Slashdot Mirror


A Lot of People Carelessly Plug In Random USB Drives Into Their Computers (vice.com)

An anonymous reader writes: Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers. Should such people be mocked? Would you plug in a USB drive that you found on the ground? Bruce Schneier, an American cryptographer, computer security and privacy specialist, makes a good point: People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.

13 of 391 comments

  1. I do the same thing with my penis by Anonymous Coward · Score: 5, Funny

    Never know what STDs are there, but YOLO

    1. Re:I do the same thing with my penis by Xenx · Score: 5, Funny

      As this is Slashdot, I imagine your hand has been monogamous. Risk of STDs should be low.

  2. Re:The chance of getting juicy selfies are a lot h by Mr D from 63 · Score: 4, Insightful

    My guess is a fair amount of people open them just in an attempt to ID the owner so they can return it.

  3. Re:Is this still true? by gstoddart · Score: 4, Informative

    You pretty much need to disable it yourself, which means you need to know to do it.

    Microsoft still treats auto-run like it's not a terrible idea.

    It's actually kind of scary that anybody would keep doing that.

    As far as I can see, Windows still excitedly runs anything it sees.

    --
    Lost at C:>. Found at C.
  4. OS designers, not the customers are stupid. by gurps_npc · Score: 5, Insightful

    1) Given: People will take a random USB stick and plug it into a computer.

    2) Conclusion: Only a moron will design an Operating system that automatically runs software on a USB stick. Any sane OS designer should declare all USB sticks to be suspect, and require an explicit confirmation before running any executable on it.

    The minimal convenience of having auto-run for USB drives is far over-ridden by the huge security leak.

    Design products for the people that will run it, not theoretical angels that will read and obey your instruction manuals - especially when they DO NOT COME WITH INSTRUCTION MANUALS anymore.

    --
    excitingthingstodo.blogspot.com
  5. Mr. Robot by show me altoids · Score: 4, Informative

    There is a scene in Mr. Robot where a girl dumps a bunch of infected USB sticks in the parking lot of a police station, and a cop picks one up and plugs it into his computer. I thought this was rather far-fetched, but I guess not.

    --
    I feel sorry for people that don't drink, because when they get up in the morning, that's as good as they're gonna feel
  6. USB authorization by rastos1 · Score: 4, Informative

    That's why we have USB authorization. Since 2007.
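
The Linux USB authorization interface mentioned in the comment above, as an added example that is not part of the original thread: it sets each host controller to default-deny and then authorizes only allowlisted devices, which also covers the first-keyboard question raised further down. The `USB_ROOT` override, the function names and the vendor:product IDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: default-deny USB authorization through the Linux sysfs
# attributes `authorized_default` (per host controller) and `authorized`
# (per device). USB_ROOT is an assumption of this example so the logic can
# be exercised against a constructed directory tree instead of real hardware.
USB_ROOT="${USB_ROOT:-/sys/bus/usb/devices}"

# Tell every host controller to leave newly attached devices deauthorized.
usb_lockdown() {
    for host in "$USB_ROOT"/usb*; do
        [ -w "$host/authorized_default" ] || continue
        echo 0 > "$host/authorized_default"
    done
}

# Authorize only devices whose vendor:product ID appears in the allowlist
# (space-separated, e.g. "1111:2222 3333:4444"); deauthorize everything else.
# Root hubs (usbN) are skipped, interface directories have no idVendor file.
usb_authorize_allowlisted() {
    allow=" $1 "
    for dev in "$USB_ROOT"/*; do
        [ -f "$dev/idVendor" ] && [ -f "$dev/authorized" ] || continue
        case "${dev##*/}" in usb*) continue ;; esac
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        case "$allow" in
            *" $id "*) echo 1 > "$dev/authorized" ;;
            *)         echo 0 > "$dev/authorized" ;;
        esac
        echo "${dev##*/} $id authorized=$(cat "$dev/authorized")"
    done
}

# Typical use on a real system, as root (IDs below are constructed):
#   usb_lockdown
#   usb_authorize_allowlisted "1111:2222"
```

Vendor and product IDs are reported by the device itself, so an allowlist keyed on them narrows what is accepted but does not prove what the device is.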

  7. Re:Is this still true? by Anonymous Coward · Score: 5, Informative

    First, malicious USB devices pretended to be CD readers because Windows would auto-run CDs but not mass storage (see U3, for supposedly non-malicious exploitation of this fact).

    Then Windows started prompting the user before auto-run from CD drives also.

    So now malicious USB devices present themselves as a keyboard and start typing commands (including hotkeys such as Win+R) to download and run malware off the net. USB keyboards can even interact with UAC prompts, even when presented on the Secure Desktop where software input emulation has no effect.

  8. Re:People are stupid by BronsCon · Score: 4, Informative

    You can buy USB drives in bulk for under a buck apiece, they don't need to be high-capacity, a 128MB drive can hold a shitload of malware. $5 might be a bit on the expensive side to infect a random machine that may not even be your target, but $75 to infect 100 machines is cheap for a targeted attack.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  9. Re:Is this still true? by lgw · Score: 4, Insightful

    Bit of a bootstrapping issue there. When you plug in your first mouse or keyboard, what would you use to click "yes"?

    --
    Socialism: a lie told by totalitarians and believed by fools.
  10. Re:The chance of getting juicy selfies are a lot h by sexconker · Score: 4, Interesting

    Yeah right.

    I'm not most people, but I did exactly this (with an SD card).

    I went through photos on the card, managed to find one that included a USPS package, transformed the image to read a partial name and was able to scan the barcode to get a zip, looked at other photos and compared them to Google/Bing maps and found the street but not the address, then found several profiles on the web, ultimately matching one photo to a Facebook account using a cropped version as the profile photo.

    I then created a throwaway email account to create a throwaway Facebook account under the name of Natalie FoundUrSDCard or some such, messaged her and posted the uncropped version of her profile photo, and waited.

    She responded and sent her uncle to come pick it up.

    He did.

  11. USB keyboard. Your computer DOES run the commands by raymorris · Score: 5, Informative

    You assume that USB stick is a flash memory device. Being nasty, it tells the computer that it's a keyboard. Your computer almost certainly processes keyboard commands just like other computers do. I've built one of these.

  12. Re:People are stupid by Dutch Gun · Score: 4, Interesting

    It might be a pretty effective way to go spearphishing though. If you're trying to get into a specific high-value network, then this might be a great way to do it. Drop it outside the target office, label it something like "Private photos - do not view!" or something like that, and watch human nature take over.

    Hopefully the administrator has properly hardened workstations against executing code on a random USB, but I'd bet a surprising number of networks would get infected in fairly short order.

    --
    Irony: Agile development has too much inertia to be abandoned now.