Quiz time:
You’re waiting for your train. You spot a flash drive on a bench.
Do you:
1. Pick it up and stick it into a device?
2. Leave no stone unturned to find the owner, opening text files stored on the drive, clicking on links, and/or sending messages to any email addresses you might find?
3. Keep your hands off that thing and away from your devices, given that it could be infested with malware?
Of course, option 3 is the only security-wise course of action.
But in a recent study, 17% of people chose options 1 and 2 – hey, free thumb drive! Wonder who lost it…? – and plugged in those suckers.
The company behind the research is technology certificate provider CompTIA.
It recently littered four US cities – Chicago, Cleveland, San Francisco and Washington, D.C. – with 200 unbranded, rigged drives, leaving them in high-traffic, public locations to find out how many people would do something risky.
The nearly one out of five users who plugged in the drives proceeded to engage in several potentially risky behaviors: opening text files, clicking on unfamiliar web links or sending messages to a listed email address.
CompTIA president and CEO Todd Thibodeaux:
“These actions may seem innocuous, but each has the potential to open the door to the very real threat of becoming the victim of a hacker or a cybercriminal.”
Just how risky is such behavior?
In 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 – were infected.
Obviously, lost flash drives carry risk both to the finder and to employers: somebody who picks up an infected drive can spread infection onto not only their own devices, but also onto his or her company’s systems in these days of bring your own device (BYOD).
Sophos’s Ross McKerchar cooked up this list of 5 mobile device risks to a business, of which flash drives are one.
He suggests that if employees are allowed to use portable USB storage, then “make sure you scan, scan, scan…”
CompTIA says that a dearth of cybersecurity training for employees is part of the problem.
Beyond scattering flash drives around cities, the company also commissioned a survey of 1200 full-time workers across the US, finding that 45% say they don’t receive any form of cybersecurity training at work.
Other cyberthreat findings from the study:
- 94% regularly connect their laptop or mobile devices to public Wi-Fi networks. Of those, 69% handle work-related data while doing so. This isn’t surprising: past studies have found that most people (incorrectly!) think that Wi-Fi is safe.
- 38% of employees have used their work passwords for personal use.
- 36% use their work email address for personal accounts.
- 63% of employees use their work mobile device for personal activities.
- 41% of employees don’t know what two-factor authentication (2FA) is.
- 37% of employees only change their work passwords annually or sporadically.
Age plays into risky behavior: the study found that 42% of Millennials have had a work device infected with a virus in the past two years, compared with 32% for all employees. What’s more, 40% of Millennials are likely to pick up a USB stick found in public, compared with 22% of Gen X and 9% of Baby Boomers.
In keeping with a lower security risk awareness in the young: 27% of Millennials have had their personally identifiable information (PII) breached within the past two years, compared with 19% of all employees.
Besides the risk of infection via plugging in lost devices, lost flash drives can also lead to loss of personal details, given that most users don’t secure the data they store on such devices or the devices themselves.
That was one surprise uncovered in Sophos’s lost-drive research: not a single one of the lost drives was encrypted. Nor did they appear to contain any encrypted files.
Some takeaways:
- An infection rate of 66% means there are a lot of malware-spreaders in our midst. Assume that a lost USB stick is likely to be an infected USB stick, so don’t plug it in.
- Encrypt personal and business data before you store it on a USB device so it can’t be accessed if you lose it.
MrGutts
We did that about 8 years ago with our own people, dropped a box of USB sticks off in front of a building, all with custom back doors / malware on them and all of them were used, plugged into the main network by users.
All of them went through security awareness training once again and we publicly shamed them (I know, it was mean) but word spread fast and it never happened again.
RichardD
Not only malware – a malicious USB key could fry your motherboard, as Graham Cluley reported on 13th October.
Dan Leeder (@leeder46)
How tempting! Yeah, it might contain malware, BUT . . . . it might have been lost by a CIA agent and have super secret info that they would reward handsomely for . . . . or maybe it’s a corporation’s secret files about future transactions. Whatever, it IS worth checking out and returning to the owner, if possible. Just take it to the nearest Best Buy and plug it into a demo computer. Or, go to the library and use a public computer. Just don’t use your own!!
Bryan
You’re very right about the curiosity, but it’s rather a crummy thing to do to someone freely offering you use of their computer.
Instead of letting Best Buy give you peanuts for your old PC, keep it around as a beater.
Geek extension: Get as technical as you wish and are able, keep a restoration image of it, install virtual boxes inside it, learn Linux–or OpenBSD.
Lee Funkhouser
You are kidding, right? No responsible person would knowingly risk infecting a computer at a Library? There are much better, safer, and more effective ways to check out a suspect flash drive. Boot into a Linux Live CD/DVD and use that to check the contents of a suspect drive. Boot into a Live Rescue CD/DVD/USB and use it to run a Malware Scan. Those are free to use and fairly easy to set up.
Mahhn
done this multiple times :)
Ann
4. Pick it up and dispose of it in the nearest trash container, to protect others from their own curiosity.
Paul Ducklin
5. Lash it to a clay pigeon with duct tape (what else!) and shout, “Pull!”
Spryte
After wrapping it up and putting it in a vise.
plugh
Stick it in a Chromebook. No attack vectors out of there.
Mike Blanchard
just stick it in a Mac…. Mac is immune to malware right?
Paul Ducklin
The irony is that even if Macs were immune to malware, so you decided not to bother with an anti-virus, then whenever you passed on a USB drive infected with Windows malware to a Windows user…
…you’d get the blame :-)
Mark
I built a nifty little hardware gizmo out of an AVR chip that will low level format a USB drive, fill every sector with random data, and verify it. It will render any USB drive safe… unless somebody had the skills to re-write the firmware in the USB controller inside the drive. Even then, the random data check is rather hard to get around… the USB controller chips don’t have enough RAM to cache all the critical sectors.
It does detect hanky-panky involving discrepancies between reported and expected drive parameters and capacity (i.e. hidden sectors on the drive). And it now has snubbers that would protect against and report high-voltage USB zappers.
Still, it’s best not to trust found USB drives.
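The fill-then-verify check described in the comment above, as an added Python sketch (not the commenter's AVR firmware or code). The function names, the SHAKE-256 pattern generator and the simulated `AliasingDevice` are assumptions made for illustration; each block's pattern is tied to its own index so that a drive which wraps addresses past its real capacity fails verification.

```python
import hashlib
import io

BLOCK = 4096

def block_pattern(seed, index):
    """Pseudo-random block bound to its own index, so data that lands at
    the wrong address never verifies."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(BLOCK)

def fill_and_verify(dev, reported_size, seed):
    """Overwrite the whole reported capacity, then read it all back.
    Returns the indices of blocks that did not come back as written."""
    count = reported_size // BLOCK
    dev.seek(0)
    for i in range(count):              # pass 1: overwrite every block
        dev.write(block_pattern(seed, i))
    dev.flush()
    # Real hardware: drop or bypass the OS cache here so pass 2 hits the device.
    dev.seek(0)
    bad = []
    for i in range(count):              # pass 2: verify every block
        if dev.read(BLOCK) != block_pattern(seed, i):
            bad.append(i)
    return bad

class AliasingDevice(io.BytesIO):
    """Constructed stand-in for a drive that reports more capacity than it
    has: addresses past the real size wrap onto earlier blocks."""
    def __init__(self, real_size):
        super().__init__(bytes(real_size))
        self.real_size = real_size

    def _wrap(self):
        if self.tell() >= self.real_size:
            self.seek(self.tell() % self.real_size)

    def write(self, data):
        self._wrap()
        return super().write(data)

    def read(self, n=-1):
        self._wrap()
        return super().read(n)

def demo(seed=b"constructed seed"):
    """Honest 64-block device vs. one with only 16 real blocks."""
    return (fill_and_verify(io.BytesIO(), 64 * BLOCK, seed),
            fill_and_verify(AliasingDevice(16 * BLOCK), 64 * BLOCK, seed))
```

Writing the full capacity before reading anything back is what forces the device to actually hold every block; verifying block by block as you go would let a small cache answer each read.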
Vivienne
I found a 2Gb SD card on the ground recently, next to the footpath on a suburban street. Are there the same risks? I’m wondering if it’s come from someone’s camera.
Paul Ducklin
Much the same risks, yes. When you plug a camera into a computer, it either uses MTP, which is a special protocol for sending files back and forth (which could include anything), or it just gets mounted as a removable drive like a vanilla USB stick. And if you plug the SD into the slot on a laptop, if you have one, it gets mounted as a removable drive.
For any device that X can write to and Y can read back from later, Y can get more than he or she bargained for from X, and more than X maybe even knew about :-)
Tom
I have a friend who works for a small bank. He manages the bank’s Excel files. He had to take some files to a meeting with a software vendor and put a USB flash drive into his computer. The IT department immediately locked his computer and called him to ask him what he was doing. Remember, this is a small local banking corporation. How difficult can it be to set up software like this in light of all the problems USB drives present?
Paul Ducklin
Sophos’s endpoint protection product can do just that sort of thing (OK, it doesn’t call you on the phone and ask you what you think you’re doing, but you could probably script that if you wanted…cue Dirty Harry quote :-) – the general term for this sort of protection is “device control.”
It’s a great way to go, because it helps you keep the good stuff in as well as the bad stuff out, but for many IT departments it’s a tricky bridge to cross because it feels rather disruptive…at least, until something bad happens the first time :-(
Sort of like patching. Some people are still more afraid of the possibility that something might break for a while if they do patch than of the probability that a crook with an automated hacking script will get in if they don’t.
Tom
“but for many IT departments it’s a tricky bridge to cross because it feels rather disruptive…at least, until something bad happens the first time :-(” This sums up the average system administrator’s security battle with his coworkers. I’ve blocked sites because staff will go anywhere, click on anything, and enter personal information. They bank, shop, watch videos. I can’t recall entering any personal information into my work computer in over 15 years. I don’t check personal e-mail, bank, play games, etc. at work. That’s why I have a home computer. Here’s the incredible part, my boss thinks it’s ok that staff does this stuff. In 25 years my network has not been hacked, I have had an occasional virus (well just Conficker), but if we had a data breach or ransomware, I’m sure my job would be jeopardized.
Mahhn
There are many AV and other programs that do device control. We have it set up so Only approved devices (by MAC address) can be used by people in specific AD groups. The only USB storage devices we allow are hardware encrypted (number pad on drive). It’s not cost prohibitive these days, and we also get reporting on attempts to access non-approved drives. Phones won’t even charge if they aren’t in the allowed group :)
Osama S.
Anyone surprised by the result?
If they used it on their home PCs they have themselves to blame.
If they used it on a corporate computer the security team is to blame for not implementing mitigating controls beyond security awareness.
Chelsea Hawkins
If it weren’t for some kind soul finding my USB drive, opening it, and mailing it back to me, I’d have missed a semester’s worth of work, my proposal backup, and some documents needed by my son. I won’t say that it’s proper, but it did save me a lot of stress. Now I put my name and voicemail number on it…no need to open it just in case it’s lost again.