Two-Thirds of Lost USB Drives Carry Malware

itwbennett writes "Antivirus firm Sophos acquired a passel of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales. The company analyzed 50 USB sticks and found that not a single one was encrypted and 33 of them were infected with at least one type of malware."

What do you expect ..

[roguegramma]

.. they were lost by the 10% of commuters stupid enough to lose an USB stick.

Re:What do you expect ..

[DemonGenius]

And I just used up all my mod points too...

Re:What do you expect ..

[Marxist+Hacker+42]

I was thinking of a different self-selecting sample- the script kiddies willing to spread malware-infected USB sticks around in public to see which computers phone home.

Re:What do you expect ..

[BitterOak]

.. they were lost by the 10% of commuters stupid enough to lose an USB stick.

Why is this modded troll? Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.? I'm not suggesting that it is impossible for a very careful person to drop something or have it fall through an unknown hole in the pocket, but at the same time, I don't think it is unreasonable to suspect that a population of those who left their USB sticks on the subway aren't necessarily perfectly representative of the population of USB stick users as a whole.

Re:What do you expect ..

[geekoid]

Because he implies when someone loses something it's because they are stupid; which is false.

Which implies all people not losing stuff are smart.

Re:What do you expect ..

[MurukeshM]

They considered that angle. But then

Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.

"We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.

"The malware involved was mostly very prevalent, general-purpose, zombie stuff," Ducklin explained. The security expert believes that this method of malware distribution is not even viable because most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

[TFA]

Re:What do you expect ..

Because he implies when someone loses something it's because they are stupid; which is false.

Which implies all people not losing stuff are smart.

Your logic is flawed.

Re:What do you expect ..

[aix+tom]

People who lose stuff are not necessarily more "stupid", but they are definitely more "careless"

And yes, people who care enough to double-check all their possessions lose less than people who don't.

And the people who double-check their possessions are probably also the ones who double-check their virus scanner and/or their encryption.

It has little to do with "stupid". In fact, one of the stereotypes of a careless person is the highly intelligent "absent minded professor"

Re:What do you expect ..

[nine-times]

It seems likely that people who are careless also lose things more often.

Re:What do you expect ..

[BasilBrush]

Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.?

It's not an unreasonable hypothesis to raise. It is unreasonable to assume it's true.

Re:What do you expect ..

[BasilBrush]

And yes, people who care enough to double-check all their possessions lose less than people who don't.

How exactly does one double-check, and in what way is it superior to single-checking?

What about those with zipped pockets or bags versus open pockets or bags. Do you think that might be a factor? And how exactly do you imagine that relates to "carelessness".

Do you imagine the use of zips correlates with computer literacy?

Re:What do you expect ..

[jabberw0k]

most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

100% of items handed in, have been handed in -- what a surprise! How do they track lost items that were not handed in? This is as accurate as Gracie Allen's telephone poll -- 100% of people she phoned, had a phone.

Re:What do you expect ..

[chaboud]

You know that someone is at their first computer conference when they un-velcro their bag in the middle of a panel. Zips, magnetic clasps, or straps, people. That, or they're just an ass.

Double checking is pretty straightforward for the neurotic among us. First, you check for something. Then, you check again. I inventory my laptop bag before a trip, then I take it downstairs, put it by the door, and do a second, less complete, inventory before I walk out. Keys, thumb-drives, headphones, ear-plugs, glasses, iLoks, pens, business cards, passport.

I'll know if the laptop has been left out when I lift the bag.

Re:What do you expect ..

[chaboud]

I think it's reasonable to assume it's likely, which, statistically, has more in common with true than false.

Once we've wandered into statistics on small non-random samples, I think we can say these things comfortably...

Re:What do you expect ..

[hairyfeet]

Call me paranoid but maybe some of the infected ones were lost on purpose? There are plenty of places to buy REALLY cheap USB sticks, especially if you get the smaller ones. IIRC there is a place selling the 256Mb sticks for something like 40c in bulk. If I wanted to spread malware to as many people as possible it sounds like an awful cheap way to do it, just leave sticks around the places where those that work at the place i ant to hack frequent, like say the subway they use at the time of the day they use it? Who cares if a couple get picked up by nobodies or end up in lost and found, they're cheap!

But the fact that they find so many whether lost intentionally or not really doesn't surprise me, hell I've lost some of my smaller sticks here and there. but of course i don't keep in data i give a crap about on them either, just drivers and flash tools for cleaning boxes. if someone was to find that 1gb stick i lost somewhere all they'll get is a bunch of freeware cleaners and the latest realtek drivers that were out at the time. Maybe the reason they weren't encrypted is like me many simply didn't have anything worth giving a shit about?

Re:What do you expect ..

[Just+Brew+It!]

But it is not unreasonable to expect that people who are less careful with physical possessions may also be less careful in other ways as well. So it would not surprise me if there is a correlation between "tends to lose USB sticks in public places" and "tends to get infected with malware".

Re:What do you expect ..

[Dahamma]

Which implies all people not losing stuff are smart.

No it doesn't. If you lost a USB stick you are stupid, does not mean if you didn't lose a USB stick you are not stupid. It means if you are not stupid, you haven't lost a USB stick. Contrapositive, not inverse.

But I do agree carelessness != stupidity :) Though I would also argue carelessness it much more common in malware infections, so the correlation could still be there...

Re:What do you expect ..

[spazzmo]

Ha ha. I don't think you are replying to what you think you are replying to. No-one mentioned being able to tell if a virus was calling home. They were talking about USB sticks being lost as opposed to planted.

Re:What do you expect ..

[spazzmo]

Oh and well done on the gratuitous verbal abuse to the people you weren't replying to...

Re:What do you expect ..

[DeathSquid]

Because he implies when someone loses something it's because they are stupid; which is false.

Which implies all people not losing stuff are smart.

