Slashdot Mirror


Two-Thirds of Lost USB Drives Carry Malware

itwbennett writes "Antivirus firm Sophos acquired a passel of USB sticks lost by commuters on trains in the Greater Sydney metro area at an auction organized by the Rail Corporation New South Wales. The company analyzed 50 USB sticks and found that not a single one was encrypted and 33 of them were infected with at least one type of malware."

57 of 196 comments

  1. What do you expect .. by roguegramma · · Score: 5, Funny

    .. they were lost by the 10% of commuters stupid enough to lose an USB stick.

    --
    Hey don't blame me, IANAB
    1. Re:What do you expect .. by Marxist+Hacker+42 · · Score: 5, Interesting

      I was thinking of a different self-selecting sample- the script kiddies willing to spread malware-infected USB sticks around in public to see which computers phone home.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    2. Re:What do you expect .. by BitterOak · · Score: 3, Insightful

      .. they were lost by the 10% of commuters stupid enough to lose an USB stick.

      Why is this modded troll? Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.? I'm not suggesting that it is impossible for a very careful person to drop something or have it fall through an unknown hole in the pocket, but at the same time, I don't think it is unreasonable to suspect that a population of those who left their USB sticks on the subway aren't necessarily perfectly representative of the population of USB stick users as a whole.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    3. Re:What do you expect .. by geekoid · · Score: 2

      Because he implies when someone loses something it's because they are stupid; which is false.

      Which implies all people not losing stuff are smart.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:What do you expect .. by MurukeshM · · Score: 4, Informative
      They considered that angle. But then

      Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.

      "We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.

      "The malware involved was mostly very prevalent, general-purpose, zombie stuff," Ducklin explained. The security expert believes that this method of malware distribution is not even viable because most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

      [TFA]

    5. Re:What do you expect .. by aix+tom · · Score: 3, Insightful

      People who lose stuff are not necessarily more "stupid", but they are definitely more "careless"

      And yes, people who care enough to double-check all their possessions lose less than people who don't.

      And the people who double-check their possessions are probably also the ones who double-check their virus scanner and/or their encryption.

      It has little to do with "stupid". In fact, one of the stereotypes of a careless person is the highly intelligent "absent minded professor"

    6. Re:What do you expect .. by nine-times · · Score: 4, Insightful

      It seems likely that people who are careless also lose things more often.

    7. Re:What do you expect .. by BasilBrush · · Score: 3, Interesting

      Is it unreasonable to assume there might be some correlation between those people who are less careful with possessions and those who are less careful about encryption/malware, etc.?

      It's not an unreasonable hypothesis to raise. It is unreasonable to assume it's true.

    8. Re:What do you expect .. by jabberw0k · · Score: 5, Insightful

      most lost USB sticks are being handed into lost property rather than being plugged into computers by users.

      100% of items handed in, have been handed in -- what a surprise! How do they track lost items that were not handed in? This is as accurate as Gracie Allen's telephone poll -- 100% of people she phoned, had a phone.

    9. Re:What do you expect .. by hairyfeet · · Score: 2

      Call me paranoid but maybe some of the infected ones were lost on purpose? There are plenty of places to buy REALLY cheap USB sticks, especially if you get the smaller ones. IIRC there is a place selling the 256Mb sticks for something like 40c in bulk. If I wanted to spread malware to as many people as possible it sounds like an awful cheap way to do it, just leave sticks around the places where those that work at the place I want to hack frequent, like say the subway they use at the time of the day they use it? Who cares if a couple get picked up by nobodies or end up in lost and found, they're cheap!

      But the fact that they find so many whether lost intentionally or not really doesn't surprise me, hell I've lost some of my smaller sticks here and there. But of course I don't keep any data I give a crap about on them either, just drivers and flash tools for cleaning boxes. If someone was to find that 1GB stick I lost somewhere all they'll get is a bunch of freeware cleaners and the latest Realtek drivers that were out at the time. Maybe the reason they weren't encrypted is, like me, many simply didn't have anything worth giving a shit about?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:What do you expect .. by Just+Brew+It! · · Score: 2

      But it is not unreasonable to expect that people who are less careful with physical possessions may also be less careful in other ways as well. So it would not surprise me if there is a correlation between "tends to lose USB sticks in public places" and "tends to get infected with malware".

    11. Re:What do you expect .. by mjwx · · Score: 2

      They considered that angle. But then

      Ducklin said that the likelihood of the USB sticks being left on trains on purpose by hackers or penetration testers so they are picked up by corporate users and plugged into their work computers, is very low.

      "We didn't find any evidence to support the theory that the USB sticks had been deliberately planted," said Graham Cluley, a senior technology consultant at the company.

      [TFA]

      Trains are not logically a good place to leave sticks lying around for an attack. People treat things found on trains as suspicious, worse yet will hand them over to security. In order to attack via this angle you need to get people where they feel safer, such as in a workplace where they'll see a USB stick in the work dunny and think "Free USB stick".

      Also, never ascribe to malice what can easily be explained by stupidity. Steve the Salesman with his Blackpad and iBerry, paying zero attention to what he is doing, could easily lose a USB stick out of his pocket. Given it will cost his company's IT dept $10 to replace, he just doesn't care.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    12. Re:What do you expect .. by Jafafa+Hots · · Score: 2

      When you get off the train and check your pockets, that's double checking.

      When your double checking reveals that the USB stick is not in your pocket but is instead still on the train that's just closed its doors to pull away, that means by the GP's logic that you, having just lost the stick, are careless.

      Therefore we must conclude apparently that double-checking is a sign of carelessness.

      --
      This space available.
    13. Re:What do you expect .. by tbird81 · · Score: 2

      The incorrect part is saying "An".

      You should use "an" as the article if the next word begins with a vowel sound. So we say "a European" (pronounced you-row-pean), "a universal serial bus", "a U-boat", "a yellow banana". We say "an apple", "an honourable discharge", and "an yttrium semiconductor" (pronounced ittrium).

      So the rule is based on the sound and how things flow, not the actual letter of the alphabet used.

    14. Re:What do you expect .. by altstadt · · Score: 2

      The a/an rule of thumb is to use "a" if the next word sounds like it starts with a consonant, and "an" if it sounds like it starts with a vowel.

      To English ears, a German speaker says "ooh ess bay", while an English speaker says "you ess bee". The y sound in this case is a consonant, so a native English speaker will say "a you ess bee stick".

      All bets are off when the word following a/an starts with an h, since the letter can be silent or verbalized depending on the word and where you grew up.

    15. Re:What do you expect .. by RockDoctor · · Score: 2

      100% of items handed in, have been handed in -- what a surprise! How do they track lost items that were not handed in?

      It shouldn't be that difficult. The statistics would be a bit wobbly, giving fairly wide error bars, but the data should be available.

      (Caveat : this applies to Scotland ; it may not apply to the rest of Britain, let alone Australia ; the German system doesn't seem terribly different). I've lost mobile phones in the past - in the back of taxis normally - and on one occasion out of IIRC three, it's been in the police's lost property office (most taxi companies are pretty good about this ; it's ultimately not in their interest to not do so). Each time I go into the lost property office, they take a note of my name, a description of the item lost, and the approximate location (because a lot of taxi companies only make one run to the lost property office a week ; perfectly reasonable, no charges of "theft by finding" if there's an established record from the company and some sort of record-keeping).
      So, those records of lost property enquiries constitute a sample of the actual amount of lost property.
      The records of lost property actually handed in constitute a different sample of the actual amount of lost property.
      The "hit rate" of matching lost property to enquiries should be enough to tie the two data sets together. I think the situation is comparable to a capture-tag-release-recapture-count tags experiment for estimating populations of wild animals, which is a standard operation. Hyper-geometric distribution, IIRC.

      Oops, phone calls ... got to go and be transport for people.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Mac by cyachallenge · · Score: 5, Insightful
    FTA

    One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

    1. Re:Mac by Anonymous Coward · · Score: 2, Interesting

      ... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

    2. Re:Mac by Rockoon · · Score: 3, Funny

      ... which unfortunately doesn't really tell us anything, since they don't mention how many of the uninfected storage devices were like that.

      Yes they did, and then the guy you replied to did also.

      It was seven. Were you looking for digits? 7.

      --
      "His name was James Damore."
    3. Re:Mac by John+Bresnahan · · Score: 4, Funny

      FTA

      One interesting aspect of the results was that based on their data and formatting seven of the infected storage devices belonged to Mac OS X users or had been extensively used under this OS.

      Which means that those USB drives had been plugged in to a Windows machine at least once.

    4. Re:Mac by BasilBrush · · Score: 3, Funny

      We have a winner!

    5. Re:Mac by Alomex · · Score: 2

      A few years back Mac USB keys were much more likely to be carriers of Windows viruses since Macs did not scan for those.

       

  3. Truecrypt? by shellster_dude · · Score: 2, Insightful

    How would they know if it had been encrypted by something like Truecrypt which is designed to be invisible to prying eyes?

    1. Re:Truecrypt? by mr1911 · · Score: 4, Insightful

      TrueCrypt does not make invisible containers. It makes encrypted containers.

      There is an exception for the container hidden in a container, but that only offers plausible deniability as the existence of the larger container is obvious.

      --
      This post comes with a double-your-money-back guarantee!
      Any offense taken to this post is at your sole discretion.
    2. Re:Truecrypt? by shellster_dude · · Score: 3, Insightful

      Still, how would they know if some sort of stenography was being implemented, or if I had a Truecrypt volume called "ProgramA.bin"?

    3. Re:Truecrypt? by black3d · · Score: 5, Informative

      Truecrypt isn't designed to be invisible at all. Aside from entirely encrypted drives, it's fairly obvious if someone HAS encrypted data. Truecrypt is about hiding that data via hidden partitions within outer encrypted containers, and plausible deniability.

      Truecrypt volumes are generally detectable:
      http://www.jadsoftware.com/?page_id=89
      https://code.google.com/p/tcdiscover/
      And if the researchers discovered drives that are filled entirely with random data, then they know they're either securely formatted or encrypted, and would likely consider them the latter - if they're securely formatted the file system appears intact. If the entire drive is encrypted (or securely erased from the MBR up) then the FS is not intact, and it's a fair bet that the researchers are claiming they found all sticks with intact file systems, formatted to the same volume as the stick, with single partitions.

      As are those hidden within files:
      http://16s.us/TCHunt/index.php

      But - the reason for the ramble: Never make the mistake of thinking Truecrypt is invisible. It's not. What's "invisible" should be your second hidden volume within the Truecrypt container - if you've set it up correctly. And there have previously even been attacks on that, in the event attackers are able to gain access to the external container. Work on your plausible deniability. Don't rely on TC to do the work for you or you'll end up with leaks everywhere.
      http://www.schneier.com/paper-truecrypt-dfs.pdf

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
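
The kind of check that makes a container such as "ProgramA.bin" stand out, as an added example that is not part of the comment above and is not the code of any tool it links. It assumes a generic heuristic (no recognisable file signature, size a multiple of 512 bytes, byte histogram statistically uniform); the thresholds, signature list and function names are illustrative assumptions, and the sample files are constructed.

```python
"""Triage files that look like encrypted containers (added example)."""
import os
import random
import tempfile
from dataclasses import dataclass

# All thresholds below are assumptions chosen for this illustration.
SECTOR = 512                # container sizes assumed to be sector multiples
MIN_SIZE = 16 * 1024        # tiny files give unreliable statistics
SAMPLE = 1024 * 1024        # bytes read from the start of each file
CHI2_BAND = (163.0, 373.0)  # acceptance band around 255 (255 degrees of freedom)
MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"MZ",
         b"\x7fELF", b"\x1f\x8b", b"GIF8", b"Rar!", b"7z\xbc\xaf")

@dataclass
class Verdict:
    suspect: bool
    chi2: float
    reasons: list  # why the file was ruled out; empty when suspect

def chi_square(data: bytes) -> float:
    """Pearson chi-square of the byte histogram against a uniform distribution."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)

def classify(head: bytes, size: int) -> Verdict:
    """Apply the three checks; a file is suspect only if none rules it out."""
    reasons = []
    if size < MIN_SIZE:
        reasons.append("too small")
    if size % SECTOR:
        reasons.append("size not a multiple of 512")
    if head.startswith(MAGIC):
        reasons.append("known file signature")
    chi2 = chi_square(head) if head else float("inf")
    if not CHI2_BAND[0] <= chi2 <= CHI2_BAND[1]:
        reasons.append("byte distribution not uniform")
    return Verdict(not reasons, chi2, reasons)

def inspect_file(path: str) -> Verdict:
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    return classify(head, size)

def scan(root: str) -> list:
    """Return the sorted paths under root that pass every check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if inspect_file(path).suspect:
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)

def constructed_samples() -> dict:
    """Constructed test data: seeded pseudo-random bytes stand in for ciphertext."""
    rng = random.Random(1337)
    noise = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    text = (b"Quarterly report draft, do not distribute.\n" * 2000)[:64 * 1024]
    return {
        "ProgramA.bin": noise,                         # uniform, sector aligned
        "photo.jpg": b"\xff\xd8\xff\xe0" + noise[4:],  # uniform body, JPEG signature
        "notes.txt": text,                             # plain text, skewed histogram
        "odd.bin": noise[:-100],                       # uniform but not sector aligned
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in constructed_samples().items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        for name in sorted(os.listdir(tmp)):
            v = inspect_file(os.path.join(tmp, name))
            print(f"{name:14} chi2={v.chi2:12.1f} suspect={v.suspect} {v.reasons}")
```

A hit only means the file is indistinguishable from random data, so other ciphertext can pass too; the check says nothing about a hidden volume inside an outer container.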
    4. Re:Truecrypt? by geekoid · · Score: 2

      Based on... what? Routine makes fools of us all from time to time.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    5. Re:Truecrypt? by Anachragnome · · Score: 4, Funny

      Thanks.

      I guess the old adage still applies...

      "Careful where you stick that thing, son..."

    6. Re:Truecrypt? by Artifakt · · Score: 4, Funny

      how would they know if some sort of stenography was being implemented

      You are correct. There is no known way to detect which files were transcribed in shorthand by a person taking dictation before being entered by keyboard...
      Oh, wait, you meant "steganography", didn't you?

      --
      Who is John Cabal?
  4. I can't believe that many people... by Fallingcow · · Score: 4, Funny

    ... carry acroread.exe and/or iexplore.exe around on their USB sticks.

    Weird.

    1. Re:I can't believe that many people... by 1729 · · Score: 4, Informative

      This is a routine trick in a security audit: drop some USB sticks in the employee parking lot, and see how many folks just plug it into their computer.

    2. Re:I can't believe that many people... by jd · · Score: 3, Funny

      I'm more inclined to think that the trains in Australia are carrying viruses and simply infect the USB sticks on contact.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:I can't believe that many people... by StikyPad · · Score: 2

      At work? Count me in. It's not my computer.

    4. Re:I can't believe that many people... by flappinbooger · · Score: 2

      This is a routine trick in a security audit: drop some USB sticks in the employee parking lot, and see how many folks just plug it into their computer.

      Or, an autorun CD with "top secret" or "big huge boobies" written on it with a sharpie.

      What percent "success" rate do the pen testers get seeding a parking lot with removable media?

      I'd label a CD-R with the name of a current large project or some other verbiage and make it look like someone was sneaking out confidential design files. Drop it some place someone will see it who knows about that project, and you'd be almost guaranteed it will get stuck in a computer, they will have to try and see what was being walked out of the building and by whom.

      --
      Flappinbooger isn't my real name
  5. Encryption by Hatta · · Score: 5, Insightful

    The whole point of portable USB sticks is to access your data from strange computers. Plugging an encrypted USB stick into a strange computer completely defeats the point of the encryption. None of my USB sticks are encrypted; they don't need to be because they have no personal information on them.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Encryption by Anonymous Coward · · Score: 5, Informative

      That's not the only point of USB sticks - they can also be used to synchronise two trusted computers at different locations. I use one for just this purpose. However, mine is encrypted.

  6. Lost? Riiigghtt... by wjcofkc · · Score: 4, Interesting

    I can see someone "losing" a couple in the employee smoking area outside of a bank or large tech company. Lost, sure they were.

    --
    Brought to you by Carl's Junior.
  7. Conclusions by Rudisaurus · · Score: 4, Insightful

    Conclusions you can draw from this study: people who ride transit and lose their USB memory stick while doing so are

    (a) unlikely to encrypt the contents of their memory stick, and
    (b) prone to malware infections

    I'm not certain that this group is representative of the general population, however.

    --
    licet differant, aequabitur
  8. Safe USB by FuzzyHead · · Score: 5, Funny

    I practice safe USB plugging. I put a rubber cover over my USB stick before I try to plug it in to anything. I have never once caught a virus on it.

    1. Re:Safe USB by couchslug · · Score: 2

      I just pull out early.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  9. Sample issues by igorthefiend · · Score: 2

    This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

    There's another sample out there of sticks that WERE encrypted, or DID have useful data on them that were recovered by their owners. IE they were USB sticks that nobody gave a shit about. Why would we be surprised that there's malware on them and that there was no sensitive data? The other sticks were likely reclaimed.

    1. Re:Sample issues by icebike · · Score: 4, Insightful

      This isn't lost USB sticks - this is USB sticks that were lost and weren't reclaimed long enough to end up in a transit authority auction.

      Auctioning these things seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information, (even if accidentally lost) to total strangers.

      From TFA:

      The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Sample issues by dissy · · Score: 2

      Auctioning these things seems the height of irresponsibility. I wonder what legal ramifications there are for the Rail Corporation in releasing private information, (even if accidentally lost) to total strangers.

      http://en.wikipedia.org/wiki/Lost,_mislaid,_and_abandoned_property

      Concerning abandoned or lost property, generally the finder must attempt to locate the original owner (title owner), usually by way of handing the property over to the authorities so they can attempt to return it.

      However, if the lost property is not claimed after a time, then it legally becomes the property of the finder, and the finder gains the right to claim ownership over the item, to everyone except the title owner and any other previous holder of the item.

      If the item is not claimed at all, they then gain ownership with all the rights that entitles, including reselling the item.

      I admit the addition of copyright law, concerning the actual data on the flash drive, might be an entirely different matter.

      However the rail corp never copied the data on the drives, so they are not in violation of copyright. Property law says they own the drive and the data, so reselling the data is also allowed, as long as they didn't make a copy to keep after the sale is complete.

      There might be a problem if the final buyer did copy and distribute the data, but that violation would be committed by the final buyer, not the rail corporation.

  10. CityRail = CityFail by Anonymous Coward · · Score: 4, Interesting

    It is more likely that the USBs got infected when someone at CityRail plugged them in to see if there was 'anything good' stored.

    1. Re:CityRail = CityFail by The+Mister+Purple · · Score: 4, Insightful

      That hadn't occurred to me. I wonder if the study included a security audit of the CityRail computers?

      --
      "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." Feynman
    2. Re:CityRail = CityFail by Teun · · Score: 2

      In that case they would all have carried the same virus.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  11. Very nice of the Rail Corporation to auction them? by sirdude · · Score: 2

    So, RailCorp decided to auction off lost property that could well be of a sensitive nature to some random member of the public? How responsible is that? Shouldn't the fact that they are able to sell lost (and used) property off at twice their retail value ring a few alarm bells?

  12. Re:Very nice of the Rail Corporation to auction th by icebike · · Score: 4, Insightful

    My thoughts exactly.

    None of these (256 meg to 8 Gig) were so valuable that their destruction would have been considered a huge waste, and the potential damage to the forgetful owner could be massive. You would think that the LEAST they could do was format them, which itself is far from fool proof. But releasing them intact just seems dumb, even if not illegal.

    The Sophos researchers found personal information belonging to the former owners of the devices, as well as their families, friends and colleagues. The recovered files included images, documents, source code, audio files, video files, XML files and even AutoCAD drawings.

    --
    Sig Battery depleted. Reverting to safe mode.
  13. Summary... by Chelloveck · · Score: 4, Insightful

    Anti-virus vendor says there's yet another way to get a virus, and you need their product even more. Film at eleven.

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  14. Re:On purpose by camperdave · · Score: 2

    Actually, leaving it on a bus is a pretty poor way to spread malware. If you are going to be dropsticking, then you want to do it in and around internet cafes and libraries - places where you expect people with computers to be.

    --
    When our name is on the back of your car, we're behind you all the way!
  15. Re:Very nice of the Rail Corporation to auction th by geekoid · · Score: 2

    No. It's normal SOP. It's not their responsibility to correct everyone else's mistakes. You lose a USB stick and don't claim it? TFB.

    The fact they sell it for more than retail just says idiots are buying it.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  16. Re:FAT by Vegemeister · · Score: 2

    Can an arbitrary Windows machine read an ext2 volume? Can an arbitrary Linux machine mount a BitLocker volume? Can you install Truecrypt and mount containers on arbitrary Windows and Linux machines without root privileges? Thought not.

  17. Re:Very nice of the Rail Corporation to auction th by icebike · · Score: 2

    The Rail corporation has no moral right to sell information that could be damaging to the financial well being of another person
    JUST BECAUSE that person accidentally dropped something.

    There are laws covering lost property in almost every jurisdiction, and most of them give the finder more rights to the property than anyone other than the original owner. Nevertheless, selling damaging personal information is in itself a crime (invasion of privacy) and that it was carried out by a government-funded organization is inexcusable.

    Rail corp's own Code of Conduct page links to a Corporate PDF that outlines their expectations, including:

    You must:
    Take care when collecting, storing, using
    and disclosing personal information in
    order to protect individuals’ privacy

    They demand this of their employees, but think nothing of the rights of their customers?

    --
    Sig Battery depleted. Reverting to safe mode.
  18. Re:On purpose by chaboud · · Score: 3, Funny

    Dude. Stop with the brain hurt.

    Clearly, people got these because they are dumb. We know that they are dumb because they ride public transit. They ride public transit because they are poor. Dumb, poor, train people got sticks without understanding what they were for. They probably tried to eat them and left them in the train.

    Because they're dumb, poor, non-computer people.

    QED.

    Now I have to go catch a train home.

  19. How _would_ you wipe one if you got it? by mbourgon · · Score: 3, Interesting

    Okay, so say you find one. Or your relative/friend/coworker gives you one. OR, you need to loan them yours for a few minutes (happens more and more often now that computers don't come with floppies). What then? Once you get it back, how do you wipe it such that you can reuse it, but it doesn't have anything on it? I'd rather not kiss a $3 drive goodbye every time that happens. On Linux you'd have to mount it, so (IIRC) you'd be able to just format the partition before mounting.

    But how about on Windows? Mac OS? Or if I have autostart (or whatever it's called) off, am I safe? (and yes, I'm pretty sure that last one isn't right).

    --
    "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
    1. Re:How _would_ you wipe one if you got it? by L4t3r4lu5 · · Score: 2

      Personally, use a LiveCD (Dr Web) in an old laptop with no hard disk as a sheep-dip station. If I'm handed a memory stick, it gets scanned before it touches a network connected device. It's not 100% foolproof, but it eliminates a lot of risk. Once scanned, I plug it in to my workstation to see what's on it. Disabling auto-run prevents automatic launch of any payload, and media-insertion scan from $favouriteAVproduct will let you know of anything else untoward.

      Failing that, snap the thing in half and chuck it in the recycling. Hey, it's $3. Or, free at any trade show.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  20. Want to bet? by Paul1969 · · Score: 3, Funny

    I find it hard to believe that none of the folks who turned in "lost" USB sticks took a minute to check if there was any hot pr0n on them first.