Under worm attack, US Army bans USB drives

Under sustained attack from what is described as a rapidly spreading network worm, the U.S. Army has banned the use of USB sticks, CDs, flash media cards, and all other removable data storage devices, according to internal e-mail messages seen by Wired's Noah Shachtman.

According to the article, service members have been ordered to "cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware."  Eventually, some government-approved drives will be allowed back under certain "mission-critical," but unclassified, circumstances. "Personally owned or non-authorized devices" are "prohibited" from here on out, according to the e-mails.

The USB device ban was handed down by the commander of U.S. Strategic Command and includes everything from external hard drives to "floppy disks." It takes effect immediately.

To make sure troops and military civilians are observing the suspension, government security teams "will be conducting daily scans and running custom scripts on NIPRNET and SIPRNET to ensure the commercial malware has not been introduced," an e-mail says. "Any discovery of malware will result in the opening of a security incident report and will be referred to the appropriate security officer for action."

The threat from malware that spreads via removable media has been on a steady rise with some estimates showing a 10 percent increase in detections this year.


Talkback

175 comments
  • Um...good luck on that!!

    Do they not realize that the cost of lost productivity from completely un-networking and banning shared media FAR outweighs the cost of security s/w and remediation from time to time? Ever hear of anti-virus and backups? Or maybe they're still running Win 98. Sorry, my bad.
    Techboy_z
    • Actually . . .

      "Do they not realize that the cost of lost productivity from completely un-networking and banning shared media FAR outweighs the cost of security s/w and remediation from time to time?"

      In the case of a normal business, you would be right.

      In the case of the US Army, you are wrong. They are perhaps the biggest target of attacks and attempts at security breaches - and they have a lot of valuable secrets. I'd say you can't even begin to estimate the costs, much less claim to know how they compare to lost productivity.
      CobraA1
      • Linux not the Answer

        Linux would never pass all the requirements the government puts on software. Even if the government moved towards Linux, wouldn't you think that vast resources would be all of a sudden placed on hacking Linux?

        The problem is not with the Army. It is DOD wide. They are all on the same network called ONENET. The networks are managed centrally. The whole idea for them is to take control away from local IT administrators and manage it from DC. They are very paranoid about network breaches as it is possible for a problem to affect DOD worldwide. Limiting USB devices is a problem. People end up taking work home all the time. Productivity will take a huge hit. They simply have to find a security solution that works. Purchasing thumb drives and issuing them to personnel in need of them after those drives have been certified would be a pretty good start, or allowing folks with personally owned ones to be certified and used. Changing the entire operating system would actually be insane and would cost billions of dollars, even though Linux does not cost a dime.
        Mebarnabee
        • It would be expensive, however...

          However, Linux is the better solution than Windows.

          It's built for networking from the ground up.

          It's built for access control from the ground up.

          It's built for multiple user accounts from the ground up.

          And remote access to a Linux box is how most Linux boxes are used (we call them servers...).

          Also the government can control the source code and make a distro that is closed source and owned by the government.
          T1Oracle
          • nono

            Actually I don't think it's legal to make open source closed source, that's the whole point of open source.
            itchy8me
          • Wrong. You can close OSS.

            I know of a start up company that has that in their business plan.

            Also, there are closed source Linux distros (one example: http://librenix.com/?inode=2973)

            Irregardless, it all depends on licensing and if the government needs it then they could certainly negotiate.
            T1Oracle
          • no comprehendo

            I don't understand, I thought the whole point of open source was to protect the community's code from being closed... please explain.
            itchy8me
          • Open source

            ...just means that the code is publicly shared. The purpose is often to get community involvement in the development of the code. However many will allow private entities to use the code in closed source products.

            Some disagree with this and think that it is unfair, but if the licensing allows it then the private entity is fully within their rights. However, most (if not all) licenses do require that all derivative works give credit to the original source.

            Google has a closed source custom Linux distro for internal use.