I sure as hell feel stupid when I lose stuff.
That in no way implies that I feel smart when I don't lose stuff.

Re:What do you expect ..

[mjwx]

They considered that angle. But then

Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.

"We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.

[TFA]

Trains are not logically a good place to leave sticks lying around for an attack. People treat things found on trains as suspicious, worse yet will hand them over to security. In order to attack via this angle you need to get people where they feel safer, such as in a workplace where they'll see a USB stick in the work dunny and thing "Free USB stick".

Also, never ascribe to malice what can easily be explained by stupidity. Steve the Salesman with his Blackpad and iBerry is paying zero attention to what he is doing could easily lose a USB stick out of his pocket, Given it will cost his companies IT dept $10 to replace, he just doesn't care.

Re:What do you expect ..

[Jafafa+Hots]

When you get off the train and check your pockets, that's double checking.

When your double checking reveals that the USB stick is not in your pocket but is instead still on the train that's just just closed its doors to pull away, that means by the GPs logic that you, having just lost the stick, are careless.

Therefore we must conclude apparently that double-checking is a sign of carelessness.

Re:What do you expect ..

[Neil+Boekend]

Dunno about him, but I do. If I am speaking English (I am dutch) I refer to an USB thumbdrive as "An USB stick".
I am curious to know: what is wrong about that?
"An" --> The rule of thumb for a/an I learned years ago was "a" if the next word starts with a consonant (B, C, D, F, G, H, ...) and "an" if the word starts with a vowel. The "U" in USB is a vowel. If that is incorrect I'd like to know.
USB --> USB could be said in full, but I'd guess that isn't what you meant for that sounds silly.
"Stick" --> I knew "stick" to be a oft-used word for these things. It's as good as any. I have seen it quite often and, due to the fluidic nature of language, that means it's accepted (for it's not a misspelling or a fault in grammar).
Please don't think I am trolling, I am curious to know: there is no sarcasm in this.

Re:What do you expect ..

[aix+tom]

How exactly does one double-check, and in what way is it superior to single-checking?

Single-checking would be to check "do I have everything" before you leave home in the morning.

Double (or multiple-) checking would be to check when you leave home, before you get on the bus, before you get off the bus, before you leave the office, etc...

I'm that kind of paranoid after I lost the master key to a company I worked for for only a month ages ago. ;-)

(Then of course I'm so "AH, I'm home" - relieved when I get home that I pretty much proceed to stuff the clothing with the USB drives right into the washing machine, but hey, at least no black hat gets at my data)

Re:What do you expect ..

[tbird81]

The incorrect part is saying "An".

You should use "an" as the article if the next word begins with a vowel sound. So we say "a European" (pronounced you-row-pean), "a universal serial bus", "a U-boat", "a yellow banana". We say "an apple", "an honourable discharge", and "an yttrium semiconductor" (pronounced ittrium),

So the rule is based on the sound and how things flow, not the actual letter of the alphabet used.

Re:What do you expect ..

[altstadt]

The a/an rule of thumb is to use "a" if the next word sounds like it starts with a consonant, and "an" if it sounds like it starts with a vowel.

To English ears, a German speaker says "ooh ess bay", while an English speaker says "you ess bee". The y sound in this case is a consonant, so a native English speaker will say "a you ess bee stick".

All bets are off when the word following a/an starts with an h, since the letter can be silent or verbalized depending on the word and where you grew up.

Re:What do you expect ..

[vrt3]

I speak Dutch too (I'm Flemish). I'm often inclined to write "an USB stick" like you do, because I often think of the Dutch pronunciation of USB which indeed starts with a vowel.

But what matters when writing English is, of course, the English pronunciation, not the Dutch one. In English it is pronounced like joe es bie, so the first sound is not a vowel, so it should be "a USB stick".

Re:What do you expect ..

[hairyfeet]

Don't feel bad friend, somewhere in one of my boxes in storage is a 64Mb CF card with card reader that I used as a thumbstick and paid close to $100 too. I thought when I got it "Wow these are DOZENS of floppies worth of data, how will i ever use it all up?" and now I carry around a 16Gb I paid $14 for on sale and have 4gb which is bigger than the first 5 HDDs i had on my keyring that was given to me free by a guy that basically uses the things like calling cards!

So don't feel bad friend, we're just antiques from when 8 tracks were playable in any car and dinosaurs roamed the earth. you want to feel old my oldest boy is in his second year of college and he has NEVER had an 8-track, cassette, or LP, ever! And he talks about how old he must be getting since his first PC ran windows 98 and had a Voodoo card!

Re:What do you expect ..

[RockDoctor]

100% of items handed in, have been handed in -- what a surprise! How do they track lost items that were not handed in?

It shouldn't be that difficult. The statistics would be a but wobbly, giving fairly wide error bars, but the data should be available.

(Caveat : this applies to Scotland ; it may not apply to the rest of Britain, let alone Australia ; the German system doesn't seem terribly different). I've lost mobile phones in the past - in the back of taxis normally - and on one occasion out of IIRC three, it's been in the police's lost property office (most taxi companies are pretty good about this ; it's ultimately not in their interest to not do so). Each time I go into the lost property office, they take a note of my name, a description of the item lost, and the approximate location (because a lot of taxi companies only make one run to the lost property office a week ; perfectly reasonable, no charges of "theft by finding" if there's an established record from the company and some sort of record-keeping).
So, those records of lost property enquiries constitute a sample of the actual amount of lost property.
The records of lost property actually handed in constitutes a different sample of the actual amount of lost property.
The "hit rate" of matching lost property to enquiries should be enough to tie the two data sets together. I think the situation is comparable to a capture-tag-release-recapture-count tags experiment for estimating populations of wild animals, which is a standard operation. Hyper-geometric distribution, IIRC.

Oops, phone calls ... got to go and be transport for people.

Re:What do you expect ..

