WHAT’S THIS?

Of the 50 USB drives recently sold in a “Lost and Found Auction” in Sydney, Australia, a check showed two-thirds were infected with viruses, according to Sophos, a security firm. The drives contained personal information, tax records and photo albums and resumes. Most were drives for Windows computers.

Computer Virus Attack

Which brings us to a brief discussion of how easy it is to get those viruses: Just leave a USB flash memory key lying around. Somebody will pick it up and think: “Oh, what’s this?” They’ll plug it into a computer to find out.

Leaving a drive around to be picked up is amazingly effective. Let’s say you want to track everything someone does on a computer. You load a short program called a key logger onto the USB flash drive and add another that gives you access to that computer from anywhere in the world. The two spy programs will be downloaded into that computer within a fraction of a second when someone plugs it into a computer. From that moment forward, it is a slave to a controller somewhere, anywhere.

Who would plug in a mystery USB key? Well, there’s an old saying about car crashes: that most accidents are caused by the nut at the steering wheel. In this case the most dangerous person is a company’s own employee. “Oh, look at this,” someone will say to themselves. “Somebody left their USB key behind. I better plug it in and see who it belongs to.” Bang!

How easy is it to do this? Let us count the ways. Leave infected USB keys lying around in the parking lot, drop them on the floor in a corridor or an elevator. You can buy these drives for less than $5; for a hundred bucks you can drop 20 of them around a target area.

How about this idea? You go to the reception desk of any company, rest a hand on the desk and in that hand is your invasive key drive. Ask a question, get an answer, and leave, leaving the drive behind on the desk. “Oh, what’s this?” And off we go.

In many companies people can walk through corridors unchallenged for a while, dropping USB keys onto desks in cubicles as they go. How about leaving a couple in the company cafeteria?

Then of course there are the irresistible offers. Amazon sells “used” USB drives for just a few dollars. Used? Really? What was it used for? Or how about free USB drives that seem to be part of an advertising offer? Have an attractive young person hold a basket of them in front of a large office building and give them away as a promotion. You think people might take one? Are you kidding?

So what’s the best way to protect your company or family from plugging in an infected drive? Well, the simplest way is never plug them in. The next best way is to have a cheap extra computer for that purpose real cheap, one you might normally throw away or give to charity. Any “found” drives would be plugged into that computer, which and this is crucial is not connected to a network, it’s a stand-alone. It’s also loaded with the toughest anti-virus software this side of Mars. And maybe best of all is to stomp on a found drive until it’s unusable.

If you carry a USB key around with you and know there’s a risk of losing it, you might think about storing some of the items to the cloud, or at least encrypting them. You can buy USB drives that come with encryption software on them.

Comments are closed.