Two-Thirds of Lost USB Drives Carry Malware
itwbennett writes "Antivirus firm Sophos acquired a passel of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales. The company analyzed 50 USB sticks and found that not a single one was encrypted and 33 of them were infected with at least one type of malware."
.. they were lost by the 10% of commuters stupid enough to lose a USB stick.
Hey don't blame me, IANAB
One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.
How would they know if it had been encrypted by something like TrueCrypt, which is designed to be invisible to prying eyes?
... carry acroread.exe and/or iexplore.exe around on their USB sticks.
Weird.
The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.
Give me Classic Slashdot or give me death!
Perhaps this is the latest malware distribution method.
It's a good way to spread your malware: "lose" a USB stick and hope the person that finds it puts it in his work machine (if you make sure you lose it during the morning commute).
I can see someone "losing" a couple in the employee smoking area outside of a bank or large tech company. Lost, sure they were.
Brought to you by Carl's Junior.
Conclusions you can draw from this study: people who ride transit and lose their USB memory stick while doing so are
(a) unlikely to encrypt the contents of their memory stick, and
(b) prone to malware infections
I'm not certain that this group is representative of the general population, however.
licet differant, aequabitur
I practice safe USB plugging. I put a rubber cover over my USB stick before I try to plug it in to anything. I have never once caught a virus on it.
This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.
There's another sample out there of sticks that WERE encrypted, or DID have useful data on them, that were recovered by their owners. I.e., they were USB sticks that nobody gave a shit about. Why would we be surprised that there's malware on them and that there was no sensitive data? The other sticks were likely reclaimed.
It is more likely that the USBs got infected when someone at CityRail plugged them in to see if there was 'anything good' stored.
How is it that they know that most lost USB sticks are turned into the lost and found? I find that to be highly unlikely.
So, RailCorp decided to auction off lost property that could well be of a sensitive nature to some random member of the public? How responsible is that? Shouldn't the fact that they are able to sell lost (and used) property off at twice their retail value ring a few alarm bells?
Perhaps the title should read
These USB flash drives should be destroyed, not auctioned off to the highest bidder.
Considering that these devices probably contain personal information, I just don't understand how anyone can think it's right to hand them over to anyone for analysis.
Do we do the same for personal diaries? People's wallets? I certainly hope not.
Personally I think it's disgusting that they are not being treated with the respect that they should be.
Of course I understand that a lot of these were probably not 'lost' but planted for nefarious reasons, but still, some will be legitimately lost personal items that could contain a wealth of personal information!
Never happened. True story.
Ext2 is so yesterday!
A huge amount of "lost" USB drives with no vital information but lots of spyware? Maybe some lucky rider will find one and stick it in their laptop.
Maybe that's exactly what someone wanted them to do.
My thoughts exactly.
None of these (256 meg to 8 Gig) were so valuable that their destruction would have been considered a huge waste, and the potential damage to the forgetful owner could be massive. You would think that the LEAST they could do was format them, which itself is far from foolproof. But releasing them intact just seems dumb, even if not illegal.
The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.
Sig Battery depleted. Reverting to safe mode.
Anti-virus vendor says there's yet another way to get a virus, and you need their product even more. Film at eleven.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Hey, you found my virus collection! I've been looking for that.
Don't worry about returning the thumbdrive, I'll just download a copy of your computer.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Because it's generally accepted that more than 66% of computers run on an MS OS, we can guesstimate how many of them are infected.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Formatted in FAT is one thing. However there is just no excuse for not encrypting a USB flash drive. On Windows, BitLocker is a right click away. If one doesn't have an edition with BDE, then TrueCrypt is an easy install. Linux, there is TrueCrypt, LUKS, or loopback encryption. Macs have TrueCrypt and other items.
The reason I like using BitLocker or TrueCrypt for encrypting Windows data on a USB flash drive is that if someone finds the drive, can't access it, so formats it, the format.exe command in Windows explicitly will overwrite the sectors containing BitLocker key data, and also will overwrite the volume header in TrueCrypt (not by explicit design, but as part of putting the new filesystem in place.) This way, even if someone gets the password or key later on, the data is gone, barring someone bypassing the disk controller and going cell-by-cell around the wear levelling algorithm.
What are the best practices for accepting and retrieving files from a USB drive someone gives you?
(assuming I trust the author of the files)
1) turn off autoplay on your system
2) plug it in
3) scan the mounted drive with antivirus software
4) drag and drop the select data files
Aside from having up-to-date antivirus, Windows patches, and app patches, are there any other good security steps specifically related to USB drives / portable drives?
We already know that a common attack method is to leave an infected USB stick in the parking lot of the company you're going after. There's no reason it won't work equally well on the public by dropping them in public transportation.
No. IT's normal SOP. It's not their responsibility to correct everyone else's mistakes. You lose a USB stick and don't claim it? TFB.
The fact they sell it for more than retail just says idiots are buying it.
The Kruger Dunning explains most post on
a) either a lot of pseudo-security researchers jumped on the 'let's lose USB sticks on the train' train
b) being careless enough to lose a USB stick is correlated with being careless enough not to encrypt it, and both are correlated with being careless enough not to run your virus checker very often.
There is one very good excuse. Portability. That's what USB sticks are used for. You want to be able to take your stick and use it on your desktop, your laptop, your work (/school) computers where you don't have admin access, your friends' computers, and so on regardless of what OS. And right away, not after first installing additional software. None of those solutions solve this problem.
Can an arbitrary Windows machine read an ext2 volume? Can an arbitrary Linux machine mount a BitLocker volume? Can you install TrueCrypt and mount containers on arbitrary Windows and Linux machines without root privileges? Thought not.
There is not much that works cross-platform. If I were moving data between completely different platforms, I'd use something standard that would work on a file basis, rather than a filesystem or disk basis. The answer to this is gpg. Most platforms have a working gpg ported to them, be it Android, Solaris, AIX, Windows, Linux, BSD, or even iOS (both jailbroken and non-jailbroken apps). I'd just encrypt a file using a passphrase and call it done. If it were a bunch of files, create a bit of chaff of a random size, tar that up, gpg the tar file and copy that to the drive.
So, with this in mind, TrueCrypt or BitLocker do the job well enough. Oftentimes, I'm just moving data from a Windows box to a Windows box, or from a Mac to a Mac. In these cases, Disk Image or BitLocker is good enough.
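The file-based approach described above (chaff of random size, tar, symmetric gpg), as an added example that is not the commenter's own script. It assumes POSIX sh, tar, gpg 2.x on PATH, and a passphrase supplied in the STICK_PASSPHRASE environment variable so it never appears on a command line.

```shell
#!/bin/sh
# Added example: bundle a directory together with a random-sized chaff file,
# tar it, and symmetric-encrypt the tarball with gpg so any platform with a
# gpg port can decrypt it. No keyring or admin rights are required.

# make_chaff DIR MIN MAX: write DIR/.chaff with a random length in [MIN,MAX]
# bytes, so the ciphertext size no longer reveals the size of the real payload.
make_chaff() {
    dir=$1; min=$2; max=$3
    # two random bytes from /dev/urandom, read as an unsigned 16-bit number
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    len=$(( min + r % (max - min + 1) ))
    head -c "$len" /dev/urandom > "$dir/.chaff"
    echo "$len"
}

# pack_tree SRCDIR OUT.tar: tar up the directory, chaff included.
pack_tree() {
    tar -C "$1" -cf "$2" .
}

# encrypt_pack IN.tar OUT.tar.gpg: passphrase-based AES-256 encryption.
# --pinentry-mode loopback lets gpg 2.1+ take the passphrase from fd 0.
encrypt_pack() {
    printf '%s' "$STICK_PASSPHRASE" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 --output "$2" "$1"
}

# decrypt_pack IN.tar.gpg OUT.tar: the reverse, for the receiving machine.
decrypt_pack() {
    printf '%s' "$STICK_PASSPHRASE" | gpg --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt --output "$2" "$1"
}
```

Copy only the .tar.gpg to the stick; the plaintext tarball stays on the originating machine.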
You lose a USB stick and don't claim it? TFB.
Because when you lose a USB stick the first place you think to look is the subway...
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
The fact they sell it for more than retail just says idiots are buying it.
Or, you know, it says that lost USB sticks are more valuable than new, blank sticks. Think about why that might be.
Or that people are fishing for data rather than hardware
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
I find the actions of the rail corporation to be pretty alarming.
So if someone leaves private information, financial documents, etc. laying around my home or business, I can just collect them up, claim them as my own, and auction them off to the highest bidder?
Aside from the fact that they were foolish to not encrypt the information on their drives, it doesn't justify ethical handling of the found information. You don't find someone's wallet then sell it to someone who could be a potential white collar criminal, and then try to make moral excuses for yourself by saying "Oh they should have encrypted their wallet..."
You would think that the LEAST they could do was format them...
So the infected sticks could infect the Rail Corporations computers? Who pays for the time and effort to wipe the sticks and potentially clean the computers.
The rail company probably held these devices for several months waiting for the owners to claim them. If your USB stick has data that is valuable/compromising/whatever and it is not protected, it is your responsibility to not lose it, and if lost, contact lost and found to get it back.
The rail corporation (or anybody else for that matter) has no responsibility to ensure that this information is secure.
The Rail corporation has no moral right to sell information that could be damaging to the financial well being of another person
JUST BECAUSE that person accidentally dropped something.
There are laws covering lost property in almost every jurisdiction, and most of them give the finder more rights to the property than anyone other than the original owner. Nevertheless, selling damaging personal information is in itself a crime (invasion of privacy), and that it was carried out by a government-funded organization is inexcusable.
Rail corp's own Code of Conduct page links to a Corporate PDF that outlines their expectations, including:
You must:
Take care when collecting, storing, using and disclosing personal information in order to protect individuals' privacy
They demand this of their employees, but think nothing of the rights of their customers?
Considering the highest bidder in the auction was a security company, it would seem that the black hats already know that these memory sticks are unlikely to contain anything valuable. We'd see a black market if they did, with petty criminals scouring the streets for lost USB sticks, and fences purchasing them.
"a passel of USB sticks" WTF is a "passel"
Nos Morituri te salutamus
Too small a sample to come to any conclusion.
Okay, so say you find one. Or your relative/friend/coworker gives you one. OR, you need to loan them yours for a few minutes (happens more and more often now that computers don't come with floppies). What then? Once you get it back, how do you wipe it such that you can reuse it, but it doesn't have anything on it? I'd rather not kiss a $3 drive goodbye every time that happens. On Linux you'd have to mount it, so (IIRC) you'd be able to just format the partition before mounting.
But how about on Windows. Mac OS? Or if I have autostart (or whatever it's called) off, am I safe? (and yes, I'm pretty sure that last one isn't right).
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
I suspect that a greater problem is trying to convince the lost and found jobsworth that that one is yours.
I find it hard to believe that none of the folks who turned in "lost" USB sticks took a minute to check if there was any hot pr0n on them first.
He meant steganography but
so he used encoded shorthand for it.
Fortunately, you were able to expand the shorthand, so the meaning wasn't lost. Unfortunately, you guessed the code, so the meaning wasn't lost.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Ah someone has finally found my missing virus collection!
Please return it, no questions asked.
PO Box 10110110110 /sarc off
Virus Park, Washington DC.
20001
For perspective, here's an analog analogy:
Suppose, instead of a USB stick, it was a folder full of good old-fashioned paper, perhaps of a sensitive or private nature. Surely they wouldn't have just given the thing out so cavalierly just because nobody claimed it.
Except I never "lost" them, I left them around for people to find with a few random pictures and PDFs on them, so people thought "yay, free memory stick!". They also had a worm I was writing at the time on it; I had a 100% success rate on payload delivery too.
See a USB stick on the floor? By all means pick it up and keep it, but plug it into an old and offline box and run some scans, format it, check it for viruses before it comes near anything important to you.
I once got a virus on a USB by loading it into a photo print booth. Stuck it on my PC and it ran the virus immediately, thanks to Windows default AutoRun settings. Microsoft should really have a page on their web site with photos of its employees who made stupid decisions like this. The misery and loss of time and data this person caused are huge. (And also that annoying 'Index your help file' window, but that's another story).
In other news, totally impartial research conducted by Dettol shows that your bathroom isn't clean enough.
# cat
Damn, my RAM is full of llamas.
From TFA:
Sounds like something drummed up by their marketing department?
This story really is too thin for a headline.
Give me five or ten locations and a bigger sample and you'd have something.
Sophos has every reason to find more malware than anyone on here would expect to find on lost USB sticks. I've been an SA for a long time and malware just isn't as common as the antivirus firms would like everyone to believe it is. I'd like to know what their definition of malware is for this informal "study". It's probably so loose as to be a joke. Whenever I've found malware, it's never removed by any antivirus program out there. They're all completely worthless, but I guess it keeps people working and that's great. If they did indeed find actual malware, which I highly doubt, then I'd say the USB sticks were planted for fools to pick up and shove in their hungry USB holes.
I have a whole bunch of unencrypted USB sticks...because the stuff I put on them isn't worth encrypting. As a geek I put stuff like drivers, or maybe music or a movie on them. Hardly stuff I care about other people getting their hands on. What would be more telling is the percentage of unencrypted sticks that contained sensitive information such as financial or medical data.
But the entire point of USB flash drives is being able to carry your data around and access it on random systems. When I want security, I carry a flash drive with portable WinSCP and PuTTY. Create a password-protected SSH key just for that flash drive, and you can just remove it from ~/.ssh/authorized_keys if the flash drive gets lost.