[Neil+Boekend]

Thank you all for helping me out. I must have misremembered the rule.

Mac

[cyachallenge]

FTA

One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

Re:Mac

... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

Re:Mac

[Rockoon]

... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

Yes they did, and then the guy you replied to did also.

It was seven. Were you looking for digits? 7.

Re:Mac

[geekoid]

0111

Re:Mac

[John+Bresnahan]

FTA

One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

Which means that those USB drives had been plugged in to a Windows machine at least once.

Re:Mac

[MurukeshM]

... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

Yes they did, and then the guy you replied to did also.

Uninfected devices.

Re:Mac

[msauve]

Yes they did

No, they didn't. There were 7 infected ones. The GP said "uninfected," and he's correct (unusual for a AC, I know) - without knowing how many uninfected ones qualify as "used under MacOS," the figure has no significance.

Re:Mac

[BasilBrush]

We have a winner!

Re:Mac

[Alomex]

A few years back Mac USB keys were much more likely to be carriers of Windows viruses since Macs did not scan for those.

 

Re:Mac

[antifoidulus]

Well, they don't really say what they meant by "formatting", if the sticks were formatted as HFS+ then I doubt they had been plugged into Windows computers, or at the very least got the malware from the Windows machine as right now there is no tool that can write directly to an HFS+ disk..... It's possible that they picked them up through using shared folders with a Windows VM and had their USB shared, but that seems pretty unlikely

However, more than likely what they meant by that statement is that they found .DS_Store directories on the disk which indicates that they have been plugged into a Mac(those directories are how finder remembers how you had your icons organized etc.)

Re:Mac

[microcars]

agreed, every USB stick I have used has been formatted FAT32 so it could be used on either Mac or Windows. Students I know tend to carry around their data on these things so they can use whatever computer is available wherever they are. I've found about six USB drives in various places off campus and they have all been filled with student homework.

Truecrypt?

[shellster_dude]

How would they know if it had been encrypted by something like Truecrypt which is designed to be invisible to prying eyes?

Re:Truecrypt?

[mr1911]

TrueCrypt does not make invisible containers. It makes encrypted containers.

There is an exception for the container hidden in an container, but that only offers plausible deniability as the existence of the larger container is obvious.

Re:Truecrypt?

[shellster_dude]

Still, how would they know if some sort of stenography was being implemented, or if I had a Truecrypt volume called "ProgramA.bin"?

Re:Truecrypt?

[tverbeek]

Because the kind of people who are that careful with their data don't lose the USB sticks on the train and then fail to come looking for them.

Re:Truecrypt?

[black3d]

Truecrypt isn't designed to be invisible at all. Aside from entirely encrypted drives, it's fairly obvious if someone HAS encrypted data. Truecrypt is about hiding that data via hidden paritions within outer encrypted containers, and plausible deniability.

Truecrypt volumes are generally detectable:
http://www.jadsoftware.com/?page_id=89
https://code.google.com/p/tcdiscover/
And if the researchers discovered drives that are filled entirely with random data, then they know they're either securely formatted or encrypted, and would likely consider them the latter - if they're securely formatted the file system appears intact. If the entire drive is encrypted (or securely erased from the MBR up) then the FS is not intact, and it's a fair bet that the researchers are claiming they found all sticks with intact file systems, formatted to the same volume as the stick, with single partitions.

As are those hidden within files:
http://16s.us/TCHunt/index.php

But - the reason for the ramble: Never make the mistake of thinking Truecrypt is invisible. It's not. What's "invisible" should be your second hidden volume within the Truecrypt container - if you've set it up correctly. And there have previously even been attacks on that, in the event attackers are able to gain access to the external container. Work on your plausible deniability. Don't rely on TC to do the work for you or you'll end up with leaks everywhere.
http://www.schneier.com/paper-truecrypt-dfs.pdf

Re:Truecrypt?

[DigiShaman]

I've only used TrueCrypt in two instances. First being a file container in which I could mount and store stuff. The other in which I provisioned a USB drive to store data. With regarding the last option, I was aways nagged about the flash drive not being formatted and proceeds to ask me if I wish to do so. So my wife finds the sucker and formats thinking it was up for grabs. Though I am curious. Does TruCrypt anticipate the drive being encrypted by reading a certain set of LBA blocks? Is it something in the MBR? Just how obvious is the hidden container when viewing the drive raw with a hex editor?

Re:Truecrypt?

[amRadioHed]

An encrypted volume would not look the same as a binary file. Binary's are far from random.

Re:Truecrypt?

[black3d]

As I posted elsewhere, but in case you don't see it - for finding truecrypt volumes hidden in files: http://16s.us/TCHunt/index.php

Re:Truecrypt?

[Anachragnome]

"TrueCrypt does not make invisible containers. It makes encrypted containers..."

Another question.

I am assuming that encrypting a container--in this case a USB stick--would also disable any malware already written to the drive as that code would be unrecognizable as code by the computer it was plugged in to...until it was decrypted. On the other side of the coin, if that same encrypted stick was plugged into an infected system, I assume the malware could be written (un-encrypted) to the drive intact and function when that stick was later plugged into another system. In essence, the malware can be installed on the stick while the drive is mounted via Truecrypt, as well as when it is plugged in but not mounted via Truecrypt. This would leave the user vulnerable twice.

Is this correct? Am I missing something, or is the encryption and malware two separate issues, because I don't see how encryption helps protect against malware once the drive or folder is decrypted.

Re:Truecrypt?

[geekoid]

Based on... what? Routine makes fools of us all from time to time.

Re:Truecrypt?

[Ichijo]

Binary's are far from random.

Are ASCII files more random? How about self-extracting archives?

Re:Truecrypt?

[black3d]

It should appear as random data (as opposed to an empty or freshly fully-formatted drive which appear zeroed or one'd depending on the case). This then means either it is encrypted, or has been securely erased. However, sometimes byte chains can be detected within the data. Use a tool like https://code.google.com/p/tcdiscover/ to test your volume.

