USB flash drives and other removable storage devices were banned by the DoD in November 2008 after a military network was infected by the Agent.btz worm, which was introduced into the network from a USB flash drive.

The Wired.com article is incorrect in its assertion that STRATCOM has not addressed the problem of spreading viruses from removable media devices. IronKey and other vendors of hardware encrypted secure storage have been working with Joint Task Force – Global Network Operations (JTF-GNO) at STRATCOM to develop technical and operational requirements for preventing malware from infecting removable storage devices, and from migrating from devices onto networks.

IronKey partnered with Tresys who has a File Sanitization Tool designed to clean devices from malware when moved between different government networks.

IronKey Enterprise devices also feature an anti-malware scanner, to ensure that files stored on IronKeys do not have malware. IronKey devices also have active anti-malware capabilities preventing tampering with the autorun.inf on the device, which prevents malware from spreading from devices onto host computers.

Today, Navy Vice Admiral Carl Mauney, deputy commander of the United States Strategic Command said: “After extensive testing of mitigation measures, DoD decided to make this technology available again on a strictly controlled basis on DoD computers. Since the order restricting use of removable media, DoD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met.”

An article at Government Info Security lists the requirements for using removable storage devices in the Department of Defense:

• Employing approved procedures and hardware that prevent unauthorized use, and scan, clean and wipe the devices removing malicious software.
• Restricting use to operational mission requirements
• Allowing only properly inventoried, government-procured and -owned devices for use in Defense Department information systems.
• Prohibiting personally owned devices on all military networks and computers.
• Banning use of DoD-procured and owned devices on non-government networks or computers without authorization from an approval authority.
• Using flash media only as a last resort to transfer data from one location to another and only when other authorized network resources are not available.
• Subjecting randomly selected users and drives to periodic audits.
• Requiring combatant commands, cervices, and agencies to establish their own approval authorities for determining whether selected flash media may be used within their individual organizations.

In an interview published by the Armed Forces Press Service today, Navy Vice Admiral Mauney said active operations in Afghanistan, Iraq and elsewhere will get priority in implementation of the new guidelines. “In terms of the mechanics, we’ve put together several small kits of the equipment that’s needed and we’ll be transitioning those to people out in the theater – in Afghanistan in particular – to help certain groups facilitate their use,” he said. The kits will contain hardware and software to ensure the safe use of removable media, including the required anti-malware scanning capabilities.

The report found that there were more victims than in any period since Javelin began performing these surveys in 2003. Much of the increase in fraud as so-called “new account fraud”, which showed longer periods of misuse and lack of detection, and therefore more dollar losses than any other type of fraud. An example of this fraud would be where a criminal applies for a credit card or personal loan using someone else’s identity information.

More information about the report can be found on Javelin’s website.

What do you think?

EMI is complaining that the bank’s historical process of sending out emails to corporate customers, asking them to update security tools (in this case, digital certificates), effectively “trained” the customer to fall for phishing scams. In 2008 Comerica switched from digital certificates to One Time password devices for authenticating customers. OTPs offer a lower level of security than digital certificates, as they can be vulnerable to man-in-the-middle and quick replay phishing attacks.

In early 2009 an EMI employee opened a fake email purporting to be from Comerica Bank, and instructing them to click on a link and update their security software. The user did so, and was taken to a phishing site, which requested the username, password and One Time Password number from the token. The user inputted this information, and the phishers used it to quickly log into the actual account and begin doing funds transfers. Over a period of a few hours, 47 wire transfers totalling $550,000 were made from EMI’s account to the bank accounts of criminals in other countries and in the US.

They have dubbed the new malicious software “Bugat”.

This appears to be a different strain than the Zeus banking trojan that has been used by cyber criminals to steal tens of millions of dollars from corporate bank accounts over the last several months.

Bugat uses an SSL encrypted communication link to send stolen passwords and cookies over the Internet to command & control servers operated by cyber criminals.

The malware uses a list of “websites of interest”, and when a user logs into one of those websites, it starts collecting information. Many of the targeted websites are business banking and wire transfer sites.

It seems that malware infected the computer that the comptroller of the town uses to access the bank’s corporate banking system. Cyber criminals were then able to steal the bank account login and password, and access the bank’s online banking system. They initiated numerous small funds transfers on January 11 and 12, 2010, taking a total of $378,000.

This is yet another of the increasingly visible attacks against users of corporate online banking systems with sophisticated malware, such as the Zeus, silentbanker, zbot or clampi trojans.