobody knows if whether it can or can't be done.

Re:

['Tractor' Barry (788340)]

> Who would buy a used 256 MB flash drive?

Depends on the price. If they were 1p I'd buy 100 of 'em. 256 Mb is still a useful amount of storage (plain text, html, mp3 etc. etc.).

Re:

[Lumpy (12016)]

REally? I give mine up willingly. I upgrade about every 3 months. I now carry a 16 gig model. I gave away my 4 gig to a stranger recently when we were talking and he asked about thumb drives, I said they are dirt cheap. Here, have one (I was out of the older 1 gig drives I had clogging the bottom of my backpack.)

that's the cool part. Plug in two drives, dump contents from one to the other, format the old one, give it away. Really simple.