Although there are more advanced tools available to LEA. Plausible deniability is more important than how hidden the volume is, and you should never give up the key to your external volume until forced to do so or in dire circumstances. It should be currently almost impossible (in most cases) to detect the second hidden volume within the outer volume.

So, work on that outer volume. Frequently write files to it - generally, as often as you're writing files to your hidden volume. So many people leave an empty outer volume and then expect plausible deniability to work when the volume was created 2 years ago and last modified 3 days ago. While it's "possible" that they "just erased all their data a few days ago", it's not plausible, hence the turn of phrase.

Re:Truecrypt?

[Vegemeister]

Truecrypt containers have an encrypted header in a particular chunk of the file. Truecrypt attempts to decrypt the data at this location with the given key. If it succeeds, then we know the file is a Truecrypt container. There is also another location that potentially holds an encrypted header describing a hidden volume.

Re:Truecrypt?

[black3d]

You're quite right. The researchers were simply pointing out that not only a) are none of them encrypted but also, b) they've got malware on them. Two separate issues. Although yes, an encrypted drive can't be infected by malware while encrypted as there's no file system there for it to infect (unless it writes its own MBR, in which case goodbye data) but as soon as its decrypted and in use that doesn't really matter.

Re:Truecrypt?

[tqk]

TrueCrypt does not make invisible containers. It makes encrypted containers.

I don't know about TrueCrypt but last I heard, MS Win* can't even see multiple partitions on USB keys. It only sees the first one (I don't know if this is still true wrt more recent versions of Win*); anything past the first one is invisible.

I don't bother to encrypt my USB keys either. I've not many secrets worth hiding, and a bzipped afio/cpio archive in a second to N extN ptn should be fairly unreadable for ca. 99% of humanity. Anyone who could read them would be disappointed. Not much for me to worry about there.

Medical doctors or bank employees might have more reason to consider encryption.

Re:Truecrypt?

[Anachragnome]

Thanks.

I guess the old adage still applies...

"Careful where you stick that thing, son..."

Re:Truecrypt?

[Fjandr]

An infection can write to the MBR without destroying the data; many malware programs do exactly this.

If it destroys the data, there's a large possibility that the drive will be erased completely, thus obliterating the malware. By only writing over the first section of the MBR the partition table remains intact, so nothing appears to be wrong with the drive.

Re:Truecrypt?

[LinuxIsGarbage]

A factory formatted drive may appear as all 0's (that's how a new SD card appeared to me), however a drive reformatted by traditional software will still show the previous contents (except where the FAT or equivalent was overwritten)

I repeat, a full-format does not zero the drive. A full format just performs a READ-verify on the volume. You need DBAN, Eraser, Roadkil's Disk Wipe, or similar to securely wipe the drive (1 pass is sufficient).

Also, True crypt doesn't change the modified date of the container file when you mount and use the volume, though not having it appear "stale" is a good idea.

Re:Truecrypt?

[Artifakt]

how would they know if some sort of stenography was being implemented

You are correct. There is no known way to detect which files were transcribed in shorthand by a person taking dictation before being entered by keyboard...
Oh, wait, you meant "steganography", didn't you?

Re:Truecrypt?

[chaboud]

I believe that there is a TrueCrypt mode for starting the data portion of the TrueCrypt partition in RAW after some specified number of bytes. This allows you to put some files on a drive and hide your encrypted partition after it.

Just put some goatse on there to keep the snoopers from digging too deep.

Re:Truecrypt?

[black3d]

That's true in most cases (although a format in Windows 7 of an SSD will request TRIM, erasing the data, but as we're talking about USB sticks that's not completely relevant here), and in those cases it doesn't appear as random data, but quite easily visible data. And if the perp's deniability is that he just formatted it, the random data is a dead-giveaway.

I wasn't intending to suggest to OP that he could format his drive and clear his data, but rather answering his question as to how his data should look as opposed to non-randomized data. Naturally, intact files are also obviously non-random. :) Ie, if the data is all zeros or all ones, it's clearly not encrypted.

Re:Truecrypt?

Because the kind of people who are that careful with their data don't lose the USB sticks on the train and then fail to come looking for them.

I encrypt my data because I'm careless, and when (not if) I do lose a stick I don't bother going back for it because I know the data is protected, and of course I have backups.

Re:Truecrypt?

[Hyperhaplo]

This is why I have a bunch of files on various devices and drives some of which are encrypted files (mostly with a single text file with "ha ha, made you look!" in them) and some of which are splices of encrypted files (and completely impossible to decrypt.. or tell if you can actually decrypt them).

In a subtle attempt at reverse psychology, half of these have innocent sounding names for which would be immediately discarded (based only on the name of the file) - and hence would be checked first should anyone be in the position to want to look at my files.

As for the $5 wrench.. well, then I'm screwed. There's no way to decrypt a file made up of the middle 1/3 of a 80 GB truecrypt container.

Without the $5 wrench.. well.. it would be fun to watch them try.

The USB device I use has built in encryption. No access without the password. If it is lost, then so is my data. Excellent.

Re:Truecrypt?

[Stuarticus]

DO you actually have time to make any files worth hiding while carrying on that level of subterfuge?

Re:Truecrypt?

[Hyperhaplo]

I don't make many files actually.. not that are worth obscuring on this level.. this is more about hiding and obscuring files other people have made :-) .. to give someone the runaround in the event my files fall into someone else's hands.

Note that Australia is quite close to being in the same situation America is.. see the articles about the IINet case currently in the courts - http://whirlpool.net.au/

Someone could literally bust my door down at any time. I would have no warning.. and no time to nuke anything.

This ruse is more about slowing an attacker down and costing an attacker resources than anything else. I smile every time I see one of those files, sitting there, waiting to be "cracked". I do so hope that if they want to try and go through my files that they try one of these first.

