Did you find a random USB thumb drive lying around? Go ahead and plug it into your laptop. Better yet, use it with your work laptop.
Are the IT pros in here cringing yet? Here, watch this video.
The “Dead Drops” project is an art and media experiment started by Berlin-based artist Aram Bartholl in 2010 when he visited New York City.
Bartholl explains the project as such:
‘Dead Drops’ is an anonymous, offline, peer to peer file-sharing network in public space. USB flash drives are embedded into walls, buildings and curbs accessible to anybody in public space. Everyone is invited to drop or find files on a dead drop. Plug your laptop to a wall, house or pole to share your favorite files and data. Each dead drop is installed empty except a readme.txt file explaining the project. ‘Dead Drops’ is open to participation. If you want to install a dead drop in your city/neighborhood follow the ‘how to’ instructions and submit the location and pictures.
So if you find a thumb drive just kind of lying around, pick it up and plug it in, right? You might be participating in a grand techno-social experiment.
Don’t do it.
Anyone with a basic understanding of USB security will tell you what a dangerous idea this is. Plugging randomly found USB drives into computers is a great way to infect your computer and others on your network with malware.
USB security threats are continuing to evolve
USB-borne malware has been around as long as thumb drives themselves, and USB security continues to be a major IT concern. Recently, USB-borne malware has become particularly nasty. Researchers at ESET discovered a new strain in March called Win32/PSW.Stealer.NAI—also known as USB Thief— that infects computers exclusively through USB devices.
USB Thief masks itself on thumb drives as popular applications like FireFox, Notepad++ or TrueCrypt. A user loads these apps onto their computer, and whenever the applications are opened, the malware runs in the background stealing keystrokes and other data.
“What really sets this malware apart is its self-protection mechanism,” says ESET analyst Tomas Gordon. “The (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer. After the USB is removed, nobody can find out that data was stolen.”
BadUSB: using USB connections as a weapon
In the InfoSec community, USB drives are recognized as powerful cyberattack weapons. A couple years ago, security researchers Karsten Nohl and Jakob Lell demonstrated how they reverse-engineered and patched USB firmware, essentially transforming it into a malicious Trojan horse capable of compromising a network.
Nohl and Lell dubbed it BadUSB, and it was capable of several forms of cyber havoc. It could emulate the keyboard of a logged on user, and issue commands to steal files or install malware. When paired with an Android phone, it could be used to intercept the web traffic directed at the computer into which it was plugged.
BadUSB could even replace the BIOS on a PC by emulating a keyboard and opening a file hidden on the USB thumb drive.
Nohl and Lell gave a presentation on BadUSB at the 2014 Black Hat Briefings that is worth checking out if you’re interested in more details about USB hardware hacking.
USB Security: Tips for using thumb drives safely
There are safe approaches to using USB thumb drives. These require a basic understanding of USB security and a little common sense. The following tips come care of Ken Campbell, an expert in encrypted USB with Kingston Technology.
- Consider using a hardware-based encrypted USB Flash drive to safely protect important business files and documents. During tax season, for example, many small business owners, consumers, and other users put their returns on a Flash drive to take to their accountant. Having an encrypted USB drive for peace of mind in case the drive goes missing is a small price to pay. Hardware-based encrypted drives provide business-grade security and are not as expensive as one might think.
- Whether it’s a small business or a large corporation, it’s always smart to build an encrypted USB plan to protect and comply. There appears to be more and more news stories coming out involving data breaches or information gone missing due to lost USB Flash drives. In a recent study by the University of Illinois, Urbana Champaign, researchers deliberately dropped 297 USB drives in various locations around campus. They found that 45 percent of the missing drives were plugged in!
Although this was just a test, it shows what happens when lost drives are found. The moral to the story is no matter the size of a company, consider developing a plan to deploy encrypted drives to all employees who need to transport data from one PC to another. Most PCs are protected by an antivirus solution and a firewall. That firewall should be extended to mobile data also.
- Choose the right USB for your organization. Most encrypted drives start with basic 256-bit AES hardware-based encryption which is standard and enough for most businesses. Governmental agencies, financial companies and healthcare organizations all may require higher levels of compliance but the bottom line is there is no need to overpay for your encryption needs.
- Train and educate employees on acceptable uses of USB drives. Walk users through actual breach incidents and the negative consequences associated with using non-encrypted USBs.
- If viruses and infections are a concern on host PCs, consider using an encrypted drive with antivirus protection. Also, device-level management software is available to control access, audit file activity to show data moving in and out of an organization, remote disable in case it gets lost and other functions critical to keeping portable data safe.
USB drives will continue to be a useful tool for transporting data and applications. Understanding how to use these tools safely is critical to the data security of your business. Make sure you and your colleagues take a common sense approach to USB security when using flash drives and other USB devices.