Quick Study

By Brian Robinson

Blog archive

To USB or not to USB

Those little USB thumb drives are very helpful little critters for transporting data easily between one computer and another, you have to admit. However, they are also very useful for introducing malware into a system.

That was that the reason the Pentagon banned their use in November 2008, declaring that “Memory sticks, thumb drives and camera flash memory cards have given the adversary the capability to exploit our poor personal practices and have provided an avenue of attack ... malicious software (malware) programmed to embed itself in memory devices has entered our systems.”

Now, it seems, USB devices are OK. US Strategic Command has lifted its ban on their use. Not necessarily because they think they are safe to use, but because it doesn’t have the support to enforce that kind of ban indefinitely, according to this Wired report.

(InsideDefense.com first reported the story, but to read it online requires a subscription).

But here’s the thing. They are still dangerous things to use. A recent report said that certain Federal Information Processing Standard-certified USB drives actually had flaws that could allow unauthorized access to encrypted data, and then we get news that the South Korean military is planning to ban USB drives because of recent Chinese hacking attacks.

I can understand maintaining a ban, but saying that you can’t police it very well. At least you are sending the message that they are not safe to use. But knowing they’re not safe and lifting the ban anyway – what message does that send?

Posted by Brian Robinson on Feb 19, 2010 at 9:03 AM


Reader Comments

Wed, Feb 24, 2010 CONUS

It's simple: camera cards are bad because they can take pictures of malware; USB zip drives are OK because the centrifugal force flings viruses off. Everything in the military makes sense.

Tue, Feb 23, 2010 Steve Scheumann

I'm glad the war fighting side of the Army/DoD has once again over ruled (knocked some sense into?) the sustaining base side of the Army/DoD. Information assurance involves risk analysis and not universal bans. Hopefully the sustaining base side of the Army will not cause the relaxing of the ban to result in costly, time consuming mitigations of risks that don't warrent the time and effort.

Tue, Feb 23, 2010 Don Brown MA

I think it is a bit more complex then indicated. Yes, there was a ban, and yes it has been lifted, but only because the DOD put in place the safeguards to allow safe use of only select and approved Secure USB Drives. How do they enforce it? They do so with End Point Software that monitors what is plugged in via USB. The End Point solution will only allow certain devices to be recognized. Also, since those USB devices are all approved, they meet certain predetermined standards such as FIPS 140-2 Level 2 encryption, onboard virus and malware protection, and other features.

So, actually during the ban, there was much planning to set things right for the safe use of approved USB devices.

Tue, Feb 23, 2010 BigGoofyGuy New Jersey

Since flash drives come in so many shapes and sizes, it would be difficult to totally eliminate them from an office. Some flash drives are about the size of a fingernail. There are some in the form that would not readily reveal themselves as flash drives. USB007 has a flash drive that is also a pen and looks like a regular pen. There are flash drives that look like pendants. USB Geek has a variety. It has some that look like miniature stuffed animals. There is also the risk of not just malware but theft of data.

Tue, Feb 23, 2010 TIred of Stupidity

It always follows that some pundit will ask the "hard" questions.. Perhaps the various commanders recognized it was time for operational expediency? If the "ENEMY" can deny you the use of your technology merely by threat, they are half the way to winning the battle.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Defense Systems eNewsletters