Meanwhile, I've just spent an hour and a half on a new short story. No doubt if this machine goes walking it will make light entertaining reading for the (government) thieves.

Re:Truecrypt?

[VortexCortex]

"Oh, wait, you meant "steganography", didn't you?"

What exactly does dinosaur drawings have to do with any of this?

Re:Truecrypt?

[rollingcalf]

To avoid that nagging Windows message about formatting encrypted USB drives, don't use encrypted partitions. Just format it as FAT or NTFS, then create a big encrypted container file on it.

I can't believe that many people...

[Fallingcow]

... carry acroread.exe and/or iexplore.exe around on their USB sticks.

Weird.

Re:I can't believe that many people...

[kju]

Well, i was too lazy to RTFA, but maybe these infected sticks are "lost" on purpose? I mean this has reportedly been done before.

Re:I can't believe that many people...

[The+MAZZTer]

TFA says they think this is unlikely due to the type of malware they found.

Re:I can't believe that many people...

[ColdWetDog]

TFAuthors didn't think so. The logic being that these sticks would more likely end up in the dump than on somebody elses computer and that the malware on the sticks was 'generic zombie stuff' (zombies are generic these days?).

Not a particularly tight argument, but there you have it.....

Re:I can't believe that many people...

[cyachallenge]

That's actually pretty interesting; what if some of these sticks were left intentionally. First, I wouldn't expect a USB stick to have malware. Second, I wouldn't feel bad about using a USB stick that somebody lost (they're mostly cheap and replacable). Arguably, that could be a good attack vector even for tech savy people.

Re:I can't believe that many people...

[1729]

This is a routine trick in a security audit: drop some USB sticks in the employee parking lot, and see how many folks just plug it into their computer.

Re:I can't believe that many people...

[jd]

I'm more inclined to think that the trains in Australia are carrying viruses and simply infect the USB sticks on contact.

Re:I can't believe that many people...

[StikyPad]

At work? Count me in. It's not my computer.

Re:I can't believe that many people...

[icebike]

Neither of those assumptions makes any sense. The guy's assumptions are simply naive.

You find a usb stick, you are likely to try it out to see what's on it.
The younger you are the more likely you will be to do this.

Generic malware is just as likely to be spread this way as any other. In fact this is a common method of untraceable introduction of a new virus or zombie.

Re:I can't believe that many people...

[chaboud]

I take a look at a found USB stick. I might be able to identify someone and return their data. I do this on a Linux VM, generally, but...

Re:I can't believe that many people...

[flappinbooger]

This is a routine trick in a security audit: drop some USB sticks in the employee parking lot, and see how many folks just plug it into their computer.

Or, an autorun CD with "top secret" or "big huge boobies" written on it with a sharpie.

What percent "success" rate do the pen testers get seeding a parking lot with removable media?

I'd label a CD-R with the name of a current large project or some other verbiage and make it look like someone was sneaking out confidential design files. Drop it some place someone will see it who knows about that project, and you'd be almost guaranteed it will get stuck in a computer, they will have to try and see what was being walked out of the building and by whom.

Encryption

[Hatta]

The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

Re:Encryption

That's not the only point of USB sticks - they can also be used to syncronise two trusted computers at different locations. I use one for just this purpose. However, mine is encrypted.

Re:Encryption

[Baloroth]

Or to carry sensitive data often accessed and modified which you don't want on the Internet at all, or to carry the private key for data that is on the Internet. In either case, encryption would be useful. I can think of a few cases where encryption on a USB drive makes sense. Not a lot, true. And in almost any case, invisible encryption would be more useful, so they wouldn't have seen it anyways.

Re:Encryption

[Spodi]

They are also useful for cheap offline storage. Once or twice a year, I export my KeePass (password manager) database as XML on a thumb drive, put that in an ecrypted archive, then store the USB in a safe somewhere. That way I know I can always get to it even if something ugly goes down, like my main KeePass db gets corrupted and I don't notice until after I do my regular offline backups. Can never to be too cautious when dealing with thousands of distinct passwords.

Re:Encryption

[Jahava]

The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

A common solution is to have multiple versions of encryption/decryption software (such as TrueCrypt) alongside the actual encrypted partition/blob. What you would do is plug it into the "strange" computer, install the software, and then have access your otherwise-encrypted valuable blob data. Depending on the situation, you can even have multiple encrypted blobs/partitions for different levels of trust.

Re:Encryption

[devitto]

errrrrrrrr, that's a pretty unusal use - only data that's 'public' on a USB stick.

Truecrypt is easy soloution, and is small enough to fit on the stick - problem solved.

Re:Encryption

[The+Mister+Purple]

Excellent point and practice.

Re:Encryption

[Hatta]

If the computer you plug it into is compromised, your truecrypt key can be sniffed.

Re:Encryption

[Vegemeister]

The last time I checked, Truecrypt used a kernel mode driver, and thus required admin privileges to run on Windows.

Re:Encryption

[plj]

I'll encrypt my sticks as soon as somebody makes an encryption software that works seamlessly in Windows AND Mac OS X AND Linux, and is easy to install and use. Currently, the only one that comes even close is Truecrypt, but due to its stupid vanity licence it isn't a real option on Linux, as it is not included in repos and as such isn't easy to install.

LUKS can work on Windows (with FreeOTFE) but not on OS X, so that isn't an option, either.

Re:Encryption

[godel_56]

The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

I think Rohos encrypted containers are fully portable (with a copy of Rohos on the key), unlike TrueCrypt which requires you to have administrator access to the computer. Also there's nothing to stop you encrypting individual files on a USB key, such as with AxCrypt or the encryption options of 7Zip or Zip Genius.

Re:Encryption

[Hatta]

You can't do anything with the encrypted data unless you decrypt it. Once you decrypt it, the host computer has full access to it and your encryption keys. Decrypting files on an untrusted computer is a big no-no.

