JBSA News
NEWS | July 22, 2011

Use of unauthorized flash media devices still a problem at Randolph

By Robert Goetz, 502nd Air Base Wing OL-B Public Affairs

Servicemembers, Department of Defense civilians and contractors at Randolph continue to plug unauthorized flash media devices into the Universal Serial Bus ports of their desktop and laptop computers despite a network security policy that has been in effect for nearly three years.

Most of the more than 40 infractions so far this year involve the use of smartphones - cellphones that offer the added capability of Internet and email access and other features - and iPods and other digital media players, 902nd Communications Squadron information assurance office representatives said.

"We're continually scanning the network for these unauthorized devices," said Joe Harris, 902nd CS wing information assurance chief. "We're not seeing as many thumb drives as before; we're seeing more of the smartphones, such as Android and BlackBerry."

In many cases, people are charging these devices by plugging them into the USB ports of their DoD computers, including laptops they take home, Harris said. However, even charging their smartphones using USB ports violates Air Force policy.

"People do not understand they cannot plug their devices into these government assets," he said.

Harris also said Air Force Systems Security Instruction 8502 strongly discourages the use of privately owned hardware - any personal electronic device or external hard drive - for government work, even if it does not contain flash memory.

Tommy Garcia, 902nd CS vulnerability management specialist, said people may be just charging their phones, but those devices pose a threat to the network.

"It's the potential to upload or download files, which can spread viruses that affect the whole network," he said.

IPods and other digital music players may also threaten network security, Garcia said.

"IPods come with cameras," he said. "It's all about security, period. It's not the music that's the problem; it's the potential of security violations."

So far this year, 19 infractions have involved the use of smartphones, compared with 13 related to thumb drives. The use of iPods has accounted for 11 violations. Sixteen infractions have occurred since mid-May.

Numbers are down from 2010, when the information assurance office tracked 186 infractions. Among those violations were 85 for USB devices and 58 for iPods.

A USB port scanning system provided by the Defense Information Systems Agency allows the information assurance office to detect all violations of the flash media policy. Violations that occurred while a laptop was off-site or with a user on temporary duty are detected when the laptop is returned and placed on the Randolph network.

Harris said the only authorized devices that can be connected to a USB port on the Randolph network are keyboards, mice, approved web cams and government-purchased external hard drives. However, external hard drives must be registered with a unit information assurance officer, be on file with the wing IA office, have all the appropriate classification markings and labels, and comply with the Removable Storage and External Connection Technologies Security Technical Implementation Guide.

Harris also advised Randolph network users to safeguard their passwords and personal identification numbers and warned them about the dangers associated with phishing, the fraudulent acquisition of sensitive personal information through emails.

"Passwords shouldn't be stored on your computer system," he said. "We have conducted network scans and found files with extensions preceded with 'Pass' or 'Password,' potentially storing passwords or PINs for various accounts inside documents. These are open, plain-text files, and anybody could have access to them."

Harris said it is not enough just to choose a strong password and change it often.

"Passwords are like keys to your accounts, so it is extremely important to safeguard them," he said. "Store your passwords in a safe place - either in your head or in a locked safe. Do not store such information on your computer or mobile device; this is the first place cyber criminals will search."

Harris said phishing is another of the IA office's greatest concerns because people often fall prey to it. He said the 902nd CS recently conducted a test, sending an email titled "service appreciation" that resulted in more than 300 Randolph network users clicking on an embedded link to enter a drawing for a tablet computer.

"Links embedded within unsolicited emails from unknown addresses, especially dot-com addresses, should never be clicked," he said.

Harris advised network users who have questions about the authenticity of an email to delete it or forward it to the IA office. They may also call 652-4231.

"We have a good system of detecting those types of emails, but they trickle in now and again," he said.