I used to think the best way to protect a computer hosting sensitive data was by not connecting it to any network, a process known as air gapping. Ah, the good old days.
WikiLeaks recently revealed that when a computer with the sensitive data is running Windows, even air gapped protection is insufficient. The CIA, using a software system codenamed Brutal Kangaroo, first infects a Windows computer connected to the internet, then infects any USB flash drive (a.k.a. thumb drive) plugged into that computer in the hope that the flash drive will eventually be plugged into the air-gap protected machines.
The most obvious defensive tactic is to avoid using Windows, but at this point, that goes without saying. There is, however, another defensive tactic that can protect air-gapped Windows computers from infected thumb drives.
Use a Chromebook as a middleman
Brutal Kangaroo infects the thumb drive itself, not the user data files. But the malware on the drive targets Windows, so, plugging an infected flash drive into a Chromebook does nothing. Chrome OS is immune to Windows malware.
Copy the data files from the possibly infected flash drive to the Chromebook, then remove the flash drive. Then take another flash drive, copy the files from the Chromebook to this second flash drive and then, finally, to the air-gapped Windows machine.
This defense requires flash drives that are dedicated to each half of the file transfer. That is some drives only travel between the internet and the Chromebook, while others only travel between the Chromebook and the air-gapped machines.
Keeping track of this can be made easier by color coding the flash drives. For example, all the flash drives that plug into an internet-connected computer could be red, while the flash drives that plug into the air-gapped machines could be green.
For additional safety, the Chromebook should be in Guest Mode to eliminate malicious browser extensions as a means of attack. Also, it would be safer to use a Chromebook that does not support Android apps, again, to reduce the attack surface.
Still another defensive step is to format the USB flash drives on the Chromebook before using them. Chrome OS currently formats devices with the exFAT file system, one that many other operating systems can read and write. For the record, Chrome OS offers read/write access to the FAT16, FAT32, exFAT and NTFS file systems.
Formatting on the Chromebook has three advantages.
For one, a Chromebook in Guest Mode should be a malware-free environment. Also, reformatting should protect against thumb drives that are already infected with malware. Finally, exFAT benefits from not being NTFS.
The Brutal Kangaroo User Guide discusses hiding the malware using two tricks that exist only in the NTFS file system. One hides data in the NTFS Alternate Data Streams (ADS), and the other hides files in the the System Volume Information folder.
Of course, air gapped protection is not just for organizations housing sensitive data. It’s also for computers controlling industrial devices such as power grids, dams and battleships. Recent reports in the British media note that their newest aircraft carrier, the HMS Queen Elizabeth, which is still being finalized, runs Windows XP in the flying control room. Hopefully, this blog does not come as news to the British Navy.
Get in touch with me privately by email at my full name at Gmail or publicly on Twitter at @defensivecomput.