Half of people plug in USB drives they find in the parking lot

A new study has found that almost half the people who pick up a USB stick they happen across in a parking lot plug said drives into their PCs. Researchers from Google, the University of Illinois Urbana-Champaign, and the University of Michigan spread 297 USB drives around the Urbana-Champaign campus. They found that 48 …


  1. Franklin
    Pirate

    Maybe large biz needs to invest in some educational posters. I'm thinking something like the "Loose Lips Sink Ships" propaganda posters from WWII, perhaps a bold color with a cartoon sketch of a USB drive with shark teeth over a witty slogan that rhymes, posted in hallways and employee break rooms.

    I will leave the witty slogans to someone far cleverer than I.

    1. Stevie

      Educational Posters

      Unisys had some back in the 90s that were produced in a depressing three color scheme (grey, red and black on white paper) depicting Fidel Castro presenting two eager children wearing patched long combination underwear with 8" floppy discs which appeared to be infested with earthworms.

      The inspirational message read: Don't give your computer a "virus". (The wording may be off, but the quotes around "virus" are as on the poster).

      The fact that this poster looked exactly like some inspirational posters a colleague had brought back from behind the iron curtain a decade before was icing on the cake.

      1. Anonymous Coward

        Re: Educational Posters

        > Maybe large biz needs to invest in some educational posters.

        Have you just found a USB in the carpark?

        Are you going to plug it in to see what's on it?

        U Silly Berk

    2. Someone_Somewhere

      Re: witty slogans

      I'm not cleverer, nor is this particularly witty, but, "Used USB Drives Cost Lives."

      1. Anonymous Coward

        Re: witty slogans

        As slogans go it's not the best, but it doesn't make that much difference. Sadly with even a wildly successful security education campaign you are only talking about an effectiveness of 2-3% at best. So six months after were you to repeat the test you would find the number of people plugging in the drive would only have dropped to 47%.

      2. allthecoolshortnamesweretaken

        Re: witty slogans

        Not that witty, but how about

        "If you do stupid shit like that the IT guys are allowed to beat you with baseball bats!"

      3. Tigra 07
        Linux

        Re: Someone_Somewhere

        Maybe just a photo of a USB stick being wheeled into a castle by men in armour?

        "Don't invite trojans onto our systems"

    3. Mark 85

      Better than a poster. Just fill each USB port with epoxy except for the mouse and keyboard plug-ins. Then again, there's idiots who would unplug the keyboard and put the stick in there.

      Short of explosives, we can educate all we want but humans are curious and that is the problem.

      1. Ole Juul

        No need for extraordinary or malicious measures. There are safe pranks which can effectively be applied here. USB sticks filled with one of the standard stink bomb mixtures and heating up when you plug them in will work fine. When the office smells like rotten egg and faeces, the culprit will be shamed.

        1. TheOtherHobbes

          >When the office smells like rotten egg and faeces, the culprit will be shamed.

          In the boardroom, it's not obvious anyone will notice a difference.

        2. Nigel 11

          When the office smells like rotten egg and faeces, the culprit will be shamed.

          Just make sure you wear gloves when you assemble it. I suspect it will be some clueless executive's office that will get stinked out, and that he'll hire a private forensics company to try to find the culprit and fire him (after he's tried to convince the local plod that it's bio-terrorists, and the plod laughed in his face).

          Maybe safer to chuck that perfumed USB stick into your local competitor's car-park? Or scale it down to essence of Poundland air-freshener instead of essence of polecat?

          Most entertaining of all might be a few grams of cannabis ....

        3. earl grey
          Trollface

          office smells like rotten egg and faeces

          Wait, you're saying that's not a normal office smell?

      2. P. Lee

        Better than Glue!

        Get those people who write your OS to run the USB drivers in a separate protection ring.

        USB is not normally a speed-critical system in most cases (unlike the NIC or SAS/SATA interfaces) and we know dodgy stuff gets plugged in. So why isn't the OS written properly?

        I can understand free stuff you haven't paid for, or stuff which runs on multiple architectures doing it wrong, but if you pay for your OS and it is single architecture only, you should be demanding more.

        The security software people know it is required. The OS people know it is required - they just can't be bothered and dumb is cheap for the vendor.

        1. Pookietoo

          Re: run the USB drivers in a separate protection ring

          But how do you tell a rogue USB stick that mimics an HID from a genuine HID?

    4. Warm Braw

      Maybe large technology-consuming biz needs to lean on large technology-producing biz so that the mere act of plugging a device into a computer can't result in major harm.

      It's a really sad indictment of the computer industry (and it's a problem that's affected pretty much every vendor over the years) that we have major data exfiltrations and hospitals shut down and everyone just shrugs because they imagine it's just how computers are and nothing can be done about it.

      There's a huge financial cost to businesses from what is, essentially, shoddy software and it's time to stop blaming the users for inadvertently exposing its faults.

    5. Nigel 11

      Maybe large biz needs to invest in some educational posters

      It will have to be an extraordinary large biz to not have a significant fraction of employees who will take any such poster as a recipe for what to do in order to f**k the b*****ds that own the place. Many, it's a majority that will be thinking that way.

      How do we think that list of clients and potential tax-dodgers got out of Mossack Fonseca? An external hacker? Really?

  2. Stuart Halliday

    It's OK. In America they can just use a gun to protect themselves! ;)

  3. Stevie

    Bah!

    I only ever plug found thumbdrives into someone else's computer.

    Then I clean them by typing "format c:" and clicking until all the "are you sure" boxes go away.

    1. el_oscuro

      Re: Bah!

      Do you also install Linux afterwards so their computer actually works?

      1. John Tserkezis

        Re: Bah!

        "Do you also install Linux afterwards so their computer actually works?"

        No, because the users will complain their email attached-exe files don't work anymore.

        Yeap.

  4. redpawn

    A good file name

    All you need is a good file name such as "Cutest Kitten Vid" or "owner contact info.exe" and you would probably increase the folly. Data could be collected on click and install also.

    Businesses probably need to universally use security software to only allow authorized thumb drives to mount. Home users are just dead.

    1. Anonymous Coward

      Re: A good file name

      Most of the banks I've worked at over the last few years have locked down USB ports and DVD-ROM drives on PCs so that they're not usable without an unlock code. Mostly a preventative measure to secure company data but also a good way to block these attempts at breeching systems.

      1. Anonymous Coward

        Re: A good file name

        Likewise here - my phone is locked out as you would expect... but then rather naughtily somehow presents itself as a DVD so that you can install the driver/software etc. The security does not appear to pick that up (although I suspect it would kick in if I tried to install it).

      2. Pookietoo

        Re: attempts at breeching systems

        So what happens once they're wearing trousers?

    2. Someone_Somewhere
      Devil

      Re: A good file name

      By far the most successful approach I have taken when engaging in (relatively harmless*) mischief has been to label it 'Do Not Open This'.

      People just can't help themselves, it seems. :D

      * prank executables and the like, nothing malicious.

    3. John Tserkezis

      Re: A good file name

      "All you need is a good file name such as "Cutest Kitten Vid" or "owner contact info.exe" and you would probably increase the folly."

      Agreed. We spoke about this with some friends who were arguing about how one would get an executable into someone else's computer.

      I said you don't have to. Just attach a file called "BigBoobs.exe" to an incoming email, and they're guaranteed to click on it. You don't even have to obscure it.

      1. Jimbo 6

        Re: A good file name

        Did anyone else ever receive an email attachment called "Brilliant_Ice_Hockey_Fight.wmv" (who could resist ?)

        When opened it was actually a Powerpoint file (so automatically opened in full screen, & all other buttons disappeared) which flashed, in massive letters, 'DOWNLOADING GAY PORN NOW'.

        Cue frantic scrambling to close the offending item. Lesson learned.

  5. hellwig

    Ok People

    If someone returns your flash drive, you'll want to clean that thing off first. Why would you trust a flash drive that was returned to you because someone looked at your data? What else did they do to your drive?

    Everyone else, leave that thing alone. It's like a baby bird, if you get your scent on it, the parents will reject it (that's B.S. of course, but it keeps kids from getting all sorts of bird germs on their hands, so the analogy sticks).

    And maybe people should use flash drives for their intended purpose, transferring and transporting files, instead of what we currently use them for: "My ONLY copy of that super important document!!! Help PLEASE!"

    1. Flocke Kroes Silver badge

      I thought I had a backup ...

      ... but she refused to type it in again.

    2. Nigel 11

      Re: Ok People

      Just possibly, because your large/important file/partition was encrypted.

      OTOH if a random hostile has seen that there is encrypted data on the drive it gives them a stronger incentive to try to sneak spyware into your computer via the returned drive. So retrieve your encrypted file/partition using a sacrificial computer. If you are truly paranoid then validity-test the retrieved data on a second sacrificial computer that is not networked.

  6. The Man Who Fell To Earth Silver badge
    Black Helicopters

    Now we know how the Iranians probably got Stuxnetted

    An operative probably just flung infected USB drives over the Natanz fence.

  7. Anonymous Coward

    Ideas for USB sticks

    A usb stick with thousands of photos on it of that self same USB stick jammed in a urethra.

  8. Stu 18

    If the people making the OS did their job...

    In my view if the OS writers spent less time trying to create lock in and more time trying to make things better, then this wouldn't be an issue. We have sandboxing, virtual machines, built in AV etc, why wouldn't the OS prevent anything dangerous happening when a device is plugged in?

    Why isn't there the same thing for installing an application in windows downloaded from the net, should this program have access to these files, should it be able to use the microphone, camera etc, this is trying to access these websites / IP addresses which are registered to ...

    I think we like to believe we are getting smarter over time, but I think we are getting dumber and American tech companies are leading the dumb and dumber movement at full speed!

    1. Dan 55 Silver badge
      Thumb Up

      Re: If the people making the OS did their job...

      Yep, they are. Check out the new WebUSB API from... Google. More car parks full of USB devices than you can shake a (USB) stick at for a fraction of the effort.

    2. Adam 52 Silver badge

      Re: If the people making the OS did their job...

      I'm with this. Why should plugging in a USB stick be dangerous? A USB stick shouldn't be able to run anything. USB hardware should prompt the user to download and install a driver.

      Time and time again we see features added for no readily apparent reason introducing security flaws (html email, scripting in document formats, autorun, hiding file extensions).

      1. John Tserkezis

        Re: If the people making the OS did their job...

        "I'm with this. Why should plugging in a USB stick be dangerous?"

        Autorun. An oldie but a goodie, and it only took Microsoft a few decades to realise it was actually a monumentally bad idea.

        Meanwhile, Joe Bloggs still has it enabled because they want their CDs to do something when you plug them in. (They'll never EVER let go of that feature)

        Till they learn, that is.

      2. Flocke Kroes Silver badge

        Another reason why plugging in a USB stick is dangerous

        It looks like a flash device, but the software in it pretends to be a USB hub with a flash device and a keyboard attached. When it thinks you are not watching, the software pretends another flash device has been plugged in then types the required command to run the malware on this hidden flash device.

        Of course, the OS can prevent this from happening by not trusting any USB keyboards, and all the user has to do is type "Trust me" to tell the OS which keyboard to trust.

        1. TheDarkFreak

          Re: Another reason why plugging in a USB stick is dangerous

          And then I'd be pissed that my Yubikey no longer works. There goes simple, secure authentication.
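The hidden-keyboard shape Flocke Kroes describes (a stick that also presents a hub with a keyboard attached) and the known-token exception TheDarkFreak raises can both be checked from the host side. The following is an added example, not code from the thread: it parses the device tree that `lsusb -t` prints and reports devices that pair mass storage with a keyboard-class HID interface, skipping an allowlist. `SAMPLE_TREE`, `parse_tree` and `flag_devices` are names assumed here, and the sample tree is constructed rather than captured from a real host.

```python
"""Flag USB devices that pair mass storage with a keyboard-class HID interface.
Added example, not from the thread: it parses the tree printed by `lsusb -t`."""
import re
from collections import defaultdict

# Constructed sample in the shape of `lsusb -t` output (not captured from a real host).
SAMPLE_TREE = """\
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
    |__ Port 2: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 480M
    |__ Port 2: Dev 3, If 1, Class=Human Interface Device, Driver=usbhid, 480M
    |__ Port 3: Dev 4, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 5, If 0, Class=Mass Storage, Driver=usb-storage, 480M
        |__ Port 2: Dev 6, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
"""
LINE_RE = re.compile(
    r"^( *)(?:/:\s+Bus (\d+)\.|\|__ )Port \d+: Dev (\d+), (?:If \d+, )?Class=([^,]+)")
STORAGE, HID, HUB = "Mass Storage", "Human Interface Device", "Hub"

def parse_tree(text):
    """Map (bus, dev) -> {"classes": interface classes seen, "parent": key or None}."""
    devices, stack, bus = {}, [], None   # stack: (indent, key) of ancestors on the path
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, bus_no, dev, cls = m.groups()
        if bus_no is not None:           # a root-hub line starts a new bus
            bus, stack = bus_no, []
        key, depth = (bus, dev), len(indent)
        while stack and stack[-1][0] >= depth and stack[-1][1] != key:
            stack.pop()                  # climb back up to this line's parent
        if key not in devices:
            devices[key] = {"classes": set(), "parent": stack[-1][1] if stack else None}
            stack.append((depth, key))
        devices[key]["classes"].add(cls.strip())
    return devices

def flag_devices(devices, allowlist=frozenset()):
    """Sorted keys of devices matching either suspicious shape, minus allowlisted keys."""
    children = defaultdict(set)
    for key, info in devices.items():
        children[info["parent"]].add(key)
    flagged = []
    for key, info in devices.items():
        classes = info["classes"]
        # Shape 1: a single "stick" exposing both a disk and a keyboard-class interface.
        composite = STORAGE in classes and HID in classes
        # Shape 2: a hub whose direct children are a disk plus a HID device.
        kinds = set().union(*(devices[c]["classes"] for c in children[key]))
        hub_mix = HUB in classes and STORAGE in kinds and HID in kinds
        if (composite or hub_mix) and key not in allowlist:
            flagged.append(key)          # allowlist: e.g. a known hardware token
    return sorted(flagged)
```

On a real host the allowlist would be keyed on vendor and product IDs from plain `lsusb` rather than on the bus/device numbers used here, since those change on every plug-in.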

      3. Hans 1
        Happy

        Re: If the people making the OS did their job...

        1. Get a dodgy USB stick (which cannot be used) with custom inscription, for example: Model No: ABC12345 2Tb MegaUltraDrive

        2. Then, on the internet, put a site up where you can download windows driver for model ABC12345 ...

        3. 0wned, any Windows techy would fall for that - if you're lucky, a domain admin will plug the thing into his work computer .... if the website looks legit enough. I am sure the domain admins in banks do not have epoxy in their USB ports ... ;-)

        Windows, the OS for the clueless....

    3. phuzz Silver badge

      Re: If the people making the OS did their job...

      Sure, you could set things up so that an administrative password was required every time somebody plugged in a USB stick, but good luck putting up with the phone calls all day "I just need to copy this file can you come up and type in the password please?".

      Or you could have a box that pops up and asks the user to confirm that they want to run whatever is on the USB stick. People will just click the button regardless.

      You can do the sensible thing and disable autoruns, but people are still going to click on cute_cat_pics.jpg.exe, and then click 'Yes' on the "are you sure?" dialogue.

      And of course, if we lived in a world where the average person knew basic IT security measures (or even cared in the slightest about it), then a lot of us would be out of a job.

  9. Faceless Man

    They tried this as part of a penetration test on our network. They left thumb drives and CDs with "Payroll" written on them in marker in meeting rooms, and the carpark.

    Seemed kind of obvious they were a plant, plus the fact we knew it was going on, made us suspicious, although I believe some people were stupid enough to just plug them in.

    1. goldcd

      Those are the people you should fire.

      Those that took them home, ran them on sandboxed machines, negotiated salary hikes off the data contained... actually, I've got a much better idea.

      Corporations should just flood their car-parks with non-malware sticks indicating your colleagues are earning minimum wage.

      Keep the eejits quiet.

  10. Franco

    This is why I always want USB port lockdown, because as Vinnie Jones says

    https://www.youtube.com/watch?v=gQKUXDB27Dg

  11. KH

    Safe for me

    There's no auto-run on Linux. It's a safe practice to plug in random USB sticks. Windows users get what they get.

    1. Anonymous Coward

      Re: Safe for me

      Not worried about USB keys that also pack a USB HID? I wouldn't be so sure of my USB stack, even on Linux.

      raving angry loony below makes a good point too: no software will protect you from a -220V inverter across the USB data lines.

    2. a_yank_lurker

      Re: Safe for me

      Whether autorun is on or off is not relevant. The relevant point is the stupidity of installing an unknown USB stick in any computer.

    3. Someone_Somewhere

      Re: Safe for me

      > There's no auto-run on Linux.

      No, but there /is/ automount - and that means there's something to hook into.

      The chances are that it still won't get any further than the user account, but that makes no difference if that account has access to privileged information and/or services.

      1. Flocke Kroes Silver badge

        Re: automount

        The automount daemon requires CAP_SYS_ADMIN to mount devices. Back when I was a PFY, automountd ran as root, and did not run fsck before mounting a block device. A defective file system could crash the kernel, and a maliciously crafted one would be able to run arbitrary code as the kernel.

        My information may be really out of date as I always disable automountd when commissioning a new system. (I do not use a file manager and I find it irritating to press <ALT><F4> every time I plug in a USB storage device).

    4. Planty Bronze badge

      Re: Safe for me

      No autorun on windows either, for the last 8 years or so.

    5. Anonymous Coward

      Re: Safe for me

      > There's no auto-run on Linux.

      Wow. People seem to have forgotten that USB devices can carry trojans that are firmware based and/or otherwise fairly OS independent.

      As a good example, here's BadUSB from 2014:

      http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/

      Please don't feel that using Linux protects you from bad USB devices. It really doesn't.
