Monday, September 13, 2010

Flash drive pierces Pentagon security

Have you ever worked at a place that had a strict policy against any kind of portable external storage like USB hard drives or thumb drives? Maybe they even had group policies in place that disabled external storage on the USB ports? There's a good reason for that. Tim Greene of Businessweek reports that a successful 2008 attack on U.S. military networks was accomplished by sticking a flash drive into a laptop in the Middle East that later connected to a military network and infected computers on networks at Central Command - both classified and unclassified networks - networks that in theory shouldn't have any direct connection. But what spreads by flash drive once can spread that way again.

The breach prompted a change in Pentagon policies, which is good. But why were flash drives allowed in the first place? I can see the original laptop, but unless a computer with two network cards had one connecting to a non-classifed network and one to a classified network (another bad idea), infection by flash drive or other removable media is the most likely attack vector to move the malware between the two types of network, and that should never have been allowed.

The attack gave unprecedented access into the mind of the U.S. military to an enemy. Whoever the attacker was, they had the ability to see and even change battleplans and orders. The possible harm they could have done is mind boggling, and that the attack succeeded the way it did is more than a little scary. Pentagon policies have changed, but have they changed enough? I hope so.