            It is all about the licensing, and different people choose different licensing for their own reasons. I don't know why you would let a private entity close your source code, but for the case of government use I'd consider it patriotic to allow it.
            T1Oracle
          • Bushgotations?

            "...if the government needs it then they could certainly negotiate."
            Yeah, rigggggght!
            The Bush Administration (they're STILL in orifice, REMEMBER?) negotiate on anything other than oil and how to line their own pockets with OIL MONEY? Get real...they just take what they want.
            redbeard74
        • The flaw with buying thumb drives would be

          That the user takes the drive home to a computer that his or her kids have been surfing the web on and now has every form of viral infection known to man or beast. Basically, undoing all the work in procuring and certifying the thumb drives. As long as you have storage devices that get attached to systems with limited protection connected to civilian internet connections you're going to have these issues.
          maldain
          • Violators of the policy need to be slammed!

            Any employee with access to a DOD network that would export files to a USB drive to be used on a "shared" PC and then import back into the DOD network needs to be fired, military personnel NJP or some punitive action including court-martial!
            overclocked
          • What about...

            As an Electronics Tech with 35 years of experience I find that the ability to bring some of my stored experience from home has been indispensable.

            Also, if I generate personal time-keeping at work it would be nice to take that information home, too.

            All I can do now is export it as text and e-mail it to myself...

            See my later post as to why this extreme measure should have *NEVER* been needed!
            madrucke@...
          • It certainly...

            ...should have never been needed - it should be impossible for anyone to connect USB drives or any other non-approved devices/memory at all to the computers.
            fairportfan
          • Who to slam...

            Look I agree that idiots who do not practice good surfing and do not keep their personal systems "Clean" need to be slammed and slammed hard because they've ruined it for all of us...

            And, there is NO EXCUSE because all DOD employees have access to free use of AV Software if downloaded from a .MIL url...

            Of course now it's kind of hard to get home without a USB drive...

            There is a UCMJ or US Code about Forcing a Safeguard...

            Anyone that brings files to work without doing due diligence in ensuring it's clean needs to have charges filed...

            But, again... The experts failed us!!!
            madrucke@...
        • Congress has already written...

          ...the requirement to consider Open Source in a DND procurement bill.

          With Secure Extensions, Solaris 10 is a far more secure OS than Windows or Linux by the way. Look it up.
          914four
          • If the DOD/Army were using Linux/Open Solaris...

            ...or any other such "secure" non-Windows OS, someone would be successfully writing malware for it.

            And, even if not, that still doesn't solve the problem of security breaches with classified material walking out the gate in someone's back pocket.
            fairportfan
          • You're half right...

            "...or any other such "secure" non-Windows OS, someone would be successfully writing malware for it."

            Many European governments (and even some DoD environments) are already using Linux desktop. Please cite these malware attacks you are claiming.

            "And, even if not, that still doesn't solve the problem of security breaches with classified material walking out the gate in someone's back pocket."

            That's true, but that's really beside the point when we're talking in a tech forum about operating systems as the topic.
            hasta la Vista, bah-bie
        • Linux not the answer?

          Strange...I work for the USAF and manage many Linux machines. Granted, they are servers, but the desktop is not far away. It is entirely possible, and in many cases easier, to secure a Linux box using DoD regulations (STIGs).
          will@...
        • Re: Linux not the Answer

          > They are very paranoid about network breaches

          When I was a GI, we had a saying. "When everybody really *is* out to get you, paranoia is just good, sound thinking."

          --
          Mike
          mike@...
        • Huh?

          Where did this diatribe about Linux come from? When I started reading the thread, you were the first mention of Linux.

          Personally, I'd have to say that Linux with security enhancements (see the NSA's SELinux page) or Solaris with its security enhancements would be a better solution than Windows at this time.

          If nothing else, the malware writers are still concentrating on Windows which makes any other OS less likely to be compromised.

          As for certifying drives? I tend to wonder how certifying a drive is going to keep someone from using a USB drive to take work home and bringing a fine selection of malware back to work the next day.
          DNSB