Phony Lady Gaga CD used to steal sensitive docs
July 13, 2010 by Sam Narisi. Posted in: In this week's e-newsletter, Latest News & Views, Security
Many companies ban or regulate the use of external storage drives to keep sensitive information from leaving the office. But a recent incident at the Pentagon is a warning that USB sticks are not the only way out.
American soldier Bradley E. Manning was arrested in May after being accused of stealing more than 150,000 highly classified documents and files from government computers in Iraq, including classified video of a helicopter attack that Manning leaked online.
Pentagon investigators have determined how he got the data out: he burned it to a writable compact disc that was labeled as a Lady Gaga music CD.
While Manning burned the data to the disc, he said, he wore headphones and lip-synched the lyrics so that he appeared to be listening to music.
In 2008, the Defense Department banned USB thumb drives (a ban prompted by malware that had spread on removable media), and the USB ports on computers with access to sensitive documents had been disabled.
However, according to the New York Times, the government's computers still had optical drives installed, with CD burning enabled.
Companies take note: if employees handle especially sensitive information, you need policies and, more importantly, technical controls that cover CD and DVD burning, not just USB storage.
Businesses should also consider disabling removable storage on those computers. In practice that means blocking the USB mass-storage device class in the operating system or through Group Policy, which leaves keyboards and mice working, rather than physically disabling the ports. Requiring IT to scan and approve USB devices before users connect them is a procedural control that depends on users cooperating, so treat it as a supplement to the technical block rather than a substitute for it.
Also configure anti-virus software to scan removable media when it is inserted. Beyond users who deliberately copy company data onto iPods and other seemingly harmless storage devices, those drives can carry malware onto the network if the proper controls are not in place.
Tags: CD burners, data theft, Pentagon, sensitive documents, soldier

July 14th, 2010 at 1:07 pm
Minor corrections:
- USB is a “port” not a “portal”
- CDs, DVDs and Blu-ray discs are referred to as “optical drives”, not “disc drives”.
- CD burning capability is a function of the device. CD or DVD readers can be used, referred to as “CD drive” or “DVD drive”, in place of writable / rewritable drives, referred to as “CDR”, “CDRW”, “DVD+R”, “DVD-R”, “DVD+RW”. The main reason to mention this is that the device in question is licensed for the appropriate technology and has a visible logo on the front of the optical drive itself, meaning READ ONLY versus WRITABLE devices can be identified by visual inspection.
- Further, “burning software” allows data to be written to an optical drive. Optical drives do not function as part of the operating system as with flash drives and magnetic drives, but require special software to work properly. In newer versions of Windows, this software is included with the operating system, but is still separate. You can’t “burn” (write) data to a writable optical device without “burning software”.
- The article’s title implies that somehow Lady Gaga’s music was involved, or perhaps the manufacturing or distribution process for Lady Gaga’s music was somehow compromised. That’s not, in fact, the case. The article’s title could be more appropriately expressed as “Thief used CD burner while pretending to listen to music”. Lady Gaga is an insignificant detail.
Here is some analysis of your conclusions:
1. Any corporate environment handling sensitive data should have technology controls in place to disable USB ports, burning capabilities of the operating system, as well as prevent 3rd-party software installation. All of these are simple and cheap or free to implement.
2. The correct security posture is to have all of these capabilities disabled as the default, enabling specific capabilities only where required. This ensures that as hardware is replaced, the new hardware inherits the appropriate policy. It also helps ensure that if there is an error, the error is more likely to be more restrictive than less restrictive. This approach is basic security 101.
3. In environments where highly sensitive information is involved, such as military or trade secrets, optical devices should not even be installed. If needed, they can be installed after the fact. If they are routinely used, read-only optical devices should be used by default, allowing writable optical devices ONLY by exception (see #2).
4. Asking IT to scan USB devices is asking for trouble. People are not going to follow a written policy if they don’t understand the risk or simply opt for the convenience of NOT following the policy. And, obviously, someone with malicious intent is NOT going to follow the policy. This is what is known as a “voluntary” or “opt-in” control because it requires people to “volunteer” to follow the correct process. The alternative is to implement technology controls (“mandatory” controls), which need to be only as restrictive as required, and resilient enough to handle various scenarios, such as disabling the use of certain classes of devices unless specifically approved by exception.
5. Addressing USB and optical devices won’t solve the problem. Any computer has a hard drive that can be removed, and other types of ports that can be used to access and potentially duplicate sensitive information. As an example, there are camera pens that look like ballpoint pens and could be used to take pictures or video of the data displayed on a computer’s screen in order to copy sensitive data. The best approach is to ensure that multiple controls exist in layers, which is referred to as “defense in depth”. You are more likely to catch a determined hacker or thief when they trip over something simple, rather than expecting the “vault” approach to keep them out.
6. There has to be an appropriate balance between restrictive security controls versus the cost and productivity overhead. The biggest mistake made in most corporate environments is to “overprotect” data that is neither valuable nor sensitive. For each type of information, an assessment should be performed, and security controls should be implemented by risk level.
Sorry to shoot your paraphrased interpretation of someone else’s work full of holes. This article is proof that you can repeat something interesting in order to sound interesting.
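The article's recommendation to control CD burning and USB storage, and the commenter's points that such controls should be technical, default-deny, and relaxed only by per-machine exception, can both be expressed as one short Windows configuration script. The following PowerShell is an added example for this page; it is not code from the article, from the commenter, or from the Pentagon. It writes the registry values that the Group Policy settings "Removable Storage Access" (keyed by device-class GUID) and "Remove CD Burning features" apply, disables the USB mass-storage driver, and enables removable-storage auditing. The `$BurnerExceptions` list, the `$MachineName` parameter and the `Set-PolicyValue` helper are assumptions made for the example.

```powershell
# Added example (not from the DocuCrunch article or the commenter): apply a
# default-deny removable-media policy on a Windows workstation, granting the
# right to burn optical media only to hosts named on an exception list.
# Run from an elevated PowerShell session. The registry paths below are the
# ones the "Removable Storage Access" and "Remove CD Burning features"
# Group Policy settings write; $BurnerExceptions and $MachineName are
# assumptions for this example.
param(
    [string]   $MachineName      = $env:COMPUTERNAME,
    [string[]] $BurnerExceptions = @()   # hosts approved, by exception, to write optical media
)

# Device-class GUIDs used by the Removable Storage Access policy
$CdDvdClass     = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'   # CD and DVD drives
$RemovableClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # removable disks (USB sticks, iPods in disk mode)
$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Helper (assumed for this example): create the key if needed and set a DWORD
function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Default: nobody writes to optical media. Reading stays allowed so
#    install discs still work; Deny_Write alone turns every burner into a
#    reader, which the commenter's point 3 asks for without swapping hardware.
$allowBurn = $BurnerExceptions -contains $MachineName
Set-PolicyValue "$PolicyRoot\$CdDvdClass" 'Deny_Write' ([int](-not $allowBurn))

# 2. Default: removable disks are denied for read, write and execute, and the
#    USB mass-storage driver is not loaded at all, so nobody has to "volunteer"
#    for a scan. Keyboards and mice use a different driver and keep working.
foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-PolicyValue "$PolicyRoot\$RemovableClass" $v 1
}
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4   # 4 = disabled

# 3. Remove Explorer's built-in burning UI as a second layer. This is the
#    "Remove CD Burning features" policy; third-party burning tools are
#    stopped by the class-level Deny_Write in step 1, not by this value.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoCDBurning' 1

# 4. Detective layer: audit removable-storage access so an approved burner
#    still leaves a trail (Event ID 4663 in the Security log). The
#    "Removable Storage" audit subcategory exists from Windows 8 / Server 2012.
if ([Environment]::OSVersion.Version -ge [Version]'6.2') {
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null
}

# Report what was applied
$opticalState = if ($allowBurn) { 'allowed (by exception)' } else { 'denied' }
[pscustomobject]@{
    Machine        = $MachineName
    OpticalWrite   = $opticalState
    RemovableDisks = 'denied'
    USBSTOR        = 'disabled'
}
```

The Removable Storage Access values are enforced by the storage class drivers, so they apply to any application that tries to write, not just Explorer; they take effect after a policy refresh or reboot. In a domain you would set the same values through a GPO rather than a per-host script, which is what gives the commenter's "new hardware inherits the policy" property, and the exception list would become a security group the GPO is filtered on.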