IBM Bans Staff From Using Removable Storage Devices (theregister.co.uk)
An anonymous reader shares a report: In an advisory to employees, IBM global chief Information security officer Shamla Naidoo said the company "is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around.
Lost Productivity (Score:5, Interesting)
Re:Lost Productivity (Score:4, Interesting)
My company does similar. When we insert a USB thumb drive the system will prompt you to encrypt the drive; the encryption locks it to your machine only. If you say "Don't encrypt" then you are limited to read-only on the device; this is so we can download data from a client.
At least our company has a procedure for obtaining an exception to the encrypted USB drive rule if you can justify it.
Re: (Score:2)
What happens when you insert a device that tells the system it's a keyboard?
Re:Lost Productivity (Score:4, Informative)
Windows GPO to force BitLocker on USB mass storage
Re: (Score:2)
That's not how any of this works.
The hole here is that someone plugs in a "flash drive" that is actually a keyboard or flash drive + keyboard so people don't get suspicious.
Re:Lost Productivity (Score:5, Informative)
If you are suggesting that someone can create a flash drive that the computer thinks is a keyboard, then the computer will not mount the drive to be written to since it knows that it cannot write data to a keyboard.
Re:Lost Productivity (Score:4, Informative)
This is a real attack vector that exists in the real world. Slashdot has covered this multiple times.
Someone creates a device that looks like a flash drive.
Internally, it is a keyboard, or a keyboard AND flash drive.
When plugged in, even a "secured" system that blocks removable storage devices will typically allow other USB devices (such as keyboards).
The OS will happily accept input from the thing as if it were a keyboard with keys pressed by a human, even though the key presses are all prerecorded payloads stored on the device.
As such, the keyboard can go to town and do shit like:
Windows Key /f /s /q /*.*
cmd
CTRL+SHIFT+Enter
Left
Enter
del
Enter
Or just spit out and run any malware payload:
Windows Key
cmd
CTRL+SHIFT+Enter
Left
Enter
ECHO MalwarePayload > GetFukt.exe
Enter
GetFukt.exe
Enter
exit
Enter
Re: (Score:2)
Yes, but this is what HornWumpus was referring to, and Joe_Dragon and Baton Rogue didn't understand it at all, so I had to explain it. Twice.
Re: (Score:2)
You can reprogram a large number of flash drives to make a 'Rubber Ducky'. Don't pay the people $50, that's for chumps.
Re: (Score:2)
The OS will happily accept input from the thing
Yes but the user won't.
*Plugs in USB drive.
*USB drive starts doing evil things
*Computer: "This device is not an authorised USB drive"
*Unplugs USB drive and throws it into the bin.
The attack vector relies on either inside knowledge and privilege or time to collect privileged information. The former is mitigated by policy, the latter by human nature.
Re: (Score:2)
*Plugs in USB drive
*Malicious USB drive tells computer "I'm a keyboard."
*Computer accepts incoming characters from USB drive as if it were a keyboard
*Computer finds no reason not to accept commands installing malware on local account
*User doesn't notice a thing
*Malware is installed.
Re: (Score:2)
What happens when you insert a device that tells the system it's a keyboard?
Windows loads a keyboard driver instead of a USB mass storage driver and the device fails to function? Just guessing here.
Re: (Score:2)
That's not how a Rubber ducky works.
Windows loads the keyboard driver, the device starts 'typing' commands from an attack script.
Re: (Score:2)
I'm going to go out on a limb here and say that the USB key won't let you copy files to and from it. If you're talking about the can't-trust-foreign-hardware aspect of USB here, the key requirement for it is that it continues to act as the user expects in order to avoid suspicion. Sure it can be a keyboard in the background logging your strokes, but if it doesn't function as a USB drive as well the user will relegate it to the scrapheap.
Re: (Score:2, Interesting)
Just use your phone as the USB drive. I work for a Fortune 500 that uses the exact same technology and after asking one of the security analysts how it works, I quickly realized it would not recognize my phone as a removable storage device (it works based off the driver IDs used to interface with the device, and thumb drives use a different driver than phones do). I'm able to transfer files freely to my phone without issue.
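As an added illustration (not code from any commenter), here is a small Python audit of why a storage-only block leaves both the "flash drive plus keyboard" device described earlier in the thread and the MTP phone described here untouched. It parses constructed `usb-devices`-style output (the `T:`/`P:`/`S:`/`I:` format of `/sys/kernel/debug/usb/devices`); the vendor and product IDs are placeholders, and the second policy shows the deny-by-default alternative a defender would want.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in usb-devices format. Three devices: a plain flash
# drive, a composite "drive" that also exposes a HID keyboard interface,
# and a phone exposing MTP over a vendor-specific interface. Vendor and
# product IDs are placeholders, not real hardware.
SAMPLE = """\
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
P:  Vendor=1111 ProdID=0001 Rev=01.00
S:  Product=Plain flash drive
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  4 Spd=12   MxCh= 0
P:  Vendor=2222 ProdID=0002 Rev=01.00
S:  Product=Looks like a flash drive
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
T:  Bus=01 Lev=01 Prnt=01 Port=02 Cnt=03 Dev#=  5 Spd=480  MxCh= 0
P:  Vendor=3333 ProdID=0003 Rev=02.00
S:  Product=Android phone (MTP)
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=00 Driver=(none)
"""

CLS_HID, CLS_MASS_STORAGE = 0x03, 0x08


@dataclass
class UsbDevice:
    vid: str = ""
    pid: str = ""
    product: str = ""
    classes: list = field(default_factory=list)  # one entry per interface


def parse_usb_devices(text):
    """Parse usb-devices output into one UsbDevice per 'T:' record."""
    devices = []
    for line in text.splitlines():
        if line.startswith("T:"):
            devices.append(UsbDevice())
        elif line.startswith("P:"):
            m = re.search(r"Vendor=([0-9a-f]{4}) ProdID=([0-9a-f]{4})", line)
            if m:
                devices[-1].vid, devices[-1].pid = m.group(1), m.group(2)
        elif line.startswith("S:") and "Product=" in line:
            devices[-1].product = line.split("Product=", 1)[1].strip()
        elif line.startswith("I:"):
            m = re.search(r"Cls=([0-9a-f]{2})", line)
            if m:
                devices[-1].classes.append(int(m.group(1), 16))
    return devices


def naive_storage_block(dev):
    """Model of a 'block removable storage' control that only refuses the
    mass-storage interface. Returns the interface classes that still load:
    the HID half of a composite device and a vendor-class MTP phone both do."""
    return [c for c in dev.classes if c != CLS_MASS_STORAGE]


def allowlist_policy(dev, allowed):
    """Deny by default: the whole device loads only if its VID:PID is listed
    AND its interface classes are exactly the set registered for it, so an
    extra HID interface on a known drive is rejected rather than ignored."""
    expected = allowed.get(f"{dev.vid}:{dev.pid}")
    if expected is None or set(dev.classes) != expected:
        return []
    return list(dev.classes)


def devices_passing_naive(text):
    """Products that the storage-only block still lets do something."""
    return [d.product for d in parse_usb_devices(text) if naive_storage_block(d)]
```

With the allowlist `{"1111:0001": {0x08}}`, only the plain drive loads; the composite device and the phone are refused as whole devices.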
Re: (Score:2)
Of course, that same distinction between USB mass storage devices and MTP/PTP protocol phones also means it can't generally be used as a boot device.
Re: (Score:2)
When I worked at UHC, my company disabled read and write access to cell phones. In fact, the job I'm working at now does the same.
I can charge my phone from the ports but can't access or write to my phone.
Re: (Score:2)
Bad assumption. If users find that security measures are hindering their ability to do their job, they'll bypass the security. If only one user is doing that, the user can be fired. If everybody is, the business can't fire everyone.
Re: (Score:2)
I have a usb hard drive with its own encryption so it isn't locked to a device. It is the device. And if you plug in anything else, an alert goes to the appropriate people so you can be flogged.
Your description sounds like it is intended for temporary backups, which is not the problem needing to be solved.
Re: (Score:2)
Anybody that wants to exfiltrate data can just take HD screenshots with a camera or use a frame-grabber modified to be undetectable (not hard to do on VGA). Anybody that does want to copy data for legitimate reasons is massively inconvenienced at the same time. A really stupid decision.
Re:Lost Productivity (Score:5, Insightful)
But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!
We have had a similar policy to IBM's for a few years. A person who needs to use USB storage devices for things like you're talking about has to apply for a security exception. Even if your employer grants a few thousand legitimate exceptions for stuff like this, they have still minimized risk by eliminating USB use by the other 200,000 employees. It does involve some overhead and time wasted when you first apply for your exception. In my opinion the benefit outweighs the drawback.
It's a lot like changing a default security policy to DENY and only ALLOWing things you really want. Minor inconvenience in exchange for greatly improved security.
Re: (Score:2)
But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself?
My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!
Our company blocks all USB flash drives except the Aegis Secure Key. These have a keypad on them so you have to enter a PIN to unlock the device at the hardware level before they can be used. Then they can be used in any OS or device. 10 wrong PIN entries and the drive is wiped. They are ludicrously expensive, but they don't get in the way too much, as you can unlock it, stick it in a client's laptop, then they can transfer files onto it, without them requiring special software.
Re: (Score:2)
Get a USB thumb drive and have it physically chained to the wall, such that the chain only reaches the devices that you need to transfer between. No chance of the thumb drive being lost or stolen.
Re: (Score:2)
But how much productivity is lost
Probably none. When you hear notices like this come out of Fortune 500 companies the news only gets trickle-fed headlines. In the back end there will be alternatives in place, or procedures for actual use of USB if no alternatives can be found.
My company says it does the same thing too. Nonetheless I have an authorised encrypted USB key to keep going about my work, and most of those other people who desperately needed USB? Well they discovered a world of networking that enabled them to increased their produ
Re: (Score:2)
Shhh! This is your excuse to require a nice new spectrum analyser with LAN port!
Re:Lost Productivity (Score:5, Insightful)
IBM is way too cheap for that... they would make him apply for a one off security exception to use a thumb drive explicitly with his old ass spectrum analyzer.
He would still get to sit on his ass for two weeks while it got the necessary management approvals, though, and another week while IT figured out a way to circumvent their new security lockdown software without triggering nasty warning e-mails to his manager.
But don't worry, those changes will magically disappear during the next software update, and he'll have to explain this to his NEW manager a few months down the road. Assuming that they don't just outsource the job to China first.
Re: (Score:2)
He would still get to sit on his ass for two weeks while it got the necessary management approvals
He already said all he has to do is use his computer to transfer files. Great rant though.
Re: (Score:2)
There are new-ass spectrum analyzers that know how to upload to IBM's cloud? We use external hard drives for a lot of things, since the network is amazingly slow, no way is the "cloud" going to be as convenient as "here, copy 4GB off this drive into /local directory". But maybe IBM is all office desk workers now and they don't really do technical work anymore?
Re: (Score:2)
There are new-ass spectrum analyzers that know how to upload to IBM's cloud?
The oldest-ass spectrum analyzer we have still has GPIB-out. The newer ones have ethernet. Yeah, you can shuffle things with USB but that gets old really fast, depending on how repetitive the task is.
Re: (Score:2)
Depending on the spectrum analyzer, yes. A lot of higher end oscilloscopes, logic analyzers, spectrum analyzers, etc, run a version of Windows interna
IBM doesn't make things anymore (Score:2)
I guess nobody told them (Score:4, Interesting)
about Wi-Fi-enabled portable hard drives and NFS or Samba shares. Or FUSE or SSHFS.
Re: (Score:2)
Yes, there's always a way around. But the point is to minimize the exposure. Depending on the environment rogue Wi-Fi devices wouldn't work, as well as other network file shares.
Re:I guess nobody told them (Score:5, Insightful)
It's super trivial to export data for someone already on the inside.
I was at a company that locked down USB ports as described in this article and also proxied all web traffic, blocked all cloud file sharing services and fiddled with session cookies to web sites.
And yet they offered PuTTY in their user-allowed, self-service app portal....
SSH tunnel to my home network (along with whatever TCP redirects I wanted)....
Not saying I exported data, although I did test it to see if it would work (for science!)... I just used it to do personal web browsing from my own computer.
This isn't meant to stop insiders (Score:2)
Re: (Score:2, Funny)
Suddenly, a wild pedant appears...
Phone internal storage! (Score:3)
Your phone's internal storage is good enough for all your industrial espionage needs anyhow.
Has anybody written a 'Rubber Ducky' app for Android yet?
Re: (Score:2)
Your phone's internal storage is good enough for all your industrial espionage needs anyhow.
I have never seen a company that denies USB Mass Storage but allows mobile phone transfers.
"reputational damage from misplaced, lost..." (Score:3)
Re: (Score:2)
Probably not only considered but using too.
What happens in the background and what little information is given to the media on a slow news day is usually a very different story.
Better ban paper tape and punchcards (Score:2)
Idiocy versus deliberate espionage? (Score:2)
I wonder if this ban is to prevent casual idiocy from happening (someone losing an unencrypted USB flesh drive with their documents on it), or if it is a measure against people trying to slurp confidential documents.
If this is intended to prevent deliberate intrusions, good luck. I've seen people get around this by shoveling data via iTunes or another sync program, or just plug in an Android device and use MTP (which presents itself differently than a mounted drive.) Worst case, there is popping photos of
Re: (Score:2)
I presume this is for casual idiocy (the kind that has gotten various companies in trouble about someone leaving an unencrypted storage device or laptop with customer data and it getting stolen).
Re: (Score:2)
'flesh drive'...I don't even want to know what that is.
IBM has spent the last 20+ years teaching their employees to be ready to jump at a moment's notice.
Full-time/contractor isn't much of a distinction. Only fools are loyal to those that have no loyalty to them.
If IBM wants data security, they better get to work epoxying up USB ports. Still won't work.
Neither (Score:2)
Re: (Score:3)
Weren't there a few stories about criminals leaving USB devices in parking lots with viruses and rootkits? People would pick them up and plug them into their work computer hoping for interesting photos or documents?
DVD drives? (Score:2)
So what do external USB DVD/CD writer drives look like? Are they included?
Extremely common especially considering most laptops don't include them any more, despite being widely needed.
Re: (Score:2)
Extremely common
Extremely common? Compared to what, USB floppy drives? I'd be willing to bet 98% of laptop owners who don't have a built in optical drive do not have an external one. And that's probably being conservative.
Re: (Score:2)
Extremely common
Extremely common? Compared to what, USB floppy drives? I'd be willing to bet 98% of laptop owners who don't have a built in optical drive do not have an external one. And that's probably being conservative.
I need mine all the time when I need to bring data into areas where outside electronics (i.e. my laptop) aren't allowed, or I can bring in my laptop, but can't connect to the customer network.
I also burn discs when mailing data or software to contractors or customers. It's cheaper and more likely to pass muster with IT security on their end if I send them read-only media vs a thumb drive.
Re: (Score:2)
But there's often a USB CD/DVD reader floating around for when it's needed.
Re: (Score:2)
So what do external USB DVD/CD writer drives look like? Are they included?
Extremely common especially considering most laptops don't include them any more, despite being widely needed.
When was the last time you had to use an optical disc in a corporate context? IT slots it once and copies its contents to the network and it is never, ever used again. Unless, of course, it's an OS install disc; that's used hopefully only once per system model, at which point an image is generated.
Re: (Score:2)
Only for very rare operating systems. For the regular suspects, we just pull the ISO direct from MS licensing, Redhat.com, Ubuntu.org and so forth. No risk of getting bits swapped because of a scratch on the disk.
What when portable media is REQUIRED ? (Score:2)
For example: I sometimes deal with Raspberry Pis being used for organizational purposes, and in order to set them up I need to format and image an SD card. I have a number of environmental controllers whose only network interface is a serial port, and the procedure to kick off a firmware update is to load the new .BIN file onto an SD card, and then boot up the controller with the card containing the new firmware file. Also, system logfiles and some test equipment's log data are written to SD.
T
Re: (Score:2)
You ask information security to white-list the device, and it never leaves the building.
Re: (Score:2)
OK... I have 1000 of these for you to get whitelisted before this afternoon, and I'll have another 1000 tomorrow morning.
Re: (Score:2)
No problem. Bring all of them to IT Services asap, we'll get right on it...tomorrow at the latest.
No... it HAS to be done to roll out a critical update to the IP cameras by lunch today, otherwise any resulting damage and repair costs resulting from still running unpatched firmware will be deducted from IT's budget. ^_^
Re: (Score:3)
Our IT department has a sign that says, "Failure to plan on your part does not constitute an emergency on mine." They'll fill out a PO for new devices (the one you should have done weeks ago) that they will service themselves, and tell you to go pound sand until then. Anything that proceeds from there is on your head.
Re: (Score:3)
Because every situation can be planned for...
It feasibly can if you bother to bring IT into the conversation in a timely fashion, so that they can make plans.
Re: (Score:2)
Easy. You're fired.
Re: (Score:2)
Yes, when it comes to clueless IT policies, you just need to be creative. Don't call them micro-SD cards, call them high tech blood glucose test strips.
Re: (Score:3)
IBM does not fiddle with toy computers, or if they do, they make their own toy computers and fiddle with those. No doubt there are some IBMers using Pis and the like for research projects here and there, and no doubt they will either work around the rules or get some kind of exception. But your [downstream] example of 1,000 R-Pis doesn't wash at IBM. As a rule, they don't build clusters out of hobbyist computers; they build them out of POWER processor-based systems and show up all over the Top500.
Suppliers (Score:3)
I realize there has to be a trade off between getting work done, and security. I'm not sure this is worth the cost.
Re: (Score:2)
But those systems are SLOW. I don't know of any network that beats the bandwidth of driving over a portable hard drive. Seriously, cloud services are atrocious, especially when your company has a puny outgoing pipe all trying to handle the data from 500 people going to the outsourced back-office servers in rural India.
Re: (Score:2)
But those systems are SLOW. I don't know of any network that beats the bandwidth of driving over a portable hard drive. Seriously, cloud services are atrocious, especially when your company has a puny outgoing pipe all trying to handle the data from 500 people going to the outsourced back-office servers in rural India.
Our facility's Internet connection is so slow, when I'm downloading updated installers (4GB downloads), I'll do it at home at night and bring it in so I won't cripple the site's network.
Like every other Fortune 500 (Score:2)
News Flash: IBM's IT department does what every other IT department does! Film at 11!
(Except I can't seem to copy it to my flash drive... lemme try DropBox... blocked, ummmm... how about my old university FTP sit... oh that's down... )
In other news, IBM enters the 21st century... (Score:4, Interesting)
I've worked for a couple of very large financial institutions, and they disabled USB drives 5+ years ago. It not only curtails the threat of pilfering information, but shuts down a hole in security. "hey, I found this thumb drive in the parking lot, I'll just plug it in and see what's on it"
It was a pain at first, but you quickly learn that for MOST work, it's not necessary. If it is, you can usually get an exemption.
I am surprised this made the "news" though.
Re: (Score:2)
We will use them a bit. No one's bringing them from outside, but it's one of the fastest ways to transfer large files around. I.e., trying to get a reasonable cross development environment set up on newer OSX systems is painful and takes many hours, but dragging off of a plugged-in hard drive gets it done in a few minutes. Plus all the lab equipment that doesn't understand how to send to the cloud, and which can't be upgraded because real world companies use things called "budgets".
Re: (Score:2)
I've worked for a couple of very large financial institutions, and they disabled USB drives 5+ years ago. It not only curtails the threat of pilfering information, but shuts down a hole in security. "hey, I found this thumb drive in the parking lot, I'll just plug it in and see what's on it"
It was a pain at first, but you quickly learn that for MOST work, it's not necessary. If it is, you can usually get an exemption.
I am surprised this made the "news" though.
I'm amazed IBM hasn't blocked this years ago. It's a huge security risk.
I'm also at large financial institutions. They all have or are moving to thin clients with no access for USB drives or anything else. They don't allow file transfers of any kind. If you get caught they could have you arrested, like Sergey Aleynikov.
Hey, IBM, (Score:2)
IBM better prepare to pay cell carriers (Score:2)
From the featured article:
I guess those who work in the field will end up seeing a lot more cellular data bills attributable to use of "Big Blue’s preferred sync ‘n’ share service".
Re: (Score:3)
Because when you are in the field you often can't connect to the customer's Wi-Fi, or you can connect to their "guest" network, but it is so locked down and/or slow that you are better off using a Wi-Fi cellular data puck.
Re: (Score:2)
Well then I'd be pissed if my company didn't pay for my cellphone connection. If it became a problem I would refuse to use my personal connection and ask the upper-ups what the accepted solution is for that situation.
IBM is not shy about spending money. If you need a cellphone to get work done, they will probably just buy you a cellphone. When I worked for Tivoli just post-acquisition I was on the 24/7 team and they put ISDN into my house... straight into the 9 net. But I could also use it to make long distance calls, and so long as they weren't international, they didn't give half a shit who I called on it. A cellphone is penny-ante by comparison.
Late to the party (Score:2)
Late to this party, they are (Score:2)
This has been enforced policy where I work for more than a year. If I plug in a removable device alerts are generated, messages on my workstation pop up, and it doesn't work.
I haven't tried to get past this, since group policies on my work machine are mostly impenetrable. It's OK, we have a very good file sharing system to do the needful.
Isn't this standard practice? (Score:3)
I'm not allowed USB drives at work. If I plug one in, it's blocked.
If I really need one to do my job, I get given an encrypted USB drive that requires a PIN code.
The news here should be IBM is late to the party and has been lax about information security.
Not a new idea (Score:2)
Oh jolly dear me (Score:2)
How will they be able to do the needfuls if they R having one doubt and wish 2 revert the same?
Long overdue (Score:2)
Re:Do this and I can't do my job... (Score:4, Insightful)
If you were actually in IT, then you would know that these rules apply to sysadmins in the same way that saying "stay off the couch" affects your cat's behavior.
Re: (Score:2)
Or just let stuff fail do the Process
https://thedailywtf.com/articl... [thedailywtf.com]
Re:Not to worry (Score:5, Funny)
You're supposed to use IBM Cloud Services to leak data.