Re:Encryption

[Ken_g6]

I'll (fully) encrypt my sticks as soon as somebody makes an encryption software that is preinstalled in Windows AND Linux. (AND Mac OS X would be nice too). If I can't use it on a computer I don't have admin rights on, full-disk encryption is worthless to me.

On the other hand, I store my backups encrypted with AES-256 in openssl. I keep a Windows binary of OpenSSL on the drive so I know I can decrypt them if I really have to.

Re:Encryption

[petman]

Huh? I installed Truecrypt on my Ubuntu box easily enough from a PPA.

Lost? Riiigghtt...

[wjcofkc]

I can see someone "loosing" a couple in the employee smoking area outside of a bank or large tech company. Lost, sure they were.

Re:Lost? Riiigghtt...

I remember this attack in the past. At the time, it was the early 2000s and "Free MP3 CDs" were used. The autorun.inf ran some software that had a keylogger, and it also did some fairly fancy PPP over SSH tunneling.

It managed to completely compromise the business, and because their bread and butter was their software build tree and code, a competitor started overseas, got in touch with every single one of the business's clients to offer the same exact software for 1/4 the price, and the original business was shuttered within six months because they lost not just customers, but a needed VC funding round.

It used to be I'd just stuff a random USB flash drive into a Linux box, dd if=/dev/zero of=/dev/sdwhatever, but newer Trojanized ones actually register as a keyboard/mouse and start trying Windows commands once inserted.

Re:Lost? Riiigghtt...

[StikyPad]

I can see someone "loosing" a couple

Me too. I think it was called goatse.

Re:Lost? Riiigghtt...

[Lunzo]

WHOOOSH!

Conclusions

[Rudisaurus]

Conclusions you can draw from this study: people who ride transit and lose their USB memory stick while doing so are

(a) unlikely to encrypt the contents of their memory stick, and
(b) prone to malware infections

I'm not certain that this group is representative of the general population, however.

Re:Conclusions

[MozeeToby]

(c) Blackhats are leaving infected USB sticks on public transit on purpose to act as honey pots and spread infections.

Re:Conclusions

Alternatively, one could conclude that infected memory sticks are more prone to being left on trains.

Re:Conclusions

[BasilBrush]

Conclusions you can draw from this study: people who ride transit...
I'm not certain that this group is representative of the general population, however.

You must be American.

Safe USB

[FuzzyHead]

I practice safe USB plugging. I put a rubber cover over my USB stick before I try to plug it in to anything. I have never once caught a virus on it.

Re:Safe USB

That's a hardware solution of dubious value. :-)

I prefer to make a fake, read-only AUTORUN.INF directory with a read-only text file in it (usually I say what it's there for and call it "readme.txt"). Until malware gets smart enough to look at what's on the usb drive first before blindly writing it's own bogus AUTORUN.INF file, this seems to immunize them pretty effectively (the write will fail, both because the directory is read-only and because it is a non-empty directory rather than a file). Between that and disabling autorun on every machine I use, even if a worm gets on there: A) the payload doesn't get run automatically by the AUTORUN.INF file because the file is broken, and B) it doesn't get run when it gets plugged into my machines. Usually I just see a lonely payload file on there, often hidden in the Recycler, and delete it.

Re:Safe USB

[couchslug]

I just pull out early.

Re:Safe USB

[The+Wild+Norseman]

I practice safe USB plugging. I put a rubber cover over my USB stick before I try to plug it in to anything. I have never once caught a virus on it.

Meh. I just rely on the box I plug into to be using an IUD (Intrausb Device).

Sample issues

[igorthefiend]

This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

There's another sample out there of sticks that WERE encrypted, or DID have useful data on them that were recovered by their owners. IE they were USB sticks that nobody gave a shit about. Why would we be surprised that there's malware on them and that there was no sensitive data. The other sticks were likely reclaimed.

Re:Sample issues

[icebike]

This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

Auctioning these thing seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information, (even if accidentally lost) to total strangers.

From TFA:

he Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

Re:Sample issues

[dissy]

Auctioning these thing seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information, (even if accidentally lost) to total strangers.

http://en.wikipedia.org/wiki/Lost,_mislaid,_and_abandoned_property

Concerning abandoned or lost property, generally the finder must attempt to locate the original owner (title owner), usually by way of handing the property over to the authorities so they can attempt to return it.

However, if the lost property is not claimed after a time, then it legally becomes the property of the finder, and the finder gains the right to claim ownership over the item, to everyone except the title owner and any other previous holder of the item.

If the item is not claimed at all, they then gain ownership with all the rights that entitles, including reselling the item.

I admit the addition of copyright law, concerning the actual data on the flash drive, might be an entirely different matter.

However the rail corp never copied the data on the drives, so they are not in violation of copyright. Property law says they own the drive and the data, so reselling the data is also allowed, as long as they didn't make a copy to keep after the sale is complete.

There might be a problem if the final buyer did copy and distribute the data, but that violation would be committed by the final buyer, not the rail corporation.

CityRail = CityFail

It is more likely that the USB's got infected when someone at CityRail plugged them in to see if there was 'anything good' stored.

Re:CityRail = CityFail

[The+Mister+Purple]

That hadn't occurred to me. I wonder if the study included a security audit of the CityRail computers?

Re:CityRail = CityFail

[Teun]

In that case they would all have carried the same virus.

Re:CityRail = CityFail

[Yvan256]

Not if they were plugged into different computers. As Mister Purple said above, a security audit of the CityRail computers should have been done first. And as Icebike said above, I'm also wondering about the legal ramifications for the CityRail about selling things which includes private information.

Very nice of the Rail Corporation to auction them?

[sirdude]

So, RailCorp decided to auction off lost property that could well be of a sensitive nature to some random member of the public? How responsible is that? Shouldn't the fact that they are able to sell lost (and used) property off at twice their retail value ring a few alarm bells?

