A group e-mail sent by the security department at the Executive Office for U.S. Attorneys in Washington, and recently obtained by Nextgov, illustrates just how much access hackers may have to supposedly highly secure government office buildings.
According to the July 9 e-mail, which was sent to office staff and contractors with the subject head "Malicious Thumb Drives," security officials said that they had found two stray thumb drives on the ninth floor of the Bicentennial Building on E Street in Downtown Washington, where the U.S. Attorneys Executive Office operates. The drives, one found in the men's restroom and another on a facsimile machine, would, once attached to a computer, secretly steal "certain system information" off the computer and transmit it out of the Justice Department. The e-mail read:
Please be advised that two USB thumb drives were discovered on the 9th Floor of the Bicentennial Building. One was discovered in the Men's restroom yesterday afternoon. Another was found this morning on a facsimile machine. The drives contain malicious code that automatically and silently executes when the drive is plugged into a system. The code captures certain system information and transmits it out of DOJ.
Such a threat underscores what most security experts consistently point out: The greatest threat comes from insiders -- employees and contractors who work within an agency or corporate office. No metal detector, x-ray machine, security guard, identity management application or penetration detection system would stop such an attack.
No word yet on whether anyone at Justice inserted a stray thumb drive into their computer.



COMMENTS
First of all I think this issue is fabricated or bogus due to the fact that this is the Federal Government they never let any information out to the public about anything, let alone a severe security breach like this one, why would they want to tell the public that they are stupid or retarded not to know what is going on, plus the fact of all the firewalls anti virus and malware software installed on the Dept. of Justice LAN system. Can you say scare tactic Duh Think about it people...
skip 09/10/08 01:21 pm ET
Simple solution: Install software on secure systems that will only allow the OS to access a connected USB storage device if it can authenticate the device as being official use/issue. USB technology will allow this and even more secure would be using an encrypted key check on the official device and locking out all others. People can't be fixed but technology can.
c5pilot 08/27/08 01:47 pm ET
I think this incident is a wake up call to all federal agencies as well as the private and commercial sectors, and should be publicized by national media and newspapers to alert users of all storage media be it a thumb drive, disk, or CD. Needless to say, there is also the fear of contaminated hard drives where they're manufactured throughout the world - this is one of many demonstrated risks of OUTSOURCING/GLOBALIZATION!!
MN 08/26/08 12:03 pm ET
It gets even worse. Take a look at the cases on your USB devices for country of origin. Even the ones issued by your IT folks that you signed for usually come from China. Virus scans may not detect code that doesn't wake up until it is activated. The biggest threat resides in "commuting" thumb drives that move between stations including that computer back home.
J. Borden 08/24/08 10:33 am ET
The threat here isn't "insiders." It's "stupid insiders."
Anybody stupid enough to pick up a stray thumbdrive he finds in the men's restroom, think "Hmmm, I wonder what this has on it?" and put it in their USB port needs to be sent back to remedial special education classes.
I say "stupid," because that's nice compared to what describes the employee who's ignored all AIS and security training, and whose respect for the data he works with is so low he would allow curiosity to trump minimally acceptable prudence.
R. Arnold 08/21/08 11:54 am ET
This is a threat. It might be mitigated somewhat by disabling the "Auto Run" feature on the PC. Above all, employee training is more effective IF it's taken seriously.
Jack 08/21/08 10:55 am ET
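The AutoRun mitigation suggested in the comment above can be checked on a Windows PC with a read-only audit of the `NoDriveTypeAutoRun` policy value. This is an added example, not part of the article or of any comment; the function names `Get-AutoRunPolicy` and `Show-AutoRunPolicy` are hypothetical.

```powershell
# Added example: audit the AutoRun policy that covers removable drives.
# NoDriveTypeAutoRun is a bitmask; a SET bit DISABLES AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown (0x01)'          = 0x01
    'Removable, e.g. USB'     = 0x04
    'Fixed disk'              = 0x08
    'Network'                 = 0x10
    'CD-ROM'                  = 0x20
    'RAM disk'                = 0x40
    'Unknown/reserved (0x80)' = 0x80
}

function Get-AutoRunPolicy {
    # The machine-wide value (HKLM) takes precedence over the per-user value (HKCU).
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$subKey" -Name NoDriveTypeAutoRun `
                                 -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $hive; Mask = [int]$item.NoDriveTypeAutoRun }
        }
    }
    return $null   # policy not configured in either hive
}

function Show-AutoRunPolicy {
    param([int]$Mask)
    # One row per drive type, so gaps in the mask are easy to spot.
    foreach ($name in $DriveTypeBits.Keys) {
        $disabled = ($Mask -band $DriveTypeBits[$name]) -ne 0
        [pscustomobject]@{
            DriveType = $name
            AutoRun   = if ($disabled) { 'disabled' } else { 'ENABLED' }
        }
    }
}

$policy = Get-AutoRunPolicy
if ($null -eq $policy) {
    Write-Warning 'NoDriveTypeAutoRun is not set in HKLM or HKCU; the OS default applies.'
} else {
    '{0} NoDriveTypeAutoRun = 0x{1:X2}' -f $policy.Source, $policy.Mask
    Show-AutoRunPolicy -Mask $policy.Mask | Format-Table -AutoSize
    if (($policy.Mask -band 0x04) -eq 0) {
        Write-Warning 'AutoRun is still enabled for removable drives.'
    }
}
```

A mask of `0xFF` disables AutoRun for every drive type; the script only reads the registry and changes nothing.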
Think about how often these devices are given away at trade shows and every other kind of place. Think also about how often they are bought and sold. If a boatload of these were shipped with malware, how many would yield a successful attack?
arclight 08/21/08 08:10 am ET