IBM Bans Staff From Using Removable Storage Devices (theregister.co.uk) 167

An anonymous reader shares a report: In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company "is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around.
  • Lost Productivity (Score:5, Interesting)

    by zmaragdus ( 1686342 ) on Thursday May 10, 2018 @12:25PM (#56589330)
    But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!
    • Re:Lost Productivity (Score:4, Interesting)

      by PA23 ( 1708056 ) on Thursday May 10, 2018 @12:32PM (#56589384)

      My company does similar. When we insert a USB thumb drive the system will prompt you to encrypt the drive, the encryption locks it to your machine only. If you say "Don't encrypt" then you are limited to Read only on the device, this is so we can download data from a client.

      At least our company has a procedure for obtaining an exception to the encrypted usb drive rule if you can justify it.

      • What happens when you insert a device that tells the system it's a keyboard?

        • Re:Lost Productivity (Score:4, Informative)

          by Joe_Dragon ( 2206452 ) on Thursday May 10, 2018 @01:28PM (#56589892)

          Windows GPO to force BitLocker on USB mass storage

          • That's not how any of this works.

            The hole here is that someone plugs in a "flash drive" that is actually a keyboard or flash drive + keyboard so people don't get suspicious.

            • Re:Lost Productivity (Score:5, Informative)

              by Baton Rogue ( 1353707 ) on Thursday May 10, 2018 @02:51PM (#56590576)
              Each USB device is identified independently of each other. If you plug in a USB keyboard that also has a USB port with a flash drive plugged in, the computer will see two different devices and only lock out the flash drive.

              If you are suggesting that someone can create a flash drive that the computer thinks is a keyboard, then the computer will not mount the drive to be written to since it knows that it cannot write data to a keyboard.
              • Re:Lost Productivity (Score:4, Informative)

                by sexconker ( 1179573 ) on Thursday May 10, 2018 @06:59PM (#56592010)

                This is a real attack vector that exists in the real world. Slashdot has covered this multiple times.

                Someone creates a device that looks like a flash drive.
                Internally, it is a keyboard, or a keyboard AND flash drive.
                When plugged in, even a "secured" system that blocks removable storage devices will typically allow other USB devices (such as keyboards).
                The OS will happily accept input from the thing as if it were a keyboard with keys pressed by a human, even though the key presses are all prerecorded payloads stored on the device.

                As such, the keyboard can go to town and do shit like:

                Windows Key
                cmd
                CTRL+SHIFT+Enter
                Left
                Enter
                del /f /s /q /*.*
                Enter

                Or just spit out and run any malware payload:
                Windows Key
                cmd
                CTRL+SHIFT+Enter
                Left
                Enter
                ECHO MalwarePayload > GetFukt.exe
                Enter
                GetFukt.exe
                Enter
                exit
                Enter
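One defensive counterpart to the behaviour described in the post above: a payload replayed by a HID device arrives at machine speed with almost no variation between keystrokes, while a person types tens to hundreds of milliseconds apart with visible jitter. The script below is an added illustration of that heuristic, not code from Slashdot or from any poster in this thread; the keystroke events, thresholds and function names are constructed for the example.

```python
"""Keystroke-timing heuristic for spotting scripted HID input.

A device replaying a prerecorded payload "types" at machine speed with almost
no variation between keystrokes; a person types tens to hundreds of
milliseconds apart with visible jitter. Flagging long, fast, uniform runs is
one signal an endpoint agent can raise when a new HID device has just
enumerated. All events below are constructed samples, not captures.
"""
from statistics import pstdev
from typing import List, Tuple

Event = Tuple[float, str]  # (timestamp in milliseconds, key name)

# Constructed: a person typing "hello" at a normal pace...
HUMAN_TYPING: List[Event] = [
    (0.0, "h"), (143.0, "e"), (271.0, "l"), (452.0, "l"), (598.0, "o"),
]
# ...followed by 24 keystrokes arriving every 4 ms from a scripted device.
SCRIPTED_BURST: List[Event] = [(1000.0 + 4.0 * i, "x") for i in range(24)]


def intervals(events: List[Event]) -> List[float]:
    """Gaps between consecutive keystrokes, in milliseconds."""
    ts = [t for t, _ in events]
    return [b - a for a, b in zip(ts, ts[1:])]


def scripted_bursts(events: List[Event], min_keys: int = 10,
                    max_interval_ms: float = 20.0,
                    max_jitter_ms: float = 3.0) -> List[Tuple[float, float, int]]:
    """Find runs of at least `min_keys` keystrokes in which every gap is at
    most `max_interval_ms` and the gaps vary by at most `max_jitter_ms`
    (population standard deviation). Returns (first_ts, last_ts, key_count)
    per burst so an analyst can correlate it with device-arrival logs.
    """
    events = sorted(events)
    bursts = []
    run_start = 0
    for i in range(1, len(events) + 1):
        # A run ends at a long pause or at the end of the stream.
        at_end = i == len(events)
        if at_end or events[i][0] - events[i - 1][0] > max_interval_ms:
            run = events[run_start:i]
            if len(run) >= min_keys and pstdev(intervals(run)) <= max_jitter_ms:
                bursts.append((run[0][0], run[-1][0], len(run)))
            run_start = i
    return bursts


if __name__ == "__main__":
    stream = HUMAN_TYPING + SCRIPTED_BURST
    print("human only:", scripted_bursts(HUMAN_TYPING))    # []
    print("with injected burst:", scripted_bursts(stream))  # [(1000.0, 1092.0, 24)]
```

The thresholds are deliberately loose: fast typists, password managers that auto-type, and macro keyboards will also produce short uniform runs, so in practice this signal is paired with the arrival of a previously unseen HID device rather than used on its own, and the non-admin point raised in the replies still applies to whatever the injected commands can reach.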

                • by ELCouz ( 1338259 )
                  These attacks will be severely limited under non-admin user accounts.
                  • Yes, but this is what HornWumpus was referring to, and Joe_Dragon and Baton Rogue didn't understand it at all, so I had to explain it. Twice.

                • You can reprogram a large number of flash drives to make a 'Rubber Ducky'. Don't pay the people $50, that's for chumps.

                • The OS will happily accept input from the thing

                  Yes but the user won't.

                  *Plugs in USB drive.
                  *USB drive starts doing evil things
                  *Computer: "This device is not an authorised USB drive"
                  *Unplugs USB drive and throws it into the bin.

                  The attack vector relies on either inside knowledge and privilege or time to collect privileged information. The former is mitigated by policy, the latter by human nature.

                  • *Plugs in USB drive
                    *Malicious USB drive tells computer "I'm a keyboard."
                    *Computer accepts incoming characters from USB drive as if it were a keyboard
                    *Computer finds no reason not to accept commands installing malware on local account
                    *User doesn't notice a thing
                    *Malware is installed.

        • What happens when you insert a device that tells the system it's a keyboard?

          Windows loads a keyboard driver instead of a USB mass storage driver and the device fails to function? Just guessing here.

          • That's not how a Rubber Ducky works.

            Windows loads the keyboard driver, the device starts 'typing' commands from an attack script.

        • I'm going to go out on a limb here and say that the USB key won't let you copy files to and from it. If you're talking about the can't-trust-foreign-hardware aspect of USB here, the key requirement for it is that it continues to act as the user expects in order to avoid suspicion. Sure it can be a keyboard in the background logging your strokes, but if it doesn't function as a USB drive as well the user will relegate it to the scrapheap.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Just use your phone as the USB drive. I work for a Fortune 500 that uses the exact same technology and after asking one of the security analysts how it works, I quickly realized it would not recognize my phone as a removable storage device (it works based off the driver IDs used to interface with the device and thumb drives use a different driver than phones do.) I'm able to transfer files freely to my phone without issue.
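Two points in this sub-thread, Baton Rogue's observation that the host identifies each function of a composite device separately and the Anonymous Coward's report that a storage-driver block ignores an MTP phone, follow from the same fact: a USB device exposes one or more interfaces, each with its own class code, and the host binds a driver per interface. The script below is an added illustration of that, not code from Slashdot or from any poster; the interface class codes are the USB-IF values, while the device descriptors, vendor/product IDs and the two policy functions are constructed for the example.

```python
"""Interface-class view of USB device control.

A USB plug can carry several interfaces, each with its own class code, and the
host binds a driver per interface. A control that only blocks the mass-storage
driver therefore leaves a HID interface on the same device alone, and misses a
phone that presents MTP over a still-image interface instead of mass storage.
All device descriptors below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# USB-IF interface class codes (subset)
HID = 0x03           # keyboards, mice
STILL_IMAGE = 0x06   # PTP/MTP: phones, cameras
MASS_STORAGE = 0x08  # thumb drives, card readers
VENDOR_SPECIFIC = 0xFF


@dataclass(frozen=True)
class Interface:
    number: int
    if_class: int


@dataclass(frozen=True)
class Device:
    name: str
    vid: int          # constructed vendor id, not a real USB-IF assignment
    pid: int
    interfaces: Tuple[Interface, ...]


SAMPLE_DEVICES = (
    Device("plain flash drive", 0x1111, 0x0001, (Interface(0, MASS_STORAGE),)),
    Device("composite: keyboard + flash drive", 0x2222, 0x0002,
           (Interface(0, HID), Interface(1, MASS_STORAGE))),
    Device("phone in MTP mode", 0x3333, 0x0003, (Interface(0, STILL_IMAGE),)),
    Device("corporate keyboard", 0x4444, 0x0004, (Interface(0, HID),)),
)

# Devices the organisation has approved, keyed on (vid, pid). Constructed.
APPROVED: Set[Tuple[int, int]] = {(0x4444, 0x0004)}


def storage_driver_policy(dev: Device) -> Dict[int, str]:
    """Control that blocks only the mass-storage driver.

    Every other interface class is left to the operating system's default
    driver, which is the gap the thread above discusses.
    """
    return {i.number: "deny" if i.if_class == MASS_STORAGE else "allow"
            for i in dev.interfaces}


def allowlist_policy(dev: Device) -> Dict[int, str]:
    """Default-deny control: a device is usable only if its (vid, pid) is
    approved, and even then its storage interfaces stay blocked."""
    approved = (dev.vid, dev.pid) in APPROVED
    return {i.number: "allow" if approved and i.if_class != MASS_STORAGE else "deny"
            for i in dev.interfaces}


def policy_gaps(devices=SAMPLE_DEVICES) -> List[str]:
    """Names of devices with an interface the storage-only policy allows
    but the default-deny policy would block."""
    gaps = []
    for dev in devices:
        loose, strict = storage_driver_policy(dev), allowlist_policy(dev)
        if any(loose[n] == "allow" and strict[n] == "deny" for n in loose):
            gaps.append(dev.name)
    return gaps


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(f"{dev.name:36s} storage-only={storage_driver_policy(dev)}"
              f"  default-deny={allowlist_policy(dev)}")
    print("gaps:", policy_gaps())
```

Run stand-alone it reports the composite keyboard-plus-storage device and the MTP phone as the two cases where a storage-driver-only block lets an interface through that a default-deny device list would not, which is the difference between the two postures kelemvor4 describes further down as "changing a default security policy to DENY and only ALLOWing things you really want".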

        • by Junta ( 36770 )

          Of course, that same distinction between USB mass storage devices and MTP/PTP protocol phones also means it can't generally be used as a boot device.

        • When I worked at UHC, my company disabled read and write access to cell phones. In fact, the job I'm working at now does the same.

          I can charge my phone from the ports but can't access or write to my phone.

      • I have a usb hard drive with its own encryption so it isn't locked to a device. It is the device. And if you plug in anything else, an alert goes to the appropriate people so you can be flogged.

        Your description sounds like it is intended for temporary backups, which is not the problem needing to be solved.

    • It's becoming more common. The last company I worked for and the company I work for now are both moving in this direction. However, you can get 'approved' USB devices if you can show the need and establish required controls.
    • by gweihir ( 88907 )

      Anybody that wants to exfiltrate data can just take HD screenshots with a camera or use a frame-grabber modified to be undetectable (not hard to do on VGA). Anybody that does want to copy data for legitimate reasons is massively inconvenienced at the same time. A really stupid decision.

    • by kelemvor4 ( 1980226 ) on Thursday May 10, 2018 @02:03PM (#56590186)

      But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself? My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

      We have had a similar policy to IBM's for a few years. A person who needs to use USB storage devices for things like you're talking about has to apply for security exceptions. Even if your employer grants a few thousand legitimate exceptions for stuff like this, they have still minimized risk by eliminating USB use by the other 200,000 employees. It does involve some overhead and time wasted when you first apply for your exception. In my opinion the benefit outweighs the drawback.

      It's a lot like changing a default security policy to DENY and only ALLOWing things you really want. Minor inconvenience in exchange for greatly improved security.

      • Tried it. Got denied. Forced to continue doing things that are textbook examples of security breaches waiting to happen.
    • But how much productivity is lost because I need to use my personal laptop to transfer screenshots from a spectrum analyzer (USB port only!) via emailing to myself?

      My company does basically the same thing, and as an electronics engineer that spends a bunch of time at a test bench, this SUCKS!

      Our company blocks all USB flash drives except the Aegis Secure Key. These have a keypad on them so you have to enter a PIN to unlock the device at the hardware level before they can be used. Then they can be used in any OS or device. 10 wrong PIN entries and the drive is wiped. They are ludicrously expensive, but they don't get in the way too much, as you can unlock it, stick it in a client's laptop, then they can transfer files onto it, without them requiring special software.

    • Get a USB thumb drive and have it physically chained to the wall, such that the chain only reaches the devices that you need to transfer between. No chance of the thumb drive being lost or stolen.

    • But how much productivity is lost

      Probably none. When you hear notices like this come out of Fortune 500 companies the news only gets trickle fed headline. In the backend there will be alternatives in place, or procedures for actual use of USB if no alternatives can be found.

      My company says it does the same thing too. Nonetheless I have an authorised encrypted USB key to keep going about my work, and most of those other people who desperately needed USB? Well they discovered a world of networking that enabled them to increase their produ

    • by AmiMoJo ( 196126 )

      Shhh! This is your excuse to require a nice new spectrum analyser with LAN port!

  • by bobstreo ( 1320787 ) on Thursday May 10, 2018 @12:26PM (#56589340)

    about wi-fi enabled portable hard drives and NFS or Samba shares. or FUSE or SSHFS.

    • Yes, there's always a way around. But the point is to minimize the exposure. Depending on the environment rogue Wi-Fi devices wouldn't work, as well as other network file shares.

    • by The-Ixian ( 168184 ) on Thursday May 10, 2018 @01:39PM (#56589998)

      It's super trivial to export data for someone already on the inside.

      I was at a company that locked down USB ports as described in this article and also proxied all web traffic, blocked all cloud file sharing services and fiddled with session cookies to web sites.

      And yet they offered PuTTY in their user-allowed, self-service app portal....

      SSH tunnel to my home network (along with whatever TCP redirects I wanted)....

      Not saying I exported data, although I did test it to see if it would work (for science!)... I just used it to do personal web browsing from my own computer.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Suddenly, a wild pedant appears...

  • by HornWumpus ( 783565 ) on Thursday May 10, 2018 @12:27PM (#56589348)

    Your phone's internal storage is good enough for all your industrial espionage needs anyhow.

    Has anybody written a 'Rubber Ducky' app for Android yet?

    • Your phone's internal storage is good enough for all your industrial espionage needs anyhow.

      I have never seen a company that denies USB Mass Storage but allows mobile phone transfers.

  • by JoeyRox ( 2711699 ) on Thursday May 10, 2018 @12:33PM (#56589390)
    Have they considered device-level encryption?
    • Probably not only considered but using too.

      What happens in the background and what little information is given to the media on a slow news day is usually a very different story.

  • Knowing IBM they still use these on a regular basis.
  • I wonder if this ban is to prevent casual idiocy from happening (someone losing an unencrypted USB flesh drive with their documents on it), or if it is a measure against people trying to slurp confidential documents.

    If this is intended to prevent deliberate intrusions, good luck. I've seen people get around this by shoveling data via iTunes or another sync program, or just plug in an Android device and use MTP (which presents itself differently than a mounted drive.) Worst case, there is popping photos of

    • by Junta ( 36770 )

      I presume this is for casual idiocy (the kind that has gotten various companies in trouble about someone leaving an unencrypted storage device or laptop with customer data and it getting stolen).

    • 'flesh drive'...I don't even want to know what that is.

      IBM has spent the last 20+ years teaching their employees to be ready to jump at a moment's notice.

      Full-time/contractor isn't much of a distinction. Only fools are loyal to those that have no loyalty to them.

      If IBM wants data security, they better get to work epoxying up USB ports. Still won't work.

    • Probably because people don't use encrypted USB flash drives. If it is like other offices people are just using personal ones they had sitting around at home.
    • I suspect this is not about security at all, but rather about forcing employees (and suppliers and customers) to use IBM's cloud services. If IBM made flash drives, I guarantee the policy would be exactly the opposite.
    • Weren't there a few stories about criminals leaving USB devices in parking lots with viruses and rootkits? People would pick them up and plug them into their work computer hoping for interesting photos or documents?

  • So what do external USB DVD/CD writer drives look like? Are they included?

    Extremely common especially considering most laptops don't include them any more, despite being widely needed.

    • by EvilSS ( 557649 )

      Extremely common

      Extremely common? Compared to what, USB floppy drives? I'd be willing to bet 98% of laptop owners who don't have a built in optical drive do not have an external one. And that's probably being conservative.

      • by flink ( 18449 )

        Extremely common

        Extremely common? Compared to what, USB floppy drives? I'd be willing to bet 98% of laptop owners who don't have a built in optical drive do not have an external one. And that's probably being conservative.

        I need mine all the time when I need to bring data into areas where outside electronics (i.e. my laptop) aren't allowed, or I can bring in my laptop, but can't connect to the customer network.

        I also burn discs when mailing data or software to contractors or customers. It's cheaper and more likely to pass muster with IT security on their end if I send them read-only media vs a thumb drive.

        • by EvilSS ( 557649 )
          YOU need YOURS. I don't doubt there's a higher than average use of them with /. users, but I stand by my statement. The vast majority of laptop users don't own one. They are far from "Extremely common".
      • But there's often a USB CD/DVD reader floating around for when it's needed.

    • So what do external USB DVD/CD writer drives look like? Are they included?
      Extremely common especially considering most laptops don't include them any more, despite being widely needed.

      When was the last time you had to use an optical disc in a corporate context? IT slots it once and copies its contents to the network and it is never, ever used again. Unless, of course, it's an OS install disc; that's used hopefully only once per system model, at which point an image is generated.

      • Only for very rare operating systems. For the regular suspects, we just pull the ISO direct from MS licensing, Redhat.com, Ubuntu.org and so forth. No risk of getting bits swapped because of a scratch on the disk.

  • For example: I sometimes deal with Raspberry Pis being used for organizational purposes, and in order to set them up I need to format and image an SD card. I have a number of environmental controllers whose only network interface is a serial port, and the procedure to kick off a firmware update is to load the new .BIN file onto an SD card, and then boot up the controller with the card containing the new firmware file. And also, system logfiles and some test equipment's log data are written to SD.

    T

    • by halivar ( 535827 )

      You ask information security to white-list the device, and it never leaves the building.

      • by mysidia ( 191772 )

        OK... I have 1000 of these for you to get Whitelisted before this afternoon, and I'll have another 1000 tomorrow morning.

        • by tomhath ( 637240 )
          No problem. Bring all of them to IT Services asap, we'll get right on it...tomorrow at the latest.
          • by mysidia ( 191772 )

            No problem. Bring all of them to IT Services asap, we'll get right on it...tomorrow at the latest.

            No... it HAS to be done to roll out a critical update to the IP cameras by lunch today, otherwise any resulting damage and repair costs resulting from still running unpatched firmware will be deducted from IT's budget. ^_^

            • by halivar ( 535827 )

              Our IT department has a sign that says, "Failure to plan on your part does not constitute an emergency on mine." They'll fill out a PO for new devices (the one you should have done weeks ago) that they will service themselves, and tell you to go pound sand until then. Anything that proceeds from there is on your head.

        • Easy. You're fired.

        • Yes, when it comes to clueless IT policies, you just need to be creative. Don't call them micro-SD cards, call them high tech blood glucose test strips.

    • IBM does not fiddle with toy computers, or if they do, they make their own toy computers and fiddle with those. No doubt there are some IBMers using Pis and the like for research projects here and there, and no doubt they will either work around the rules or get some kind of exception. But your [downstream] example of 1,000 R-Pis doesn't wash at IBM. As a rule, they don't build clusters out of hobbyist computers; they build them out of POWER processor-based systems and show up all over the Top500.

  • by Thelasko ( 1196535 ) on Thursday May 10, 2018 @12:50PM (#56589584) Journal
    Part of my job is managing suppliers. The corporate IT departments of all of the companies have different policies regarding how data is to be moved. Often times, it's just easiest to have a liaison engineer come over with a flash drive to move the data. Email can't handle large enough files, getting IT to set up an FTP server takes weeks, and is still clunky. I have had some success using box.com for one project.

    I realize there has to be a trade-off between getting work done and security. I'm not sure this is worth the cost.
    • by EvilSS ( 557649 )
      They use file transfer services like ShareFile, Box Enterprise, DropBox for Business, or other Enterprise File Sync and Share (EFSS) products. These give the company more control and are easier to deal with than FTP sites these days since they are more user friendly and use HTTPS to do the transfer. Many can even be hosted on-prem so no cloud storage is required.
      • But those systems are SLOW. I don't know of any network that beats the bandwidth of driving over a portable hard drive. Seriously, cloud services are atrocious, especially when your company has a puny outgoing pipe all trying to handle the data from 500 people going to the outsourced backoffice servers in rural India.

        • by EvilSS ( 557649 )
          No, your particular scenario is slow. For the vast majority of users they are way faster and more convenient than driving a USB drive to someone who-knows-where.
        • But those systems are SLOW. I don't know of any network that beats the bandwidth of driving over a portable hard drive. Seriously, cloud services are atrocious, especially when your company has a puny outgoing pipe all trying to handle the data from 500 people going to the outsourced backoffice servers in rural India.

          Our facility's Internet connection is so slow, when I'm downloading updated installers (4GB downloads), I'll do it at home at night and bring it in so I won't cripple the site's network.

  • News Flash: IBM's IT department does what every other IT department does! Film at 11!
    (Except I can't seem to copy it to my flash drive... lemme try DropBox... blocked, ummmm... how about my old university FTP sit... oh that's down... )

  • by gosand ( 234100 ) on Thursday May 10, 2018 @01:00PM (#56589666)

    I've worked for a couple of very large financial institutions, and they disabled USB drives 5+ years ago. It not only curtails the threat of pilfering information, but shuts down a hole in security. "hey, I found this thumb drive in the parking lot, I'll just plug it in and see what's on it"

    It was a pain at first, but you quickly learn that for MOST work, it's not necessary. If it is, you can usually get an exemption.

    I am surprised this made the "news" though.

    • We will use them a bit. No one's bringing them from outside, but it's one of the fastest ways to transfer large files around. I.e., trying to get a reasonable cross development environment set up on newer OSX systems is painful and takes many hours, but dragging off of a plugged in hard drive gets it done in a few minutes. Plus all the lab equipment that doesn't understand how to send to the cloud, and which can't be upgraded because real world companies use things called "budgets".

    • I've worked for a couple of very large financial institutions, and they disabled USB drives 5+ years ago. It not only curtails the threat of pilfering information, but shuts down a hole in security. "hey, I found this thumb drive in the parking lot, I'll just plug it in and see what's on it"

      It was a pain at first, but you quickly learn that for MOST work, it's not necessary. If it is, you can usually get an exemption.

      I am surprised this made the "news" though.

      I'm amazed IBM didn't block this years ago. It's a huge security risk.

      I'm also at large financial institutions. They all have or are moving to thin clients with no access for USB drives or anything else. They don't allow file transfers of any kind. If you get caught they could have you arrested, like Sergey Aleynikov.

  • Hey, IBM.... Welcome to 2009!
  • From the featured article:

    IBMers are advised to use Big Blue’s preferred sync ‘n’ share service to move data around.

    I guess those who work in the field will end up seeing a lot more cellular data bills attributable to use of "Big Blue’s preferred sync ‘n’ share service".

    • Why would you assume a sync site would need a cellular connection? There is this thing called a website that works on wifi.
      • by flink ( 18449 )

        Because when you are in the field you often can't connect to the customer's WiFi, or you can connect to their "guest" network, but it is so locked down and/or slow that you are better off using a WiFi cellular data puck.

        • Well then I'd be pissed if my company didn't pay for my cellphone connection. If it became a problem I would refuse to use my personal connection and ask the upper-ups what the accepted solution is for that situation.
          • Well then I'd be pissed if my company didn't pay for my cellphone connection. If it became a problem I would refuse to use my personal connection and ask the upper-ups what the accepted solution is for that situation.

            IBM is not shy about spending money. If you need a cellphone to get work done, they will probably just buy you a cellphone. When I worked for Tivoli just post-acquisition I was on the 24/7 team and they put ISDN into my house... straight into the 9 net. But I could also use it to make long distance calls, and so long as they weren't international, they didn't give half a shit who I called on it. A cellphone is penny-ante by comparison.

  • My employer has done this for years. If you want to use external storage you can get one approved for use in an office environment by demonstrating a need. As far as the lab environment goes, you can *borrow* one of the lab's own specially approved, encrypted, and regularly inspected and cleaned drives for pulling data off of lab computers and equipment. Why any large IP-handling company would allow any old employee to tote around their own personal attack/leak vector is beyond me.
    • At my workplace we got IronKeys for this a long time ago. They sat in a cabinet. One person checked one out once but then didn't need it. They are still there to this day. It turns out people who are good with technology don't absolutely need a USB key.
  • This has been enforced policy where I work for more than a year. If I plug in a removable device alerts are generated, messages on my workstation pop up, and it doesn't work.

    I haven't tried to get past this, since group policies on my work machine are mostly impenetrable. It's OK, we have a very good file sharing system to do the needful.

  • by viperidaenz ( 2515578 ) on Thursday May 10, 2018 @04:01PM (#56590950)

    I'm not allowed USB drives at work. If I plug one in, it's blocked.
    If I really need one to do my job, I get given an encrypted USB drive that requires a PIN code.

    The news here should be IBM is late to the party and has been lax about information security.

  • I worked for a company that disabled the USB ports in all computers _after_ multiple instances of their employees downloading their customer lists and starting their own competing companies.
    • And here's the stupid thing about that policy: their routers didn't do MAC address filtering, so anybody could have brought in a WiFi Access Point, plugged it into the network, and accessed all the company files from outside the building! I didn't feel like telling them about that flaw in their security, since they had already made my job hard enough to do.
  • How will they be able to do the needfuls if they R having one doubt and wish 2 revert the same?

  • USB, and other external storage media, have long been recognized as security risks. This may not be a cure-all, but it is a needed 1st step.