Re:Very nice of the Rail Corporation to auction th

[icebike]

My thoughts exactly.

None of these (256 meg to 8 Gig) were so valuable that their destruction would have been considered a huge waste, and the potential damage to the forgetful owner could be massive. You would think that the LEAST they could do was format them, which itself is far from fool proof. But releasing them intact just seems dumb, even if not illegal.

he Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

Summary...

[Chelloveck]

Anti-virus vendor says there's yet another way to get a virus, and you need their product even more. Film at eleven.

Re:On purpose

[camperdave]

Actually, leaving it on a bus is a pretty poor way to spread malware. If you are going to be dropsticking, then you want to do it in and around internet cafes and libraries - places where you expect people with computers to be.

hello, good samaritan

[Thud457]

Hey, you found my virus collection! I've been looking for that.
Don't worry about returning the thumbdrive, I'll just download a copy of your computer.

Two-thirds of drives were on a Windows computer

[Teun]

One clear outcome of this investigation is that 2/3 of these USB drives were inserted into Windows computers.

Because it's generally accepted more than 66% of computers run on an MS OS we can guestimate how many of them are infected.

How to safely use a USB drive?

What are the best practices for accepting and retrieving files from a USB drive someone gives you?

(assuming I trust the author of the files)

1) turn off autoplay on your system
2) plug it in
3) scan the mounted drive with antivirus software
4) drag and drop the select data files

Aside from having up to date antivirus, windows patches. and app patches, are ther any other good security steps specifically related to USB drives / portable drives?

Re:How to safely use a USB drive?

[SuricouRaven]

At my workplace,

1) Give it to either my boss, who has a Mac at his desk, or a coworker with a Ubuntu desktop. Failing that, boot a spare laptop off my my ubuntu boot-stick and use that.

Re:How to safely use a USB drive?

[LinuxIsGarbage]

Autorun / Autoplay should be permanently disabled anyways. I believe Vista/7 are a bit tighter than XP as far as Autorun, and XP is slightly better than nothing

The default action in XP is to execute autorun on CDs. This is how Sony rootkits get spread, and poses a hazard with U3 drives which have a partition that appears like a CD.

With flash drives by default XP will load the "what do you want to do?" window and the first option will be the autorun. However if you cancel this dialog, and at any point double click the drive in explorer it will execute the autorun anyways. I think Win7 is less big on running autoruns on a flash drive, and will now ask by default on a CD.

Re:Very nice of the Rail Corporation to auction th

[geekoid]

No. IT's normal SOP. It's not there responsibility to correct everyone else's mistakes. You lose a USB stick and don't claim it? TFB.

The fact they sell it for more the retail just says idiots are buying it.

There are two conclusion possible

[drolli]

a) either a lot of pseudo-security researchers jumped on the 'lets loose USB sticks on the train' train

b) being careless enough to loose a usb stick is correlated with being careless enough not to encrypt it and both are correlated to be careless enough not to run your virus checker very often.

Re:FAT

[SuricouRaven]

There is one very good excuse. Portability. That's what USB sticks are used for. You want to be able to take your stick and use it on your desktop, your laptop, your work (/school) computers where you don't have admin access, your friends' computers, and so on regardless of what OS. And right away, not after first installing additional software. None of those solutions solve this problem.

Re:FAT

[Vegemeister]

Can an arbitrary Windows machine read an ext2 volume? Can an arbitrary Linux machine mount a BitLocker volume? Can you install Truecrypt and mount containers on arbitrary Windows and Linux machines without root privileges? Thought not.

Re:FAT

[mlts]

There is not much that works cross platform. If I were moving data between completely different platforms, I'd use something standard that would work on a file basis, rather than a filesystem or disk basis basis. The answer to this is gpg. Most platforms have a working gpg ported to them, be it Android, Solaris, AIX, Windows, Linux, BSD, or even iOS (both jailbroken and non jailbroken apps). I'd just encrypt a file using a passphrase and call it done. If it were a bunch of files, create a bit of chaff of a random size, tar that up, gpg the tar file and copy that to the drive.

So, with this in mind, TrueCrypt or BitLocker do the job well enough. Oftentimes, I'm just moving data from a Windows box to a Windows box, or from a Mac to a Mac. These cases, Disk Image or BitLocker is good enough.

Re:Very nice of the Rail Corporation to auction th

[Nidi62]

You lose a USB stick and don't claim it? TFB.

Because when you lose a USB stick the first place you think to look is the subway...

Re:Very nice of the Rail Corporation to auction th

The fact they sell it for more the retail just says idiots are buying it.

Or, you know, it says that lost USB sticks are more valuable than new, blank sticks. Think about why that might be.

Re:Very nice of the Rail Corporation to auction th

[LordLucless]

Or that people are fishing for data rather than hardware

Ethics of selling your misplaced information?

[AaronLS]

I find the actions of the rail corporation to be pretty alarming.

So if someone leaves private information, financial documents, etc. laying around my home or business, I can just collect them up, claim them as my own, and auction them off to the highest bidder?

Aside from the fact that they were foolish to not encrypt the information on their drives, it doesn't justify ethical handling of the found information. You don't find someone's wallet then sell it to someone who could be a potential white collar criminal, and then try to make moral excuses for yourself by saying "Oh they should have encrypted their wallet..."

Re:On purpose

[icebike]

Actually, leaving it on a bus is a pretty poor way to spread malware. If you are going to be dropsticking, then you want to do it in and around internet cafes and libraries - places where you expect people with computers to be.

Because we all know, people who take buses and trains don't use computers, right?

Which begs the question of why these usb sticks were found on trains in the first place.

Re:Very nice of the Rail Corporation to auction th

[icebike]

The Rail corporation has no moral right to sell information that could be damaging to the financial well being of another person
JUST BECAUSE that person accidentally dropped something.

