USB security concerns officials

Published Feb. 12, 2009
By Brandice J. Armstrong
Tinker Public Affairs

TINKER AIR FORCE BASE, Okla. -- Even though USB flash memory drives are indefinitely banned from Air Force Materiel Command computers, they are still a security risk. Tinker Operations Security personnel are encouraging installation network users to protect government jump drives and computers from potential threats.

"There are some good guys and bad guys out there," said Eb Bauer, Tinker installation OPSEC program manager. "We've become too complacent with USBs."

The Universal Serial Bus drives are part of everyday life for many Americans. They enable quick file sharing from home to office or school, and provide connectivity for popular, memory-driven music players. They have quickly replaced floppy discs and compact discs as the favored form of storing files that need to be portable.

Before AFMC banned USBs in November 2008, many government employees often stored PowerPoint presentations and similar documents on the removable, rewritable floppy disc replacement. The 4-inch-long devices were carried from place to place like a notebook or laptop. But since the ban, USBs are transported less often and are likely stored with other non-essential work materials. As a result, the devices have a better chance of being misplaced or used for other, sometimes malicious, purposes.

Mr. Bauer said government USBs need to be erased or stored in a secured place. He said he worries that a work-related USB storing "official use" government data, such as cell-phone numbers, addresses or Social Security numbers, could be lent to a family member or friend. In turn, a new user can access the "official use" information or, inadvertently, load it onto an outside computer, allowing others to view the government data.

"We have information 'floating' right now as we speak," Mr. Bauer said. "USB sticks are sitting around on desks, at home and probably have lots of information that is not protected."

Mr. Bauer said the quick access USBs allow means government computers must also be locked when unattended. If office personnel leave their workstations and do not lock the terminal, Mr. Bauer said, a USB can be used to steal between 64 megabytes and 64 gigabytes of information, or upload a virus onto a computer in a matter of seconds.

"I know it might be a bit extreme, but I don't know that everyone is playing a fair game," Mr. Bauer said.

A "worm virus" is one example of a computer virus transferable via USBs. The worm virus "Agent.btz" can copy itself to removable USBs from an infected computer and transfer itself to other systems through a USB port. Mr. Bauer said USBs can also be loaded with software that steals information such as account passwords and credit card information before uploading a virus.