This is a bit of a hypothetical, but I am interested in an answer. First, I understand that no one can protect themselves against three letter organizations, so I am really just wondering about best practices.

Let's say I have a computer that is not connected to the internet. The computer doesn't even have a modem or wireless capabilities. The computer is used for working on secrets. You might be using the computer to run computations on certain data. Let's say that this data comes from a computer that is connected to the internet. So, one needs to, say, daily, transfer data from the internet connected computer to the secret computer.

The data itself isn't secret, but the outcome of the work done on the secret computer is. No data ever needs to electronically leave the secret computer.

My question is: What is a best practice for transferring files between the two computers?

One problem is that if the same USB key is used every time, then this USB key might be infected and indirectly allow an adversary access to the secret computer. One solution I can think of is to use a new USB key for every transfer, so that a USB key is destroyed after it has been connected to the secret computer. That way no secret work can make its way to the internet connected computer.

But: Is there a way that doesn't require a new USB key every time?

  • another good use for my yet-to-be-invented battery-needing thumb drive that uses RAM instead of NVRAM... – dandavis Aug 18 '16 at 02:26
  • What you are describing as a "*secure computer*" or a "*secret computer*" is commonly called an [air-gapped](https://en.m.wikipedia.org/wiki/Air_gap_(networking)) machine. – techraf Aug 18 '16 at 02:33
  • The best answer is DON'T. Or if you do, always use it only on that one computer. But keep in mind you don't ever know what might have already been done to any particular USB drive so it is back to DON'T. Talk to your OPSEC coordinator before doing this. – SDsolar Apr 21 '17 at 07:06

2 Answers


The main issue with this approach isn't the reuse of the same USB stick. If you're defending against state-sponsored attackers there's a good chance they are able to tamper with your supply of USB sticks and give you some with their malware already preinstalled. However, since the machine has no way of talking back to the outside world to leak the secrets, getting malware on it may not be a big deal.

The problem is that since the machine can write to the USB sticks, it can use those to exfiltrate data. Whether you use new sticks or reuse the same ones, the problem still exists (unless you take great care of securely erasing/destroying the one-time use sticks before discarding them).

What I would recommend is using physically write-once media. An optical disk padded with random data (otherwise there may be a way to burn more data in the free space even on a non-rewritable disc), or a trusted USB stick (with firmware you made yourself or audited) with a physical write-protection switch. That would give the secret machine no way to leak its contents, assuming we discard theoretical attacks like encoding data in the CPU's EMI interference, etc.

You could also use a physical one-way connection like an Ethernet cable with the sending pairs cut, a serial cable with the TX line cut from the secret machine, or an audio cable connected to the audio input of the secret machine. That way it could receive data digitally without requiring human intervention to deal with storage media while having no way of talking back to the outside world.

André Borie
  • a ROM drive to read could safely consume RW media, which saves money and reduces leaky physical waste. – dandavis Aug 18 '16 at 02:28
  • +1 for read-only media, though for DVDs, non-writing drives may start getting hard to find. One-directional Ethernet would be handy, but would be compatible with few existing file transfer protocols. – ilkkachu Aug 18 '16 at 12:32
  • Thank you for the answer. I had thought a bit about just using writeable CDs since these would be cheaper than USB keys. I was just wondering if there is a way that doesn't require having to use something new (USB key, CD, DVD, ..) every time a transfer needs to be made. I like the idea of using a one-way Ethernet cable. – Thomas Aug 18 '16 at 13:19
  • @ilkkachu: Could you elaborate on the comment about the file transfer protocols? – Thomas Aug 18 '16 at 13:20
  • @Thomas, I mean that most networking protocols have at least some sort of replies for packets received, if only to guard against dropped packets. Everything using TCP, of course, but e.g. TFTP which works over UDP, too. Only exceptions I can think of would be protocols aimed for broadcasting to multiple clients. You could transfer data by a simple stream of UDP packets, maybe with something as simple as `netcat` or `socat`, but any failed transmissions would need to be dealt with manually. Not that you should get (almost) any dropped or garbled packets over a single, dedicated link. – ilkkachu Aug 18 '16 at 14:06
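The one-way link described in the answer above, and the "simple stream of UDP packets" that ilkkachu's comment mentions, worked out in Python as an added example (this is not code from the original post or from any of the commenters). It assumes a receive-only cable into the air-gapped machine, so the receiver can never ask for a retransmission; each datagram therefore carries the file's SHA-256 digest, a sequence number and the total packet count, which lets the receiver reassemble out-of-order packets, detect gaps, reject stray packets from another transfer and verify integrity entirely on its own. The `OWFT` protocol tag, the header layout and the 1024-byte chunk size are my own choices, not anything the answer specifies.

```python
"""One-way ("data diode") file transfer over UDP with no return channel.

Sender side runs on the internet-connected machine, receiver side on the
air-gapped machine whose only link is a receive-only cable. Because the
receiver can never ask for a retransmission, every datagram carries enough
context (file digest, sequence number, total count) for the receiver to
reassemble out-of-order packets, detect gaps and verify integrity alone.
"""
import hashlib
import socket
import struct
import time

MAGIC = b"OWFT"                       # hypothetical protocol tag (my choice)
HEADER = struct.Struct("!4s32sII")    # magic, sha256(file), seq, total
CHUNK = 1024                          # payload bytes per datagram (my choice)


def build_packets(data, chunk=CHUNK):
    """Split a file into self-describing datagrams (sender side)."""
    digest = hashlib.sha256(data).digest()
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    total = len(chunks)
    return [HEADER.pack(MAGIC, digest, seq, total) + c
            for seq, c in enumerate(chunks)]


def reassemble(packets):
    """Rebuild the file from whatever datagrams arrived (receiver side).

    Returns (status, data, missing): status is "ok", "missing" (data is None,
    missing lists the absent sequence numbers), "corrupt" (every piece is
    present but the digest does not match) or "empty" (nothing usable seen).
    Duplicates and out-of-order delivery are tolerated; datagrams belonging
    to a different transfer (other digest or total) are ignored.
    """
    parts = {}
    digest = total = None
    for pkt in packets:
        if len(pkt) < HEADER.size:
            continue                      # runt or garbage datagram
        magic, d, seq, t = HEADER.unpack_from(pkt)
        if magic != MAGIC or t == 0:
            continue
        if digest is None:
            digest, total = d, t          # first valid packet defines the transfer
        elif (d, t) != (digest, total):
            continue                      # stray packet from another transfer
        if seq < total:
            parts.setdefault(seq, pkt[HEADER.size:])   # first copy wins
    if digest is None:
        return "empty", None, []
    missing = [s for s in range(total) if s not in parts]
    if missing:
        return "missing", None, missing
    data = b"".join(parts[s] for s in range(total))
    if hashlib.sha256(data).digest() != digest:
        return "corrupt", None, []
    return "ok", data, []


def send_packets(packets, host, port, repeat=2, pace=0.001):
    """Blind UDP sender. The whole set is sent `repeat` times because
    redundancy is the only defence against a dropped datagram on a link
    that carries no acknowledgements."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _ in range(repeat):
            for pkt in packets:
                s.sendto(pkt, (host, port))
                time.sleep(pace)          # do not overrun the receiver's buffer


def receive_packets(sock, idle_timeout=1.0):
    """Collect datagrams on an already-bound socket until the link goes quiet."""
    sock.settimeout(idle_timeout)
    received = []
    while True:
        try:
            pkt, _ = sock.recvfrom(65535)
        except socket.timeout:
            return received
        received.append(pkt)


if __name__ == "__main__":
    # Loopback demonstration on constructed sample data, not a real file.
    sample = bytes(range(256)) * 12
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    port = rx.getsockname()[1]
    send_packets(build_packets(sample), "127.0.0.1", port)
    status, data, missing = reassemble(receive_packets(rx))
    print(status, len(data) if data else None, missing)
```

On the real link the sender runs `send_packets` on the connected machine and the receiver binds a socket on the air-gapped machine and calls `receive_packets` followed by `reassemble`; a "missing" result is the manual-intervention case the comment refers to, and the sequence numbers it lists tell you exactly which datagrams to resend. Raising `repeat` trades bandwidth for fewer such cases, which matters more on a cut-pair Ethernet link than on a dedicated serial line.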

You might consider networking the computers together and writing your own simple file exchange program. Since it is your own program, nobody else will know how to exploit it. In the unlikely event that there is a remote exploit in the TCP/IP stack, you can have another computer running a different operating system monitor the data sent to the secret computer through an Ethernet hub. The monitoring computer never transmits. If such an exploit is used, you now have a copy of it, and you're a millionaire.

The idea of networking it may be scary, but exploits in file system drivers exist too. If you do go with removable storage, consider making a script that checks the filesystem for errors before mounting it, since that will help discover any exploits.

Alex Cannon