There are laws covering lost property in almost every jurisdiction, and most of them give the finder more rights to the property than anyone other than the original owner. Never the less, selling damaging personal information is in itself a crime (invasion of privacy) and that it was carried out by government funded organization is inexcusable.

Rail corp's own Code of Conduct page links to a Corporate PDF that outlines their expectations, including:

You must:
Take care when collecting, storing, using
and disclosing personal information in
order to protect individuals’ privacy

They demand this of their employees, but think nothing of the rights of their customers?

Re:On purpose

[chaboud]

Dude. Stop with the brain hurt.

Clearly, people got these because they are dumb. We know that they are dumb because they ride public transit. They ride public transit because they are poor. Dumb, poor, train people got sticks without understanding what they were for. They probably tried to eat them and left them in the train.

Because they're dumb, poor, non-computer people.

QED.

Now I have to go catch a train home.

Re:Very nice of the Rail Corporation to auction th

Considering the highest bidder in the auction was a security company, it would seem that the black hats already know that these memory sticks are unlikely to contain anything valuable. We'd see a black market if they did, with petty criminals scouring the streets for lost USB sticks, and fences purchasing them.

Communications Skills

[Ghaoth]

"a passel of USB sticks" WTF is a "passel"

Re:Communications Skills

[__aajfby9338]

"a passel of USB sticks" WTF is a "passel"

Some of the hallmarks of good communication skills are having a large vocabulary, and knowing how to add new words to it.

Definition of passel

Re:Communications Skills

[flyingfsck]

A passel is a large number of something. It is a variant of the word parcel. So, the word is correctly used in this story.

Re:Communications Skills

[Ghaoth]

Agreed but..."passel" is a posh American corruption introduced by nasal congestion and definitely not a new word, just bad spelling by phonetics. A bit like coral parlips.

" The company analyzed 50 USB sticks"

[mapuche]

A too small sample to come with any conclussion.

Re:" The company analyzed 50 USB sticks"

[flyingfsck]

No, 50 is actually a magical number where sets are generally considered to be statistically significant.

How _would_ you wipe one if you got it?

[mbourgon]

Okay, so say you find one. Or your relative/friend/coworker gives you one. OR, you need to loan them yours for a few minutes (happens more and more often now that computers don't come with floppies). What then? Once you get it back, how do you wipe it such that you can reuse it, but it doesn't have anything on it? I'd rather not kiss a $3 drive goodbye everytime that happens. On Linux you'd have to mount it, so (IIRC) you'd be able to just format the partition before mounting.

But how about on Windows. Mac OS? Or if I have autostart (or whatever it's called) off, am I safe? (and yes, I'm pretty sure that last one isn't right).

Re:How _would_ you wipe one if you got it?

[L4t3r4lu5]

Personally, use a LiveCD (Dr Web) in an old laptop with no hard disk as a sheep-dip station. If I'm handed a memory stick, it gets scanned before it touches a network connected device. It's not 100% foolproof, but it eliminates a lot of risk. Once scanned, I plug it in to my workstation to see what's on it. Disabling auto-run prevents automatic launch of any payload, and media-insertion scan from $favouriteAVproduct will let you know of anything else untoward.
br.Failing that, snap the thing in half and chuck it in the recycling. Hey, it's $3. Or, free at any trade show.

Re:Very nice of the Rail Corporation to auction th

[demonlapin]

I suspect that a greater problem is trying to convince the lost and found jobsworth that that one is yours.

Want to bet?

[Paul1969]

I find it hard to believe that none of the folks who turned in "lost" USB sticks took a minute to check if there was any hot pr0n on them first.

Good news and bad news

[Sloppy]

He meant steganography but

1. that is a very long word and people hate to type it
2. he didn't want you to know what he was talking about, or even know that he was talking about something else

so he used encoded shorthand for it.

Fortunately, you were able to expand the shorthand, so the meaning wasn't lost. Unfortunately, you guessed the code, so the meaning wasn't lost.

Re:Scammers

[sixsixtysix]

this is exactly what i was thinking. purposely left for goal of infecting.

Virus Collection

Ah someone has finally found my missing virus collection!
Please return it, no questions asked.

PO Box 10110110110
Virus Park, Washington DC.
20001 /sarc off

In other news...

[bcmm]

In other news, totally impartial research conducted by Dettol shows that your bathroom isn't clean enough.

AV Marketing?

[ProfanityHead]

From TFA:

The experiment was done by antivirus firm Sophos, which acquired three bags of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales.

Sounds like something drummed up by their marketing department?

An antivirus firm finds malware...surprise

[doston]

Sophos has every reason to find more malware than anyone on here would expect to find on lost USB sticks. I've been an SA for a long time and Malware just isn't as common as the antivirus firms would like everyone to believe it is. I'd like to know what their definition of malware is for this informal "study". It's probably so loose as to be a joke. Whenever I've found malware, it's never removed by any antivirus program out there. They're all completely worthless, but I guess it keeps people working and that's great. If they did indeed find actual malware, which I highly doubt, then I'd say the USB sticks were planted for fools to pick up and shove in their hungry usb holes.

This isn't necessarily indicative of anything...

[Vrtigo1]

I have a whole bunch of unencrypted USB sticks...because the stuff I put on them isn't worth encrypting. As a geek I put stuff like drivers, or maybe music or a movie on them. Hardly stuff I care about other people getting their hands on. What would be more telling is the percentage of unencrypted sticks that contained sensitive information such as financial or medical data.

Re:FAT

[Vegemeister]

But the entire point of USB flash drives is being able to carry your data around and access it on random systems. When I want security, I carry a flash drive with portable WinSCP and putty. Create a password-protected ssh key just for that flash drive, and you can just remove it from ~/.ssh/authorized_keys if the flash drive gets lost.